Posted to users@spamassassin.apache.org by Robert - eLists <li...@abbacomm.net> on 2007/07/22 22:16:06 UTC

migrating from clamav before mta to SA ClamAV plugin experiences

Would anyone care to share their experiences of migrating from having their
pre MTA program handoff to clamav for email virus scanning changed to doing
it with the SA ClamAV plugin way ???

The reason I am thinking about migrating and doing it with the SA ClamAV
plugin way is that I can just reject the email at the SMTP level instead of
storing it as a quarantine...

Well, at least I haven't figured out how to do smtp reject the other way
yet.

Thanks in advance

 - rh


RE: migrating from clamav before mta to SA ClamAV plugin experiences

Posted by Robert - eLists <li...@abbacomm.net>.
Nigel

SA integrated via qmail-scanner-queue.pl allows smtp rejection based upon
score thresholds

 - rh


Re: migrating from clamav before mta to SA ClamAV plugin experiences

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Mon, 23 Jul 2007 11:32:21 +0200, Matus UHLAR - fantomas
> <uh...@fantomas.sk> wrote:
> >however according to his information, his qmail queue scanner rejects the
> >mail if it's spam, but not if it's a virus (which is sick and a bug imho)

On 23.07.07 10:59, Nigel Frankcom wrote:
> Ahh - it's not unheard of for me to miss the salient points :-)

and I'm afraid you missed it again :-)

> I don't think bouncing spam is such a good idea though, just my
> opinion, but it rarely originates from wherever it *says* it
> originates from. 

(at least I hope) it does not bounce, but rejects the spam. The bounce is on
the sending side, which is, in most cases, the infected machine, and
viruses do not generate bounces... (at least I don't know of any)

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Remember half the people you know are below average. 

Re: migrating from clamav before mta to SA ClamAV plugin experiences

Posted by Nigel Frankcom <ni...@blue-canoe.com>.
On Mon, 23 Jul 2007 11:32:21 +0200, Matus UHLAR - fantomas
<uh...@fantomas.sk> wrote:

>> >On 22.07.07 15:32, Robert - eLists wrote:
>> >> I use qmail-scanner-queue.pl, clamav, spamassassin and qmail
>> >> 
>> >> I can reject spam over a certain scoring threshold this way, yet I have not
>> >> figured out a way to just reject email based upon having a virus signature
>> >> per clamav.
>
>> On Mon, 23 Jul 2007 11:08:47 +0200, Matus UHLAR - fantomas
>> <uh...@fantomas.sk> wrote:
>> >what does clamav checking in that scanner do then? It should call clamdscan
>> >asap (before SA) and when a virus is found, the mail should be immediately
>> >rejected, the same way it's rejected when SA tells so.
>
>On 23.07.07 10:19, Nigel Frankcom wrote:
>> Umm, I may be missing the point here,
>
>you seem to be :-)
>
>> but SA doesn't bounce mail, it just scores it.
>
>however according to his information, his qmail queue scanner rejects the
>mail if it's spam, but not if it's a virus (which is sick and a bug imho)
>
>> Considering the time that can be taken up with various
>> scans it's not really feasible to hold open the smtp connection that
>> long,
>
>should not be a problem if scanning does not take more than ~4 minutes
>(after 5 minutes many clients close the connection and re-try, which results
>in multiple mail delivery).
>
>> I use a simpler solution here. If you send an email that gets tagged
>> as a virus by any of the av scanners your IP address is put into a
>> blocklist for a set period. The thought behind this is that viruses
>> very rarely come in one at a time; if a host is infected it will send
>> again and again.
>
>this solution can be done in addition to, but imho should not be done
>instead of, virus checking.

Ahh - it's not unheard of for me to miss the salient points :-)

I don't think bouncing spam is such a good idea though, just my
opinion, but it rarely originates from wherever it *says* it
originates from. 

As far as AV scanning is concerned here, all mail that gets past the
mta gets checked. My mta does various blocks and greylistings based on
previous emails sent. This does throw up a very few fp's but in
several years of running clam and 5 years plus of running my other
virus scanners it's never happened with a virus. Still, never say
never, it's bound to bite me in the ass one day. :-)

Kind regards

Nigel


Re: migrating from clamav before mta to SA ClamAV plugin experiences

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> >On 22.07.07 15:32, Robert - eLists wrote:
> >> I use qmail-scanner-queue.pl, clamav, spamassassin and qmail
> >> 
> >> I can reject spam over a certain scoring threshold this way, yet I have not
> >> figured out a way to just reject email based upon having a virus signature
> >> per clamav.

> On Mon, 23 Jul 2007 11:08:47 +0200, Matus UHLAR - fantomas
> <uh...@fantomas.sk> wrote:
> >what does clamav checking in that scanner do then? It should call clamdscan
> >asap (before SA) and when a virus is found, the mail should be immediately
> >rejected, the same way it's rejected when SA tells so.

On 23.07.07 10:19, Nigel Frankcom wrote:
> Umm, I may be missing the point here,

you seem to be :-)

> but SA doesn't bounce mail, it just scores it.

however according to his information, his qmail queue scanner rejects the
mail if it's spam, but not if it's a virus (which is sick and a bug imho)

> Considering the time that can be taken up with various
> scans it's not really feasible to hold open the smtp connection that
> long,

should not be a problem if scanning does not take more than ~4 minutes
(after 5 minutes many clients close the connection and re-try, which results
in multiple mail delivery).

> I use a simpler solution here. If you send an email that gets tagged
> as a virus by any of the av scanners your IP address is put into a
> blocklist for a set period. The thought behind this is that viruses
> very rarely come in one at a time; if a host is infected it will send
> again and again.

this solution can be done in addition to, but imho should not be done
instead of, virus checking.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
42.7 percent of all statistics are made up on the spot. 

Re: migrating from clamav before mta to SA ClamAV plugin experiences

Posted by Nigel Frankcom <ni...@blue-canoe.com>.
On Mon, 23 Jul 2007 11:08:47 +0200, Matus UHLAR - fantomas
<uh...@fantomas.sk> wrote:

>> > which MTA are you using? The clamav plugin should reject the e-mail the
>> > same way SA plugin does that (with much less CPU time spent)
>
>On 22.07.07 15:32, Robert - eLists wrote:
>> Uhlar
>
>... and I thought that spelling my surname in capitals would preserve me from
>this title ... :)
>
>> I use qmail-scanner-queue.pl, clamav, spamassassin and qmail
>> 
>> I can reject spam over a certain scoring threshold this way, yet I have not
>> figured out a way to just reject email based upon having a virus signature
>> per clamav.
>
>what does clamav checking in that scanner do then? It should call clamdscan
>asap (before SA) and when a virus is found, the mail should be immediately
>rejected, the same way it's rejected when SA tells so.

Umm, I may be missing the point here, but SA doesn't bounce mail, it
just scores it. Considering the time that can be taken up with various
scans it's not really feasible to hold open the smtp connection that
long, so even if it could, bouncing may well not work. You then hit
the problem that the chances of the sending address being legit are
pretty low. So some poor sod is going to cop umpteen gazillion bounce
messages.

I use a simpler solution here. If you send an email that gets tagged
as a virus by any of the av scanners your IP address is put into a
blocklist for a set period. The thought behind this is that viruses
very rarely come in one at a time; if a host is infected it will send
again and again.

The blocking is done at MTA level.

HTH

Nigel
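The two policy points raised in this thread, rejecting at SMTP time instead of quarantining (with Matus's ~4-minute scan budget) and Nigel's temporary blocklist for hosts that delivered a virus, as one added example. This is illustrative code written for this page, not code from qmail-scanner, SpamAssassin, ClamAV or any MTA; the score threshold, block period, reply texts and sample IPs are assumptions.

```python
"""SMTP-time decisions built from a clamd verdict and a SpamAssassin score.
Added example for this thread; thresholds and reply texts are assumed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SPAM_REJECT_SCORE = 10.0   # assumed SA score at or above which mail is refused
SCAN_BUDGET_SECS = 240.0   # keep scanning under ~4 min: clients give up at ~5 and resend
BLOCK_SECS = 3600.0        # assumed "set period" for the temporary IP blocklist


@dataclass
class VirusBlocklist:
    """Hosts that delivered a virus are refused for BLOCK_SECS (per-IP expiry)."""
    expires: Dict[str, float] = field(default_factory=dict)

    def block(self, ip: str, now: float) -> None:
        self.expires[ip] = now + BLOCK_SECS

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self.expires.get(ip)
        if until is None:
            return False
        if now >= until:            # lazy expiry: drop the entry once its period is over
            del self.expires[ip]
            return False
        return True


def connect_decision(ip: str, bl: VirusBlocklist, now: float) -> Tuple[int, str]:
    """Reply at connect time: a blocked host is refused before any scanning is spent."""
    if bl.is_blocked(ip, now):
        return 554, "5.7.1 host recently sent a virus; blocked temporarily"
    return 220, "ESMTP ready"


def data_decision(ip: str, virus: Optional[str], sa_score: Optional[float],
                  scan_secs: float, bl: VirusBlocklist, now: float) -> Tuple[int, str]:
    """Reply at end of DATA. virus = clamd signature name or None if clean;
    sa_score = SpamAssassin score, or None if SA did not run (e.g. clamd hit first)."""
    if scan_secs > SCAN_BUDGET_SECS:
        # Past the budget the client has probably dropped the session and will retry,
        # so tempfail: nothing unscanned is delivered and the retry is the only copy.
        return 451, "4.7.1 content scan exceeded time budget, try again later"
    if virus is not None:
        bl.block(ip, now)           # remember the infected host for later connections
        return 550, f"5.7.1 message rejected: virus found ({virus})"
    if sa_score is not None and sa_score >= SPAM_REJECT_SCORE:
        return 550, f"5.7.1 message rejected: spam score {sa_score:.1f}"
    return 250, "2.0.0 OK: queued"
```

The ClamAV verdict is checked before the score so that a virus rejection never depends on SpamAssassin having run, which is the ordering Matus argues for above.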

Re: migrating from clamav before mta to SA ClamAV plugin experiences

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> > what does clamav checking in that scanner do then? It should call
> > clamdscan
> > asap (before SA) and when a virus is found, the mail should be immediately
> > rejected, the same way it's rejected when SA tells so.

On 23.07.07 20:31, Robert - eLists wrote:
> It quarantines and notifies admin via email. Real PAIN
> 
> If you read the post it says I don't know how to do it the other way nor
> have I figured out how to do it yet if ever.

looking at the perl sources could help, if you can (at least try to)
understand perl. What I remember about qmail is that it can not pass the
error string from the filtering module to the client, but maybe you use a
different (patched) smtp daemon for qmail?

> Hence the post to the SA list regarding integrating clamav into SA functions
> for scoring so I can reject the mail based upon high score.

Of course. But I think you should try to find a better way, and if something
can reject the mail because it's spam, then something can reject the mail
because it's a virus.

I may recommend switching to another MTA, maybe courier, which is very
close to qmail in the way it works, but postfix and sendmail are good too, if
you know how to configure them...

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
My mind is like a steel trap - rusty and illegal in 37 states. 

RE: migrating from clamav before mta to SA ClamAV plugin experiences

Posted by Robert - eLists <li...@abbacomm.net>.
> 
> what does clamav checking in that scanner do then? It should call
> clamdscan
> asap (before SA) and when a virus is found, the mail should be immediately
> rejected, the same way it's rejected when SA tells so.
> 

Matus

It quarantines and notifies admin via email. Real PAIN

If you read the post it says I don't know how to do it the other way nor
have I figured out how to do it yet if ever.

Hence the post to the SA list regarding integrating clamav into SA functions
for scoring so I can reject the mail based upon high score.

 - rh



Re: migrating from clamav before mta to SA ClamAV plugin experiences

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> > which MTA are you using? The clamav plugin should reject the e-mail the
> > same way SA plugin does that (with much less CPU time spent)

On 22.07.07 15:32, Robert - eLists wrote:
> Uhlar

... and I thought that spelling my surname in capitals would preserve me from
this title ... :)

> I use qmail-scanner-queue.pl, clamav, spamassassin and qmail
> 
> I can reject spam over a certain scoring threshold this way, yet I have not
> figured out a way to just reject email based upon having a virus signature
> per clamav.

what does clamav checking in that scanner do then? It should call clamdscan
asap (before SA) and when a virus is found, the mail should be immediately
rejected, the same way it's rejected when SA tells so.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
A day without sunshine is like, night.

RE: migrating from clamav before mta to SA ClamAV plugin experiences

Posted by Robert - eLists <li...@abbacomm.net>.
> 
> which MTA are you using? The clamav plugin should reject the e-mail the
> same
> way SA plugin does that (with much less CPU time spent)
> 

Uhlar

I use qmail-scanner-queue.pl, clamav, spamassassin and qmail

I can reject spam over a certain scoring threshold this way, yet I have not
figured out a way to just reject email based upon having a virus signature
per clamav.

So, I thought I would remove clamav from qmail-scanner-queue.pl and let
clamav be called from the SA ClamAV Plugin...

This way I can reject the email once it scores over a certain threshold and
not have it handled by quarantine etc.

 - rh




Re: migrating from clamav before mta to SA ClamAV plugin experiences

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 22.07.07 13:16, Robert - eLists wrote:
> Would anyone care to share their experiences of migrating from having their
> pre MTA program handoff to clamav for email virus scanning changed to doing
> it with the SA ClamAV plugin way ???
> 
> The reason I am thinking about migrating and doing it with the SA ClamAV
> plugin way is that I can just reject the email at the SMTP level instead of
> storing it as a quarantine...
> 
> Well, at least I haven't figured out how to do smtp reject the other way
> yet.

which MTA are you using? The clamav plugin should reject the e-mail the same
way SA plugin does that (with much less CPU time spent)

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."

Re: migrating from clamav before mta to SA ClamAV plugin experiences

Posted by Shane Williams <sh...@shanew.net>.
There are a number of qmail specific programs that use clamav other
than qmail-scanner (which, based on a quick skim of their page,
doesn't seem to support SMTP-time rejection).  The ClamAV website has
several alternatives, a couple of which appear to do SMTP-time
rejection, listed at
http://www.clamav.net/download/third-party-tools/3rdparty-mta/

Hope that helps...

On Sun, 22 Jul 2007, Robert - eLists wrote:

>
> Would anyone care to share their experiences of migrating from having their
> pre MTA program handoff to clamav for email virus scanning changed to doing
> it with the SA ClamAV plugin way ???
>
> The reason I am thinking about migrating and doing it with the SA ClamAV
> plugin way is that I can just reject the email at the SMTP level instead of
> storing it as a quarantine...
>
> Well, at least I haven't figured out how to do smtp reject the other way
> yet.
>
> Thanks in advance
>
> - rh
>

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew