Posted to dev@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2007/10/11 16:28:34 UTC

move ClamAVPlugin into the core distro?

hi Troels --

you're listed as the original author of
http://wiki.apache.org/spamassassin/ClamAVPlugin -- would you mind if we
considered moving it into the core distribution?  I think it'd fit well
there, nowadays (although probably disabled by default).

SpamAssassin committers-- anyone disagree that it should go in?
I'm only considering it because I've repeatedly found myself installing
it, and it's a nice simple plugin which works well. ;)

--j.

Re: move ClamAVPlugin into the core distro?

Posted by "Kevin A. McGrail" <ke...@thoughtworthy.com>.
>> Honestly I'm -0.5 on this.  SA isn't a virus scanner, and while it could
>
> The magic key that to my mind makes bringing it into the core set isn't 
> "virus", it's "phish".  Agreed, SA isn't a virus scanner and probably 
> shouldn't be; it is quite inefficient at that sort of thing.

My thoughts are the exact same as Loren's.  Knowing that Symantec Antivirus 
was renamed to Symantec Endpoint Protection with the release of SAV 11, I 
think there is a lot of convergence with AV products to handling malware of 
all types including viruses, trojans, backdoors, malware, spyware, adware, 
phishing scams, etc. etc. etc.  The nuances between each type are lost on the 
vast majority of the users.

But in any case, ClamAV covers the same bases.  The term Anti-Virus is just 
too narrow.  Endpoint Protection isn't bad but still not great.

The point is, ClamAV does block other things including phishes.  While there 
are better ways perhaps to do this, adding the code to have the plugin 
disabled by default but available seems a decent idea.

And I would recommend this plug-in is used ESPECIALLY if someone was to use 
ClamAV in a way that ONLY used phishing signatures which might not be safe 
enough to use in an outright blocking manner but would be more suitable to 
SA's scoring algorithms.

My vote remains +1.

Regards,
KAM 


Re: move ClamAVPlugin into the core distro?

Posted by Loren Wilton <lw...@earthlink.net>.
> Honestly I'm -0.5 on this.  SA isn't a virus scanner, and while it could

The magic key that to my mind makes bringing it into the core set isn't 
"virus", it's "phish".  Agreed, SA isn't a virus scanner and probably 
shouldn't be; it is quite inefficient at that sort of thing.

But to the best of my knowledge there is no dedicated "phish" scanner, and I 
don't recall anyone ever having put one or more feet down and stated 
categorically that "SA isn't a phish scanner!".  There is the interesting 
question of whether you want to reject phish outright at connect time, or 
whether you maybe want to collect them and do something with them.  I'm 
inclined to the latter approach; others might not be.

The nice thing about the Clam plugin is that it lets you have it either way 
with phish.  And yes, with viruses too; but I consider that immaterial to the 
discussion.

SA has some rules to detect phish.  I've written quite a few myself, 
although rather long ago in email years.  Frankly they aren't very 
comprehensive.  These days the SaneSecurity stuff does an *excellent* job of 
catching phish - so much so that I haven't needed to write more than one or 
two specific rules in the last 6 months for these things.

By using the Clam plugin with the SaneSecurity signatures you have the 
chance to catch suspected phish and do something other than rejecting them 
outright.

From conversations on the users' list lots of people are using this plugin 
and like it (me included), and there hasn't been any notable negative 
comment that I can recall, other than the occasional "SA isn't a virus 
scanner, so don't use that plugin" comments.

        Loren



Re: move ClamAVPlugin into the core distro?

Posted by Theo Van Dinter <fe...@apache.org>.
On Fri, Oct 12, 2007 at 01:07:19AM +0200, Mark Martinec wrote:
> As long as users set their expectations right and understand this
> is not a replacement for a more dependable virus checking ...

Honestly I'm -0.5 on this.  SA isn't a virus scanner, and while it could
definitely be used in such a way, I don't want people to get confused.  I
also, frankly, don't want to be responsible for supporting the plugin since
it's not really core to what we do.  Also, there are other, likely better,
ways of doing virus scanning than using the plugin -- people using amavis or
mailscanner are probably far outnumbering those who use the plugin, for
example.

That said, I haven't looked at the plugin nor do I do virus scanning on my
mail, so I could totally be biased in some of my opinions.

-- 
Randomly Selected Tagline:
"it's so easy! you click, you kill, you loot!"
         - Gonzo Granzeau paraphrasing a friend about Diablo II

Re: move ClamAVPlugin into the core distro?

Posted by Mark Martinec <Ma...@ijs.si>.
> http://wiki.apache.org/spamassassin/ClamAVPlugin

> SpamAssassin committers-- anyone disagree that it should go in?
> I'm only considering it because I've repeatedly found myself installing
> it, and it's a nice simple plugin which works well. ;)

As long as users set their expectations right and understand this
is not a replacement for a more dependable virus checking ...

- messages longer than the few-hundred kB SA limit are not virus scanned;

- failure of a clamd daemon or communication with it goes by unnoticed
  (a debug message is logged at a debug level, I doubt anybody would notice)
  and mail passes unchecked;

- it doesn't distinguish between virus names: nowadays that ClamAV
  is often used with contributed rules (e.g. SaneSecurity, catching
  phishing and images), false positives are more frequent. There should
  be a separate and lower score for such hits than the normal score
  for truly infected mail;

- the File::Scan::ClamAV hasn't been updated for three years.
  Is it still supported?


Mark
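
An added example, not part of the original thread and not the plugin's own code: a Python sketch of a clamd client that keeps the outcomes listed above apart, so an unreachable daemon or an oversized message yields an explicit "unscanned" verdict and third-party signature hits are separated from official ones. The 512 kB limit, the verdict names and the sample signature names are assumptions; third-party hits are recognised by a "Sanesecurity" substring or the ".UNOFFICIAL" suffix that current ClamAV appends.

```python
import socket
import struct

SA_SIZE_LIMIT = 512 * 1024  # assumed stand-in for SA's "few-hundred kB" limit
CHUNK = 8192

def clamd_instream(data, host="127.0.0.1", port=3310, timeout=10.0):
    """Send data to clamd with the INSTREAM command; return the reply line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"zINSTREAM\0")
        for i in range(0, len(data), CHUNK):
            chunk = data[i:i + CHUNK]
            # each chunk is prefixed with its length, 4 bytes big-endian
            s.sendall(struct.pack("!I", len(chunk)) + chunk)
        s.sendall(struct.pack("!I", 0))  # zero-length chunk ends the stream
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return reply.rstrip(b"\0").decode("ascii", "replace")

def classify(reply):
    """Map a clamd reply line to (verdict, detail)."""
    body = reply.split(": ", 1)[-1].strip()
    if body == "OK":
        return ("clean", None)
    if body.endswith(" FOUND"):
        name = body[:-len(" FOUND")]
        third_party = (name.endswith(".UNOFFICIAL")
                       or "sanesecurity" in name.lower())
        return ("third_party_hit" if third_party else "infected", name)
    # "... ERROR" or anything unexpected is never treated as clean
    return ("unscanned", body)

def scan_message(raw, scan=clamd_instream):
    """Scan one message; every failure path returns an explicit verdict."""
    if len(raw) > SA_SIZE_LIMIT:
        return ("unscanned", "message exceeds scan size limit")
    try:
        return classify(scan(raw))
    except OSError as exc:  # refused connection, timeout, broken pipe
        return ("unscanned", "clamd unreachable: %s" % exc)

if __name__ == "__main__":
    # Constructed reply lines, not captured from a real clamd.
    for line in ("stream: OK", "stream: Eicar-Test-Signature FOUND",
                 "stream: Sanesecurity.Phishing.Constructed.1.UNOFFICIAL FOUND",
                 "INSTREAM size limit exceeded. ERROR"):
        print(line, "->", classify(line))
```

A caller can then give "third_party_hit" a lower score than "infected" and log or alert on "unscanned" at a level someone will see.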

Re: move ClamAVPlugin into the core distro?

Posted by Michael Peddemors <mi...@linuxmagic.com>.
But I do want to re-iterate the suggestion that it is disabled by default.

Most installations will probably already have some mechanism to do ClamAV 
filtering.  

And one comment to consider.  When doing virus scanning, it is recommended 
that it happen during the DATA transmission during an SMTP transaction, so 
that a mail server can appropriately reject the contents, without accepting 
the transmission.  (5xx)

This allows senders to immediately know that they have an infection, and makes 
it simpler to diagnose ('Where did my email go?'), plus many more subtle 
side effects.

But, it will make it simpler for the bulk of SA users I am sure.

On Thursday 11 October 2007 07:59, Doc Schneider wrote:
> Justin Mason wrote:
> > hi Troels --
> >
> > you're listed as the original author of
> > http://wiki.apache.org/spamassassin/ClamAVPlugin -- would you mind if we
> > considered moving it into the core distribution?  I think it'd fit well
> > there, nowadays (although probably disabled by default).
> >
> > SpamAssassin committers-- anyone disagree that it should go in?
> > I'm only considering it because I've repeatedly found myself installing
> > it, and it's a nice simple plugin which works well. ;)
> >
> > --j.
>
> +1 from me as well.

-- 
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors - President/CEO - LinuxMagic
Products, Services, Support and Development
Visit us at http://www.linuxmagic.com
------------------------------------------------------------------------
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" is a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-589-0037 Beautiful British Columbia, Canada


Re: move ClamAVPlugin into the core distro?

Posted by Doc Schneider <ma...@maddoc.net>.
Justin Mason wrote:
> hi Troels --
> 
> you're listed as the original author of
> http://wiki.apache.org/spamassassin/ClamAVPlugin -- would you mind if we
> considered moving it into the core distribution?  I think it'd fit well
> there, nowadays (although probably disabled by default).
> 
> SpamAssassin committers-- anyone disagree that it should go in?
> I'm only considering it because I've repeatedly found myself installing
> it, and it's a nice simple plugin which works well. ;)
> 
> --j.

+1 from me as well.

- --

 -Doc

 Penguins: Do it on the ice.
   8:44am  up 4 days, 16:55, 17 users,  load average: 0.18, 0.30, 0.37

 SARE HQ  http://www.rulesemporium.com/

Re: move ClamAVPlugin into the core distro?

Posted by "Kevin A. McGrail" <ke...@thoughtworthy.com>.
Re: ClamAV

> SpamAssassin committers-- anyone disagree that it should go in?
> I'm only considering it because I've repeatedly found myself installing
> it, and it's a nice simple plugin which works well. ;)


+1 from me.

regards,
KAM