Posted to dev@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2007/10/11 16:28:34 UTC
move ClamAVPlugin into the core distro?
hi Troels --
you're listed as the original author of
http://wiki.apache.org/spamassassin/ClamAVPlugin -- would you mind if we
considered moving it into the core distribution? I think it'd fit well
there, nowadays (although probably disabled by default).
SpamAssassin committers-- anyone disagree that it should go in?
I'm only considering it because I've repeatedly found myself installing
it, and it's a nice simple plugin which works well. ;)
--j.
Re: move ClamAVPlugin into the core distro?
Posted by "Kevin A. McGrail" <ke...@thoughtworthy.com>.
>> Honestly I'm -0.5 on this. SA isn't a virus scanner, and while it could
>
> The magic key that to my mind makes bringing it into the core set isn't
> "virus", it's "phish". Agreed, SA isn't a virus scanner and probably
> shouldn't be; it is quite inefficient at that sort of thing.
My thoughts are the exact same as Loren. Knowing that Symantec Antivirus
was renamed to Symantec Endpoint Protection with the release of SAV 11, I
think there is a lot of convergence with AV products to handling malware of
all types including virii, trojans, backdoors, malware, spyware, adware,
phishing scams, etc. etc. etc. The nuances between each type are lost on the
vast majority of the users.
But in any case, ClamAV covers the same bases. The term Anti-Virus is just
too narrow. Endpoint Protection isn't bad but still not great.
The point is, ClamAV does block other things including phishes. While there
are better ways perhaps to do this, adding the code to have the plugin
disabled by default but available seems a decent idea.
And I would recommend this plug-in is used ESPECIALLY if someone was to use
ClamAV in a way that ONLY used phishing signatures which might not be safe
enough to use in an outright blocking manner but would be more suitable to
SA's scoring algorithms.
My vote remains +1.
Regards,
KAM
Re: move ClamAVPlugin into the core distro?
Posted by Loren Wilton <lw...@earthlink.net>.
> Honestly I'm -0.5 on this. SA isn't a virus scanner, and while it could
The magic key that to my mind makes bringing it into the core set isn't
"virus", it's "phish". Agreed, SA isn't a virus scanner and probably
shouldn't be; it is quite inefficient at that sort of thing.
But to the best of my knowledge there is no dedicated "phish" scanner, and I
don't recall anyone ever having put one or more feet down and stated
categorically that "SA isn't a phish scanner!". There is the interesting
question of whether you want to reject phish outright at connect time, or
whether you maybe want to collect them and do something with them. I'm
inclined to the latter approach; others might not be.
The nice thing about the Clam plugin is that it lets you have it either way
with phish. And yes, with virui too; but I consider that immaterial to the
discussion.
SA has some rules to detect phish. I've written quite a few myself,
although rather long ago in email years. Frankly they aren't very
comprehensive. These days the SaneSecurity stuff does an *excellent* job of
catching phish - so much so that I haven't needed to write more than one or
two specific rules in the last 6 months for these things.
By using the Clam plugin with the SaneSecurity signatures you have the
chance to catch suspected phish and do something other than rejecting them
outright.
From conversations on the user's list lots of people are using this plugin
and like it (me included), and there hasn't been any notable negative
comment that I can recall, other than the occasional "SA isn't a virus
scanner, so don't use that plugin" comments.
Loren
Re: move ClamAVPlugin into the core distro?
Posted by Theo Van Dinter <fe...@apache.org>.
On Fri, Oct 12, 2007 at 01:07:19AM +0200, Mark Martinec wrote:
> As long as users set their expectations right and understand this
> is not a replacement for a more dependable virus checking ...
Honestly I'm -0.5 on this. SA isn't a virus scanner, and while it could
definitely be used in such a way, I don't want people to get confused. I
also, frankly, don't want to be responsible for supporting the plugin since
it's not really core to what we do. Also, there are other, likely better,
ways of doing virus scanning than using the plugin -- people using amavis or
mailscanner are probably far outnumbering those who use the plugin, for
example.
That said, I haven't looked at the plugin nor do I do virus scanning on my
mail, so I could totally be biased in some of my opinions.
--
Randomly Selected Tagline:
"it's so easy! you click, you kill, you loot!"
- Gonzo Granzeau paraphrasing a friend about Diablo II
Re: move ClamAVPlugin into the core distro?
Posted by Mark Martinec <Ma...@ijs.si>.
> http://wiki.apache.org/spamassassin/ClamAVPlugin
> SpamAssassin committers-- anyone disagree that it should go in?
> I'm only considering it because I've repeatedly found myself installing
> it, and it's a nice simple plugin which works well. ;)
As long as users set their expectations right and understand this
is not a replacement for a more dependable virus checking ...
- messages longer than the few-hundred kB SA limit are not virus scanned;
- failure of a clamd daemon or communication with it goes by unnoticed
(a debug message is logged at a debug level, I doubt anybody would notice)
and mail passes unchecked;
- it doesn't distinguish between virus names: nowadays that ClamAV
is often used with contributed rules (e.g. SaneSecurity, catching
phishing and images), false positives are more frequent. There should
be a separate and lower score for such hits than the normal score
for truly infected mail;
- the File::Scan::ClamAV hasn't been updated for three years.
Is it still supported?
Mark
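Added example, not part of the original thread and not the ClamAVPlugin's code: a Python sketch of the concerns listed in the message above, keeping "not scanned" and "scanner failed" distinct from "clean" and scoring contributed-signature hits lower than real infections. The size limit, verdict names, scores and the name-based test for third-party signatures are assumptions; the reply lines used with it are constructed samples in clamd's "stream: ... OK/FOUND/ERROR" form.

```python
# Added illustration (not the ClamAVPlugin code). The size limit, verdict
# names and scores below are hypothetical.
import re

MAX_SCAN_BYTES = 500 * 1024   # hypothetical stand-in for the SA size limit
SCORES = {"infected": 10.0, "third_party_hit": 3.0}  # hypothetical scores

# clamd answers a stream scan with "stream: OK", "stream: <name> FOUND",
# or a line ending in "ERROR".
_FOUND = re.compile(r"^[^:]+:\s+(?P<name>\S+)\s+FOUND$")


def classify(msg_len, reply):
    """Map a clamd reply (None = no answer) to (verdict, signature, score)."""
    if msg_len > MAX_SCAN_BYTES:
        return ("not_scanned_too_large", None, 0.0)
    if reply is None:
        return ("scanner_unavailable", None, 0.0)
    line = reply.strip("\0\r\n \t")
    if line.endswith("ERROR"):
        return ("scanner_error", None, 0.0)
    m = _FOUND.match(line)
    if m:
        name = m.group("name")
        # Assumption: contributed signatures are recognisable by name.
        third_party = (name.endswith(".UNOFFICIAL")
                       or "sanesecurity" in name.lower())
        verdict = "third_party_hit" if third_party else "infected"
        return (verdict, name, SCORES[verdict])
    if line.endswith(": OK"):
        return ("clean", None, 0.0)
    return ("scanner_error", None, 0.0)  # an unparseable reply is not "clean"


def unscanned(verdict):
    """True when mail passed without a real scan and should be logged loudly."""
    return verdict in ("not_scanned_too_large", "scanner_unavailable",
                       "scanner_error")
```

A caller would log every verdict for which unscanned() is true at warning level rather than debug level, so that a dead clamd is noticed.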
Re: move ClamAVPlugin into the core distro?
Posted by Michael Peddemors <mi...@linuxmagic.com>.
But I do want to re-iterate the suggestion that it is disabled by default.
Most installations will probably already have some mechanism to do ClamAV
filtering.
And one comment to consider. When doing virus scanning, it is recommended
that it happen during the DATA transmission during an SMTP transaction, so
that a mail server can appropriately reject the contents, without accepting
the transmission. (5xx)
This allows senders to immediately know that they have an infection, and makes
it simpler to diagnose ('Where did my email go?'), plus many more subtle
side effects.
But, it will make it simpler for the bulk of SA users I am sure.
On Thursday 11 October 2007 07:59, Doc Schneider wrote:
> Justin Mason wrote:
> > hi Troels --
> >
> > you're listed as the original author of
> > http://wiki.apache.org/spamassassin/ClamAVPlugin -- would you mind if we
> > considered moving it into the core distribution? I think it'd fit well
> > there, nowadays (although probably disabled by default).
> >
> > SpamAssassin committers-- anyone disagree that it should go in?
> > I'm only considering it because I've repeatedly found myself installing
> > it, and it's a nice simple plugin which works well. ;)
> >
> > --j.
>
> +1 from me as well.
--
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors - President/CEO - LinuxMagic
Products, Services, Support and Development
Visit us at http://www.linuxmagic.com
------------------------------------------------------------------------
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" is a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-589-0037 Beautiful British Columbia, Canada
Re: move ClamAVPlugin into the core distro?
Posted by Doc Schneider <ma...@maddoc.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Justin Mason wrote:
> hi Troels --
>
> you're listed as the original author of
> http://wiki.apache.org/spamassassin/ClamAVPlugin -- would you mind if we
> considered moving it into the core distribution? I think it'd fit well
> there, nowadays (although probably disabled by default).
>
> SpamAssassin committers-- anyone disagree that it should go in?
> I'm only considering it because I've repeatedly found myself installing
> it, and it's a nice simple plugin which works well. ;)
>
> --j.
+1 from me as well.
- --
-Doc
Penguins: Do it on the ice.
8:44am up 4 days, 16:55, 17 users, load average: 0.18, 0.30, 0.37
SARE HQ http://www.rulesemporium.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org
iD8DBQFHDjpLqOEeBwEpgcsRAjqQAJoCG8H4kRXO4E+F5vKsfmzDjHdXagCfZc9K
r/AXgIoDvNXx5jpBEycIt2o=
=lJAL
-----END PGP SIGNATURE-----
Re: move ClamAVPlugin into the core distro?
Posted by "Kevin A. McGrail" <ke...@thoughtworthy.com>.
Re: ClamAV
> SpamAssassin committers-- anyone disagree that it should go in?
> I'm only considering it because I've repeatedly found myself installing
> it, and it's a nice simple plugin which works well. ;)
+1 from me.
regards,
KAM