Posted to users@spamassassin.apache.org by Charles Gregory <cg...@hwcn.org> on 2004/02/27 06:20:14 UTC

Re: [spa] Re: Linking ClamAV into procmail? (SUMMARY)

On Thu, 26 Feb 2004, Bob George wrote:
> > Yes, and I am still looking for a good procmail-driven virus
> > checker, with decent signature updates, which would make a
> > good 'companion' for SA.
> Oh, clamav works quite well from procmail but you do want a wrapper
> script to extract, then scan attachments.

Dang. I'm sorry, I've been repeating myself so often that I've gotten
tired of spelling it out each time. What I want is an anti-virus program
that works in a single 'pass' without writing stuff out to disk.

> Since that's the ONLY mode bitdefender works in anyhow....

Is bitdefender freeware? Didn't look like it when I visited the site...

> Clamav also works well from anomy sanitizer, which I call from
> procmail to defang, etc.

I've not wanted to use anomy sanitizer because not all our users have the
technical skills to properly interpret the output. So for the most part,
anything we have to install has to be conservative and very simple to use.
And yes, that was a *challenge* with SpamAssassin. Our users have access
to two settings: The 'hits required' and whether to merely 'flag' or
actually delete mail tagged as spam. Seems to be working fairly well.....

- Charles


Re: [spa] Re: Linking ClamAV into procmail? (SUMMARY)

Posted by Charles Gregory <cg...@hwcn.org>.
On Fri, 27 Feb 2004, Bob George wrote:
> I assume the single pass requirement is for performance reasons?

A combination of performance and simplicity of installation/maintenance
(for the distinct possibility that the next sysadmin will be volunteer).
We're running a community-network ISP here..... :-)

> >>Is bitdefender freeware? Didn't look like it when I visited the site...
> "Free for personal use" -- at least free enough to be included in Debian.

Which rules out CommunityNets..... (sigh)

> I put anomy in BECAUSE my users (family mostly) lack those skills. I 
> have it set to scan, then allow through if it passes the scan, or 
> quarantine and direct users to ask for help if not.

Before I installed SpamAssassin, I had a simple blacklist filter with a
quarantine system and I would have users calling up and complaining that
their disk quota was full but their 'inbox' empty. Even though the docs
practically SCREAMED that they had to clear out the spam box, far too many
users just 'clicked the button' and expected the spam to magically
disappear. So I finally gave in and gave them the option to just delete
spam based on the SA score. With a default to just tag spam, they can
easily check for FP's before they start deleting. Their choice.... 

And we really can't be suggesting that hundreds of users phone us for
help, especially when a good number think 'help' means they call us to do
things *for them* again and again..... (sigh)

> It can just as easily drop infected messages. I can see this depending
> largely on the userbase though.

Got it in one. As a community base we service a market segment that has
more difficulty with computers than average.... :-)

> Still, I'd lean towards scanning SOMEWHERE, regardless of how.

Uh-huh. That's why I want to get CLAMAV running. I figure they'll either
straighten out the 'mbox' option soon, or I'll follow the 'mailscanner'
trick of splitting postfix, though that will mean extra file I/O..... :-(

> Here's a thought: Allow users to "scan for viruses" or not.

I might offer them anomy sanitizing as an option. But basic virus scanning
has to be on for everyone. It's in everyone's best interest....

> If not, just don't call it. If using sanitizer, different procmail rules 
> could call it specifying different configs for content (defang html), 
> virus scanning, etc. depending on the options checked by the user 
> (assuming you've got a web checklist somewhere).

Yeah, we're headed in that direction. But let's get basic AV running
first..... :-)

- Charles


Re: Linking ClamAV into procmail? (SUMMARY)

Posted by Bob George <ma...@ttlexceeded.com>.
Charles Gregory wrote:

> [...]
>
>Dang. I'm sorry, I've been repeating myself so often that I've gotten
>tired of spelling it out each time. What I want is an anti-virus program
>that works in a single 'pass' without writing stuff out to disk.

Oh, I want that too. But until it's available (or someone just calls the 
script "the scanner" :), clamav is a great tool, and worlds better than 
NO protection.

I assume the single pass requirement is for performance reasons?

>>Since that's the ONLY mode bitdefender works in anyhow....
>>Is bitdefender freeware? Didn't look like it when I visited the site...

"Free for personal use" -- at least free enough to be included in Debian.

>>Clamav also works well from anomy sanitizer, which I call from
>>procmail to defang, etc.
>
>I've not wanted to use anomy sanitizer because not all our users have the
>technical skills to properly interpret the output. So for the most part,
>anything we have to install has to be conservative and very simple to use.

I put anomy in BECAUSE my users (family mostly) lack those skills. I 
have it set to scan, then allow through if it passes the scan, or 
quarantine and direct users to ask for help if not. It can just as 
easily drop infected messages. I can see this depending largely on the 
userbase though. Still, I'd lean towards scanning SOMEWHERE, regardless 
of how.

>And yes, that was a *challenge* with SpamAssassin. Our users have access
>to two settings: The 'hits required' and whether to merely 'flag' or
>actually delete mail tagged as spam. Seems to be working fairly well.....

Here's a thought: Allow users to "scan for viruses" or not. If they opt 
for scanning, call clamav (or sanitizer), configured to drop infected. 
If not, just don't call it. If using sanitizer, different procmail rules 
could call it specifying different configs for content (defang html), 
virus scanning, etc. depending on the options checked by the user 
(assuming you've got a web checklist somewhere).

An option anyhow. Good luck, and let us know if you find a more 
email-aware solution! I want one too.

- Bob
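
The per-user option described in the message above (scan or not, drop infected), combined with the single-pass requirement raised earlier in the thread, could be wired up as follows. This is an added example, not code from either poster; it assumes a current `clamdscan` that reads the message on stdin when given `-` and exits 0 (clean), 1 (infected) or 2 (error), and the policy names `off`, `drop` and `tag` are made up for illustration.

```shell
#!/bin/sh
# Added example: scan one message from stdin in a single pass (no temp
# file written by this script) and turn the scanner's exit status plus a
# per-user policy into a delivery decision.
#
# SCANNER is an assumption: any command that reads the message on stdin
# and exits 0 = clean, 1 = infected, anything else = scanner error.
SCANNER="${SCANNER:-clamdscan --no-summary -}"

# scan_decide POLICY   (message on stdin)
#   POLICY (hypothetical names):
#     off  - user opted out, never call the scanner
#     drop - discard infected mail
#     tag  - deliver infected mail flagged, like SA's "flag only" mode
#   Prints one word: deliver | drop | tag | defer
scan_decide() {
    policy="$1"

    if [ "$policy" = "off" ]; then
        cat >/dev/null          # drain stdin so the writer is not blocked
        echo deliver
        return 0
    fi

    # The message streams straight from our stdin into the scanner.
    # "|| rc=$?" keeps this safe when the caller runs under "set -e".
    rc=0
    $SCANNER >/dev/null 2>&1 || rc=$?

    case "$rc" in
        0) echo deliver ;;
        1) if [ "$policy" = "tag" ]; then echo tag; else echo drop; fi ;;
        *) echo defer ;;        # scanner broken: fail closed, retry later
    esac
}
```

Treating any status other than 0 or 1 as `defer` means a stopped or misconfigured scanner holds mail back rather than letting unscanned mail through.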