On Mon, 28 Aug 2006, Odhiambo Washington wrote:

> * On 27/08/06 15:02 -0400, Dan MacNeil wrote:
> |
> | See bottom of thread for thoughts
> |
> | >>the circumstances arose where mail folders are kept
> | >>from a pre-clamav time, or there was an issue with the clamav setup at
> | >>the time, or clamav was not scanning incoming mail
> | >
> | >I have to say that while I commend your sharing of a concept/idea, it
> | >does appear that it's not very viable.
> | >As for the situation, we've been using ClamAV for going on 3 years now,
> | >and I have never (I repeat never) seen this occur.
> | >Outside of a poor configuration/implementation that is.
> |
> | We're using maildir instead of mbox so the OP's script.
> |
> | However, I beg to differ on the point that post-delivery scanning is
> | useless (dumb???). We run clam through amavis. We also clamscan our mail
> | spool when fresh-clam gives us a new signature.
>
> Post-delivery scanning.....
>
> 1. You accept the mail (imagine it was infected).
> 2. Then scan it...
>
> How long is the time difference between when it is delivered and when
> the owner accesses it?
>
> We block all infected mail at SMTP time, so we don't even receive it.
But you still do - see below.

> I have been using Clamav (clamd) for over 3 years and this is the way
> we have always done it. Initially there was exiscan patch for Exim, then
> exiscan-acl and finally exiscan was integrated into Exim so virus/spam
> filtering is already in the MTA. You just have to install/configure
> SpamAssassin/Clamav and enable the filtering/(blocking) at SMTP time.
> To be honest, in all my years as sysadmin, I don't know why I would
> want post-delivery scanning.

This is why:

There are several problems with scanning at SMTP time:

1. It takes a lot of CPU power to be able to scan all incoming SMTP
   connections at once.

2. If you find a virus you can't do anything about it until the end of
   the DATA phase, so you have effectively received the traffic, even if
   you haven't saved it to disk.

3. Once you find the virus what do you do? Reject the message and then
   let the sending server bounce it back to some poor individual whose
   address was spoofed? That is not very courteous.

With off-line scanning (assuming you are using some scanning manager such
as Amavis or, in my case, MailScanner), you save the incoming message to a
temporary queue and then process it. The advantages of that are:

1. You can spread the scanning load more effectively, and never have to
   run more than a specified number of scanning instances.

2. It takes no more bandwidth than online scanning.

3. If you do identify a virus then you can take selective action, eg for
   a Word macro virus you can remove the attachment and deliver the
   message, for other known viruses you just quarantine them, sending no
   notices to either sender or recipient. If doubtful, send the message
   without the attachment. No one gets a silly message saying "You have
   sent a virus . . ." (I really hate that!)

Obviously you don't just deliver the mail to a local mailbox and then
start scanning!
I also find that it is useful to have a store of quarantined viruses as it
gives you the opportunity to have a look at what is going on, as well as to
investigate the source, which is often not the server that actually sends
it out to you. Obviously you want to blacklist totally brain-dead systems,
but if you find a co-operative but newbie sysadmin who wants some help in
finding the source you then have a chance to do it.

In any case I think it is essential to have a system that examines the
mail offline before final delivery to check it not only for known viruses,
but also for other problems, eg:

1. Potentially dangerous filenames/filetypes
2. Oversize messages/attachments (with individual settings)
3. Removal of scripting inside html
4. Removal of web bugs
5. Checking for phishing attacks in addition to those provided by ClamAV
6. Individual blacklisting of mail from some addresses
7. Scanning for spam, using DNS blacklists, SpamAssassin etc.

All the above can be done using MailScanner (and probably Amavis as well).
It would be theoretically possible to do all the above on line, but the
chances of dying from a DOS attack would be very high. So off-line scanning
for malware and spam seems to me to be the best way to go unless you have
unlimited horsepower.

That is not to argue against blocking anything at all during the SMTP
stage - I have an extensive blacklist of known spammers, virus spewers etc
that I don't accept, as well as checking for reverse DNS, enforcing
greet-pause etc etc. That blocks 80% of incoming traffic right away,
without any SMTP DATA phase at all.

We use ClamAV as our sole virus scanner and have been very impressed.
Keep up the most valuable work!

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
Tel: (263-4)-334111/304471

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
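As an added illustration of the queue-then-scan design argued for in this message (example code written for this archive page, not code from the thread, from MailScanner, amavis or ClamAV): messages are accepted into a temporary queue, scanned by a bounded pool of workers, and then handled per the selective policy described above (strip a macro-virus or doubtful attachment and deliver the rest, quarantine other known viruses silently, never notify anyone). The `clamd_instream_scan` function speaks clamd's real INSTREAM protocol and is only used when a clamd socket path is given; everything else runs offline against a stub scanner with constructed signature names. The `X-Scan-Removed` header, the `MAX_SCANNERS` knob and the "signature name contains `Macro`" heuristic are assumptions of this example, not anything the thread or ClamAV defines.

```python
"""Offline (post-acceptance, pre-delivery) scanning queue with selective
policy.  Runs stand-alone with the stub scanner; clamd_instream_scan needs
a running clamd and is not exercised by default."""
import socket
import struct
from concurrent.futures import ThreadPoolExecutor
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Callable, Dict, Optional, Tuple

MAX_SCANNERS = 4              # assumed knob: upper bound on concurrent scans
MACRO_SIGNATURE_HINT = "Macro"  # assumed heuristic for "Word macro virus" signatures
Scanner = Callable[[bytes], Optional[str]]   # returns signature name or None


def clamd_instream_scan(data: bytes, sock_path: str, chunk: int = 8192) -> Optional[str]:
    """Scan bytes with clamd's INSTREAM command over a UNIX socket.
    Reply is 'stream: OK' or 'stream: <signature> FOUND' (NUL-terminated)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"zINSTREAM\0")
        for i in range(0, len(data), chunk):
            part = data[i:i + chunk]
            s.sendall(struct.pack("!I", len(part)) + part)   # length-prefixed chunk
        s.sendall(struct.pack("!I", 0))                      # zero-length chunk ends stream
        reply = b""
        while not reply.endswith(b"\0"):
            more = s.recv(4096)
            if not more:
                break
            reply += more
    text = reply.rstrip(b"\0").decode(errors="replace")
    if text.endswith("ERROR"):
        raise RuntimeError(text)
    if text.endswith("FOUND"):
        return text.split(":", 1)[1].rsplit(" ", 1)[0].strip()
    return None


def scan_message(raw: bytes, scanner: Scanner) -> Tuple[EmailMessage, Dict[int, str]]:
    """Scan every leaf part; report hits by index of the top-level part that
    contains them, so that part can be removed as a unit."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits: Dict[int, str] = {}
    if not msg.is_multipart():
        sig = scanner(msg.get_payload(decode=True) or b"")
        return msg, ({0: sig} if sig else {})
    for idx, top in enumerate(msg.get_payload()):
        for leaf in top.walk():
            if leaf.is_multipart():
                continue
            sig = scanner(leaf.get_payload(decode=True) or b"")
            if sig:
                hits[idx] = sig
                break
    return msg, hits


def is_strippable(sig: str) -> bool:
    """Macro viruses and heuristic ("doubtful") detections: drop the part, deliver the rest.
    ClamAV names its heuristic detections 'Heuristics.*'."""
    return MACRO_SIGNATURE_HINT in sig or sig.startswith("Heuristics.")


def apply_policy(msg: EmailMessage, hits: Dict[int, str]) -> Tuple[str, Optional[bytes]]:
    """Return (action, message bytes or None). No notices are ever generated."""
    if not hits:
        return "deliver", msg.as_bytes()
    removable = {i: s for i, s in hits.items() if is_strippable(s)}
    if len(removable) < len(hits) or not msg.is_multipart():
        return "quarantine", None            # other known virus: quarantine silently
    kept = [p for i, p in enumerate(msg.get_payload()) if i not in removable]
    if not kept:
        return "quarantine", None            # nothing deliverable would remain
    msg.set_payload(kept)
    msg["X-Scan-Removed"] = ", ".join(removable.values())   # assumed header name
    return "deliver-stripped", msg.as_bytes()


def process_queue(queue: Dict[str, bytes], scanner: Scanner,
                  max_workers: int = MAX_SCANNERS) -> Dict[str, Tuple[str, Optional[bytes]]]:
    """Drain a temporary queue {id: raw bytes} with at most max_workers concurrent scans."""
    def one(item):
        mid, raw = item
        return mid, apply_policy(*scan_message(raw, scanner))
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        return dict(pool.map(one, queue.items()))


# --- constructed sample data and stub scanner (not real signatures) -------------
STUB_SIGNATURES = {
    b"MACRO-MARKER": "Doc.Macro.Sample-Constructed",     # stands in for a Word macro virus
    b"WORM-MARKER": "Win.Worm.Sample-Constructed",        # stands in for any other known virus
    b"ODD-MARKER": "Heuristics.Sample-Constructed",       # stands in for a doubtful detection
}


def stub_scanner(data: bytes) -> Optional[str]:
    return next((sig for marker, sig in STUB_SIGNATURES.items() if marker in data), None)


def build_sample(subject: str, attach_name: Optional[str] = None, attach_bytes: bytes = b"") -> bytes:
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.test", "bob@example.test", subject
    m.set_content("Hello, see attached.")
    if attach_name:
        m.add_attachment(attach_bytes, maintype="application", subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


def attachment_names(raw: bytes) -> list:
    return [p.get_filename() for p in message_from_bytes(raw, policy=policy.default).iter_attachments()]
```

Usage: `process_queue({"m1": build_sample("report", "report.doc", b"...MACRO-MARKER...")}, stub_scanner)` returns `{"m1": ("deliver-stripped", <bytes without the attachment>)}`; swapping in `lambda d: clamd_instream_scan(d, "/var/run/clamav/clamd.ctl")` (socket path assumed) makes the same queue run against a live clamd. The pool size bounds scanner instances independently of how many SMTP connections the MTA accepted, which is the load-spreading point made above.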