On Mon, 28 Aug 2006, Odhiambo Washington wrote:
> * On 27/08/06 15:02 -0400, Dan MacNeil wrote:
> |
> | See bottom of thread for thoughts
> |
> | >>the circumstances arose where mail folders are kept
> | >>from a pre-clamav time, or there was an issue with the clamav setup at
> | >>the time, or clamav was not scanning incoming mail
> | >
> | >I have to say that while I commend your sharing of a concept/idea, it
> | >does appear that it's not very viable.
> | >As for the situation, we've been using ClamAV for going on 3 years now,
> | >and I have never (I repeat never) seen this occur.
> | >Outside of a poor configuration/implementation that is.
> |
> | We're using maildir instead of mbox so the OP's script.
> |
> | However, I beg to differ on the point that post-delivery scanning is
> | useless (dumb???). We run clam through amavis. We also clamscan our mail
> | spool when freshclam gives us a new signature.
>
> Post-delivery scanning.....
>
> 1. You accept the mail (imagine it was infected).
> 2. Then scan it...
>
> How long is the time difference between when it is delivered and when
> the owner accesses it?
>
> We block all infected mail at SMTP time, so we don't even receive it.
But you still do - see below.
> I have been using Clamav (clamd) for over 3 years and this is the way
> we have always done it. Initially there was exiscan patch for Exim, then
> exiscan-acl and finally exiscan was integrated into Exim so virus/spam
> filtering is already in the MTA. You just have to install/configure
> SpamAssassin/Clamav and enable the filtering/(blocking) at SMTP time.
> To be honest, in all my years as sysadmin, I don't know why I would
> want post-delivery scanning.
This is why:
There are several problems with scanning at SMTP time:

- It takes a lot of CPU power to be able to scan all incoming SMTP
  connections at once.
- If you find a virus you can't do anything about it until the end of the
  DATA phase, so you have effectively received the traffic, even if you
  haven't saved it to disk.
- Once you find the virus what do you do? Reject the message and then let
  the sending server bounce it back to some poor individual whose address
  was spoofed? That is not very courteous.
With off-line scanning (assuming you are using some scanning manager such
as Amavis or, in my case, MailScanner), you save the incoming message to a
temporary queue and then process it. The advantages of that are:

- You can spread the scanning load more effectively, and never have to run
  more than a specified number of scanning instances.
- It takes no more bandwidth than online scanning.
- If you do identify a virus then you can take selective action, eg for a
  Word macro virus you can remove the attachment and deliver the message,
  for other known viruses you just quarantine them, sending no notices to
  either sender or recipient. If doubtful, send the message without the
  attachment.
- No one gets a silly message saying "You have sent a virus . . ."
  (I really hate that!)
Obviously you don't just deliver the mail to a local mailbox and then
start scanning!
I also find that it is useful to have a store of quarantined viruses as it
gives you the opportunity to have a look at what is going on, as well as
to investigate the source, which is often not the server that actually
sends it out to you. Obviously you want to blacklist totally brain-dead
systems, but if you find a co-operative but newbie sysadmin who wants some
help in finding the source you then have a chance to do it.
In any case I think it is essential to have a system that examines the
mail offline before final delivery to check it not only for known viruses,
but also for other problems, eg:

- Potentially dangerous filenames/filetypes
- Oversize messages/attachments (with individual settings)
- Removal of scripting inside html
- Removal of web bugs
- Checking for phishing attacks in addition to those provided by ClamAV
- Individual blacklisting of mail from some addresses
- Scanning for spam, using DNS blacklists, SpamAssassin etc.
All the above can be done using MailScanner (and probably Amavis as well).
It would be theoretically possible to do all the above online, but the
chances of dying from a DoS attack would be very high. So off-line
scanning for malware and spam seems to me to be the best way to go unless
you have unlimited horsepower.
That is not to argue against blocking anything at all during the SMTP
stage - I have an extensive blacklist of known spammers, virus spewers
etc that I don't accept, as well as checking for reverse DNS, enforcing
greet-pause etc etc. That blocks 80% of incoming traffic right away,
without any SMTP DATA phase at all.
We use ClamAV as our sole virus scanner and have been very impressed.
Keep up the most valuable work!
Regards
Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
Tel: (263-4)-334111/304471
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
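The selective post-delivery policy Jim describes above (strip and deliver for a macro virus or a dangerous file type, silent quarantine for other known viruses, scripting removed from HTML, per-attachment size limits) as an added example in Python. This is not MailScanner, Amavis or ClamAV code and was not posted in the thread. The virus scanner is a hypothetical stand-in for clamd that recognises only the EICAR test string, so the script runs with no clamd socket; the signature-name prefixes, the extension list and the size limit are assumed values, and the sample message is constructed inline.

```python
"""Offline (queued, pre-final-delivery) mail policy filter.

Added example, not MailScanner, amavis or ClamAV code.  scan_bytes() is a
hypothetical stand-in for clamd INSTREAM that flags only the EICAR test
string, so everything here runs offline.  Policy tables are assumed values.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# EICAR test string; every real scanner, ClamAV included, flags it.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def scan_bytes(data: bytes) -> Optional[str]:
    """Hypothetical stand-in for clamd: return a signature name or None."""
    return "Eicar-Test-Signature" if EICAR.encode() in data else None


# Assumed policy values; tune per site.
MACRO_SIG_PREFIXES = ("W97M", "X97M", "Macro")   # strip attachment, still deliver
DANGEROUS_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js")
MAX_ATTACHMENT = 100_000                          # bytes per attachment
SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.I | re.S)


def dangerous_filename(name: Optional[str]) -> bool:
    """True for executable types, including double extensions (x.pdf.exe)."""
    return bool(name) and name.lower().endswith(DANGEROUS_EXT)


def replace_with_placeholder(part: EmailMessage, name: str, reason: str) -> None:
    """Swap the attachment body for a short text note; Content-* headers are rebuilt."""
    part.set_content(f"Attachment {name!r} removed by mail filter: {reason}\n",
                     disposition="attachment", filename=f"{name}.removed.txt")


def filter_message(raw: bytes) -> Tuple[str, EmailMessage, List[str]]:
    """Return (verdict, message, notes); verdict is 'deliver' or 'quarantine'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    notes: List[str] = []
    for part in list(msg.walk()):
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/html":
            # Regex stripping of <script> is crude; an HTML parser is safer.
            cleaned, n = SCRIPT_RE.subn("", part.get_content())
            if n:
                part.set_content(cleaned, subtype="html")
                notes.append(f"removed {n} script block(s) from HTML part")
            continue
        name = part.get_filename()
        if part.get_content_disposition() != "attachment" and not name:
            continue                      # plain body text, nothing to check
        data = part.get_payload(decode=True) or b""
        sig = scan_bytes(data)
        if sig and not sig.startswith(MACRO_SIG_PREFIXES):
            notes.append(f"quarantine: {sig} in {name}")
            return "quarantine", msg, notes   # silent: no bounce, no notice
        if sig:
            reason = f"macro virus {sig}"
        elif dangerous_filename(name):
            reason = "dangerous file type"
        elif len(data) > MAX_ATTACHMENT:
            reason = f"oversize ({len(data)} bytes)"
        else:
            continue
        replace_with_placeholder(part, name or "unnamed", reason)
        notes.append(f"stripped {name}: {reason}")
    return "deliver", msg, notes


def build_sample(include_virus: bool) -> bytes:
    """Constructed test message: HTML with a script, a double-extension
    executable, an oversize archive and optionally the EICAR file."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "user@example.net"
    m["Subject"] = "invoice"
    m.set_content("Please see the attached invoice.")
    m.add_alternative("<p>Please see the attached invoice.</p>\n"
                      "<script>document.location='http://example.org/'</script>\n",
                      subtype="html")
    m.add_attachment(b"MZ\x90\x00 not really a PE", maintype="application",
                     subtype="octet-stream", filename="invoice.pdf.exe")
    m.add_attachment(b"\0" * (MAX_ATTACHMENT + 1), maintype="application",
                     subtype="zip", filename="archive.zip")
    if include_virus:
        m.add_attachment(EICAR.encode(), maintype="application",
                         subtype="octet-stream", filename="eicar.com")
    return bytes(m)


if __name__ == "__main__":
    for flag in (True, False):
        verdict, cleaned_msg, log = filter_message(build_sample(include_virus=flag))
        print(verdict, log)
```

Run stand-alone it prints the verdict and the action log for both sample messages. In a real queue runner the quarantined message would be written to a quarantine directory for the kind of source investigation described above, and the delivered one handed to the LDA; in both cases nothing is sent back to the envelope sender, which is the point of doing this after the SMTP transaction has closed.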