Hi there,

On Thu, 12 Jun 2014, Alex wrote:
I'm using clamav with spamassassin and amavisd.
We use sendmail, but that shouldn't matter. :)
I have a few hundred whitelist entries, and I'm concerned that some of those accounts may have been compromised, and have become the source of these attacks.
Er, take them off the whitelist and explain to them why you did it?
Is it possible to whitelist (whitelist_from_rcvd) yet still scan them for viruses/malware?
For this sort of thing we use MIMEDefang. Perl can do anything. :)

Briefly, our setup (slightly simplified) is as follows:

Our firewalls cut out most of the dross; we drop all packets from something like 25% of the IPv4 address space. This is an automated process that has built up a database over much more than a decade.

Sendmail access databases deal with obvious things like the TLDs that we don't want to talk to. As it's sendmail, the code is all written in C and compiled, so it's fast. The Sendmail default settings are much tweaked; I won't say more in public, but it's fairly effective.

The rest are all sendmail milters:

Greylisting. Very effective, a lot of 'em never bother coming back. Again I won't be too specific in public.

Sender Policy Framework. Doesn't do a lot yet, but it's getting there as more people get their heads around it. Why such a simple idea is seemingly so difficult for people, and why people aren't flocking to ISPs to get them to put it into operation, I have absolutely no idea.

The very useful milter-regex, easy and quick to configure a new rule because the configuration is basically just a bunch of lines like

    reject "Go away"
    connect "orange server"
    helo "spam server"
    envfrom "Bank of America"
    header "^Subject$" "We found a pile of cash we think is yours"
    body "file.*=.*document\.zip"

After about ten years of modifications, the version number of the milter-regex configuration file in our servers today is 1471. As you can see, that's almost daily modifications at our sites.

Mailfromd for geography and RBLs etc., good for the serious criminals.

ClamAV with the third-party databases for phishing etc. checks. With just the SourceFire databases we find ClamAV more or less useless for viruses, but being a Linux shop we don't worry about that most of the time, so it doesn't matter to us. *However* Sanesecurity kicks serious butt, and without ClamAV we wouldn't have Sanesecurity. Thanks Steve.
MIMEDefang for more exotic things like extracting archives, scanning them, checking the registrar of the domain that's claiming to want to send mail and/or how long it has been registered, yadayadayada. Did I mention that you can do anything in Perl? :)

SpamAssassin (with our own custom rules for things like casinos, 419 scams, and the more carefully crafted spam) is called by MIMEDefang. For design reasons that limits what it can do to the messages, but we don't really want to do much with a message if we think we don't like it - it just goes into quarantine and gets REJECTed.

That's it.

As there's a lot of Perl code in MIMEDefang and SpamAssassin, and Perl code is resource-hungry, they're called last in the milter chain. We hope by then that most of the time they'll be scanning only legitimate mail. Most of the time that will be a little less than one percent of the mail that people attempt to send to us.

-- 
73,
Ged.

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
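As an added illustration (not Ged's configuration and not the milter-regex project's code), here is a small Python emulation of the rule format quoted above: an action line followed by condition lines, evaluated against constructed sample messages. The AND-ing of the conditions under one action, the reject-only action set and case-sensitive matching are assumptions of this sketch, as are the sample rules and messages.

```python
import re

def parse_rules(text):
    """'reject "msg"' opens a rule; the connect/helo/envfrom/header/body lines
    after it are its conditions and must ALL match (AND is assumed; reject only)."""
    rules = []  # list of [message, [(keyword, [regexes]), ...]]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword = line.split(None, 1)[0]
        args = re.findall(r'"((?:[^"\\]|\\.)*)"', line)  # quoted arguments
        if keyword == "reject":
            rules.append([args[0] if args else "", []])
        elif rules:
            rules[-1][1].append((keyword, args))
        else:
            raise ValueError(f"condition before any action: {line!r}")
    return rules

def _matches(cond, msg):
    keyword, pats = cond
    if keyword == "header":  # two regexes: header name, then header value
        name_re, value_re = pats
        return any(re.search(name_re, n) and re.search(value_re, v)
                   for n, v in msg["headers"])
    return re.search(pats[0], msg.get(keyword, "")) is not None

def evaluate(rules, msg):
    """Return ('reject', msg) for the first rule whose conditions all match,
    otherwise ('accept', '')."""
    for message, conditions in rules:
        if conditions and all(_matches(c, msg) for c in conditions):
            return "reject", message
    return "accept", ""

# Constructed ruleset and sample messages (not the author's live configuration).
RULES = parse_rules(r'''
reject "No thanks"
envfrom "@spam-sender\.example$"
header "^Subject$" "We found a pile of cash we think is yours"
reject "Go away"
body "file.*=.*document\.zip"
''')
PHISH = {"envfrom": "lottery@spam-sender.example", "body": "Click here",
         "headers": [("Subject", "We found a pile of cash we think is yours")]}
NEWSLETTER = {"envfrom": "news@spam-sender.example", "body": "Monthly update",
              "headers": [("Subject", "Monthly update")]}  # only 1 of 2 conditions
ZIPPED = {"envfrom": "x@other.example", "headers": [("Subject", "Invoice")],
          "body": 'Content-Disposition: attachment; filename="document.zip"'}
```

NEWSLETTER shows why the conditions under one action are treated as a conjunction: matching the envelope sender alone is not enough to reject.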