Hi there,

On Thu, 12 Jun 2014, Alex wrote:

> I'm using clamav with spamassassin and amavisd.

We use sendmail, but that shouldn't matter. :)

> I have a few hundred whitelist entries, and I'm concerned that some
> of those accounts may have been compromised, and have become the
> source of these attacks.

Er, take them off the whitelist and explain to them why you did it?

> Is it possible to whitelist (whitelist_from_rcvd) yet still scan
> them for viruses/malware?

For this sort of thing we use MIMEDefang.  Perl can do anything. :)

Briefly, our setup (slightly simplified) is as follows:

Our firewalls cut out most of the dross, we drop all packets from
something like 25% of the IPv4 address space.  This is an automated
process that has built up a database over much more than a decade.

Sendmail access databases deal with obvious things like the TLDs that
we don't want to talk to.  As it's sendmail, the code is all written
in C and compiled, so it's fast.  The Sendmail default settings are
much tweaked, I won't say more in public but it's fairly effective.

The rest are all sendmail milters:

Greylisting.  Very effective, a lot of 'em never bother coming back.
Again I won't be too specific in public.

Sender Policy Framework.  Doesn't do a lot yet but it's getting there
as more people get their heads around it.  Why such a simple idea is
seemingly so difficult for people, and why people aren't flocking to
ISPs to get them to put it into operation, I have absolutely no idea.

The very useful milter-regex, easy and quick to configure a new rule
because the configuration is basically just a bunch of lines like
  reject "Go away"
    connect "orange server"
    helo "spam server"
    envfrom "Bank of America"
    header "^Subject$" "We found a pile of cash we think is yours"
    body "file.*=.*document\.zip"
After about ten years of modifications, the version number of the
milter-regex configuration file in our servers today is 1471.  As
you can see that's almost daily modifications at our sites.

Mailfromd for geography and RBLs etc, good for the serious criminals.

ClamAV with the third-party databases for phishing etc. checks.  With
just the SourceFire databases we find ClamAV more or less useless for
viruses, but being a Linux shop we don't worry about that most of the
time so it doesn't matter to us.  *However* Sanesecurity kicks serious
butt, and without ClamAV we wouldn't have Sanesecurity.  Thanks Steve.

MIMEDefang for more exotic things like extracting archives, scanning
them, checking the registrar of the domain that's claiming to want to
send mail and/or how long it has been registered, yadayadayada.  Did I
mention that you can do anything in Perl? :)

SpamAssassin (with our own custom rules for things like casinos, 419
scams, and the more carefully crafted spam) is called by MIMEDefang.
For design reasons that limits what it can do to the messages, but we
don't really want to do much with a message if we think we don't like
it - it just goes into quarantine and gets REJECTed.

That's it.

As there's a lot of Perl code in MIMEDefang and SpamAssassin, and Perl
code is resource-hungry, they're called last in the milter chain.  We
hope by then that most of the time they'll be scanning only legitimate
mail.  Most of the time that will be a little less than one percent of
the mail that people attempt to send to us.

--

73,
Ged.
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
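To make the milter-regex rule shape quoted above concrete, here is an added Python illustration (not Ged's configuration and not milter-regex's own code) that parses rules in that layout and runs them against constructed SMTP sessions. It assumes the indented conditions under an action are conjunctive, which should be checked against milter-regex.conf(5); hostnames, addresses and messages are all made up.

```python
import re
# Constructed rules modelled on the milter-regex snippet in the mail (not a real config).
# Assumption: every indented condition under an action must match; see milter-regex.conf(5).
RULES_TEXT = r'''
reject "Go away"
    connect "orange\.example"
    helo "spam\.example"
reject "No thanks"
    header "^Subject$" "We found a pile of cash we think is yours"
reject "Archive attachment with a suspicious name"
    body "file.*=.*document\.zip"
'''
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')   # double-quoted arguments, \" allowed inside

def parse_rules(text):  # -> [(reject_message, [(field, pattern, value_pattern_or_None), ...]), ...]
    rules = []
    for line in filter(str.strip, text.splitlines()):
        word, args = line.split(None, 1)[0], QUOTED.findall(line)
        if not line[0].isspace():                   # unindented line: a new action
            rules.append((args[0], []))
        else:                                       # indented line: condition of the last action
            value = re.compile(args[1], re.I) if word == 'header' else None
            rules[-1][1].append((word, re.compile(args[0], re.I), value))
    return rules

def condition_matches(cond, session):
    field, pat, value_pat = cond
    if field == 'header':       # header name AND header value must both match
        return any(pat.search(n) and value_pat.search(v) for n, v in session['headers'])
    return bool(pat.search(session[field]))     # connect / helo / envfrom / body text

def evaluate(rules, session):  # reject message of the first fully matching rule, or None to accept
    for message, conds in rules:
        if conds and all(condition_matches(c, session) for c in conds):
            return message
    return None

def session(connect, helo, envfrom, subject, body):
    # Constructed stand-in for what the milter sees at each SMTP stage, not real traffic.
    return {'connect': connect, 'helo': helo, 'envfrom': envfrom,
            'headers': [('From', envfrom), ('Subject', subject)], 'body': body}

RULES = parse_rules(RULES_TEXT)
# Rule 1 needs connect AND helo; PHISH only satisfies connect, so it is rule 2 that rejects it.
PHISH = session('mx1.orange.example', 'mail.legit.example', 'alerts@bank.example',
                'We found a pile of cash we think is yours', 'Dear customer, see attached.')
ZIPPED = session('relay.other.example', 'relay.other.example', 'hr@other.example',
                 'Your statement', 'Content-Disposition: attachment; filename="document.zip"')
CLEAN = session('mail.partner.example', 'mail.partner.example', 'bob@partner.example',
                'Lunch on Friday?', 'See you at noon.')
```

Running `evaluate(RULES, s)` for each constructed session shows PHISH and ZIPPED rejected by different rules and CLEAN accepted.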