* Cream[DONut] <[EMAIL PROTECTED]> [2003-08-25 01:46]:
> At 11:03 25-08-2003 +1200, you wrote:
> >You've seen several people ask why when they block .PIF/etc files, the fact
> >that the message contained a virus isn't detected. And you've seen the replies:
> >it's a design issue. The component that quarantines attachments runs before
> >the AV scanners do, and Q-S immediately cleans up and exits the moment a
> >single reason to quarantine is found.

> >Originally I had the order perlscanner->AV for performance reasons:
> >perlscanner has a much smaller overhead than the AVs. However, when I think
> >about this, it really doesn't matter. I mean, let's assume that 1% of all
> >your mail ends up quarantined (if we ignore the current SoBIG farce). Of
> >that 1% maybe 0.1% is blocked by attachment. Basically who cares about the
> >"extra load" it would cause:

> >Would anyone mind if Q-S ran the AVs first and perlscanner last? The upside
> >is that even if you block all PIF files, those with SoBIG would be reported
> >correctly instead of being "policy" quarantines.

> >I can't think of a real downside... Anyone else?

> >If I hear nothing, the next RC of 1.20 will have those two calls reversed.

> I think this would be a good idea,
[snip]

... and I would agree. The performance argument is certainly a good one,
but if I run perlscanner first *and* block PIF and others, I will end up
being called "admin of those badly configured mail systems that send out
notifications to forged envelope sender addresses". Part of the Sobig.f
annoyances indeed were those useless notifications. On the other hand,
telling a valid sender that his mail was contaminated and dropped is
useful where it makes sense (--silent-viruses). (I think, sender *or*
recipient should know that a mail got lost.)

As dropping PIF and friends with perlscanner is the more generic rule
over dropping well-known viruses with clamscan or some proprietary AV,
it should go last.

I have chosen another approach. After getting hundreds of Sobig.f mails
I installed Russ Nelson's viruscan patch to qmail. It will block some
95% of all mails with M$ OS executable content at smtp level. This is
fine with our company policy (use ZIP if sending binary files) and
catches most of the viruses. All mails that sneak through are fed to
some AV to catch the viruses and finally to perlscanner to enforce the
policy.

Result: The incoming rate of Sobig.f dropped from 5 per minute to 5 per
day (those were bounces *with* the attachment) before any AV/perlscanner
is called.

[Fighting spam I let rblsmtpd do the coarse work and SpamAssassin handles
what gets through.]

Best wishes,
Alex

-- 
Alex Pleiner
zeitform Internet Dienste         Fraunhoferstrasse 5
                                  64283 Darmstadt, Germany
http://www.zeitform.de            Tel.: +49 (0)6151 155-635
mailto:[EMAIL PROTECTED]        Fax:  +49 (0)6151 155-634
GnuPG/PGP Key-ID: 0x613C21EA
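The ordering argument in this thread, as an added example that is neither the thread's nor qmail-scanner's own code: a toy quarantine pipeline in which the same message is reported either as a "policy" quarantine or as a virus depending on which stage runs first, plus a notification decision modelled on the --silent-viruses idea Alex mentions. The stage functions, the byte-marker "AV", the blocked-extension list and the sample attachment are all constructed for illustration.

```python
# Added example (not from the thread or qmail-scanner): stage order decides
# what a blocked message is reported as, and hence who gets notified.
from dataclasses import dataclass

@dataclass
class Message:
    sender: str
    attachments: list  # list of (filename, bytes); constructed samples

# Constructed stand-in for an AV engine: a byte marker per "virus" name.
AV_SIGNATURES = {b"SOBIG-F-MARKER": "Sobig.F"}
# Constructed policy rule in the spirit of perlscanner: block by extension.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe"}

def av_stage(msg):
    """Return ('virus', name) if any attachment matches a signature."""
    for _, data in msg.attachments:
        for marker, name in AV_SIGNATURES.items():
            if marker in data:
                return ("virus", name)
    return None

def policy_stage(msg):
    """Return ('policy', filename) if an attachment has a blocked extension."""
    for fname, _ in msg.attachments:
        if any(fname.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS):
            return ("policy", fname)
    return None

def quarantine(msg, stages):
    """Run stages in order and, like Q-S, stop at the first reason found."""
    for stage in stages:
        reason = stage(msg)
        if reason:
            return reason
    return None

def notify_sender(reason, silent_viruses=("Sobig.F",)):
    """Approximation of --silent-viruses: a virus known to forge envelope
    senders gets no sender notification; a policy block does, since that
    sender is plausibly real and should learn the mail was dropped."""
    if reason is None:
        return False
    kind, detail = reason
    return not (kind == "virus" and detail in silent_viruses)

# Constructed sample: a .pif attachment carrying the fake virus marker.
SAMPLE = Message("someone@example.invalid",
                 [("your_details.pif", b"MZ...SOBIG-F-MARKER...")])

if __name__ == "__main__":
    for order in ([policy_stage, av_stage], [av_stage, policy_stage]):
        r = quarantine(SAMPLE, order)
        print([s.__name__ for s in order], "->", r, "notify:", notify_sender(r))
```

With perlscanner first the message is a "policy" quarantine and a notification goes to the (forged) sender; with the AV first it is reported as Sobig.F and stays silent.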


_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general