> From: Chuck Yerkes <[EMAIL PROTECTED]>
>
> Quoting John Rudd ([EMAIL PROTECTED]):
> > > From: Daniel Senie <[EMAIL PROTECTED]>
> > > Products which wish to filter spam or viruses
> > > REALLY should be built to "plug in" to mail clients via APIs.
> >
> > I disagree. The proper place to do spam and virus scanning is on the
> > server. Sure, if you want users to feel some form of warm fuzzy, they
> > should have the option to run it on the client (and once there, your
> > method might be right). But the best place to put it is on the server.
> > For one, it means that the client hasn't wasted bandwidth downloading
> > what may be huge amounts of bad data.
>
> No, it means you pay (without being able to charge through, often)
> for a large infrastructure upgrade because some of your customers
> are running virus runtime environments (Outbreak).
>
> Ever scan 50-100,000 message/hour?

We're in the 5-10k messages/hour ball park, 20k-ish users on our actual
systems, plus we relay for the entire campus (even more users). Our AV/AS
infrastructure, not including the AV software (which is the same cost
whether we use it on the servers or clients, since it's a site license)
cost us less than $8k (a pair of sunblade v150's running
mailscanner+sophos+spamassassin, currently only doing round-robin DNS
based load sharing). I wouldn't expect our solution to change much, except
in the number of SMTP servers we throw at it, for an increase of 10x the
number of messages. (our current systems could handle twice the load as it
is) Plus, we'd get a real load balancer. (though, if I had my druthers,
they'd be freebsd or xserve machines)

In fact, that's for our new AV/AS solution. Our AV solution cost
SIGNIFICANTLY less and requires much less hardware to work well. If we
were to move spamassassin somewhere else, those 2 sun blades could easily
scale up to the 50k range on just the virus scanning part (not sure about
the network interface bandwidth part). (our "AV without AS" solution ran
on 2 sun ultra-2's for that same group of traffic, and they were recycled
from our previous AFS file servers)

> Me? I use mutt mostly. It doesn't get viruses. More, I've
> been hindered from clients trying to send me viruses and
> had them blocked by our IT folks.
>
> Why do virus scanning on the end?

I don't get infected either. But it's annoying to wade through 100's or
thousands of virus or virus report messages. And it DOES impact the time
spent by my users (which translates to budget money wasted in all sorts of
ways when the users in question are faculty or staff). It also wastes our
disk space, slows down our POP server, etc. Better to eliminate the
viruses before they get to the POP server, much less the client.

> "By utilizing the massively distributed, mainly idle systems
> available we are able to be scale our anti-virus capabilities
> far being what we could do without spending 6 figures or more"

I would rather spend money on the servers, than waste the bandwidth and
processing time on my POP server and client networks. And, as I said, the
real number is in the low 5 figures, not 6 figures.

Besides, CPU time is cheap. Human time is expensive. Always reduce the
human time. (and the massively distributive solution you mention requires
a LOT of human time to be spent keeping it up to date and in use, where
the central approach requires less than 15 minutes of my time every 90
days)

(and that's low 5 figures for 20k users and 5-10k messages per hour, at
home it cost me _nothing_ to do the same thing on the house mail server)

If we were to scale up to 50-100k messages/hr, I would still expect to be
in the 5 figure range.

> Virus "attacks" usually come hard and fast at once.

Rarely. Usually it's a steady flow of about 2% of our overall mail
traffic. It is exceedingly rare that the virus traffic exceeds 5% of our
traffic, and even more rare that it actually makes a noticeable change in
our overall flow statistics. In fact, looking at the records, neither of
those have happened while we've been gathering the stats.

No, what has historically been the denial of service type problem is http
viruses taking up network bandwidth when they start trying to probe the
network for vulnerable systems. We have had no email viruses that made a
significant impact upon our network bandwidth since putting the server
side solution into place.

> Server scanning
> is a great way to do denial of service on yourself. Scan
> it on landing and those hundreds of 600MHz+ machine out there
> scan as the mail comes down.
>
> Given floppies, USB thumb drives, and CDs with Virii (thanks MS
> for that one), you must scan on the machine.

File-virus scanning isn't the same as mail-virus scanning, though.
Sure, we allow for both, and have the same software for both, but if you
wait for someone to scan their system (or their floppies, or the CDs,
etc.), they've probably already opened the mail message in question and
done their damage. If you require that they have a mail client that has
hooks, then you're dictating clients (bad IMO). And there's other problems
if you're requiring localhost proxies.

Further, doing it on the client depends upon reliable, intelligent,
diligent users (and/or departmental IT folks) keeping their client
machines up to date. In other words, doing it on the client means it
doesn't get done.

Since implementing a server based AV system, we've had almost zero
complaints of email virus infections. Before the server based solution,
while we also had another virus product on site license available to all
of our users for free, we were being regularly infected from both off
campus and on campus vectors. Most users weren't using it at all, or
weren't using it once it was installed, or weren't keeping it up to date.

These days, the only problems we see with email viruses are:

a) in the short window between when a new virus emerges and when sophos
   releases an update (though, often mailscanner's filename matching rules
   handle that), we might get a very few infections. Though, the
   complaints don't even make it to the IT discussion mailing list
   anymore.

b) users who use remote mail accounts, like hotmail ... and thus aren't
   going through our service. They end up being infected, and destroying
   their own data (and maybe launching an http virus), but they don't
   infect most other users because those other users are going through
   our SMTP servers.

I don't think I've had any user complaints about email viruses in quite a
long time. It used to be at least a few every month. Sometimes you'd even
get a mob of professors ... and that's not a pretty sight. And that was
all under the "do it on the client" method.

> It's WAY offtopic for QPopper, but commercial Sendmail (Inc)
> has anti-spam and anti-virus milters available for $$$$.

Mailscanner is free and rather easy to set up. It's not a milter though
(it's a dual mailqueue approach). Amavisd and Mimedefang, which are
milters, can work with various anti-virus packages and with spamassassin,
and are also free. There's also a package called "blackhole". I'm not sure
what mechanism it uses, but I'm pretty sure it's not a milter because it
works with multiple MTA's (not just sendmail).
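
Added example, not part of the original message and not MailScanner's own code or rule set: a Python sketch of server-side attachment filename matching, the kind of check the message credits with covering the window before a scanner signature update. The rule list, function names and sample messages are constructed for illustration; first matching rule wins.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed rule list for illustration (not MailScanner's shipped rules).
# First matching rule wins; a name that matches nothing is allowed.
RULES = [
    ("allow", re.compile(r"\.tar\.(gz|bz2)$", re.I), "common archive name"),
    ("deny", re.compile(r"\.(exe|scr|pif|com|bat|cmd|vbs)$", re.I),
     "executable extension"),
    ("deny", re.compile(r"\.(doc|xls|txt|jpg|pdf)\.[a-z0-9]{2,4}$", re.I),
     "document name with a second extension"),
]

def check_name(filename):
    """Return (action, reason) for one attachment filename."""
    for action, pattern, reason in RULES:
        if pattern.search(filename):
            return action, reason
    return "allow", "no rule matched"

def scan_message(raw):
    """Return [(filename, reason)] for every denied attachment in a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also reaches nested multipart parts
        name = part.get_filename()
        if name is None:
            continue
        action, reason = check_name(name.strip())
        if action == "deny":
            hits.append((name, reason))
    return hits

def disposition(raw):
    """Server-side decision, made before the message reaches the POP spool."""
    return "quarantine" if scan_message(raw) else "deliver"

def build_sample(*filenames):
    """Construct a test message with harmless placeholder attachments."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.org", "user@example.edu"
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    for fn in filenames:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=fn)
    return m.as_bytes()

if __name__ == "__main__":
    for names in (["notes.txt", "backup.tar.gz"], ["report.doc.pif"]):
        raw = build_sample(*names)
        print(names, disposition(raw), scan_message(raw))
```

Because the decision depends only on the attachment name, it works without a signature for the new virus; the trade-off is false positives on legitimate files, which is why the allow rule is placed ahead of the deny rules.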