Re: [Clamav-users] use of clamav-milter

2005-03-18 Thread Nigel Horne
On Thursday 17 Mar 2005 14:32, Nabin Limbu wrote:
> Hi,
> 
> What is the difference between using clamd only and clamd + clamav-milter
> with mailserver? What additional benefits do we get while using clamav-milter?

Security. On some platforms it will be more secure to have clamav-milter do
the scanning itself rather than pass the data (which can be sniffed) to an
external clamd. Furthermore, on some systems, you may find a performance
increase. It's up to you whether or not to use --external!
 
> Regards
> Nabin Limbu

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] use of clamav-milter

2005-03-17 Thread Dennis Peterson
Todd Lyons said:
> Dennis Peterson wanted us to know:
>
>>> Of the two processes (spam scanning and virus scanning), spam scanning is
>>> more resource-intensive (at least the way I do it) - so I virus scan
>>> first, and spam-scan second.
>>Interesting - that is exactly the opposite of my experiences so I'm
>>interested in knowing more about your content scanning tool. I don't use
>>Perl for this (or anything else) so I'm wondering if that may be a
>> factor.
>
> Possibly.  Using spamassassin in daemon mode with spamass-milter.
>
>>But yes, no point in double-damning a message when once will do, and I
>>guess that was my point, and clearly the most efficient method should be
>>first.
>
> When a milter is configured to reject at the SMTP level, it never gets
> to the second milter in the chain.  So if clamav-milter detects a virus,
> the CPU intensive content scanning process never sees the message (hence
> much lower load).

In the case of my systems I have but one milter that handles both spam and
AV, and it's optimized to least-load priorities. It's also worth observing
that as a consequence I have but one milter entry in sendmail.cf and one
set of timeouts to fuss over, and I only mention it for any interested
parties who are pondering over such things.

>
> The amount of time that clamav spends chomping on an email is typically
> less than 1 second.  The amount of time that spamassassin spends
> chomping on an email is typically about 2 seconds.  So ~33% time (or
> less) for clamav and ~66% time (or more) for spamassassin.  This
> information gleaned from averages in my maillogs.

A bit of background is helpful - in my environment we deal with huge image
files as that is what we sell and receive, so we possibly are more
large-attachment oriented than some businesses. I test both incoming and
outgoing messages and attachments because I believe it is the most
internet friendly policy, and that also runs up our server loads. I avoid
some of that by scanning the content first. So as always, ymmv, batteries
not included, cake will not be served, defend yourself at all times,
yaddah yaddah.

dp



Re: [Clamav-users] use of clamav-milter

2005-03-17 Thread Todd Lyons
[EMAIL PROTECTED] wanted us to know:

>> When a milter is configured to reject at the SMTP level, it never gets
>> to the second milter in the chain.  So if clamav-milter detects a
>> virus, the CPU intensive content scanning process never sees the
>> message (hence much lower load).
>Your site policies and your data patterns also come into play.  If you
>get lotsa spam and hardly any viruses it may make sense to spam-scan
>first anyway.  We reject viruses but accept spam (tagged so users can
>have a "junk email" folder) so - for us - data patterns don't enter
>into it.

Yes, we're writing a quarantine program and will require spamassassin to
allow the emails through as well.  Good to see that this is a standard
way of doing things.

-- 
Regards...  Todd
They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety.   --Benjamin Franklin
Linux kernel 2.6.8.1-12mdkenterprise   1 user,  load average: 0.00, 0.01, 0.00


RE: [Clamav-users] use of clamav-milter

2005-03-17 Thread Matthew.van.Eerde
Todd Lyons wrote:
> Dennis Peterson wanted us to know:
>> But yes, no point in double-damning a message when once will do, and
>> I guess that was my point, and clearly the most efficient method
>> should be first.
> 
> When a milter is configured to reject at the SMTP level, it never gets
> to the second milter in the chain.  So if clamav-milter detects a
> virus, the CPU intensive content scanning process never sees the
> message (hence much lower load).

Your site policies and your data patterns also come into play.  If you get 
lotsa spam and hardly any viruses it may make sense to spam-scan first anyway.  
We reject viruses but accept spam (tagged so users can have a "junk email" 
folder) so - for us - data patterns don't enter into it.

For the record, we use MIMEDefang + SpamAssassin to spam-scan.  Each MIMEDefang 
thread has its own SpamAssassin object which is quite big.  I've been toying 
with the idea of writing a SpamAssassin::Client module to emulate spamc, but 
haven't done anything serious with it.  I know someone else got a working 
prototype together.

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg," 
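
Added example, not part of any poster's message: the ordering argument in this thread as a small cost model. It uses the scan times quoted in the thread (about 1 s for clamav, about 2 s for spamassassin); the traffic mix, the independence of the two verdicts and all function names are assumptions made for illustration, and `order_by_ratio` generalizes the two-milter case to a chain of any length.

```python
from itertools import permutations

# Scan times quoted in the thread (maillog averages, seconds per message).
CLAMAV_SECS, SPAMASSASSIN_SECS = 1.0, 2.0

def expected_cost(chain):
    """Mean scan seconds per message for an ordered chain of
    (name, secs, p_reject) stages. A stage that rejects at SMTP time
    stops the chain, so later stages only run on surviving mail.
    Assumes the stages' verdicts are independent."""
    total, p_reach = 0.0, 1.0
    for _name, secs, p_reject in chain:
        total += p_reach * secs
        p_reach *= 1.0 - p_reject
    return total

def best_order(stages):
    """Brute-force the cheapest ordering (fine for a handful of milters)."""
    return [s[0] for s in min(permutations(stages), key=expected_cost)]

def order_by_ratio(stages):
    """Same answer without brute force: run the stage with the lowest
    cost per rejected message first. A stage that never rejects
    (tag-only policy) sorts last."""
    def ratio(stage):
        _name, secs, p_reject = stage
        return secs / p_reject if p_reject > 0 else float("inf")
    return [s[0] for s in sorted(stages, key=ratio)]

# Constructed traffic mix (not from the thread): 5% viruses, 60% spam.
VIRUS_RATE, SPAM_RATE = 0.05, 0.60

# Policy 1: both milters reject at SMTP time.
reject_both = [("clamav", CLAMAV_SECS, VIRUS_RATE),
               ("spamassassin", SPAMASSASSIN_SECS, SPAM_RATE)]
# Policy 2: viruses rejected, spam only tagged (never short-circuits).
tag_spam = [("clamav", CLAMAV_SECS, VIRUS_RATE),
            ("spamassassin", SPAMASSASSIN_SECS, 0.0)]

if __name__ == "__main__":
    for label, stages in (("reject both", reject_both), ("tag spam", tag_spam)):
        for chain in permutations(stages):
            names = " -> ".join(s[0] for s in chain)
            print(f"{label:12} {names:26} {expected_cost(chain):.2f} s/msg")
        print(f"{label:12} cheapest: {best_order(stages)}")
```

With these scan times and both milters rejecting, spam-first is cheaper only when the spam reject rate is more than twice the virus reject rate; when spam is tagged rather than rejected, virus-first is cheaper for any mix.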


Re: [Clamav-users] use of clamav-milter

2005-03-17 Thread Todd Lyons
Dennis Peterson wanted us to know:

>> Of the two processes (spam scanning and virus scanning), spam scanning is
>> more resource-intensive (at least the way I do it) - so I virus scan
>> first, and spam-scan second.
>Interesting - that is exactly the opposite of my experiences so I'm
>interested in knowing more about your content scanning tool. I don't use
>Perl for this (or anything else) so I'm wondering if that may be a factor.

Possibly.  Using spamassassin in daemon mode with spamass-milter.

>But yes, no point in double-damning a message when once will do, and I
>guess that was my point, and clearly the most efficient method should be
>first.

When a milter is configured to reject at the SMTP level, it never gets
to the second milter in the chain.  So if clamav-milter detects a virus,
the CPU intensive content scanning process never sees the message (hence
much lower load).

The amount of time that clamav spends chomping on an email is typically
less than 1 second.  The amount of time that spamassassin spends
chomping on an email is typically about 2 seconds.  So ~33% time (or
less) for clamav and ~66% time (or more) for spamassassin.  This
information gleaned from averages in my maillogs.
-- 
Regards...  Todd
They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety.   --Benjamin Franklin
Linux kernel 2.6.8.1-12mdkenterprise   1 user,  load average: 0.08, 0.09, 0.02


RE: [Clamav-users] use of clamav-milter

2005-03-17 Thread Dennis Peterson
[EMAIL PROTECTED] said:
> Dennis Peterson wrote:
>> It is frequently most efficient to test for spam content prior to scanning
>> for viruses - there is no point in virus scanning a file if it has
>> failed a spam content test. That's more than you asked but not bad to
>> know.
>
> The reverse is also true.  There is no point in spam scanning a file if it
> has been identified as a virus.
>
> Of the two processes (spam scanning and virus scanning), spam scanning is
> more resource-intensive (at least the way I do it) - so I virus scan
> first, and spam-scan second.

Interesting - that is exactly the opposite of my experiences so I'm
interested in knowing more about your content scanning tool. I don't use
Perl for this (or anything else) so I'm wondering if that may be a factor.
But yes, no point in double-damning a message when once will do, and I
guess that was my point, and clearly the most efficient method should be
first.

dp


Re: [Clamav-users] use of clamav-milter

2005-03-17 Thread Todd Lyons
[EMAIL PROTECTED] wanted us to know:

>Dennis Peterson wrote:
>> It is frequently most efficient to test for spam content prior to scanning
>> for viruses - there is no point in virus scanning a file if it has
>> failed a spam content test. That's more than you asked but not bad to
>> know. 
>The reverse is also true.  There is no point in spam scanning a file if
>it has been identified as a virus.  Of the two processes (spam scanning
>and virus scanning), spam scanning is more resource-intensive (at least
>the way I do it) - so I virus scan first, and spam-scan second.

I second that.   When I changed my system to av scan before spam, my
load dropped by about 40%.
-- 
Regards...  Todd
There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo.  Please use in that order. --Ed Howdershelt
Linux kernel 2.6.8.1-12mdkenterprise   1 user,  load average: 0.00, 0.00, 0.00


RE: [Clamav-users] use of clamav-milter

2005-03-17 Thread Matthew.van.Eerde
Dennis Peterson wrote:
> It is frequently most efficient to test for spam content prior to scanning
> for viruses - there is no point in virus scanning a file if it has
> failed a spam content test. That's more than you asked but not bad to
> know. 

The reverse is also true.  There is no point in spam scanning a file if it has 
been identified as a virus.

Of the two processes (spam scanning and virus scanning), spam scanning is more 
resource-intensive (at least the way I do it) - so I virus scan first, and 
spam-scan second.

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg," 


Re: [Clamav-users] use of clamav-milter

2005-03-17 Thread Dennis Peterson
Nabin Limbu said:
> Hi,
>
> What is the difference between using clamd only and clamd + clamav-milter
> with mailserver? What additional benefits do we get while using clamav-milter?
>
> Regards
> Nabin Limbu

The milter is the component that communicates with both the SMTP server
and the clamav scanner. To handle mail scanning in real time this
component has to exist in some form. Milters are closely associated with
Sendmail and the libmilter library they provide.

There are several products that can run in place of the clamav-milter
code, so you have choices. Some of those choices include spam content and
spammer behavior filters in addition to invoking ClamAV. It is frequently
most efficient to test for spam content prior to scanning for viruses -
there is no point in virus scanning a file if it has failed a spam content
test. That's more than you asked but not bad to know.

dp


Re: [Clamav-users] use of clamav-milter

2005-03-17 Thread Ken Jones

> Hi,
>
> What is the difference between using clamd only and clamd + clamav-milter
> with mailserver? What additional benefits do we get while using clamav-milter?
>

Clamav-milter is a "milter" interface for sendmail. Although not the only
way to interface clam with a host running sendmail, it is probably the
most common. Read the documentation for a further description.

> Regards
> Nabin Limbu


-- 
Ken Jones




[Clamav-users] use of clamav-milter

2005-03-17 Thread Nabin Limbu
Hi,

What is the difference between using clamd only and clamd + clamav-milter with
mailserver? What additional benefits do we get while using clamav-milter?

Regards
Nabin Limbu
