Re: migrating from clamav before mta to SA ClamAV plugin experiences

2007-07-24 Thread Matus UHLAR - fantomas
  what does clamav checking in that scanner do then? It should call clamdscan
  asap (before SA) and when a virus is found, the mail should be immediately
  rejected, the same way it's rejected when SA tells so.

On 23.07.07 20:31, Robert - eLists wrote:
 It quarantines and notifies admin via email. Real PAIN
 
 If you read the post it says I don't know how to do it the other way nor
 have I figured out how to do it yet if ever.

looking at the perl sources could help, if you can (at least try to)
understand perl. What I remember about qmail is that it can not pass the
error string from filtering module to the client, but maybe you use
different (patched) smtp daemon for qmail?

 Hence the post to the SA list regarding integrating clamav into SA functions
 for scoring so I can reject the mail based upon high score.

Of course. But I think you should try to find better way, and if something
can reject the mail because it's spam, then something can reject the mail
because it's a virus.

I may recommend you switching to another MTA, maybe courier which is very
close to qmail the way it works, but postfix and sendmail are good too, if
you know how to configure them...,

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
My mind is like a steel trap - rusty and illegal in 37 states. 
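
The point made in the message above (whatever can reject at SMTP time for spam can do the same for a virus), as an added example that is not part of the thread and is not qmail-scanner's code. It assumes a qmail built with the QMAILQUEUE patch, a running clamd, and the stock `/var/qmail/bin/qmail-queue` path; the function names are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): scan at SMTP time and answer with a
# qmail-queue exit code instead of quarantining.
# clamdscan exit status: 0 = clean, 1 = virus found, 2 = scanner error.
# qmail-queue exit codes: 0 = accepted, 31 = permanently rejected,
# 71 = temporarily rejected.

# Assumptions: clamd is running; stock qmail install path.
SCANNER=${SCANNER:-"clamdscan --no-summary -"}   # "-" makes clamdscan read stdin
REAL_QUEUE=${REAL_QUEUE:-/var/qmail/bin/qmail-queue}

# Translate the scanner's exit status into the code handed back to the SMTP daemon.
verdict_to_exit() {
    case "$1" in
        0) echo 0 ;;    # clean: hand the message to the real queue
        1) echo 31 ;;   # infected: permanent rejection, nothing is queued or bounced locally
        *) echo 71 ;;   # scanner error or missing: client retries later, never fail open
    esac
}

# $1 = file holding the message; prints the qmail-queue style exit code.
scan_message() {
    rc=0
    $SCANNER < "$1" >/dev/null 2>&1 || rc=$?
    verdict_to_exit "$rc"
}

# Body of a QMAILQUEUE replacement: message arrives on fd 0, envelope on fd 1.
queue_wrapper() {
    msg=$(mktemp) || return 71
    cat > "$msg"                              # spool so it can be scanned, then re-fed
    code=$(scan_message "$msg")
    if [ "$code" -eq 0 ]; then
        "$REAL_QUEUE" < "$msg" || code=$?     # fd 1 (envelope) is inherited untouched
    fi
    rm -f "$msg"
    return "$code"
}

# When installed as the QMAILQUEUE program, finish the script with:
#   queue_wrapper; exit $?
```
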


Re: migrating from clamav before mta to SA ClamAV plugin experiences

2007-07-23 Thread Matus UHLAR - fantomas
  which MTA are you using? The clamav plugin should reject the e-mail the
  same way SA plugin does that (with much less CPU time spent)

On 22.07.07 15:32, Robert - eLists wrote:
 Uhlar

... and I thought that spelling my surname in capitals would preserve me from
this title ... :)

 I use qmail-scanner-queue.pl, clamav, spamassassin and qmail
 
 I can reject spam over a certain scoring threshold this way, yet I have not
 figured out a way to just reject email based upon having a virus signature
 per clamav.

what does clamav checking in that scanner do then? It should call clamdscan
asap (before SA) and when a virus is found, the mail should be immediately
rejected, the same way it's rejected when SA tells so.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
A day without sunshine is like, night.


Re: migrating from clamav before mta to SA ClamAV plugin experiences

2007-07-23 Thread Nigel Frankcom
On Mon, 23 Jul 2007 11:08:47 +0200, Matus UHLAR - fantomas
[EMAIL PROTECTED] wrote:

  which MTA are you using? The clamav plugin should reject the e-mail the
  same way SA plugin does that (with much less CPU time spent)

On 22.07.07 15:32, Robert - eLists wrote:
 Uhlar

... and I thought that spelling my surname in capitals would preserve me from
this title ... :)

 I use qmail-scanner-queue.pl, clamav, spamassassin and qmail
 
 I can reject spam over a certain scoring threshold this way, yet I have not
 figured out a way to just reject email based upon having a virus signature
 per clamav.

what does clamav checking in that scanner do then? It should call clamdscan
asap (before SA) and when a virus is found, the mail should be immediately
rejected, the same way it's rejected when SA tells so.

Umm, I may be missing the point here, but SA doesn't bounce mail, it
just scores it. Considering the time that can be taken up with various
scans it's not really feasible to hold open the smtp connection that
long, so even if it could, bouncing may well not work. You then hit
the problem that the chances of the sending address being legit are
pretty low. So some poor sod is going to cop umpteen gazzilion bounce
messages.

I use a simpler solution here. If you send an email that gets tagged
as a virus by any of the av scanners your IP address is put into a
blocklist for a set period. The thought behind this is that viruses
very rarely come in one at a time; if a host is infected it will send
again and again.

The blocking is done at MTA level.

HTH

Nigel


Re: migrating from clamav before mta to SA ClamAV plugin experiences

2007-07-23 Thread Matus UHLAR - fantomas
 On 22.07.07 15:32, Robert - eLists wrote:
  I use qmail-scanner-queue.pl, clamav, spamassassin and qmail
  
  I can reject spam over a certain scoring threshold this way, yet I have not
  figured out a way to just reject email based upon having a virus signature
  per clamav.

 On Mon, 23 Jul 2007 11:08:47 +0200, Matus UHLAR - fantomas
 [EMAIL PROTECTED] wrote:
 what does clamav checking in that scanner do then? It should call clamdscan
 asap (before SA) and when a virus is found, the mail should be immediately
 rejected, the same way it's rejected when SA tells so.

On 23.07.07 10:19, Nigel Frankcom wrote:
 Umm, I may be missing the point here,

you seem to be :-)

 but SA doesn't bounce mail, it just scores it.

however according to his information, his qmail queue scanner rejects the
mail if it's spam, but not if it's virus (which is sick and a bug imho)

 Considering the time that can be taken up with various
 scans it's not really feasible to hold open the smtp connection that
 long,

should not be a problem if scanning does not count more than ~4 minutes
(after 5 minutes many clients close connection and re-try, which results
into a multiple mail delivery).

 I use a simpler solution here. If you send an email that gets tagged
 as a virus by any of the av scanners your IP address is put into a
 blocklist for a set period. The thought behind this is that viruses
 very rarely come in one at a time; if a host is infected it will send
 again and again.

this solution can be done as additional to, but imho should not be done
instead of, virus checking.
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
42.7 percent of all statistics are made up on the spot. 


Re: migrating from clamav before mta to SA ClamAV plugin experiences

2007-07-23 Thread Nigel Frankcom
On Mon, 23 Jul 2007 11:32:21 +0200, Matus UHLAR - fantomas
[EMAIL PROTECTED] wrote:

 On 22.07.07 15:32, Robert - eLists wrote:
  I use qmail-scanner-queue.pl, clamav, spamassassin and qmail
  
  I can reject spam over a certain scoring threshold this way, yet I have not
  figured out a way to just reject email based upon having a virus signature
  per clamav.

 On Mon, 23 Jul 2007 11:08:47 +0200, Matus UHLAR - fantomas
 [EMAIL PROTECTED] wrote:
 what does clamav checking in that scanner do then? It should call clamdscan
 asap (before SA) and when a virus is found, the mail should be immediately
 rejected, the same way it's rejected when SA tells so.

On 23.07.07 10:19, Nigel Frankcom wrote:
 Umm, I may be missing the point here,

you seem to be :-)

 but SA doesn't bounce mail, it just scores it.

however according to his information, his qmail queue scanner rejects the
mail if it's spam, but not if it's virus (which is sick and a bug imho)

 Considering the time that can be taken up with various
 scans it's not really feasible to hold open the smtp connection that
 long,

should not be a problem if scanning does not count more than ~4 minutes
(after 5 minutes many clients close connection and re-try, which results
into a multiple mail delivery).

 I use a simpler solution here. If you send an email that gets tagged
 as a virus by any of the av scanners your IP address is put into a
 blocklist for a set period. The thought behind this is that viruses
 very rarely come in one at a time; if a host is infected it will send
 again and again.

this solution can be done as additional to, but imho should not be done
instead of, virus checking.

Ahh - it's not unheard of for me to miss the salient points :-)

I don't think bouncing spam is such a good idea though, just my
opinion, but it rarely originates from wherever it *says* it
originates from. 

As far as AV scanning is concerned here, all mail that gets past the
mta gets checked. My mta does various blocks and greylistings based on
previous emails sent. This does throw up a very few fp's but in
several years of running clam and 5 years plus of running my other
virus scanners it's never happened with a virus. Still, never say
never, it's bound to bite me in the ass one day. :-)

Kind regards

Nigel



Re: migrating from clamav before mta to SA ClamAV plugin experiences

2007-07-23 Thread Matus UHLAR - fantomas
 On Mon, 23 Jul 2007 11:32:21 +0200, Matus UHLAR - fantomas
 [EMAIL PROTECTED] wrote:
 however according to his information, his qmail queue scanner rejects the
 mail if it's spam, but not if it's virus (which is sick and a bug imho)

On 23.07.07 10:59, Nigel Frankcom wrote:
 Ahh - it's not unheard of for me to miss the salient points :-)

and I'm afraid you missed it again :-)

 I don't think bouncing spam is such a good idea though, just my
 opinion, but it rarely originates from wherever it *says* it
 originates from. 

(at least I hope) it does not bounce, but reject the spam. The bounce is on
sending side, which is, for most of the cases, the infected machine, and
viruses do not generate bounces... (at least I don't know of any)

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Remember half the people you know are below average. 


Re: migrating from clamav before mta to SA ClamAV plugin experiences

2007-07-23 Thread Shane Williams

There are a number of qmail specific programs that use clamav other
than qmail-scanner (which, based on a quick skim of their page,
doesn't seem to support SMTP-time rejection).  The ClamAV website has
several alternatives, a couple of which appear to do SMTP-time
rejection, listed at
http://www.clamav.net/download/third-party-tools/3rdparty-mta/

Hope that helps...

On Sun, 22 Jul 2007, Robert - eLists wrote:



Would anyone care to share their experiences of migrating from having their
pre MTA program handoff to clamav for email virus scanning changed to doing
it with the SA ClamAV plugin way ???

The reason I am thinking about migrating and doing it with the SA ClamAV
plugin way is that I can just reject the email at the SMTP level instead of
storing it as a quarantine...

Well, at least I haven't figured out how to do smtp reject the other way
yet.

Thanks in advance

- rh



--
Public key #7BBC68D9 at| Shane Williams
http://pgp.mit.edu/|  System Admin - UT iSchool
=--+---
All syllogisms contain three lines |  [EMAIL PROTECTED]
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew


RE: migrating from clamav before mta to SA ClamAV plugin experiences

2007-07-23 Thread Robert - eLists

Nigel

SA integrated via qmail-scanner-queue.pl allows smtp rejection based upon
score thresholds

 - rh



RE: migrating from clamav before mta to SA ClamAV plugin experiences

2007-07-23 Thread Robert - eLists

 
 what does clamav checking in that scanner do then? It should call clamdscan
 asap (before SA) and when a virus is found, the mail should be immediately
 rejected, the same way it's rejected when SA tells so.
 

Matus

It quarantines and notifies admin via email. Real PAIN

If you read the post it says I don't know how to do it the other way nor
have I figured out how to do it yet if ever.

Hence the post to the SA list regarding integrating clamav into SA functions
for scoring so I can reject the mail based upon high score.

 - rh




Re: migrating from clamav before mta to SA ClamAV plugin experiences

2007-07-22 Thread Matus UHLAR - fantomas
On 22.07.07 13:16, Robert - eLists wrote:
 Would anyone care to share their experiences of migrating from having their
 pre MTA program handoff to clamav for email virus scanning changed to doing
 it with the SA ClamAV plugin way ???
 
 The reason I am thinking about migrating and doing it with the SA ClamAV
 plugin way is that I can just reject the email at the SMTP level instead of
 storing it as a quarantine...
 
 Well, at least I haven't figured out how to do smtp reject the other way
 yet.

which MTA are you using? The clamav plugin should reject the e-mail the same
way SA plugin does that (with much less CPU time spent)

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
They say when you play that M$ CD backward you can hear satanic messages.
That's nothing. If you play it forward it will install Windows.


RE: migrating from clamav before mta to SA ClamAV plugin experiences

2007-07-22 Thread Robert - eLists
 
 which MTA are you using? The clamav plugin should reject the e-mail the same
 way SA plugin does that (with much less CPU time spent)
 

Uhlar

I use qmail-scanner-queue.pl, clamav, spamassassin and qmail

I can reject spam over a certain scoring threshold this way, yet I have not
figured out a way to just reject email based upon having a virus signature
per clamav.

So, I thought I would remove clamav from qmail-scanner-queue.pl and let
clamav be called from the SA ClamAV Plugin...

This way I can reject the email once it scores over a certain threshold and
not have it handled by quarantine etc.

 - rh