On 8/25/2020 2:29 PM, Benny Pedersen wrote:
> maybe make clamav sigs ?

Benny,
Thanks for your other suggestions - those are worth exploring.
Also - the Clamav Sigs is not a bad idea - but even besides the fact
that (like SA rules), Clamav is content filtering and not at the
SMTP-Envelope level - Clamav doesn't tend to have nearly AS fast of a
turnaround time as do DNSBLs.
In a previous message, someone was disappointed that we missed one, and
it turns out our 24-second turnaround time on that message (from the
start of the SMTP connection - to being fully deployed in the data) was
a contributing factor. We now have a plan to shorten that 24 seconds to
about 4 seconds AND (for invaluement subscribers) - we have a "push"
technology that is available now where those invaluement subscribers who
opt for this feature (no extra charge!) - can get a split second
notification to run their RSYNC just 1 second after the file updates -
and we do that already for our direct query servers. So there is an
option (once implemented!) to potentially get these FULLY
DISTRIBUTED within about 8 seconds from the start of the SMTP connection
of the first such spam received - to being FULLY deployed on DNS servers
(both our own direct query servers - and our RSYNC subscribers' internal
rbldnsd servers) - that will be AMAZING. I expect to be there within a
week from now. Something like clamav just can't even begin to compete
with that fast of a turnaround. But ClamAv rules may still be a good way
to get this implemented for many.
Someone else mentioned one that was completely off of our radar - but
we're about to double the coverage of these in terms of mailboxes and
traps used for this purpose - so that will help further minimize our
"blind spots".
--
Rob McEwen
https://www.invaluement.com
+1 (478) 475-9032