On Tue, 29 Aug 2006 13:23:47 +0200, Jürgen Ladstätter <[EMAIL PROTECTED]>
wrote:

>it does the following when it finds a virus:
>
>} elsif($code eq 'FOUND') {
>    Mail::SpamAssassin::Plugin::dbg("ClamAV: Detected virus: $virus");
>    $header = "Yes ($virus)";
>    $isspam = 1;
>
>so it adds a flag for SA

Ahh - thanks; our usage is different. Our MTA calls clamd, assuming
the file is clean it passes it to SA, assuming that is clean it passes
it to McAfee, assuming that is clean it passes it to Sophos. Any
failure along the way halts the process at that point. Hence my
initial confusion.

The PM sounds good, but I think I'll stick with our current process,
it's proven very efficient. Any IP that sends a virus is auto-banned
for 24 hours. This is based on the experience that viruses rarely come
in singly; usually they are fired in again and again from the same
infected host. The logic behind the 24 hour ban is to reduce load on
the scanning systems whilst giving an infected user a chance to clean
up. That said, more often than not I see the same IPs getting
immediately re-banned after the 24 hour period.

Kind regards

Nigel
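
The sequential scan chain and 24-hour virus-sender ban described in the message above, sketched as an added example; it is not code from the original thread or from the poster's mail system. The class and function names, the marker strings and the stand-in scanner functions are assumptions constructed for illustration, and the clock is injectable so ban expiry can be exercised without waiting.

```python
import time

BAN_SECONDS = 24 * 60 * 60  # the 24 hour ban described in the message


class ScanChain:
    """Run scanners in order, stop at the first failure, ban virus senders."""

    def __init__(self, stages, clock=time.time):
        # stages: list of (name, is_virus_stage, scan_fn); scan_fn returns a
        # detection name, or None when the message is clean.
        self.stages = stages
        self.clock = clock
        self.banned_until = {}  # ip -> expiry timestamp
        self.ban_count = {}     # ip -> number of bans, to spot repeat senders
        self.calls = {name: 0 for name, _, _ in stages}  # scanner load

    def is_banned(self, ip):
        # A ban lapses once the clock reaches its expiry time.
        return self.clock() < self.banned_until.get(ip, 0)

    def handle(self, ip, message):
        if self.is_banned(ip):
            return ("rejected-banned", None)  # no scanner is invoked at all
        for name, is_virus_stage, scan in self.stages:
            self.calls[name] += 1
            hit = scan(message)
            if hit is not None:
                if is_virus_stage:  # only virus detections trigger a ban
                    self.banned_until[ip] = self.clock() + BAN_SECONDS
                    self.ban_count[ip] = self.ban_count.get(ip, 0) + 1
                return ("rejected-" + name, hit)  # later stages never run
        return ("accepted", None)


# Constructed stand-ins for the real scanners: each flags a marker string.
def marker_scanner(marker, label):
    return lambda msg: label if marker in msg else None


def build_chain(clock=time.time):
    # Stage order as given in the message: clamd, SA, McAfee, Sophos.
    return ScanChain([
        ("clamd", True, marker_scanner(b"TEST-VIRUS-A", "Test.Virus.A")),
        ("spamassassin", False, marker_scanner(b"TEST-SPAM", "spam")),
        ("mcafee", True, marker_scanner(b"TEST-VIRUS-B", "Test.Virus.B")),
        ("sophos", True, marker_scanner(b"TEST-VIRUS-C", "Test.Virus.C")),
    ], clock)
```

The `calls` counters show the load saved by the ban, and `ban_count` surfaces hosts that are re-banned as soon as a ban lapses.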
