On Tue, 29 Aug 2006 13:23:47 +0200, Jürgen Ladstätter <[EMAIL PROTECTED]> wrote:
>it does the following when it finds a virus:
>
>} elsif($code eq 'FOUND') {
>    Mail::SpamAssassin::Plugin::dbg("ClamAV: Detected virus: $virus");
>    $header = "Yes ($virus)";
>    $isspam = 1;
>
>so it adds a flag for SA

Ahh - thanks; our usage is different. Our MTA calls clamd; assuming the file is clean, it passes it to SA; assuming that is clean, it passes it to McAfee; assuming that is clean, it passes it to Sophos. Any failure along the way halts the process at that point. Hence my initial confusion.

The PM sounds good, but I think I'll stick with our current process; it's proven very efficient.

Any IP that sends a virus is auto-banned for 24 hours. This is based on the experience that viruses rarely come in singly; usually they are fired in again and again from the same infected host. The logic behind the 24 hour ban is to reduce load on the scanning systems whilst giving an infected user a chance to clean up. That said, more often than not I see the same IPs getting immediately re-banned after the 24 hour period.

Kind regards

Nigel
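
The fail-fast scanning chain and 24 hour ban described in the message above, sketched as an added example that is not part of the original post or the poster's MTA configuration. The class, the stand-in scanners, the sample markers and the rule that only virus stages (not SpamAssassin) trigger a ban are assumptions for illustration.

```python
import time
from typing import Callable, Dict, List, Optional, Tuple

BAN_SECONDS = 24 * 60 * 60  # the 24 hour ban from the message
# A scanner returns a detection name, or None when the message is clean.
Scanner = Callable[[bytes], Optional[str]]

class FailFastPipeline:
    """Run stages in order, halt at the first hit, ban IPs that send a virus."""
    def __init__(self, stages: List[Tuple[str, Scanner, bool]], clock=time.time):
        self.stages = stages          # (name, scanner, hit_means_virus)
        self.clock = clock            # injectable so expiry can be tested
        self.banned_until: Dict[str, float] = {}

    def is_banned(self, ip: str) -> bool:
        expiry = self.banned_until.get(ip)
        if expiry is not None and self.clock() >= expiry:
            del self.banned_until[ip]  # ban lapsed, host gets another chance
            expiry = None
        return expiry is not None

    def handle(self, ip: str, msg: bytes) -> Tuple[str, List[str]]:
        """Return (verdict, names of the stages that actually ran)."""
        if self.is_banned(ip):
            return "rejected: banned", []   # no scanner load at all
        ran: List[str] = []
        for name, scan, is_virus_stage in self.stages:
            ran.append(name)
            hit = scan(msg)
            if hit is None:
                continue
            if is_virus_stage:  # assumption: only virus hits ban, spam does not
                self.banned_until[ip] = self.clock() + BAN_SECONDS
            return f"rejected: {name} ({hit})", ran  # later stages never run
        return "accepted", ran

def marker_scanner(marker: bytes, label: str) -> Scanner:
    """Constructed stand-in for a real engine: flags messages containing marker."""
    return lambda msg: label if marker in msg else None

def build_demo(clock=time.time) -> FailFastPipeline:
    # Stage order from the message: clamd, SpamAssassin, McAfee, Sophos.
    return FailFastPipeline([
        ("clamd", marker_scanner(b"SAMPLE-A", "Constructed.Sample.A"), True),
        ("spamassassin", marker_scanner(b"SAMPLE-SPAM", "spam"), False),
        ("mcafee", marker_scanner(b"SAMPLE-B", "Constructed.Sample.B"), True),
        ("sophos", marker_scanner(b"SAMPLE-C", "Constructed.Sample.C"), True),
    ], clock)
```

The list of stages that ran makes the load saving visible: a banned IP costs zero scans, and a host that is still infected when the ban lapses is caught again by the first stage.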