On 7/29/2011 3:08 PM, Adam Moffett wrote:
> On 07/29/2011 02:13 PM, Kelson Vibber wrote:
> > > Also, to complete the system, I recall there were some AV-mailets
> > > at the age. If possible use them before SA to catch message
> > > carrying viruses.
> > Absolutely - we've got ClamAV running first, before anything touches
> > SA, and using some of the SaneSecurity signature sets to catch
> > additional malware.
> I've often mused about which should run first, but never did any sort
> of testing. Is it pretty much the general consensus that it's less
> wasteful for the AV to scan the spam than to have SA scan the malware?

It depends on your setup and, more importantly, your ability to feed
mail back into Bayes. For my last setup, the filter sat in front of
customer-hosted servers, which left no easy feed back into Bayes. As a
result, I had to use autolearn on a carefully maintained filter. In my
case, Bayes performed extraordinarily better when run prior to clam
(with SaneSecurity) due to seeing the bad mail. I'd done the opposite
for some time before testing this, and needed to retrain the database
more often than I cared to, because it thought everything was ham. I
never saw a performance hit on a 1 million/day server, but the Bayes
accuracy was far better.
$.02
--
/Jason