On 2015-01-11 at 04:49, Reindl Harald wrote:
>
> On 10.01.2015 at 22:07, Marcin Mirosław wrote:
>> On 2015-01-10 at 15:27, Reindl Harald wrote:
>>>
>>> On 10.01.2015 at 15:19, David Flanigan wrote:
>>>> Is anyone using the Malware Patrol 3rd party SpamAssassin rules
>>>> (https://www.malwarepatrol.net/index.shtml)?
>>>>
>>>> I have downloaded and looked them over and, in concept, they look
>>>> pretty good.
>>>>
>>>> However the cf file is over 8.5 megs (yes, megs) in size. By far the
>>>> biggest ruleset I have. I cannot think this would do good things for
>>>> performance.
>>>>
>>>> Any experience, comments, etc.?
>>>
>>> 8.5 MB of SA rules is crazy
>>>
>>> that really belongs in clamav directly after SA, because SA eats more
>>> http://sanesecurity.com/usage/signatures/
>>
>> Imho clamav needs less CPU power than SA (and needs less time to scan
>> email), so I think it's better to use clamav before SA
>
> that is true *but* after a few months it turned out that ClamAV doesn't
> catch that much mail which was killed by the SA milter after it, and so
> 90% of all messages need to pass both - for the overall system it
> makes more sense to have SA in front
I forgot one important thing: I'm using unofficial rules for ClamAV. My stats counted since 2014-12 are:

$ grep -r "X-ACL-Warn: Virus found" 201412* 201501*|wc -l
18314
$ find 201412* 2015* -type f|wc -l
33170
$ grep -hr "X-ACL-Warn: Virus found" 201412* 201501*|grep -c UNOFFICIAL
18288
$ grep -hr "X-ACL-Warn: Virus found" 201412* 201501*|grep -vc UNOFFICIAL
26
$ grep -hr "X-ACL-Warn: Virus found" 201412* 201501*|grep -v UNOFFICIAL|sort|uniq
X-ACL-Warn: Virus found / znaleziono wirusa :Heuristics.Phishing.Email.SpoofedDomain
X-ACL-Warn: Virus found / znaleziono wirusa :Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net
X-ACL-Warn: Virus found / znaleziono wirusa :Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net
X-ACL-Warn: Virus found / znaleziono wirusa :Zip.Suspect.ExecutablePhoto-zippwd-2
$ grep -hr "X-ACL-Warn: Virus found" 201412* 201501*|grep UNOFFICIAL|grep -viE "(Junk|url|Spam)"|sort|uniq -c
      1 X-ACL-Warn: Virus found / znaleziono wirusa :BofhlandMWFile1302.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :BofhlandMWFile1306.UNOFFICIAL
      7 X-ACL-Warn: Virus found / znaleziono wirusa :BofhlandMWFile1356.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :Porcupine.Malware.29046.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :Porcupine.Malware.29327.UNOFFICIAL
      2 X-ACL-Warn: Virus found / znaleziono wirusa :Porcupine.Phishing.20003.UNOFFICIAL
    724 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Foxhole.Zip_doc.UNOFFICIAL
    715 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Foxhole.Zip_docx.UNOFFICIAL
     94 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Foxhole.Zip_jpeg.UNOFFICIAL
    970 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Foxhole.Zip_pdf.UNOFFICIAL
     80 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Foxhole.Zip_xml.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.19736.UNOFFICIAL
      4 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.21933.ZipHeur.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24212.ZipHeur.UNOFFICIAL
      9 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24273.ZipHeur.UNOFFICIAL
      2 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24306.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24423.ZipHeur.UNOFFICIAL
      2 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24488.UNOFFICIAL
      9 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24594.ZipHeur.UNOFFICIAL
     15 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24595.ZipHeur.UNOFFICIAL
     13 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24639.ZipHeur.UNOFFICIAL
      2 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24646.DocHeur.UNOFFICIAL
      9 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24647.ZipHeur.UNOFFICIAL
      8 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24648.ZipHeur.UNOFFICIAL
      5 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Malware.24675.XlsHeur.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Rogue.0hr.20141201-1850.UNOFFICIAL
     11 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Rogue.0hr.20141202-0850.UNOFFICIAL
      5 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Rogue.0hr.20141203-0953.UNOFFICIAL
     11 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Rogue.0hr.20141208-0651.UNOFFICIAL
      3 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Rogue.0hr.20141210-0848.UNOFFICIAL
     26 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Rogue.0hr.20141212-1249.UNOFFICIAL
      6 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Rogue.0hr.20141217-0648.UNOFFICIAL
      4 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Rogue.0hr.20141217-0949.UNOFFICIAL
      6 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Rogue.0hr.20141218-0648.UNOFFICIAL
     10 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Rogue.0hr.20141219-1047.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Scam4.1386.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Scam4.1880.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Scam4.939.UNOFFICIAL
      1 X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.ScamL.273.UNOFFICIAL

and the number of mails delivered to users was ~7000. My conclusion is that using unofficial rules for ClamAV can bring a higher number of detections of any kind of virus, and also of spam. It can give performance benefits because spam is caught before SA gets the email. And I think the official rules are updated too slowly to detect new malware.

P.S. Because I have spamtraps on this mail server, I'm scanning (using ClamAV and SA) and saving all emails delivered to the MTA, no matter whether they are spam or ham.
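The grep/sort/uniq pipeline in the message above is easy to reproduce in one pass over a stored mail corpus, and a script can also split detections by signature family so the unofficial "spam-style" signatures (the Junk/url/Spam names the post filters out) are separated from malware-style ones. The following is an added example, not code from the thread or from ClamAV/SpamAssassin: it reads messages that carry the X-ACL-Warn header in the format shown in the post, and the sample mailbox embedded in it is constructed (the addresses, subjects and signature numbers are made up; only the header format follows the thread).

```python
"""Summarise ClamAV detections that an MTA recorded as X-ACL-Warn headers.

Added example, not code from the thread. It reproduces the grep/sort/uniq
pipeline in the post in one pass over stored messages and additionally
groups signatures by family, so spam-style unofficial signatures
(Junk/url/Spam) can be separated from malware-style ones the same way.
"""
import email
import os
import re
from collections import Counter

HEADER = "X-ACL-Warn"
# The post filters unofficial hits matching these words out of its malware list.
SPAMMY = re.compile(r"junk|url|spam", re.IGNORECASE)

# Constructed sample mailbox: the header format follows the thread; the
# addresses, subjects, bodies and signature numbers are made up.
SAMPLE_MESSAGES = [
    "From: a@example.invalid\nSubject: invoice\n"
    "X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Foxhole.Zip_pdf.UNOFFICIAL\n\nsee attachment\n",
    "From: b@example.invalid\nSubject: hello\n"
    "X-ACL-Warn: Virus found / znaleziono wirusa :Sanesecurity.Junk.12345.UNOFFICIAL\n\nbuy now\n",
    "From: c@example.invalid\nSubject: account\n"
    "X-ACL-Warn: Virus found / znaleziono wirusa :Heuristics.Phishing.Email.SpoofedDomain\n\nclick here\n",
    "From: d@example.invalid\nSubject: photo\n"
    "X-ACL-Warn: Virus found / znaleziono wirusa :Porcupine.Malware.29046.UNOFFICIAL\n\nphoto.zip\n",
    "From: e@example.invalid\nSubject: lunch\n\nnoon?\n",
    "From: f@example.invalid\nSubject: re: lunch\n\nok\n",
]


def signature_from_header(value):
    """Return the signature name from 'Virus found / ... :<signature>'."""
    return value.rsplit(":", 1)[-1].strip()


def family(sig):
    """Collapse a signature to its family,
    e.g. Sanesecurity.Foxhole.Zip_pdf.UNOFFICIAL -> Sanesecurity.Foxhole."""
    base = sig[: -len(".UNOFFICIAL")] if sig.endswith(".UNOFFICIAL") else sig
    return ".".join(base.split(".")[:2])


def signatures_in(raw):
    """All signatures the MTA recorded for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    return [signature_from_header(v) for v in msg.get_all(HEADER, [])]


def summarize(raw_messages):
    """Counts equivalent to the grep pipeline, plus a per-family breakdown.

    Like `grep -r ... | wc -l`, one header line counts as one detection."""
    stats = {"messages": 0, "detections": 0, "official": 0,
             "unofficial": 0, "unofficial_nonspam": 0}
    families = Counter()
    for raw in raw_messages:
        stats["messages"] += 1
        for sig in signatures_in(raw):
            stats["detections"] += 1
            families[family(sig)] += 1
            if sig.endswith(".UNOFFICIAL"):
                stats["unofficial"] += 1
                if not SPAMMY.search(sig):
                    stats["unofficial_nonspam"] += 1
            else:
                stats["official"] += 1
    stats["families"] = dict(families)
    return stats


def summarize_dir(path):
    """Walk a one-message-per-file mail store (a Maildir, say) and summarise it."""
    def raw_files():
        for root, _dirs, files in os.walk(path):
            for name in files:
                full = os.path.join(root, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    yield fh.read()
    return summarize(raw_files())


if __name__ == "__main__":
    s = summarize(SAMPLE_MESSAGES)
    print(f"{s['detections']} detections in {s['messages']} messages "
          f"({s['unofficial']} unofficial, {s['official']} official, "
          f"{s['unofficial_nonspam']} unofficial non-spam)")
    for fam, n in sorted(s["families"].items(), key=lambda kv: -kv[1]):
        print(f"{n:6d} {fam}")
```

Run against a real store with `summarize_dir("/var/mail/archive")` (path assumed). Grouping by the first two name components is an approximation: it keeps Sanesecurity.Foxhole, Sanesecurity.Rogue and Heuristics.Phishing apart, which is what matters when deciding whether unofficial signatures are catching malware or just spam, but signatures with a single component (the Bofhland names in the post) are reported under their own name.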