[unisog] Auto AV Notification ( was Re: New virus)

Jeremy Mooney j-mooney at bethel.edu
Tue Nov 29 02:32:21 GMT 2005


Steve VanDevender wrote on 2005/11/28 13:20:
> Russell Fulton writes:
>  > Now if someone can come up with a way to decide if a message is a worm
>  > or spam before accepting it then we could also suppress normal bounce
>  > messages for old addresses.  That would solve the irritating problem of
>  > users ringing the helpdesk "I've just received a bounce message for an
>  > email I never sent. Has someone stolen my email account?"
> 
> Actually, we're doing virus scanning on inbound mail using ClamAV
> (specifically clamav-milter hooked into sendmail) so we can do exactly
> that; messages that scan as infected are refused at the end of the DATA
> phase in the SMTP transaction (note, this is not bouncing the mail,
> unless the remote sender is really an MTA instead of a worm-spewer).
> 
> I'm not really a big fan of the virus-scanning approach but ClamAV turns
> out to be surprisingly efficient (on our systems it has an overhead of
> about 0.01 CPU-seconds per message on average) and they have a nice
> automated method for updating their signature database.  Besides
> recognizing various Windows worms/viruses ClamAV also recognizes a
> number of common phishing mail patterns.

We use the same configuration (scan at SMTP-time, return 5xx code for 
infected), also with great results.  We also have SA as a milter, and it 
rejects any spam with excessive scores (>15, where 5 is the normal flag 
level).  All other messages are flagged (for spam) or modified (banned 
file types removed and replaced with notice), and passed through to the 
user routing/mailboxes, and filtering can be done on the client side (or 
preferably .procmailrc or Exchange server-side rules) as desired by the 
user.

-- 
Jeremy Mooney
ITS - Bethel University
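The policy Jeremy describes (reject infected mail and very high-scoring spam with a 5xx at the end of DATA, tag the rest, swap banned attachments for a notice) is modelled below as an added example. It is not code from the post or from sendmail, clamav-milter or SpamAssassin: the milter glue is replaced by two plain inputs, an AV verdict string (or None) and an SA score, so the decision logic can run offline. The thresholds come from the post; the banned-extension list, the sample message and the verdict strings are constructed for illustration.

```python
"""End-of-DATA filtering policy modelled on the thread's setup (added example).

Real deployments get the verdict from clamav-milter and the score from a
SpamAssassin milter; here both are passed in so the policy runs stand-alone.
"""
import email
import os
from email import policy
from email.message import EmailMessage
from typing import List, Optional

REJECT_SCORE = 15.0   # above this SA score the post's milter rejects outright
FLAG_SCORE = 5.0      # normal SA flag level: tag the message, do not reject
# Assumed list of "banned file types"; the post does not enumerate them.
BANNED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs"}


def decide(raw: bytes, av_verdict: Optional[str], spam_score: float):
    """Return ("reject", code, text) to answer DATA with a 5xx, or
    ("accept", modified_bytes) to pass the tagged / stripped message on.

    Refusing at DATA time means the *sending* host, not our MTA, is the one
    that would generate any bounce, so forged-sender worm mail produces no
    backscatter from us (the point Steve makes in the quoted reply).
    """
    if av_verdict:
        return ("reject", 554, f"5.7.1 Message rejected: {av_verdict}")
    if spam_score > REJECT_SCORE:
        return ("reject", 554,
                f"5.7.1 Message rejected as spam (score {spam_score:.1f})")

    msg = email.message_from_bytes(raw, policy=policy.default)
    del msg["X-Spam-Score"]          # never trust copies the sender put in
    del msg["X-Spam-Flag"]
    msg["X-Spam-Score"] = f"{spam_score:.1f}"
    if spam_score >= FLAG_SCORE:
        msg["X-Spam-Flag"] = "YES"   # procmail / server-side rules key off this

    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in BANNED_EXTENSIONS:
            # set_content() clears the old Content-* headers (including the
            # attachment disposition) and replaces the body with a text notice.
            part.set_content(
                f"[Attachment {name!r} removed by mail filter: banned file type]")
    return ("accept", msg.as_bytes())


def build_sample() -> bytes:
    """Constructed test message: a short text body plus a .exe attachment."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "user@example.edu"
    m["Subject"] = "Your document"
    m.set_content("Please see the attached file.")
    m.add_attachment(b"MZ\x90\x00 not a real executable",
                     maintype="application", subtype="octet-stream",
                     filename="invoice.exe")
    return m.as_bytes()


def attachment_names(raw: bytes) -> List[str]:
    """Filenames of all attachment parts still present in a message."""
    m = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in m.walk()
            if p.get_content_disposition() == "attachment"]


def spam_flag(raw: bytes) -> Optional[str]:
    """Value of X-Spam-Flag, or None when the message was not tagged."""
    return email.message_from_bytes(raw, policy=policy.default)["X-Spam-Flag"]


if __name__ == "__main__":
    sample = build_sample()
    # Constructed verdict / score pairs covering each branch of the policy.
    for verdict, score in [("Constructed.Test.Worm", 0.0), (None, 22.0),
                           (None, 7.5), (None, 0.3)]:
        result = decide(sample, verdict, score)
        if result[0] == "reject":
            print(f"{result[1]} {result[2]}")
        else:
            print(f"accepted: flag={spam_flag(result[1])} "
                  f"attachments={attachment_names(result[1])}")
```

The score comparison uses a strict `>` so that a message scoring exactly 15 is tagged rather than refused, matching ">15" in the post; the flag threshold uses `>=` since 5 is the level at which SA itself marks mail as spam.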