Performance and accuracy issues

Michael Dahlberg dahlberg at BUCKNELL.EDU
Tue Feb 17 16:55:24 GMT 2004

Julian Field [mailscanner at ECS.SOTON.AC.UK] wrote:
> At 18:42 13/02/2004, you wrote:
> >Michael Dahlberg [dahlberg at] wrote:
> >> Fantastic piece of software...I can't imagine running a mail server
> >> without it.  However, the latest upgrade (from 4.13-3 to 4.26.8) has
> >> uncovered a few issues.
> >>
> >> A little about our config: MailScanner (4.26.8) runs with Sophos
> >> (3.78d) on a dual processor Sun 220R with 2GB RAM. The
> >> MailScanner.conf file is set to start 10 child processes which will
> >> scan a max of 30 messages.  MailScanner also runs in queue mode rather
> >> than batch.  We do no spam analysis, just virus scanning.  I've also
> >> installed the first perl mod that Julian Field released a
> >> couple of days ago.
> >>
> >> I've noticed that when running the SAVI engine (Virus Scanner =
> >> sophossavi), rather than `sweep` (Virus Scanner = sophos) it
> >> takes about 3x as long with the SAVI engine (approx. 3 min to scan 100
> >> messages using SAVI versus 1 min with sweep).  Also when I use the
> >> SAVI engine, more MyDoom-infected email messages are found and
> >> removed.
> >>
> >> Is this the experience of other readers of this list?  Does anyone
> >> have an explanation or advice on which virus scanner (Sophos or SAVI)
> >> to use?
> >>
> >
> >  Unfortunately, we had to downgrade MailScanner back to 4.13-3.
> >  The rate at which messages were being scanned and moved to an
> >  outbound mail queue was so slow that mail delivery times had
> >  increased to half an hour and the inbound queue size was steadily
> >  increasing.
> Switch on the speed logging with "Log Speed = true" and see if it sheds any
> light on the subject. Take a careful look at the "Allow Form Tags" and the
> other related HTML tag checks. If you switch off detection and logging of
> all of them, it optimises the code out completely.
> Have you added any large rulesets since your 4.13 installation?


Thanks for the suggestions.  These are the way I have set the HTML tag

Allow IFrame Tags = yes
Log IFrame Tags = no
Allow Form Tags = yes
Allow Object Codebase Tags = yes
Convert Dangerous HTML To Text = no
Convert HTML To Text = no

I tried logging the speed.  The speed of the spam and MCP checks is
very high and identical, because I'm not doing spam or MCP checks.
I've also turned off filetype checks.  The virus scan check usually
runs between 1 - 3 kB/sec.  Any other suggestions?


