Block SOBER at MTA (postfix)

Drew Marshall drew at THEMARSHALLS.CO.UK
Mon Dec 5 17:52:04 GMT 2005



On Mon, December 5, 2005 17:15, Dhawal Doshy wrote:
> As Drew mentioned, this is NOT supposed to replace a real AV but at the
> same time I'd like having a feature where viruses are rejected without
> much processing power. Plugging in an AV at the MTA is not such a great
> idea (no bandwidth savings and no decrease in resource usage).

Oh, I don't know. If you plug in the clamAV scanner in the right place...

If you use before queue scanning as described here
http://www.postfix.org/SMTPD_PROXY_README.html and set up the SMTP clam
scanner as per here http://memberwebs.com/nielsen/software/clamsmtp/ you
will save bandwidth as you can get Postfix to reject the mail at SMTP
stage, but it won't save processing in the same way as a decent
MIME/header/body check will do.

>
> What I was not sure about is when do these body checks take place.
>
> a. Mail is almost accepted / rejected (just before 250 OK / 550 REJECT)
> and then rejected in which case there is no substantial bandwidth
> saving. This is not the case as per the postfix-users list.
> b. Rejected as soon as the offending MIME line is found, this is done
> using the body_checks_size_limit (default 51200) in postfix. This is
> what really happens (see postfix ain't so bad after all).
>
> I have a significant benefit (decrease in bandwidth and resource usage)
> in doing these checks, if someone benefits from this as well great!! but
> I completely agree in NOT converting this into a project but rather
> continuing on a per incident basis in case of severe viral outbreaks and
> let MailScanner handle regular non-PITA/N worms (so any volunteers? :) ).

Not being smart enough to do this (Reliably) I'll gracefully back away.

It should also be remembered that you should consider what/who you will
be '550ing' and take suitable steps. For example one of my boxes relays
for another Internet connected box, which also happens to serve another
domain. The incoming mail is swept for viruses after this box relays to me
so I receive 'unclean' mail from it and clean it before delivery. In this
instance it is of no benefit to bounce this mail as it would just generate
virus-laden bounce messages from the incoming server (who has, after all,
accepted the message). Rather than remove the problem it adds to it (and
possibly creates a Joe Job for some poor domain owner elsewhere on the
Internet). In this instance, I would rather take the bandwidth hit and
just send those messages to the bit bucket to no longer pester the world.

Drew
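
The before-queue setup described in the message above, as an added example that is not part of the original post: the master.cf entries follow the pattern documented in SMTPD_PROXY_README, and the port numbers, file locations and clamd socket path are assumptions to adapt locally.

```conf
# ---- /etc/postfix/master.cf (assumed location) ----
# Public listener: each SMTP session is proxied to clamsmtpd BEFORE the
# message is queued, so a refusal from the scanner reaches the sending
# client as an SMTP-stage rejection and no bounce is generated locally.
smtp      inet  n       -       n       -       20      smtpd
    -o smtpd_proxy_filter=127.0.0.1:10025
    -o smtpd_client_connection_count_limit=10

# Re-injection listener: clamsmtpd hands scanned mail back here.
# Restrictions are emptied because the public listener already applied them.
127.0.0.1:10026 inet n  -       n       -       -       smtpd
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks

# ---- /etc/clamsmtpd.conf (assumed location) ----
# Where clamsmtpd listens for Postfix, and where it re-injects clean mail.
Listen: 127.0.0.1:10025
OutAddress: 127.0.0.1:10026
# Assumed clamd socket path; use the one your clamd.conf defines.
ClamAddress: /var/run/clamav/clamd.sock

# What to do with infected mail:
#   bounce - refuse it in the SMTP session. Suitable when the client is
#            the original sender's host.
#   drop   - accept and silently discard. Suitable for the relay case in
#            the message: the upstream box has already accepted the mail,
#            so a refusal here would only make it send a bounce to a
#            probably forged sender.
Action: bounce
```

clamsmtpd takes one Action per instance, so a box that receives both direct and pre-accepted relayed mail needs a separate listener and clamsmtpd instance for each policy.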

