block msgs based on filename without using antivirus?

Matt Kettler mkettler at EVI-INC.COM
Thu May 5 21:30:39 IST 2005


Furnish, Trever G wrote:

>I have the terrible feeling that a way of doing this ought to be jumping into my mind, but I'm not getting it.
>
>I have a system configured which barely meets our load under the current Sober onslaught and is not currently configured with any virus scanning, just spam filtering.  As such I hesitate to add any virus scanning as it might increase the server load too much.
>
>
While I agree you might not want to do that right now, read that
sentence carefully and think about what you just said.

Personally, I'd sacrifice the spam scanning in order to add AV scanning.
It's significantly more important. Spam is a very common nuisance, but
viruses are a threat. If you're unable to deal with actual security
threats because your processor is busy dealing with nuisance problems,
your network security plan needs serious reconsideration.

You might consider sacrificing load-intensive SpamAssassin features like
bayes and auto-whitelisting in order to fit a scan of ClamAV in. ClamAV
isn't particularly expensive to run. Also make sure you're not using
anything outrageous in your SA setup like bigevil.cf, or any add-on
rulesets (from SARE and other sources) over 32k in size.

At least that should get you by until you can do some minor hardware
upgrades. Really, if you're pushing your load limit now, think about
what would happen to your server if a larger flood of garbage came in,
say from a major joe-job or DoS attack. You probably need some extra
headroom in the long run.

>Is there any way to delete the Sober messages based on attachment filename, without running antivirus checks?  I suppose I could look at the code that interfaces to the "real" antivirus engines and hack up an engine to just reject those messages - I'm hoping there's an easier way.
>
There is. Look at the "generic" virus scanner option in
MailScanner.conf. This will pass the files to a script called
generic-wrapper. You can have it declare the files to be virus infected
and MS will handle it as a virus.

Still, I'd do some real serious thinking about adding a virus scanner.
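
The filename-only check described in the reply above, as an added example that is not part of the original post and is not MailScanner's own generic-wrapper. The extension deny-list and the tab-separated report line are assumptions made here; the line format MailScanner's generic scanner actually parses has to be taken from the generic-wrapper shipped with your installation.

```shell
#!/bin/sh
# Added example: flag unpacked attachments by filename alone, no signature scan.
# Assumptions (not from MailScanner): the deny-list below and the report format.

# is_blocked_name NAME -> exit status 0 if NAME is on the deny-list.
is_blocked_name() {
    # Compare case-insensitively and drop trailing dots/spaces, which
    # Windows ignores when opening a file ("run.exe." still runs).
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[. ]*$//')
    case "$name" in
        # Only the final extension matters, so "notes.txt.pif" and
        # "photo.jpg      .exe" are both caught here.
        *.pif|*.scr|*.exe|*.com|*.bat|*.cmd) return 0 ;;
    esac
    return 1
}

# scan_dir DIR -> print one report line per blocked file found under DIR.
scan_dir() {
    find "$1" -type f | while IFS= read -r path; do
        if is_blocked_name "${path##*/}"; then
            # Placeholder format: <path> TAB INFECTED TAB <label>
            printf '%s\tINFECTED\tBlocked-Filename\n' "$path"
        fi
    done
}

# When run as a script, scan the directory given as the first argument.
if [ "$#" -gt 0 ]; then
    scan_dir "$1"
fi
```

Because nothing is opened or decompressed, the cost per message is a directory walk, but a renamed attachment or an executable inside an archive passes untouched.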
