Scanning Order

Michael Baird mike at TC3NET.COM
Mon Sep 19 21:57:27 IST 2005


Well, in my setup, scanning for viruses first would probably be
beneficial sometimes. I drop the virus-infected emails immediately,
while for spam, I actually just score them, since we have an opt-in
system, and I use generated procmail rules to deal with the mail based
on the score. If it was checking viruses first, I would save the
overhead of SpamAssassin for some messages, which I would discard as
viruses immediately. It's not a big deal, I'm sure I could move virus
scanning to a milter or something, but would lose the MailScanner
batching, and having viruses and spam handled through the same config.

Regards
Michael Baird

> Most of your mail (say 75%) is spam. Relatively, very little of it  
> (say 5%) is a virus.
> So if you do spam checks first, then delete all the spam, you don't  
> need to do anything further with 75% of your incoming mail. So the  
> overhead of all further processing of 75% of your mail never happens.  
> That includes all the expensive checks like the phishing net, as well  
> as the straight virus scanning.
> 
> On 18 Sep 2005, at 04:16, Chris Russell wrote:
> 
> > Hi All,
> >
> >   This is more than likely a question for Julian but I'll throw it
> > open.
> >
> >   Is there a specific reason MailScanner does MCP/Spam checks  
> > before AV ?
> >
> >   Ok, Reasoning:
> >
> >     I was looking into our systems this evening, and from our
> > stats, pretty much 100% of our virus-infected email is simply
> > deleted. For the most part there's very little reason to actually
> > look at these messages as they are often the result of mass-mailing
> > viruses etc.
> >
> >     With this in mind, would it be more efficient to virus scan the
> > email first? This would cut out spam/MCP scanning for infected
> > messages (dependent on the action), and cut down on the number of
> > messages required to be spam/MCP scanned, which seems to take the
> > longest time / add the most significant load to the process.
> >
> >     I've looked into /usr/sbin/MailScanner and thanks to Julian's  
> > coding, it doesn't look too difficult to change (** highly  
> > preliminary findings here!), so does anyone have any thoughts on  
> > whether AV->MCP/SPAM may be a better approach to take ?
> >
> > Cheers,
> >
> > Chris
> >
> > ------------------------ MailScanner list ------------------------
> > To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> > 'leave mailscanner' in the body of the email.
> > Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> > the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> >
> > Support MailScanner development - buy the book off the website!
> >
> 
