[Mimedefang] Question about virus scanning

David F. Skoll dfs at roaringpenguin.com
Thu Apr 18 21:06:54 EDT 2002


On Fri, 19 Apr 2002, Anthony Giggins wrote:

> What are everyone's thoughts about only scanning files smaller than a set
> size, for example I was thinking 1MB? Unless someone has any reasons why not
> to do this.

It's dangerous.  I could envisage virus writers padding their payloads
to (a) infect systems which do NOT scan large messages, or (b) DoS
those which do scan large messages.  For me, it's moot because I
have this in my sendmail.cf:

O MaxMessageSize=1000000

:-)

> The reason for this is our current mail-relay gets hammered when a large
> attachment gets stuck in mimedefang and gets continuously scanned causing
> load averages to go above 12 causing sendmail to stop receiving until the
> load average drops below 12.

But is that a problem in practice?  Does it result in lost mail or just
delayed mail?

One thing which I strongly recommend is using a different machine for
local e-mail submission.  This machine should not do any scanning at
all; it should simply accept mail and relay it to the main mail
server.  That way, even if your main mail server is bogged down, your
local users won't know or care.  The submission server will simply
retry.

Regards,

David.
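
An added example, not part of the original post and not MIMEDefang code: a Python sketch comparing the "skip scanning above 1MB" policy from the question with rejecting oversize mail outright, as MaxMessageSize does. The marker string, function names and sample messages are constructed for illustration; the scanner is a stand-in substring match.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

LIMIT = 1_000_000                        # same value as MaxMessageSize in the post
MARKER = b"CONSTRUCTED-TEST-SIGNATURE"   # harmless stand-in for a virus signature

def build_message(padding: int) -> bytes:
    """Constructed sample: one attachment holding the marker plus padding bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(MARKER + b"\0" * padding, maintype="application",
                       subtype="octet-stream", filename="sample.bin")
    return msg.as_bytes()

def scan(raw: bytes):
    """Stand-in scanner: decode every attachment, return (infected, bytes_scanned)."""
    msg = message_from_bytes(raw, policy=policy.default)
    scanned, infected = 0, False
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        scanned += len(data)
        infected = infected or MARKER in data
    return infected, scanned

def scan_all(raw: bytes):
    """No size limit: always scans, but scanner work per message is unbounded."""
    infected, scanned = scan(raw)
    return ("quarantine" if infected else "deliver"), scanned

def skip_large(raw: bytes):
    """Policy from the question: large messages bypass the scanner (fails open)."""
    if len(raw) > LIMIT:
        return "deliver-unscanned", 0
    return scan_all(raw)

def reject_large(raw: bytes):
    """Policy from the reply: oversize mail is refused, the rest is always scanned."""
    if len(raw) > LIMIT:
        return "reject", 0
    return scan_all(raw)

if __name__ == "__main__":
    for name, raw in (("small", build_message(0)), ("padded", build_message(LIMIT))):
        for pol in (skip_large, scan_all, reject_large):
            print(f"{name:6} {pol.__name__:12} {pol(raw)}")
```

Only reject_large both bounds the scanner's work at LIMIT bytes per message and never delivers unscanned content.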



