[Mimedefang] Question about virus scanning
Anthony Giggins
AGiggins at synergyit.com.au
Thu Apr 18 23:34:56 EDT 2002
I cant envisage this being a huge problem because
a) I don't think I've ever seen a virus larger then 1MB
b) We're blocking a large list of attachments
ie.
ade|adp|asx|com|bat|cmd|chm|cpl|crt|bas|hlp|hta|vb|vbs|vbe|scr|shs|scf|sct|s
hb|dll|vxd|pif|reg|msc|msi|msp|mst|pcd|prf|ocx|lnk|js|jse|ini|inf|ins|isp|ws
f|wsc|wsh|url
MaxMessageSize isn't really an option because our customers need the
facility to send large attachments.
Most of the time just delayed email but were providing a service and
customers expect almost immediate delivery.
Theres been a case where a message got stuck scanning for at least 2 days
-----Original Message-----
From: David F. Skoll [mailto:dfs at roaringpenguin.com]
Sent: Friday, 19 April 2002 11:07 AM
To: 'mimedefang at lists.roaringpenguin.com'
Subject: Re: [Mimedefang] Question about virus scanning
On Fri, 19 Apr 2002, Anthony Giggins wrote:
> What are everyone's thoughts about only scanning file smaller then a set
> size for example I was thinking 1MB? Unless someone has any reasons why
not
> to do this.
It's dangerous. I could envisage virus writers padding their payloads
to (a) infect systems which do NOT scan large messages, or (b) DoS
those which do scan large messages. For me, it's moot because I
have this in my sendmail.cf:
O MaxMessageSize=1000000
:-)
> The reason for this is our current mail-relay gets hammered when a large
> attachment gets stuck in mimedefang and gets continuesly scanned causing
> load avereages to go above 12 causing sendmail to stop receiving untill
the
> load average drops below 12.
But is that a problem in practice? Does it result in lost mail or just
delayed mail?
One thing which I strongly recommend is using a different machine for
local e-mail submission. This machine should not do any scanning at
all; it should simply accept mail and relay it to the main mail
server. That way, even if your main mail server is bogged down, your
local users won't know or care. The submission server will simply
retry.
Regards,
David.
_______________________________________________
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
More information about the MIMEDefang
mailing list