[Mimedefang] Re: Unsafe file types

Michael Sofka sofkam at rpi.edu
Thu Dec 4 10:05:55 EST 2003


On Wednesday 03 December 2003 16:25, Lucas Albers wrote:
> I also block the maximum level of mimeparts:
> $MaxMIMEParts = 15;
>
> Because virus scanners can't seem to scan attachments that have too many
> mimeparts.

We had the same problem.  It was caused by the start up time for Sophos
sweep, ~ 1 second.  This is how long it took sweep to read in the virus
databases, and initialize its tables, variables, etc.  Actually, quite
efficient when you think of what it's likely doing, but a performance
killer when a forwarded web page has 100+ attachments.  With too many 
attachments, the milter timed out, returning a soft error to the
connecting relay.

To fix this, we found a Perl module on CPAN which used the SAV library.
Now SAV stays active until the mimedefang process restarts.

P.S. We tried sophie, but it was not returning the error codes we wanted
for logging.

P.P.S. Speaking of those error codes, this morning our logs showed 27
rejections of wendy.zip (the name of the Mimail-L attachment) which were
encrypted! Fortunately, we reject encrypted attachments, since they cannot
be virus scanned.  There is no mention of this on Sophos's virus
information page, but the attachments came from different servers,
to different recipients, from different senders.  And, I recognized
one of the recipients, and he is not in the `analyze this virus and
report back to me' category.  Quite the opposite, his email address
being widely distributed, he is in the `thank god you're blocking all
those viruses' camp.  (In that sense, his email address is a virus
canary.)

Mike


-- 
Michael D. Sofka              sofkam at rpi.edu
C&CT Sr. Systems Programmer    Email, TeX, epistemology.
Rensselaer Polytechnic Institute, Troy, NY.  http://www.rpi.edu/~sofkam/
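
Added example, not part of the original post and not MIMEDefang or Sophos code: a Python sketch of the two pre-scan checks discussed in this thread, a cap on the number of MIME parts and rejection of encrypted ZIP attachments that a scanner cannot open. It counts leaf parts only (an assumption; how MIMEDefang counts parts for `$MaxMIMEParts` is not shown on this page), and the function names and sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

MAX_MIME_PARTS = 15  # same value as the $MaxMIMEParts setting quoted above

def zip_is_encrypted(data: bytes) -> bool:
    """True if any member has the ZIP 'encrypted' flag (general-purpose bit 0)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False  # not a readable ZIP; leave it to the virus scanner

def check_message(raw: bytes) -> str:
    """Return 'reject-too-many-parts', 'reject-encrypted' or 'scan'."""
    msg = message_from_bytes(raw)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    if len(leaves) > MAX_MIME_PARTS:
        return "reject-too-many-parts"  # decided before any scanner is started
    for part in leaves:
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK\x03\x04") and zip_is_encrypted(payload):
            return "reject-encrypted"   # contents cannot be virus scanned
    return "scan"

def build_sample(n_text_parts: int, encrypted_zip: bool) -> bytes:
    """Constructed test message: n text attachments plus one small ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.txt", "constructed sample data")
    blob = bytearray(buf.getvalue())
    if encrypted_zip:
        # Set bit 0 of the flag field in the local and central headers so the
        # archive is marked encrypted (the data itself is not really encrypted).
        blob[6] |= 0x01
        cd = blob.find(b"PK\x01\x02")
        blob[cd + 8] |= 0x01
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    for i in range(n_text_parts):
        msg.add_attachment(f"part {i}", filename=f"part{i}.txt")
    msg.add_attachment(bytes(blob), maintype="application", subtype="zip",
                       filename="sample.zip")
    return msg.as_bytes()
```

Both checks read only headers and ZIP directory metadata, so they cost nothing close to a per-attachment scanner start-up.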


