[Mimedefang] Clamav milter or call from MIMEDefang?

[John Barton]

> On 23 Sep 2004 at 9:00, Matthew.van.Eerde at hbinc.com wrote:

>> If you want to save resources on your box, run clamav-milter FIRST.
>> This will save an expensive SpamAssassin call.
>
> How so?  The default filter already avoids calling SA if the message
> has been marked for discard or rejection, which are the two most
> common dispositions for virus-bearing messages (the default filter
> discards them).

I havent researched it yet, I just assumed that I would be getting a
benefit from not tying up a slave, etc,., if the clamav milter could get
the viruses before they got to MD. I will test this over the weekend and
see what happens.

>> Consider using FEATURE(enhdnsbl) in sendmail to reject email from
>> blacklisted sources early.
>
> There are pros and cons.  DNSBLs aren't nearly as accurate when used
> as single metrics for rejection, rather than being included in the SA
> score calculation.  You end up with a lot more incorrectly rejected
> mail that way.

I would tend to disagree with this, I block email if it is coming from a
host listed in a few select lists such as spamhaus, and I never receive
complaints about false hits. I block almost 400,000 connections a day just
using this technique (across several servers). I think the key here is to
use lists that are responsible in how they list people, and make it
somewhat easy to get removed once the problem is fixed.

>> There is actually a good argument for running clamav-milter AND
>> calling clamav from MIMEDefang.  clamav-milter and MIMEDefang
>> decompose the message differently, and MIMEDefang might feed a
>> MIME-part to clamav differently than clamav-milter would.
>
> That hasn't been true since the introduction of
> md_copy_orig_msg_to_work_dir in MD 2.42.

This would be backtracking for me anyway. I am looking to streamline
things, I dont want to scan every message 3 times with the same scanner..


-- 
John Barton
jbarton at technicalworks.net