[Mimedefang] mimedefang and clamav

Jan Pieter Cornet johnpc at xs4all.nl
Wed Apr 6 18:31:20 EDT 2005


On Wed, Apr 06, 2005 at 07:38:22PM +0000, Speedy Sweedy wrote:
> >I find it hard to believe that anyone has over 50% e-mail traffic consist
> >of viruses unless (1) you normally get almost no mail, or (2) some internal
> >user is infected.
> 
> It hasn't always been this bad, and it may just be a temporary thing, but 
> it has been going on now for about a month.  It's only a few user accounts 
> that these emails are going to so the other thing I could do is re-assign 
> new email addresses and just bounce the old accounts.  It might be worth 
> the overhead to sendmail rather than the overhead of clamav and discard.

Then it's likely only one or just a few types of viruses that plague you.
(That percentage is ridiculously high and is an indication of a specific
problem. If I consider my ISP to be a reasonable average of the internet,
scanning roughly 5 million emails per day, then the current virus flow
is 0.98%. A 5-month average is 9.2%, and this includes two fairly major
outbreaks, temporarily peaking the virus/email percentage to like 30%,
for Sober/I, in November 2004, and a somewhat lesser outbreak for Sober/K.
Info from: http://www.xs4all.nl/~johnpc/virus-infected.html and
http://www.xs4all.nl/veiligheid/index.php?taal=en )

Your best bet may actually be to use mimedefang, but in a smart way, to
block the virus before it even transfers any data. This does require a
little research and coding on your part, though. See below.

> >> Yes, this is exactly why I wanted to have mimedefang make a second call
> >> to clamav once it passes clamav the first time.
> >
> >But if you're doing that, then where are the savings?
> 
> I find that clamav is less overhead than mimedefang.  If I can call clamav 
> first, before mimedefang, and discard any emails before it gets to mimedefang, I 
> think I will see a savings on the proc.

clamav isn't necessarily called "before" mimedefang at all, both are
called as the SMTP protocol progresses, in the order in which they're
in the sendmail configuration file. And mimedefang already has hooks
that are called upon initial connection, after receiving MAIL FROM, and
after RCPT TO. clamav-milter only kicks in after all the data is
received, which is several steps later. (However, I admit, in the
default configuration, mimedefang also only acts after the DATA phase.
But that can be modified).

Solutions you could possibly use are:
- use blacklists. Using filter_recipient, it's trivial to only apply
  blacklists to those few recipients that are plagued by the virus.
- Continuing on the previous item: collect your own blacklist data
  simply from number of viruses received per remote IP, possibly offset
  by the number of non-viruses (but usually not. Most viruses use their
  own SMTP engine, while legal mail clients tend to use the ISP's outgoing
  mail servers, so even if you block the IP sending viruses, the person
  behind that IP can still send legal email).
- use graylisting. Since most viruses send using their own SMTP engines,
  they don't care to properly retry on a temp failure.
- use the HELO value as a means to detect the virus early. Some viruses
  have crappy SMTP implementations that HELO using a somewhat predictable
  value (eg, a lone hostname) that is unlikely to appear in legitimate
  email. If necessary, only apply this filter to the few troubled users.
- use the envelope sender to detect the virus. If you're really lucky,
  just blocking the "fbi.gov" domain from sending to the plagued users
  solves it all.

All the above cases allow you to block the virus even before it starts
transmitting data, which saves you a whole lot of processing. And none
of them can be handled by clamav-milter, because the actual virus
executable is never seen, but they can be handled by mimedefang :)

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf at fpffmm4mmmpmfpmf.ppppmf>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet
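The early-rejection approach described in the message above, sketched as mimedefang-filter code. This is an added example, not code from the original mail or from the MIMEDefang project. It assumes mimedefang is started with `-r` so that `filter_recipient` is called at RCPT TO time, and it keeps the per-IP virus counters in a DB_File on disk (hypothetical path) because `filter_recipient` and `filter_end` run in separate multiplexor slaves and cannot share in-memory state. The recipient list, sender-domain list and threshold are constructed values; graylisting is left out.

```perl
# Added example (not from the original mail): early rejection in
# mimedefang-filter for a few plagued recipients.
# Assumptions: mimedefang runs with -r; $virus_db is a hypothetical path.
use strict;
use warnings;
use DB_File;
use Fcntl;

our ($RelayAddr, $VirusName);   # MIMEDefang globals (package main)

# Constructed values: the accounts that actually receive the flood.
my %plagued = map { $_ => 1 } qw(victim1@example.org victim2@example.org);
my %blocked_sender_domains = map { $_ => 1 } qw(fbi.gov);
my $virus_db  = '/var/spool/MIMEDefang/virus-by-ip.db';   # hypothetical
my $threshold = 5;   # viruses seen from one IP before it is refused

# Open the tied counter hash; returns a hashref, or undef on failure.
sub open_counts {
    my ($mode) = @_;
    my %h;
    tie(%h, 'DB_File', $virus_db, $mode, 0640, $DB_HASH) or return undef;
    return \%h;
}

# Called once per RCPT TO, before any message data is transmitted.
sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    # Normalise the envelope addresses: strip <> and lowercase.
    (my $rcpt = lc $recipient) =~ s/^<(.*)>$/$1/;
    (my $from = lc $sender)    =~ s/^<(.*)>$/$1/;

    # Only the plagued accounts get the aggressive checks.
    return ('CONTINUE', 'ok') unless $plagued{$rcpt};

    # 1. Envelope sender domain block.
    my ($domain) = $from =~ /\@([^@]+)$/;
    if (defined $domain && $blocked_sender_domains{$domain}) {
        md_syslog('info', "rejecting $from -> $rcpt: blocked sender domain");
        return ('REJECT', "Mail from $domain not accepted for this recipient");
    }

    # 2. HELO sanity: a lone hostname (no dot, not an address literal) is
    #    typical of a virus's own SMTP engine.
    if ($helo !~ /\./ && $helo !~ /^\[[\d.]+\]$/) {
        md_syslog('info', "rejecting $ip -> $rcpt: bare HELO '$helo'");
        return ('REJECT', 'HELO must be a fully-qualified hostname');
    }

    # 3. Local reputation: refuse IPs that have already sent many viruses.
    my $counts = open_counts(O_RDONLY);
    if ($counts) {
        my $seen = $counts->{$ip} || 0;
        untie %$counts;
        if ($seen >= $threshold) {
            md_syslog('info', "rejecting $ip -> $rcpt: $seen viruses seen");
            return ('REJECT', 'Too many infected messages from your address');
        }
    }

    return ('CONTINUE', 'ok');
}

# Runs after DATA for messages that got through; feeds the per-IP counters
# so that later connections from the same address are refused at RCPT TO.
sub filter_end {
    my ($entity) = @_;
    return unless message_contains_virus();   # MIMEDefang's scanner hook
    my $counts = open_counts(O_RDWR | O_CREAT);
    if ($counts) {
        $counts->{$RelayAddr}++;
        untie %$counts;
    }
    md_syslog('info', "virus $VirusName from $RelayAddr; discarding");
    action_discard();
}
```

The ordering matters for the saving the message is after: the sender-domain and HELO checks cost nothing but a string compare, and only the reputation check touches disk. Because the checks are gated on `%plagued`, other recipients keep the normal post-DATA scan, so a legitimate sender with a sloppy HELO is not cut off site-wide.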


