[Mimedefang] Re: "Please try again later"

John Rudd john at rudd.cc
Sun Sep 11 13:27:23 EDT 2005


On Sep 11, 2005, at 9:12 AM, Paul Murphy wrote:

> John,
>
>> A little while later, it came back.  It seemed less frequent, but this
>> is under a night load, instead of a day load.  So it's hard to tell.  It
>> looks like we're going to have to wait for the hardware upgrade.
>
> Some standard questions:
>
> 1.  Do you limit the size of messages submitted to SpamAssassin?

I had completely ripped SpamAssassin out of our Mimedefang.  For now, 
we were going to be doing ClamAV Sophos and filename checks in 
Mimedefang, and Dangerous Content checks and Spam Assassin in 
MailScanner.  (in the past, we did sophos, filename checks, dangerous 
content checks, and spam assassin in mailscanner, and we're back to 
that configuration now)

(and, our limit in mailscanner is 256k; at home, where I _do_ use SA in 
mimedefang, I also use 256k as my limit, so if we ever get to moving SA 
into mimedefang at work, that's probably what limit I'll use there, as 
well)


> 2.  Do you do Spam checks on outgoing mail?  Again, many sites work on the
> assumption that their outgoing mail is highly unlikely to be spam, so they
> don't scan it.  If one of their users is showing abnormal numbers of
> messages, they'll notice and investigate.

We can't make that assumption.  We are central IT, and we have to relay 
for all of campus, but we have little control of the email servers and 
clients that are spread around campus.  So, we not only try to protect 
campus from the world, we have a slight bit of needing to protect the 
world from some open relay that pops up on campus.  And, with viruses 
turning workstations into spam zombies, it's not really a valid 
assumption that messages which come from within aren't going to be spam 
(in any organization).

> 3.  Do you run multiple virus scanners in serial/parallel over all messages?
> If so, you might want to consider how effective this is, since generally
> running two reliable scanners is the ideal trade-off between performance and
> effectiveness.  Personally, I trust Clamav implicitly, and if I have to use a
> second high-profile scanner, I'd pick one of the main commercial scanners.

I had re-written that part of mimedefang to only run Sophos if ClamAV 
didn't find anything.  I suppose that means most of the messages were 
getting scanned twice, though.  I suppose I could have it only run 
Sophos if ClamAV has a failure.

The other side of the coin, though, is that our existing setup was to 
replace each infected attachment with a warning message.  That means I 
had to move the virus scans from "filter_begin" to "filter" and 
"filter_multipart", because (as I understand it) I can't run 
action_drop_with_warning during filter_begin (I understand why, I'm 
just saying, that's the routine I need in order to maintain a seamless 
transition for our users).  I expect that that added some overhead (as 
each attachment has to be scanned individually), but it was a necessary 
move.  I also can't call "replace_entire_message" until filter_end 
(where I could have replaced the entire message in filter_begin, if 
that had been allowed).

Before you say anything about just dropping or bouncing viruses, 
there are two things:

1) for viruses that don't come from our IMAP server (which is also our 
webmail server, and the SMTP server for some of our clients), our 
action was to bounce ... why don't we bounce for our IMAP server?  
There's some concern about odd-user experience if a macro-virus is sent 
from within that mail service to both people inside and outside of the 
IMAP server ... those inside will see the message (unscanned), and 
those outside won't get the message at all ... and the sender will only 
know what happened if they read the bounce message (not entirely 
likely).  And if it's a forged sender virus message, instead of a 
macro-virus, then bounces will get stuck in the IMAP server's queue 
(because it sends all outgoing messages through the virus scanning 
hosts), which is something we're trying to avoid.

2) and if I had gotten to the next stage, I was planning to add code 
that only did drop-with-warning for non-forged sender viruses, like 
document macro viruses, where the notice CAN be useful to the sender, 
but mimedefang won't let me action_notify_sender for _any_ virus, thus 
the useful notification for non-forged viruses has to go to the 
recipient (which is actually what we do now for mailscanner, as well).

But, yes, we silently discard forged viruses now, but we replace with 
warnings when it's a non-forged virus, or a bad attachment filename ... 
and that's what I was trying to duplicate.  But I can't do that in 
filter_begin.
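As an added illustration (not the poster's filter and not MIMEDefang's own sample filter), this is how the ClamAV-first, Sophos-only-on-scanner-failure ordering and the per-part drop-with-warning discussed above could be laid out in a mimedefang-filter. It assumes the stock mimedefang.pl helpers named in the comments (entity_contains_virus_clamd, entity_contains_virus_sophie, action_drop_with_warning, action_tempfail, $VirusName) and the sample filter's filter_bad_filename, and treats a return code of 999 as "scanner failed", which is how those helpers report an error rather than a detection.

```perl
# Excerpt for a mimedefang-filter (illustration only; assumes the helpers
# from the stock mimedefang.pl and the sample filter are loaded).
use strict;
use warnings;

# Scan one MIME part with ClamAV; call Sophos only when ClamAV could not
# give an answer (code 999), so clean parts are scanned exactly once.
sub scan_entity_with_fallback {
    my ($entity) = @_;
    my ($code, $category, $action) = entity_contains_virus_clamd($entity);
    if ($code == 999) {
        md_syslog('warning', "ClamAV failed ($category); retrying with Sophos");
        ($code, $category, $action) = entity_contains_virus_sophie($entity);
    }
    return ($code, $category, $action);
}

sub filter_begin {
    # Nothing is dropped here: action_drop_with_warning is only valid per
    # part, inside filter()/filter_multipart(), so the scans live there.
    return;
}

# Called once per part. Replace an infected or badly named attachment with
# a warning so the rest of the message still reaches the recipient.
sub filter {
    my ($entity, $fname, $ext, $type) = @_;

    if (filter_bad_filename($entity)) {
        return action_drop_with_warning(
            "An attachment named $fname was removed: filename type not allowed.");
    }

    my ($code, $category, $action) = scan_entity_with_fallback($entity);
    if ($code == 999) {
        # Both scanners failed: defer delivery instead of passing unscanned
        # mail. This is what the sender sees as "please try again later".
        return action_tempfail("Virus scanner unavailable, please try again later");
    }
    if ($code) {
        return action_drop_with_warning(
            "An attachment named $fname was removed: it contained $VirusName.");
    }
    return action_accept();
}

# Containers (multipart/*) get the same treatment as leaf parts.
sub filter_multipart {
    return filter(@_);
}
```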
