[Mimedefang] When to do Virus checks

John Rudd john at rudd.cc
Thu Nov 30 07:49:59 EST 2006


I was thinking about moving the virus check from filter_begin to 
filter_end (I do them in filter_begin, having inherited that from the 
example mimedefang-filter).  My reason is: it seems to me that the 
attachment checks (in filter and filter_multipart) are going to be 
cheaper (in CPU time and elapsed time) than the virus checks, and my 
general principle in organizing my AV/AS checks right now is: cheapest 
checks first, so that as little as possible gets sent to the more 
expensive checks.  If the virus check is more expensive than the 
attachment checks, then the attachment checks should be done first.

Does anyone have any thoughts about whether or not it seems like a good 
or bad idea to move the virus checks to filter_end (before the 
SpamAssassin check)?


So, it would look something like this:

filter_sender
    reject *.local senders
    reject some basic/egregious HELO strings

filter_recipient
    reject *.local recipients
    validate recipients with final destination

filter_begin
    reject messages with suspicious characters
    reject relays that look like botnets (which uses @Recipients
       so it can exempt messages headed only to postmaster
       and/or abuse)
    remove the headers that filter and filter_multipart will
       add (to keep them from being spoofed)

filter
    reject bad attachments by name and/or type
    add headers for good attachments

filter_multipart
    reject bad attachments by name and/or type
    add headers for good attachments

filter_end
    reject viruses
    remove spam/ham related headers
    reject high scoring spam
    add headers for ham or regular spam











More information about the MIMEDefang mailing list