[Mimedefang] Which first: stream_by_x or virus checks?

James Ralston qralston+ml.mimedefang at andrew.cmu.edu
Thu Oct 18 14:44:11 EDT 2007


On 2007-10-17 at 17:01-07 Kelson <kelson at speed.net> wrote:

> Okay, I need a sanity check, here.
> 
> We've got a setup where almost everyone has the same filtering
> parameters, but some users have custom thresholds, etc.  What we've
> been doing is checking whether the list of recipients includes one
> of these users, and if so, running stream_by_recipient.  This was
> fairly early in filter_begin.

We considered using stream_by_recipient(), but ultimately decided
against it, because of the issues you've encountered (and others).

The approach we use instead is that our MX servers use
filter_recipient() to discriminate against recipients based on class.
For each SMTP delivery ("MAIL FROM") transaction, the first recipient
("RCPT TO") sets the class for the remainder of that transaction.  All
subsequent recipients that don't match the class are tempfailed.

So, for example, if the first recipient is postmaster (which is in the
"receive everything, no anti-spam checks, no anti-malware checks"
class), any subsequent "regular" recipients (e.g., "joeblow") are
tempfailed.

We've been very pleased with this system.  From the sender's point of
view, it looks kind of like we're using a form of greylisting.  We
were initially concerned that legitimate messages sent to many
recipients could be delayed, but in practice, we haven't seen any
delays.

> Streaming first, then scanning for viruses, means that a message
> gets resent locally, *then* rejected.  So lost messages pile up in
> the client queue directory, warnings pile up in the logs, and bounce
> notices get generated.

With our approach, if we're in filter_begin(), and the relay IP isn't
localhost, we know that we're still in the original SMTP transaction
with the foreign relay.  If we detect malware, we can return a
permanent failure code with impunity, because we know that we will
generate no backscatter.

> Since adding the SaneSecurity signatures, which uses the Clam engine
> to identify spam, there've been a lot more rejects than there used
> to be.

Just out of curiosity, what have your experiences been with the
SaneSecurity signatures?  Have you been pleased with the
false-negative and false-positive rates?
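Added example, not code from the poster's setup or from the MIMEDefang project: a minimal mimedefang-filter fragment showing the first-recipient class scheme described above, with the later filter_begin() check that refuses malware only while the foreign relay is still connected. The class table, the local parts in it, and the string "unfiltered"/"custom"/"regular" are constructed for illustration; %CLASS_OF and recipient_class() are hypothetical helpers.

```perl
# Hypothetical mimedefang-filter fragment illustrating per-transaction
# recipient classes. The class table below is a constructed example.
use strict;
use warnings;

# Globals that mimedefang.pl populates for the filter.
our (@Recipients, $RelayAddr, $VirusName);

# Local part => class; anything not listed is "regular".
my %CLASS_OF = (
    'postmaster' => 'unfiltered',   # receive everything, no scanning
    'abuse'      => 'unfiltered',
    'alice'      => 'custom',       # users with their own thresholds
);

# Normalize "<User@Example.COM>" to the local part "user" and look it up.
sub recipient_class {
    my ($addr) = @_;
    $addr =~ s/^<(.*)>$/$1/;
    my ($local) = split /\@/, lc($addr), 2;
    return $CLASS_OF{$local} // 'regular';
}

# Called once per RCPT TO. $first is the transaction's first recipient,
# so the class decision needs no state kept across calls.
sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
    return ('CONTINUE', 'ok')
        if recipient_class($recipient) eq recipient_class($first);
    # Class mismatch: 4xx, so the sender retries this recipient on its own.
    return ('TEMPFAIL', 'Please retry this recipient in a separate transaction');
}

# filter_begin runs after DATA, still inside the foreign relay's SMTP
# session unless the message arrived via localhost (e.g. a streamed copy).
sub filter_begin {
    my ($entity) = @_;
    # Every recipient shares the first one's class, so one lookup is enough.
    return if recipient_class($Recipients[0]) eq 'unfiltered';
    if ($RelayAddr ne '127.0.0.1' && message_contains_virus()) {
        # action_bounce() here is an SMTP 5xx to the connected relay;
        # MIMEDefang generates no local bounce, so there is no backscatter.
        action_bounce("Message rejected: malware detected ($VirusName)");
    }
}
```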
