[Mimedefang] Which first: stream_by_x or virus checks?

John Nemeth jnemeth at victoria.tc.ca
Thu Oct 18 07:53:35 EDT 2007 

On Mar 9, 11:36am, Kelson wrote:
} 
} We've got a setup where almost everyone has the same filtering 
} parameters, but some users have custom thresholds, etc. What we've been 
} doing is checking whether the list of recipients includes one of these 
} users, and if so, running stream_by_recipient.  This was fairly early in 
} filter_begin.
} 
} We also run our virus scanning in filter_begin.  Based on the name 
} returned by Clamd, we either discard (if it looks like a mass-mailer) or 
} reject.  Since adding the SaneSecurity signatures, which uses the Clam 
} engine to identify spam, there've been a lot more rejects than there 
} used to be.
} 
} [snip]
} 
} I'm moving the calls to stream_by_recipient *after* the virus scanning 
} logic (but still in filter_begin).  The downside is that anything clean 
} gets scanned N+1 times instead of N.  It also means that if we ever want 
} to enable per-recipient reactions to clamd results, we'll need to move 
} it back.  On the plus side, anything that does trigger Clam is only 
} scanned once instead of N times, and can be rejected immediately instead 
} of clogging the client queue.
} 
} Does this seem like a reasonable approach?

     Yes, with the caveat that you shouldn't rescan.  This is what I do
(with some local stuff removed):

sub filter_begin () {

    my($outgoing, $authuser, $FoundVirus);

    $splitout = 0;
    $outgoing = (is_outgoing($RelayAddr, 1, \$authuser) eq "yes");

    if (!$WasResent) {
        # ALWAYS drop messages with suspicious chars in headers
        if ($SuspiciousCharsInHeaders) {
            md_graphdefang_log('suspicious_chars');
            return action_bounce("Suspicious chars found in header - rejected");
        }

        # Copy original message into work directory as an "mbox" file for
        # virus-scanning
        md_copy_orig_msg_to_work_dir_as_mbox_file();

        # Scan for viruses if any virus-scanners are installed
        my($code, $category, $action) = message_contains_virus();

        # Lower level of paranoia - only looks for actual viruses
        $FoundVirus = ($category eq "virus");

        # Higher level of paranoia - takes care of "suspicious" objects
        # $FoundVirus = ($action eq "quarantine");

        # If a message contains a virus then reject it immmediately...
        if ($FoundVirus) {
            md_graphdefang_log('virus', $VirusName, $RelayAddr);
            return action_bounce("Virus $VirusName found in mail - rejected.");
        }

        if ($action eq "tempfail") {
            md_syslog('warning', "Problem running virus scanner: code=$code, category=$category, action=$action");
            return action_tempfail("Problem running virus-scanner.");
        }

        if ($outgoing) {
            md_graphdefang_log('mail_out');
        }
    }

    if (!$outgoing) {
        if (stream_by_recipient()) {
            return;
        }
    }
    delete_ip_validation_header();

    if (!$outgoing) {
        md_graphdefang_log('mail_in');
    }
}

}-- End of excerpt from Kelson

More information about the MIMEDefang mailing list