[Mimedefang] Virus-scanning in calling sequence
Andrzej Adam Filip
anfi at onet.eu
Sun Oct 12 16:54:37 EDT 2008
"James Borland" <castlepoint at gmail.com> wrote:
> In recent months, our three incoming smtp servers hit sustained high
> load averages for several hours during the middle of weekday prime
> time with little to no complaints from our customers about excessively
> delayed mail. However, until I made a major change (see below)
> Tuesday, for at least two weeks prior, the sustained high load
> averages persisted round-the-clock with loud complaints about
> excessively delayed incoming messages from our business customers.
> Lowering MX_MAXIMUM to bring the load averages under sendmail's 12
> cutoff seemed to make the problem worse.
>
> We have sendmail call relaydelay first and then mimedefang, which
> calls both uvscan, clamav/clamd. and SpamAssassin in addition to its
> own checks. The culprit was uvscan, which I reluctantly disabled in
> mimedefang.pl. Everything's fine now: the load averages dropped to
> well under 1, mqueue size is very manageable, and message delay times
> are measured in seconds or less.
>
> But I'm not comfortable running the much less thorough clamd without
> running uvscan, too. Just how "good" is clamd/clamav compared to
> uvscan? Should I just leave things as they are? If not, then perhaps
> it may be worth considering the following in general:
>
>>From what I can tell, mimedefang calls the virus scanners very early
> in the sequence at filter_begin. Wouldn't there be far less overhead,
> due to arguably far fewer messages to be virus scanned, in calling any
> virus scanners after everything else at filter_end?
>
> Comments?
1) What is your spam/ham ratio *after* DNSBL checks/rejects?
DCC data would suggest 60-70% of spam in total mail.
http://www.rhyolite.com/dcc/graphs/?resol=1y&BIG=1#graph1
2) Do you block DUL ranges?
3) It may be possible to do two stage anti-virus scanning
* fast in SMTP session
* slower after accepting message in SMTP session
It would allow deploying "throughput averaging" but it would require
"extra magic".
--
[pl>en: Andrew] Andrzej Adam Filip : anfi at onet.eu : anfi at xl.wp.pl
There comes a time to stop being angry.
-- A Small Circle of Friends
More information about the MIMEDefang
mailing list