[EMAIL PROTECTED](Damian Menscher) 06.05.05 00:05
> My silly university spent $0.5M on a commercial product to perform
> spam and virus filtering (they have the "if it costs that much, it
> MUST be good" mentality).

Hm, I know it as: "If nobody can send a bill, the product can't be worth anything, so let's take the second most expensive one from the list. So no one can blame us for having saved money in the wrong place."...

> And, just after they put it into
> production, Sober.P came out and knocked it flat.

What's older than the snow from yesterday, the news from today or the stock rates from midday? Right, the new virus signatures of _next_ week! It's an endless battle, and the virus writers are almost always one step ahead. (Maybe some heuristic scanners may help, but they may cause too many false positives. And executing every email in a sandbox takes a lot of time and is risky too.) Anyway: BIG thanks to the clamav team for keeping the database as up to date as possible.

> After a couple days with multi-hour email delays, people are pretty pissed.
> And I smell opportunity....

One simple trick is: slow down your server. (You already did ;-) ) It sounds silly, but it works, as the viruses don't have time to wait, while good servers can and do wait. You save so much time that your wanted emails are not really noticeably delayed.

Another trick is "greylisting": if there is a new "mail from:" address, reject the email with a "450 Please try again later. See http:\\info for the reason of the delay." Viruses don't run a mail queue and will never try again. Spammers' zombies don't run mail queues either (but may simply resend the email. That's why several spam mails will be seen twice.).

The simplest, cheapest and very secure approach: remove every directly executable attachment. I know nobody who sends executables as attachments, only worms do. Place the attachments into quarantine and give them out only if the user asks for them, after virus scanning them.

> Could someone with a LARGE site (we have about 35,000 users) post what
> hardware they use for ClamAV, and how many messages/day it handles?

I think you should first read the chapter "how to build a firewall" and make a concept. If you use Unix, 35000 users are no problem for a single system. Using Windows you should not have more than 1000 users per box. (Based on the last info I had, approx. 3 years ago.)

> I'd like to suggest they put it on a few PCs and have their relays
> contact the milter via a network socket in a round-robin fashion.

Yes, and how will you manage the problem of being able to reject emails to unknown users? I assume your 0.5M box accepted every email it was offered, the virus scanner scanned it and then(!) generated a bounce because the "mail to:" account is unknown after all that... That's a very bad but common practice. So it's easier to sell bigger machines... Also those bounces -to totally innocent recipients- distribute the address to more and more (maybe infected) PCs, generating more worm mails... making it easier to sell bigger machines and showing how important the virus scanning has become...

Simply "reject unknown" is only a fast database lookup. After that no further actions are required. Most worm mails are addressed to unknown users.

> But it would be good to hear people's experiences with something
> on this large of a scale before I make the proposal.

In the first place (after applying the simple rules above) I would recommend "dspam", NOT a virus scanner. dspam is "just" a database and "learns" what is "spam" and what is not. As a side effect it protects against viruses, as viruses may lead to the same "repetitive signature".

Summary (the numbers show the (felt) "cost effectiveness"):

- (10) "reject" all emails for unknown recipients
- (5) "greylist" all unknown "from"
- (3) slow down the SMTP dialog for dynamic IPs, or reject them all
- (4) verify that the sender exists
- (3) block spam, maybe with self-adjusting databases and p2p networks which distribute signatures in real time
- (9) remove all executable attachments (.exe .pif ... long, long list, including "ActiveX"; it's easier to say: allow .zip .txt .doc .xls and their OSS counterparts)
- (4) use a virus scanner to scan the (few) remaining emails

I think that will lower the load so much that you don't need to worry much about the hardware for so "few" users. Of course that can't give 100% protection. Whoever promises that is lying, whoever trusts it is an idiot. Brain v1.0 is still the unbeaten virus scanner ;-) (But sometimes tricked by the mail client)

Rainer
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
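The following is an added example, not code from Rainer's post, from ClamAV or from dspam. It models the cheap front-of-pipeline checks from the summary above as one SMTP-time policy: reject unknown recipients with a 550 before anything is scanned, greylist a new (client, from, to) triplet with a 450 until it retries after a delay, and split attachments by an extension allowlist (the "allow .zip .txt .doc .xls" rule) so only the remainder goes to a scanner. The account list, the allowlist contents, the 300-second delay, the reply texts and the sample transactions are all assumptions constructed for the demonstration.

```python
"""Added example (not from the original post, ClamAV or dspam): SMTP-time
policy modelling 'reject unknown recipients', greylisting and an attachment
extension allowlist. All tables and sample data below are constructed."""
import os

# Constructed stand-in for the local user database.
KNOWN_RECIPIENTS = {"alice@example.edu", "bob@example.edu"}

# Allowlist rather than a blocklist of .exe/.pif/...: anything not listed is
# quarantined and handed out only on request after scanning. (Assumed set.)
ALLOWED_EXTENSIONS = {".zip", ".txt", ".doc", ".xls", ".odt", ".ods"}

GREYLIST_DELAY = 300  # seconds a new sender must wait before retrying (assumed)


class Greylist:
    """Tracks (client_ip, mail_from, rcpt_to) triplets. The first attempt is
    deferred; a retry after GREYLIST_DELAY is accepted and remembered. A
    worm or zombie that never retries never gets past this point."""

    def __init__(self):
        self.first_seen = {}   # triplet -> time of first attempt
        self.passed = set()    # triplets that retried successfully

    def check(self, client_ip, mail_from, rcpt_to, now):
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key in self.passed:
            return True
        seen = self.first_seen.get(key)
        if seen is None:
            self.first_seen[key] = now
            return False
        if now - seen >= GREYLIST_DELAY:
            self.passed.add(key)
            return True
        return False  # immediate resend, as a zombie would do: still deferred


def smtp_policy(greylist, client_ip, mail_from, rcpt_to, now):
    """Return the reply for RCPT TO. The recipient lookup runs first because it
    is the cheapest check and catches most worm mail; no bounce is generated."""
    if rcpt_to.lower() not in KNOWN_RECIPIENTS:
        return "550 5.1.1 Recipient unknown"
    if not greylist.check(client_ip, mail_from, rcpt_to, now):
        return "450 4.7.1 Please try again later"
    return "250 2.1.5 OK"


def triage_attachments(filenames):
    """Split attachment names into (deliver, quarantine) by the allowlist.
    Only the final suffix counts, so 'invoice.xls.exe' is quarantined."""
    deliver, quarantine = [], []
    for name in filenames:
        ext = os.path.splitext(name)[1].lower()
        (deliver if ext in ALLOWED_EXTENSIONS else quarantine).append(name)
    return deliver, quarantine


def demo():
    """Walk constructed transactions through the policy; returns the replies."""
    gl = Greylist()
    t0 = 1_000_000
    return [
        # worm probe to a non-existent user: rejected, nothing scanned
        smtp_policy(gl, "203.0.113.7", "worm@example.net", "zzz@example.edu", t0),
        # legitimate new sender: first attempt deferred
        smtp_policy(gl, "198.51.100.4", "friend@example.org", "alice@example.edu", t0),
        # zombie-style immediate resend: still deferred
        smtp_policy(gl, "198.51.100.4", "friend@example.org", "alice@example.edu", t0 + 30),
        # a real MTA retries from its queue after the delay: accepted
        smtp_policy(gl, "198.51.100.4", "friend@example.org", "alice@example.edu", t0 + 600),
    ]


if __name__ == "__main__":
    for reply in demo():
        print(reply)
    print(triage_attachments(["minutes.doc", "photo.zip", "invoice.xls.exe", "setup.pif"]))
```

Two caveats a practitioner would add: the greylist table must be bounded and expired (the in-memory dict above grows without limit), and an extension allowlist says nothing about what is inside a .zip or .doc, which is exactly why the remaining mail still goes to the scanner as the last step of the list.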