Dennis Peterson wrote:
Chuck Swiger said:
[ ... ]
More specifically, I've found viral messages in the quarantine which were
not recognized by ClamAV when the email went by, although a day or two later
they generally will be.

My virus volumes are so great (thousands daily) I'd have to hire someone
just to do that alone. It's admirable but not practical in my environment.
I also recognize I am a beneficiary of your effort, so thank you very much
for what you do.

Oh, it's not that hard. Once every week or so, I inspect my quarantine of banned, spammy, or viral email, check for any false-positives (legit mail which got blocked) and maybe grab a few stats.

1-pi% cd /var/virusmails
2-pi% ls -1 | wc -l
    5470
3-pi% ls -1 banned* | wc -l
      21
4-pi% ls -1 spam* | wc -l # appropriate :-)
zsh: argument list too long: ls
       0
5-pi% ls -1 virus* | wc -l
     674
6-pi% histogram.py -F: -f 3 -p INFECTED virus-*
452  Worm.Sober.U-3
152  Worm.Sober.U
14   HTML.Phishing.Bank-3
13   HTML.Phishing.Pay-37
6    HTML.Phishing.Bank-209
4    HTML.Phishing.Auction-11
3    HTML.Phishing.Bank-271
3    HTML.Phishing.Pay-38
3    HTML.Phishing.Auction-64
2    HTML.Phishing.Pay-51
2    HTML.Phishing.Bank-213
2    HTML.Phishing.Bank-28
2    HTML.Phishing.Bank-285
2    Worm.SomeFool.P
1    Worm.Sober.U, Worm.Sober.U
1    HTML.Phishing.Bank-41
1    HTML.Phishing.Bank-129
1    HTML.Phishing.Pay-14
1    HTML.Phishing.Bank-211
1    HTML.Phishing.Pay-10
1    HTML.Phishing.Pay-43
1    HTML.Phishing.Bank-240
1    Worm.Sober.U-3,
1    Worm.SomeFool.Q
1    HTML.Phishing.Bank-159
1    Worm.Mydoom.AT
1    Worm.Bagle.AG
1    HTML.Phishing.Bank-1

The histogram.py program is something I wrote here (after I got tired of fiddling with grep, awk, sort -nr, and uniq -c):

   http://www.pkix.net/~chuck/histogram.py

Detailed stats about the server's mail traffic are here:

   http://pi.codefab.com/cgi-bin/mailgraph.cgi

We're seeing 5-10K message delivery attempts daily, and only about 1K of legitimate traffic; the rest is spam or viral mail that is largely being blocked via Postfix's anti-spam and HELO spoofing mechanisms, or by greylisting.

Out of a million emails per year, 700,000+ are junk or actively malicious.
At least postmaster@ gets to make pretty graphs...

--
-Chuck
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html

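The tally Chuck describes (grep for the alert line, awk out one colon-separated field, then sort | uniq -c | sort -nr) is simple enough to show end to end. The script below is an added example written for this page, not Chuck's histogram.py from pkix.net, which is not reproduced here. It assumes that each amavisd-new quarantine file carries an "X-Amavis-Alert: INFECTED, message contains virus: <name>" header, so that field 3 with "-F:" is the ClamAV signature name, exactly as in the command and output above; the sample headers embedded in it are constructed. It also goes one step beyond the original: the "--split" option breaks a multi-detection value such as "Worm.Sober.U, Worm.Sober.U" into separate counts instead of giving it its own bucket, which is what produced the odd one-off lines in the listing above.

```python
#!/usr/bin/env python3
"""Histogram of one field of matching lines, over amavisd-new quarantine files.

Added example for the clamav-users thread, not the histogram.py the post
links to.  Reproduces:  grep PATTERN files | awk -F: '{print $3}' | sort | uniq -c | sort -nr
Assumption: quarantined messages contain a header of the form
  X-Amavis-Alert: INFECTED, message contains virus: Worm.Sober.U-3
"""
import argparse
import re
import sys
from collections import Counter

# Constructed sample: the alert header line from a handful of quarantine files.
# Real files hold the whole message; non-matching lines are simply skipped.
SAMPLE_QUARANTINE = {
    "virus-1": "X-Amavis-Alert: INFECTED, message contains virus: Worm.Sober.U-3\n",
    "virus-2": "X-Amavis-Alert: INFECTED, message contains virus: Worm.Sober.U-3\n",
    "virus-3": "X-Amavis-Alert: INFECTED, message contains virus: HTML.Phishing.Bank-3\n",
    # a message in which the scanner fired twice yields a comma-separated list
    "virus-4": "X-Amavis-Alert: INFECTED, message contains virus: Worm.Sober.U, Worm.Sober.U\n",
    "banned-1": "X-Amavis-Alert: BANNED, message contains .exe\n",
}


def histogram(lines, sep=":", field=3, pattern="INFECTED", split_list=False):
    """Count the `field`-th `sep`-separated field (1-indexed, as in awk) of every
    line that matches the regex `pattern`.

    Returns [(count, value), ...] sorted most-common first (sort -nr), with the
    value as a stable tiebreaker.  With split_list=True a field such as
    "A, B" is counted as two values A and B instead of one value "A, B".
    """
    rx = re.compile(pattern)
    counts = Counter()
    for line in lines:
        if not rx.search(line):
            continue
        parts = line.rstrip("\r\n").split(sep)
        if len(parts) < field:
            continue  # too few fields on this line; awk would print "" here
        value = parts[field - 1].strip()
        if split_list:
            values = [v.strip() for v in value.split(",") if v.strip()]
        else:
            values = [value]
        counts.update(values)
    return sorted(((n, v) for v, n in counts.items()), key=lambda t: (-t[0], t[1]))


def read_files(paths):
    """Yield lines from each path; quarantine files are raw mail, so tolerate
    arbitrary bytes rather than aborting on a non-UTF-8 body."""
    for path in paths:
        with open(path, errors="replace") as fh:
            yield from fh


def format_histogram(hist):
    """Render as the 'count  value' columns shown in the post."""
    return "\n".join(f"{n:<4} {v}" for n, v in hist)


def main(argv):
    ap = argparse.ArgumentParser(description="field histogram, awk/uniq -c style")
    ap.add_argument("-F", dest="sep", default=":", help="field separator (default ':')")
    ap.add_argument("-f", dest="field", type=int, default=1, help="1-indexed field number")
    ap.add_argument("-p", dest="pattern", default=".", help="regex a line must match")
    ap.add_argument("--split", action="store_true",
                    help="split a comma-separated field into separate values")
    ap.add_argument("files", nargs="*", help="quarantine files (default: stdin)")
    args = ap.parse_args(argv)
    lines = read_files(args.files) if args.files else sys.stdin
    print(format_histogram(histogram(lines, args.sep, args.field, args.pattern, args.split)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it the way the post runs histogram.py, e.g. `histogram.py -F: -f 3 -p INFECTED virus-*` from inside the quarantine directory; because the file list is expanded by the shell it will hit the same "argument list too long" wall as `ls spam*` once a glob covers several thousand files, so for big quarantines feed it with `cat virus-* | histogram.py -F: -f 3 -p INFECTED` via xargs or a find -exec loop instead.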