Hi there,

On Fri, 4 Dec 2009 Robin wrote:

> example to build my case.

Although I see nothing like the volume of mail that some others here have to cope with, I'd echo the comments from Messrs Cornet, Peterson and Shaw. I'd add (as it might not already be obvious to your senior management:) that there isn't one single 'solution' to their concerns. There must be a mix of techniques implemented, and they can't all be technical fixes. For example, it is at least as important to educate your users (*) as it is to protect their inboxes from trash.

You might also mention that at least one ClamAV user (me) doesn't care a hoot how good ClamAV is at spotting viruses. The reasoning is this:

1. Windows is not installed on any of my computers; effectively they are immune from viruses most of the time. Of course if unprotected they can still be at risk from other kinds of attack.

2. Computer users are anything but immune from scams, phishing etc. Only yesterday, one nitwit here sent an old hoax about Christmas cards which he'd received on his home mail account to 'everyone@'. A couple of years ago (*) he also sent about a thousand dollars to some con man in Romania - you'd have thought he'd have learned by now.

Well, back to the topic. On my mailservers, genuine messages number less than two hundred per day. But they see something like 10,000 to 20,000 attempts to send unwanted junk per day. That includes viruses, phishing, you name it. Of those attempts, the number that get as far as establishing a connection to the mailservers is in the hundreds per day, because about 60,000 IP ranges are blocked by the firewall rules. Two-thirds of these connections are blocked by trivial things like the Sendmail greetpause, a multi-line greeting; some simple regex scanning of the first parts of the SMTP conversation (CONNECT, HELO, MAIL FROM, and RCPT TO) which by and large spambots can't get right; greylisting; and a few DNSBL lists.

That leaves ClamAV and MIMEDefang/SpamAssassin with very little to do, and so far in December they haven't blocked anything in my installations. In four years, out of something like twenty million attempts, they've had to block less than 1000 messages. FWIW the Jurlbl database is responsible for about two-thirds of what is stopped by ClamAV here at the moment, but obviously this is based on a very small sample and I've no idea how representative it is.

Finally, [OT] don't let email divert all your attention from the other ways that criminals have developed to abuse computers. Even if you're using clamd to scan incoming mail, HTTP responses, and the users' home directories, a machine can still be compromised by some script kiddy. Enforce strong passwords. Get a copy of 'nmap', and do some proactive scanning of your own networks. Close ports that don't need to be open. Encrypt client-server connections (such as mail) which might carry any sensitive information (such as passwords). It's a jungle out there.

-- 
73,
Ged.

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
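The "simple regex scanning of the first parts of the SMTP conversation" that Ged mentions, as an added example that is not part of the original message or of Sendmail/MIMEDefang: a small Python screener for HELO/EHLO, MAIL FROM and RCPT TO arguments. The regexes are a simplified reading of RFC 5321 syntax (FQDN or address literal for HELO, angle-bracketed paths for the envelope) and the two sample sessions are constructed.

```python
import re

# Simplified RFC 5321 shapes: a dotted host name, an IPv4 address literal,
# and a forward/reverse path "<local@domain>" or the null path "<>".
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
ADDR_LITERAL_RE = re.compile(r"^\[(?:\d{1,3}\.){3}\d{1,3}\]$")
PATH_RE = re.compile(r"^<(?:[^<>\s@]+@[^<>\s@]+)?>$")
VERB_RE = re.compile(r"^(HELO|EHLO|MAIL FROM|RCPT TO)\s*:?\s*(.*?)\s*$", re.I)


def check_verb(verb, arg, allow_null_sender=False):
    """Return None if the argument is acceptable, otherwise a short reason."""
    if verb in ("HELO", "EHLO"):
        if not arg:
            return "missing HELO/EHLO argument"
        if HOSTNAME_RE.match(arg) or ADDR_LITERAL_RE.match(arg):
            return None
        return "HELO/EHLO argument is not a FQDN or address literal"
    if verb in ("MAIL FROM", "RCPT TO"):
        if not PATH_RE.match(arg):
            return f"{verb} path must be <local@domain>"
        if arg == "<>" and not allow_null_sender:
            return f"{verb} may not use the null path"
    return None


def screen_session(lines):
    """Screen the client side of an SMTP session (list of command lines).

    Returns (verb, reason) tuples for each early command that is malformed;
    an empty list means the opening of the conversation looked well formed.
    Verbs outside the early exchange (DATA, QUIT, ...) are not examined.
    """
    rejections = []
    for line in lines:
        m = VERB_RE.match(line)
        if not m:
            continue
        verb, arg = m.group(1).upper(), m.group(2)
        # The null sender "<>" is legitimate for bounces, but only in MAIL FROM.
        reason = check_verb(verb, arg, allow_null_sender=(verb == "MAIL FROM"))
        if reason:
            rejections.append((verb, reason))
    return rejections


# Constructed sample sessions: a well-formed client and a sloppy one.
GOOD_SESSION = ["EHLO mx1.example.org", "MAIL FROM:<alice@example.org>",
                "RCPT TO:<bob@example.net>", "DATA"]
BOT_SESSION = ["HELO friend", "MAIL FROM: spam@example.com",
               "RCPT TO:<victim>", "DATA"]
```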