Best practice has always been least-expensive first and incrementally more
expensive to follow. This begins with iptables (essential regardless of
expense), tcpwrappers, DenyHosts, Fail2Ban, grey listing, country-code tables,
access tables (sendmail and Postfix), multilayer milters and, finally, AV scanning.
The first three are also a very effective defense for ftp, ssh, rsync, imap, pop,
etc.
My ipset table has just a few blocks: afrinic, apnic, arin, lacnic, ripe. There
are thousands of x.0.0.0/8 - x.0.0.0/24 drop all entries found in there.
Expense here refers to resource load (memory, CPU, network, disk I/O).
dp
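As an added example (not dp's or the list's own code), a small Python tool that turns RIR delegated-statistics records for chosen country codes into an ipset restore file, i.e. the kind of country-code table the post above puts in front of the mail daemon. It assumes the standard delegated-stats layout (registry|cc|type|start|value|date|status); the records, country codes and set name below are constructed.

```python
import ipaddress
from typing import Iterable

# Constructed sample in the RIR delegated-stats layout
# (registry|cc|type|start|value|date|status); country codes and
# allocations are made up and use documentation prefixes.
SAMPLE_DELEGATED = """\
apnic|XX|ipv4|203.0.113.0|256|20190101|allocated
apnic|XX|ipv4|198.51.100.0|768|20190101|assigned
apnic|YY|ipv4|192.0.2.0|256|20190101|allocated
apnic|XX|ipv6|2001:db8::|32|20190101|allocated
apnic|XX|asn|64496|1|20190101|allocated
"""


def delegated_to_cidrs(lines: Iterable[str], countries: set[str]) -> list[str]:
    """Expand ipv4 delegations for the chosen country codes into CIDR strings.

    The 'value' field is an address count, not a prefix length, and it is
    not always a power of two: 768 addresses become a /23 plus a /24.
    """
    cidrs: list[str] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 5:
            continue
        _registry, cc, kind, start, value = fields[:5]
        if kind != "ipv4" or cc not in countries:
            continue
        first = ipaddress.IPv4Address(start)
        last = first + (int(value) - 1)
        cidrs.extend(str(net) for net in
                     ipaddress.summarize_address_range(first, last))
    return cidrs


def ipset_restore(setname: str, cidrs: list[str]) -> str:
    """Render input for `ipset -exist restore`: one hash:net set, one add per prefix.

    Hook it in with a rule placed before the port-25 ACCEPT, e.g.
    `iptables -I INPUT -m set --match-set <setname> src -j DROP`, so
    matching connections never reach the MTA, the milters or clamd.
    """
    out = [f"create {setname} hash:net family inet"]
    out += [f"add {setname} {cidr}" for cidr in cidrs]
    return "\n".join(out) + "\n"
```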
On 2/9/19 9:47 AM, G.W. Haywood wrote:
Hi there,
On Sat, 9 Feb 2019, Gene Heskett wrote:
Has anyone rigged clamd to check what looks like questionable links
contained in incoming emails? It seems over the last 2 weeks my spam has
tripled, and I suspect the real payload is in the urls in the message.
Trawl the logs to see where it comes from. I find blocking incoming
mail by country code to be far more effective than almost anything else.
I'll hazard the guess that Asia and Eastern Europe will figure large in
the results.
Or is this so time consuming and bandwidth wasting it's not worth it?
ClamAV is pretty resource intensive, so more or less anything that
will reduce the number of calls to ClamAV processes will be well worth
doing. Here, at the moment, clamd sees about 1.3% of attempts to send
mail to us. That is, in February, 98.7% of incoming mail connections
were rejected before clamav-milter ever got to see any data.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml