please stay on list

On 18.03.2015 at 10:46, Anthony Cartmell wrote:

no, we have per day 300 SA rejects and had 20 clamav hits before changing the order, now the SA reject-count is not much different and only 5 clamav hits per day

I was just reporting that MailScanner had changed its order of scanning following the introduction of third-party ClamAV signatures. A potential benefit of running SA second is to allow scoring of the ClamAV signature matches so that you can fine-tune how much effect each group of signatures has
correct - but what you mostly want to achieve on a server with noticeable load is to reject as soon as possible and skip as many restrictions and scanners as possible

wrapping them that way would double the load and the potential benefit needs to be really carefully considered given that in case of malware you want to reject in any case and that SA runs *all* tests with high costs

most of our SA rejects are coming with a score above 15 while rejecting starts at 8.0 and what i also have in mind is how to weight such decisions in case a message has BAYES_00 but contains malware - who is right: the clamav signature or the BAYES_00 - i would say the signature (yes, with a FP risk you have anyways)

the initial post was as far as i understood it about the complete infrastructure of an inbound MX hence

* postscreen RBL scoring
* postscreen protocol checks
* envelope restrictions
* SPF backed with DNSWL safety nets
* PTR restrictions with more DNSWL safety nets
* HELO restrictions with more DNSWL safety nets
* sender verify for senders not on any DNSWL and no SPF
* expensive content scanner with most reject hits
* expensive content scanner with less reject hits
* most expensive content scanner with only a few reject hits

the point is that you can handle much more load without clustering and even if your load is still high enough to need clustering it makes a difference in how many cluster nodes you need at the end
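
Added example, not part of the original message: a small cost model for the stage ordering listed above, comparing the average per-message work when cheap, high-reject stages run first against the reverse order. All costs and reject rates are constructed for illustration, and the sort by cost per rejected message generalizes the list's ordering under the assumption that stages reject independently.

```python
from itertools import permutations

# Constructed figures, not measurements from the thread:
# (stage, cost per message in ms, share of the mail reaching it that it rejects)
STAGES = [
    ("postscreen", 0.1, 0.50),
    ("smtpd restrictions", 1.0, 0.40),
    ("scanner, most hits", 100.0, 0.30),
    ("scanner, fewer hits", 100.0, 0.05),
    ("priciest scanner, few hits", 300.0, 0.01),
]


def expected_cost(order):
    """Average ms spent per incoming message when stages run in this order."""
    total, still_alive = 0.0, 1.0
    for _name, cost, reject_rate in order:
        total += still_alive * cost        # only mail not yet rejected pays
        still_alive *= 1.0 - reject_rate   # rejected mail skips later stages
    return total


def ratio_order(stages):
    """Lowest cost per rejected message first.

    Assumes stages reject independently; real scanners overlap, so measure
    per-stage reject counts in production before reordering.
    """
    return sorted(stages, key=lambda s: s[1] / s[2])


def brute_force_order(stages):
    """Check every permutation; feasible for a handful of stages."""
    return list(min(permutations(stages), key=expected_cost))


if __name__ == "__main__":
    for label, order in [("list order", STAGES), ("reversed", STAGES[::-1])]:
        print(f"{label:10s} {expected_cost(order):8.2f} ms/message")
    print("best:", [s[0] for s in brute_force_order(STAGES)])
```
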