[1st ANNOUNCEMENT] Virus-Filter/Blocker

Which AV will the exim.conf call to check the messages?

I don't see the benefits of scanning at data time. We still have to download data to check if it's a "virus inside" message, so why not download the message, scan it and delete it?
 
Another thought on this.

Why not just put a package together with Mailscanner + ClamAV and Spamassassin? It's tried and proven, and then perhaps the Directadmin gurus will add a GUI interface to it all.

I know there are a few Directadmin how-tos on how to put these all together, and I have done it on a few RAQ boxes. I am just afraid that if I hack too much on the Directadmin system, a Directadmin upgrade might kill it. Something that Directadmin supports would be much better.

Just my 2 cents.

Matt
 
I don't see the benefits of scanning at data time. We still have to download data to check if it's a "virus inside" message, so why not download the message, scan it and delete it?

I see an advantage. No need to store or deliver the message. Just reject it and done.

Matt
 
interfasys said:
Which AV will the exim.conf call to check the messages?
My current thought is to use ClamAV. Do you have any other suggestions?
I don't see the benefits of scanning at data time. We still have to download data to check if it's a "virus inside" message, so why not download the message, scan it and delete it?
As hci mentions, rejecting the virus is a lot simpler than filtering it afterwards.

I understand that some people would rather delete than reject; I'm still considering that.

Of course you can write yours any way you want; this is just my idea.

Jeff
 
hci said:
Why not just put a package together with Mailscanner + ClamAV and Spamassassin?
In fact that's the direction I'm leaning towards.
It's tried and proven, and then perhaps the Directadmin gurus will add a GUI interface to it all.
I'm awaiting their new Exim release, to see what they've added besides my SpamBlock code.
I know there are a few Directadmin how-tos on how to put these all together, and I have done it on a few RAQ boxes. I am just afraid that if I hack too much on the Directadmin system, a Directadmin upgrade might kill it.
Automatic DirectAdmin updates will not change exim.conf. Version updates to programs used by DirectAdmin may, but I'd presume that if they do, they'll save the old config files.

Certainly, if it were me I wouldn't update any DA included program to a new version without saving the config file(s) first.

Jeff
 
I still don't get it :confused:

How do you reject an email if you don't scan it? And if you scan it, then you have already downloaded it, no? So how is this different from the standard MailScanner way of doing things?
 
It's an exim thing.

You can do the scanning at data time rather than at rcpt time.

Yes, exim does read the entire email before it rejects it, but because it hasn't sent the "data ok" before it does, it can still reject the message and therefore doesn't have to decide what to do with a message it doesn't want to deliver.

Since RFCs say you shouldn't throw away messages, and since you can't return a virus-laden email because you're not sure the envelope sender isn't spoofed, rejecting it is the way to go... at least to me.

Jeff
 
I still don't get it

How do you reject an email if you don't scan it? And if you scan it, then you have already downloaded it, no? So how is this different from the standard MailScanner way of doing things?

You need to understand the SMTP protocol. During the handshaking after the RCPT TO, it gives the go-ahead for the sending SMTP server to send the data portion of the message and end it with "<crlf>.<crlf>". After that point the receiving SMTP server has the message in its entirety but has not said ok yet. At this point the message can be scanned, and if it's clean, send ok. If it's infected, reject it.

I have never known an email virus scanner to work this way, but it certainly seems possible.

Matt
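
The exchange Jeff and Matt describe above, as an added example that is not part of the original thread: a toy Python model of the receiving side of an SMTP session, showing that the scan happens after the terminating "." arrives but before the final reply is sent. The host names, the scan() stand-in and its marker string are constructed assumptions, not ClamAV or Exim code.

```python
# Added example; scan() and INFECTED_MARKER are constructed stand-ins.
INFECTED_MARKER = "CONSTRUCTED-TEST-SIGNATURE"

def scan(message):
    """Return True if the (constructed) signature is present."""
    return INFECTED_MARKER in message

def receive(client_lines):
    """Process client lines; return (server replies, messages accepted)."""
    replies, stored = ["220 mx.example ESMTP"], []
    body, in_data, have_rcpt = [], False, False
    for line in client_lines:
        if in_data and line != ".":
            body.append(line[1:] if line.startswith(".") else line)  # undo dot-stuffing
        elif in_data:
            # Lone "." seen: the whole message has arrived, but the final
            # reply has not been sent, so the sender still owns the message.
            message = "\r\n".join(body)
            if scan(message):
                replies.append("550 rejected at DATA time: virus detected")
            else:
                stored.append(message)  # responsibility accepted only here
                replies.append("250 OK message accepted")
            body, in_data, have_rcpt = [], False, False
        elif line.upper().startswith(("HELO", "EHLO", "MAIL FROM:")):
            replies.append("250 OK")
        elif line.upper().startswith("RCPT TO:"):
            have_rcpt = True
            replies.append("250 OK")
        elif line.upper() == "DATA":
            in_data = have_rcpt
            replies.append("354 end data with <CRLF>.<CRLF>" if have_rcpt
                           else "503 need RCPT TO first")
        elif line.upper() == "QUIT":
            replies.append("221 bye")
        else:
            replies.append("500 unrecognised command")
    return replies, stored

def session(body_lines):  # constructed client side carrying one message
    return ["EHLO client.example", "MAIL FROM:<a@client.example>",
            "RCPT TO:<b@mx.example>", "DATA", *body_lines, ".", "QUIT"]

CLEAN = ["Subject: hello", "", "plain text"]
INFECTED = ["Subject: invoice", "", "payload " + INFECTED_MARKER]

if __name__ == "__main__":
    for name, body in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, receive(session(body)))
```

In the infected case nothing is stored and no bounce is generated; the 550 goes to whichever host is actually connected, regardless of the envelope sender.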
 
I'm still studying; I think it's possible with exim; exim is extremely configurable.

Jeff
 
Jeff

Any update to this? If it works as well as your spamblocker I would like to donate something towards your efforts.

You might consider putting a donation page on your web site for this kind of thing. Have you seen the donation page for the mrtg creator here? You never know, someone might donate a car :)

cheers

Jon
 
I prefer the method Jeff had discussed with his virus scanner, in that infected email is not processed on the server but rejected (like spamblocker) at data time.

regards

Jon
 
With what operating system? I keep hearing exiscan and RHE is problematic. I asked a while back if anyone has exiscan/Clam/SA working on RHE. Anyone?
 
Been running Fedora2 with Exiscan, ClamAV and Spamassassin for a few months now with no trouble. I will know more when I move more sites to it to load it a little heavier. I did have some stability problems once before installing ClamAV, but replacing the cheap generic RAM with Viking RAM cleared that up.

Matthew
 
You can simply add a virus scanner such as ClamAV to Exiscan which comes with Directadmin now. Been running it for several months now and it works fine.

http://www.directadmin.com/forum/sh...=&threadid=3860

What I want now is to upgrade to Spamassassin 3.0 when it comes out.

Matthew

Are you running it with the spamblocker exim config?

All new Directadmin exim configs come with the Spamblocker but I have it turned off.

I have set up manually to block in exim.conf based on the 2 blacklists: ordb.org and spamhaus.org, both of which rarely false and have clear listing policies.

#ACLs
deny dnslists = relays.ordb.org : sbl-xbl.spamhaus.org
     message = rejected because $sender_host_address is in the blacklist at $dnslist_domain\n\
               ($dnslist_text)

I do not trust blocking based on any other blacklists. I prefer using Spamassassin to score each message and give the end email user the option to keep or toss messages. I understand the argument that blocking is better since it saves CPU cycles and bandwidth, and I agree. I just feel a junk mail folder the end user can check once a week or so is much safer. Also, with a junk mail folder they can tell how well the SPAM filter is working too!

If we had a way to turn Spamblocker on in the Directadmin GUI per email user, I admit I would really like that. That way, if they want it turned on, it's their decision and they cannot complain to me about their aunt not being able to email them from China. Of course they will probably still complain to me about it.

Matthew
 