One, you lock the target...
August 12, 2005 9:27 AM
Looking for a new inbound-/outbound- SMTP virus scanning solution on Linux (SLES, to be exact).
We're looking for fresh ideas for a new solution that doesn't require a whole lot of cash and is fairly reputable. What we have right now is driving us ka-raaaaazy!!!
I'm currently using McAfee WebShield SMTP for Windows (which has proven functional yet unreliable, and seems to be near end-of-life as McAfee is trying to hype up their appliances), and we currently have a slew of their other virus scanning products for our servers and client PCs, so the use of McAfee virus scanning software is preferable (since they update their virus definition files rather often).
Filtering spam isn't so much of a big deal; we have an internal tool that does that very well (Gwava).
A friend, for instance, is using clam-av + sendmail + spamassassin, but I'm a little leery of using a free virus scanner like Clam-AV for a large enterprise that gets hammered with viruses and spam... unless someone can convince me otherwise.
Anyone got any ideas on how to put together a mostly-open-source virus scanning solution that will get the job done for a 6000+ user environment and not leave our heads spinning in the process?
ugh, do not not not use sendmail whatever you do. no, really. exim is my personal preference. postfix and qmail are also quite good. stone age vs. diamond age, if you will.
clamav is pretty good. the other thing is that with something like spamassassin/razor/pyzor/dcc working, you are already going to be cutting out major amounts of incoming viruses (simply due to the spamminess of said virus emails)
posted by dorian at 9:44 AM on August 12, 2005
clamav is exceptionally good. I run a company that does email filtering commercially, and we use it along with a commercial scanner to catch viruses. I honestly don't know why we waste CPU time with the commercial scanner. It's been months since it had a signature before clamav.
I suggest exim+clam-av... I hate SA, but as far as open-source products go, it's pretty much the only thing going.
posted by mosch at 9:52 AM on August 12, 2005
ClamAV is really good, and it ought to scale to 6,000 users just fine.
posted by cmonkey at 10:35 AM on August 12, 2005
i use the mailscanner package with clam AV for about 1000 users. i was referred to mailscanner by some colleagues that run larger installations and i've been very pleased with it.
posted by yeahyeahyeahwhoo at 11:01 AM on August 12, 2005
clamav is exceptionally good. I run a company that does email filtering commercially, and we use it along with a commercial scanner to catch viruses. I honestly don't know why we still waste CPU time with the commercial scanner. It's been months since it had a relevant signature before clamav, and even then it was an hour, not a day.
I suggest exim+clam-av... I hate SA, but as far as open-source products go, it's pretty much the only thing going.
posted by mosch at 11:15 AM on August 12, 2005
Another strong vote for ClamAV. I've been using it for over a year with exim and greylisting, and I've had no complaints and have never received a bounce from another mailserver that has recognised a virus that ClamAV hasn't.
I used to use SA for anti-spam, but it's not worth the overhead because the greylisting does such a good job.
posted by quiet at 11:39 AM on August 12, 2005
quiet, do you have some pointers for what you're using for greylisting?
posted by phearlez at 11:54 AM on August 12, 2005
phearlez: this is what i'm using for greylisting with sendmail:
http://hcpnet.free.fr/milter-greylist/
posted by yeahyeahyeahwhoo at 2:21 PM on August 12, 2005
I do greylisting in exim with a custom config. Mostly reasonable configs to do this are available in the exim archives.
One warning about greylisting: beware of the webmail sites. Gmail and Yahoo both play badly with traditional greylisting (they routinely resend from different servers), and there are a few other services (UPS's flatfile info delivery comes to mind) that muddy up the envelope sender info in a way that breaks when applied to standard greylist implementations as well.
Unfortunately, I've yet to see any publicly available greylist implementation that wasn't severely flawed.
posted by mosch at 7:06 PM on August 12, 2005
Look into exim + exiscan (was a patch, now included stock) + clamav + spamassassin.
The beauty of exiscan is that it lets you scan the message during the DATA phase, before you've accepted it. This means that if it's a virus or spam you can 550 it right then and there and not even give the slightest hint of it being accepted. This means you aren't stuck with the decision of sending out a bounce (which in almost all spam/virus cases will be sent to some completely innocent and unrelated third party whose address was spoofed) or not sending a bounce and missing legitimate bounces. When someone joe-jobs your address in a spam run you will very quickly realise how stupid and braindead most bounces are.
Scanning at SMTP time instead of accepting it and then scanning is much better for everyone involved.
You can even do a two level thing. For example, I reject spam that scores greater than 20 spamassassin points at SMTP DATA phase, and I tag messages that scan higher than 5 points for filtering in the MUA.
posted by Rhomboid at 1:30 AM on August 13, 2005
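An added example (not Rhomboid's config, nor anything from the thread) of the DATA-phase ACL he describes, for an Exim build with content scanning (the old exiscan patch) compiled in. The ACL name, the clamd and spamd addresses and the header names are assumptions; the 20-point reject and 5-point tag thresholds follow his figures.

```exim
# Main section (assumed socket/port): hand scanning off to local clamd and spamd.
av_scanner    = clamd:/var/run/clamav/clamd.sock
spamd_address = 127.0.0.1 783

# Run this ACL after the DATA command, i.e. before the message is accepted.
acl_smtp_data = acl_check_data

begin acl

acl_check_data:
  # Malware: refuse during DATA, so no bounce is ever generated
  # to a (usually forged) envelope sender.
  deny  message = Message rejected: contains malware ($malware_name)
        malware = *

  # Level 1: reject outright anything scoring more than 20 SpamAssassin points.
  # $spam_score_int is the score multiplied by 10; "nobody:true" forces the
  # spam condition true so the score is available regardless of spamd's
  # own required_score setting.
  deny  message   = Message rejected: spam score $spam_score
        spam      = nobody:true
        condition = ${if >{$spam_score_int}{200}{1}{0}}

  # Level 2: tag anything above 5 points and leave filtering to the MUA.
  warn  spam       = nobody:true
        condition  = ${if >{$spam_score_int}{50}{1}{0}}
        add_header = X-Spam-Flag: YES
        add_header = X-Spam-Score: $spam_score ($spam_bar)
        add_header = X-Spam-Report: $spam_report

  accept
```

A deny in the DATA ACL answers the sending host with a 550 by default, which is the refusal-before-acceptance Rhomboid is describing; nothing is queued, so nothing can bounce.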
posted by kuperman at 9:28 AM on August 12, 2005