[Exim] Re: Best antivirus software with exim

Author: Suresh Ramasubramanian
Date:  
To: exim-users
Subject: [Exim] Re: Best antivirus software with exim
+++ Robert Rotman [exim-users] <19/09/01 18:58 +0200>:
> Has anybody here experiences with scanning emails on a high-loaded
> incoming mailsystem?


I have used it on a system with ~ 50k mails (big ones, courtesy it being a
corporate mailserver and lots of people love to send 400kb .. 1mb attachments
back and forth) per hour.

Hassles are -

1. Better not keep copies of infected mail - or store them someplace other
than /var (or /var fills up VERY fast, esp if the viruses are sircam
attachments etc)

2. Every single mail is scanned - so every single attachment is unzipped /
uncompressed, scanned, compressed back and sent on its mail. Inbound and
outbound. This means a significant delay in processing - and huge amount of
disk I/O. A journaling filesystem of some sort (SGI XFS should do the trick)
is a good idea in such a case.

3. Monitor the postmaster (or whatever other mailbox) account to which virus
alerts are forwarded, on a continuous basis, and straightaway pull a guy's
network card if he's sending out virii. Adding a nullroute / ipchains block
sometimes means that the virus starts hammering on your machine at the rate
of several hundred connections per second.

--
Suresh Ramasubramanian <----> mallet <at> efn dot org
EMail Sturmbannfuhrer, Lower Middle Class Unix Sysadmin