RE: [exim] which approach for: exiscan, clamav & spamassass…

Author: Herb Martin
Date:  
To: 'Mailinglist EXIM'
Subject: RE: [exim] which approach for: exiscan, clamav & spamassassin ?
> [mailto:exim-users-bounces@exim.org] On Behalf Of Timothy Spear
> Sent: Monday, August 01, 2005 6:48 PM
> I did the exiscan direct to ClamAV and then SpamAssassin.
> This is to reduce load on the server, since I perform it as
> part of the SMTP Data ACL. Virus email is rejected before the
> call to SpamAssassin. Since SpamAssassin will run all rules
> which apply, even if the spam score has been passed, I would
> end up running spam filtering rules against viral email.


I do this as well -- we do not drop mail based on SpamAssassin
(yet) but we do drop an email if ClamAV says it has a virus;
we never accept it. (Maybe that is too aggressive but it is what
we do currently.)

Given this practice -- we do virus scanning before Spam scanning,
and then do NOT use the SpamAssassin virus/clamav plugin --
it would not only be redundant but fruitless to scan for viruses
again.

Greylisting is running on my "low priority" (high numbered MX)
server and it is knocking down practically all of the Spam that
arrives there -- with no scanning at all. I have not identified
any "lost" Ham this way, but it is fairly uncommon for a Ham to
arrive on that server anyway.

Oh, and we don't even do the greylisting unless the incoming
mail server is in some Blacklist. With this method we can use
very aggressive blacklists since they do not block anything,
only direct the mail through the greylisting checks.

I am considering using SpamAssassin scores to do the same, e.g.,
    Score > threshold THEN greylist (check) it.


This would be preferable to an outright dropping, and a lot
easier to handle the review of email given a "Spam" score by
SA.

In a followup, a poster asked 'why would anyone do it the other way?'.
Doing the ClamAV/virus checks is just another choice, and some
people don't have an easy way to do the virus scanning at SMTP
connect time or separate from SA so that is their best method.

--
Herb
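
The ordering discussed in this message, as an added example that is not part of the original post or of Exim: a small Python model in which a blacklist hit only routes a host through greylisting, and the virus verdict is checked before any spam scoring. The class names, the 300-second delay, and the scanner and DNSBL stand-ins are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Greylist:
    delay: int = 300                      # seconds before a retry is accepted (assumed value)
    first_seen: dict = field(default_factory=dict)

    def passed(self, triplet, now):
        """Record the first attempt; pass only a retry made after the delay."""
        return now - self.first_seen.setdefault(triplet, now) >= self.delay

@dataclass
class Policy:
    has_virus: Callable[[bytes], bool]    # stand-in for the ClamAV verdict
    spam_score: Callable[[bytes], float]  # stand-in for the SpamAssassin score
    listed: Callable[[str], bool]         # stand-in for the DNSBL lookup
    greylist: Greylist = field(default_factory=Greylist)
    spam_scans: int = 0                   # how often the costly spam scan ran

    def rcpt(self, ip, sender, recipient, now):
        # A blacklist hit never rejects: it only sends the host through greylisting.
        if self.listed(ip) and not self.greylist.passed((ip, sender, recipient), now):
            return "defer"
        return "accept"

    def data(self, body):
        if self.has_virus(body):
            return "reject", None         # refused before the spam scanner is called
        self.spam_scans += 1
        return "accept", self.spam_score(body)

def run_demo():
    # Constructed sample data: documentation IPs and toy scanner stand-ins.
    p = Policy(has_virus=lambda b: b"EICAR" in b,
               spam_score=lambda b: 7.5 if b"pills" in b else 0.1,
               listed=lambda ip: ip == "192.0.2.10")
    t = ("192.0.2.10", "a@example.org", "b@example.net")
    rcpt = [p.rcpt(*t, now=0), p.rcpt(*t, now=60), p.rcpt(*t, now=400),
            p.rcpt("198.51.100.5", "c@example.org", "b@example.net", now=0)]
    data = [p.data(b"EICAR test body"), p.data(b"cheap pills"), p.data(b"hello")]
    return rcpt, data, p.spam_scans

if __name__ == "__main__":
    print(run_demo())
```

The listed host is deferred until it retries after the delay, the unlisted host is never greylisted, and the spam scanner runs only for the two messages that passed the virus check.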