RE: [exim] which approach for: exiscan, clamav & spamassass…

Author: Timothy Spear
Date:  
To: 'Herb Martin', 'Mailinglist EXIM'
CC: Timothy Spear
Subject: RE: [exim] which approach for: exiscan, clamav & spamassassin ?
The advantage of rejecting via SpamAssassin during the ACL is the sender
will get almost immediate feedback that the message was rejected. Our deny
message tells the sender to contact whomever they were trying to email via
phone and ask for their domain to be whitelisted. This way legitimate email
is not dropped into never never land waiting for human intervention. This
has dramatically reduced the amount of spam we deal with, with so far only a
single customer impact (it was actually someone I deal with :-)). I created
the initial whitelists from two months of domains which we send to, minus
the obvious mail houses (Yahoo, MSN....). I use the same method with the
majority of the other Spam Filtering tools which we use; this will ensure
email is never lost, and the sender is notified; and email is not bounced
abusing some poor soul who has had the misfortune to have his/her email
address spoofed.

Tim

-----Original Message-----
From: exim-users-bounces@??? [mailto:exim-users-bounces@exim.org] On
Behalf Of Herb Martin
Sent: Monday, August 01, 2005 8:33 PM
To: 'Mailinglist EXIM'
Subject: RE: [exim] which approach for: exiscan, clamav & spamassassin ?

> [mailto:exim-users-bounces@exim.org] On Behalf Of Timothy Spear
> Sent: Monday, August 01, 2005 6:48 PM
> I did the exiscan direct to ClamAV and then SpamAssassin.
> This is to reduce load on the server, since I perform it as
> part of the SMTP Data ACL. Virus email is rejected before the
> call to SpamAssassin. Since SpamAssassin will run all rules
> which apply, even if the spam score has been passed, I would
> end up running spam filtering rules against viral email.


I do this as well -- we do not drop mail based on SpamAssassin
(yet) but we do drop an email, but if ClamAV says it has a virus
we never accept it. (Maybe that is too aggressive but it is what
we do currently.)

Given this practice -- we do virus scanning before Spam scanning,
and then do NOT use the SpamAssassin virus/clamav plugin --
it would not only be redundant but fruitless to scan for viruses
again.

Greylisting is running on my "low priority" (high numbered MX)
server and it is knocking down practically all of the Spam that
arrives there -- with no scanning at all. I have not identified
any "lost" Ham this way, but it is fairly uncommon for a Ham to
arrive on that server anyway.

Oh, and we don't even do the greylisting unless the incoming
mail server is in some Blacklist. With this method we can use
very aggressive blacklists since they do not block anything,
only direct the mail through the greylisting checks.

I am considering using SpamAssassin scores to do the same, e.g.,
    Score > threshold THEN greylist (check) it.


This would be preferable to an outright dropping, and a lot
easier to handle the review of email given a "Spam" score by
SA.

In a followup, a poster asked 'why would anyone do it the other way?'.
Doing the ClamAV/virus checks is just another choice, and some
people don't have an easy way to do the virus scanning at SMTP
connect time or separate from SA so that is their best method.

--
Herb


--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
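
The ordering described in this thread (ClamAV first, then SpamAssassin, both refusing mail during the SMTP DATA ACL), sketched as an Exim configuration fragment. This is an added example, not configuration posted by either participant. The socket path, spamd address, whitelist file, list name, score threshold and message wording are all assumptions.

```exim
# Added example. All paths, the list name, the threshold and the message
# wording are assumptions; adjust them to the local installation.

# --- main configuration section ---
av_scanner    = clamd:/var/run/clamav/clamd.ctl
spamd_address = 127.0.0.1 783
acl_smtp_data = acl_check_data

# One sender domain per line (hypothetical file, maintained by hand).
domainlist whitelist_sender_domains = lsearch;/etc/exim/whitelist_sender_domains

# --- inside the existing "begin acl" section ---
acl_check_data:

  # 1. Virus scan first. An infected message is refused here, so the more
  #    expensive SpamAssassin call below is never made for it.
  deny    malware = *
          message = This message contains a virus ($malware_name).

  # 2. Whitelisted sender domains skip spam scoring. The envelope sender
  #    is not authenticated, so keep this list short.
  accept  sender_domains = +whitelist_sender_domains

  # 3. Spam scoring. "nobody:true" makes the condition succeed regardless
  #    of SpamAssassin's own threshold, so the decision is made on
  #    $spam_score_int (score x 10; 50 means 5.0, an assumed cut-off).
  #    Refusing during DATA returns a 5xx to the sending server, which
  #    notifies the real sender; this host never generates a bounce to a
  #    possibly forged address.
  deny    spam = nobody:true
          condition = ${if >{$spam_score_int}{50}}
          message = Rejected as probable spam. If this is legitimate mail, \
                    please phone the recipient and ask for your domain to \
                    be whitelisted.

  # 4. Everything else is accepted.
  accept
```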