Re: [exim] Snowshoe spam rejection

Author: Phillip Carroll
Date:  
To: exim-users
Subject: Re: [exim] Snowshoe spam rejection


On 11/16/2015 4:48 PM, Dennis Davis wrote:
> Possibly worth pointing out that there's common ground between
> anti-virus and anti-spam software. Especially if you're using the
> ClamAV virus checker:
>
> http://www.clamav.net/
>
> The variety of extra ClamAV signatures at:
>
> http://sanesecurity.com/
>
> include anti-spam, anti-phishing, etc signatures.
>
> I found the above extra signatures were very useful and got rid of
> a lot of stuff before even running messages through SpamAssassin.
> This was quite efficient computationally, at the expense of the
> extra memory used by ClamAV to store the "virus" signatures.
>
> I've been out of the mail administrator role for quite some time
> now. So I can't say whether or not these extra ClamAV signatures
> will help with Snowshoe spam rejection.
> -- Dennis Davis <dennisdavis@???>


I agree there is quite a bit of overlap between spam and malware checkers.

As I mentioned, my first line of defense is running every connection
against Spamhaus ZEN at RCPT ACL time. Since employing the ZEN check,
both malware and botnet spam have been drastically reduced.

In the DATA ACL, I also run ClamAV with the latest signatures before
running SA. Interestingly, ClamAV has not found anything in several
months. (Admittedly, my server is very low volume, only a few hundred
"ham" emails daily.)

I attribute the lack of malware to the ZEN XBL.

The last vestige of spam getting past RCPT time at my server is 100% of
the 'snowshoe' variety. I am now pretty sure I have figured out how to
stop that with a home-grown message scanner (which I plan to run after
ClamAV and before SA).

I have also decided to stop using "deny" at the DATA ACL and instead
either redirect to a webmaster alias or the bit bucket. I have reached
the conclusion that denying spam or malware at DATA time doesn't
accomplish anything useful. Using deny with a code at RCPT time has the
feature of saving both internet bandwidth and server time, but after
DATA, that damage is already done.
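The pipeline described in the message above (ZEN at RCPT time, ClamAV in the DATA ACL, and a redirect rather than a deny once the body has been received) written out as Exim configuration. This is an added example, not the poster's own configuration. It assumes a clamd socket at /var/run/clamav/clamd.ctl, host lists named relay_from_hosts and local_domains, the alias webmaster@example.org, and an Exim built WITH_CONTENT_SCAN (needed for the malware condition). The home-grown snowshoe scanner is not shown because the message does not describe it; it would slot in where the comment says so and set the same variable.

```exim
# ---- main section ----
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
av_scanner    = clamd:/var/run/clamav/clamd.ctl        # assumed socket path
hostlist relay_from_hosts = 127.0.0.1 : ::1             # assumed trusted clients
domainlist local_domains  = example.org                 # assumed local domain

begin acl

acl_check_rcpt:
  # Trusted and authenticated clients skip the DNSBL lookup entirely.
  accept  hosts         = +relay_from_hosts
  accept  authenticated = *

  # Reject at RCPT time: a 550 here costs only the envelope, not the body.
  # $dnslist_text carries the TXT record returned by ZEN, which names the
  # listing (SBL, XBL or PBL) so the sending admin can look it up.
  deny    dnslists      = zen.spamhaus.org
          message       = $sender_host_address is listed at $dnslist_domain\n$dnslist_text

  accept  domains       = +local_domains
  deny    message       = relay not permitted

acl_check_data:
  # ClamAV first. Record the verdict in a message ACL variable instead of
  # denying: acl_m variables are saved with the spooled message and are
  # available to the routers at delivery time.
  warn    malware       = *
          set acl_m_verdict = malware:$malware_name
          logwrite      = ClamAV flagged $message_exim_id: $malware_name

  # The home-grown scanner and SpamAssassin would run here, each setting
  # acl_m_verdict when it flags the message.
  accept

begin routers

# First router: anything flagged in the DATA ACL is delivered to the
# webmaster alias. Change the data line to ":blackhole:" for the bit bucket.
flagged_redirect:
  driver      = redirect
  condition   = ${if def:acl_m_verdict {yes}{no}}
  data        = webmaster@example.org
  headers_add = X-Quarantine-Reason: $acl_m_verdict
  no_more

# Normal local and remote routers follow.
```

The split mirrors the reasoning in the message: the only rejection that saves bandwidth is the one issued before DATA, so the DNSBL check sits in acl_check_rcpt with a deny, while the content scanners in acl_check_data only annotate the message and let a redirect router decide where it ends up. Keeping the verdict in an acl_m variable rather than a header means a sender cannot pre-set it by including the header themselves.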