SLUG Mailing List Archives
Re: [SLUG] Mid-DATA spam/AV detection considered harmful [Was: Virus scanning bounce strategy]
- To: slug@xxxxxxxxxxx
- Subject: Re: [SLUG] Mid-DATA spam/AV detection considered harmful [Was: Virus scanning bounce strategy]
- From: Theo Julienne <slug@xxxxxxxx>
- Date: Sun, 01 Feb 2004 19:33:52 +1100
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6b) Gecko/20031205 Thunderbird/0.4
Jeff Waugh wrote:
No, not Amavis. Amavis is just the middle-man. I'm talking about the
virus scanners. Amavis does indeed run as a daemon - but it still runs
command-line scanners ( kavscanner, etc ) which load the virus database
each time - Kaspersky even recommends this daemonised approach for their
AV software ( and really, they have made a _great_ piece of software ).
You need to research Amavis a bit more. :-) These days, it runs as a daemon
and talks SMTP, loads and uses SpamAssassin modules directly, plus talks to
all the AV daemons directly (or the command line clients and scanners). Its
role is largely policy and response, as well as safe unpacking of archives
Why should Amavis be here extracting the files, when good virus programs
like KAV can do it for you? Why do we have Amavis there acting as a
middle-man, when we could be going directly? Fine, MTAs don't support it
out of the box, but really, it's a much simpler and more efficient
solution than having a perl script daemon running there in the middle!
It's not mid-data, it's post-data. But
pre-telling-the-remote-mta-that-its-sent-perfectly ( eg DATA ends with
"." -- after that, according to the SMTP protocol the mail server must,
if the mail was sent correctly, send a "250 OK" message back -- simply,
rather than sending the OK message, we send back error and say "don't
send me viruses" or whatever -- most MTAs send this string back to the
user that sent it ).
You haven't addressed the mid-DATA problems at all, though.
Providing everything is configured correctly - it's not unreliable. If
the daemon turns off - mail is indeed rejected - but the sender is told
that it's a temporary local problem and to try again. HOWEVER - this
should _never_ happen!
If we're going to scan our emails for spam/viruses, is there any _real_
disadvantage to doing this at SMTP time?
Yes - it's viciously unreliable.
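As an added illustration of the post-DATA behaviour Theo describes (reply with an error instead of "250 OK" after the terminating ".", and a temporary failure when the scanning daemon is unavailable), here is a small Python simulation of the server side of the DATA phase. This is not code from this thread, Amavis, KAV or any MTA; the scanner, the marker it looks for and the reply texts are constructed stand-ins.

```python
"""Simulated end-of-DATA decision for an SMTP-time content scanner (constructed example)."""

class ScannerUnavailable(Exception):
    """Raised when the (stand-in) scanning daemon cannot be reached."""

# Constructed marker standing in for a real virus signature database.
TEST_MARKER = "X-Constructed-Test-Malware: yes"

def fake_scan(message: str, daemon_up: bool = True) -> bool:
    """Stand-in scanner: returns True for 'infected'; raises if the daemon is down."""
    if not daemon_up:
        raise ScannerUnavailable("scanner daemon not running")
    return TEST_MARKER in message

def end_of_data_reply(message: str, daemon_up: bool = True) -> str:
    """Pick the reply sent after the lone '.' that ends DATA.

    Instead of always answering 250, an infected message gets a permanent 5xx
    (the sending MTA relays this text to its user), and a scanner outage gets a
    4xx so the sender retries later rather than losing the mail.
    """
    try:
        infected = fake_scan(message, daemon_up)
    except ScannerUnavailable:
        return "451 4.3.0 Temporary local problem, please try again later"
    if infected:
        return "554 5.7.1 Message rejected: virus detected, don't send me viruses"
    return "250 2.0.0 OK: queued"

def smtp_data_phase(client_lines, daemon_up: bool = True):
    """Consume the client's DATA lines up to the '.' terminator.

    Returns (replies, message). Exactly one reply follows the 354 greeting, and
    only after the terminator: nothing is said mid-DATA. If the client never
    sends the terminator, no message is accepted and message is None.
    """
    replies = ["354 End data with <CR><LF>.<CR><LF>"]
    body = []
    for line in client_lines:
        if line == ".":
            message = "\r\n".join(body) + "\r\n"
            replies.append(end_of_data_reply(message, daemon_up))
            return replies, message
        # RFC 5321 dot-stuffing: a leading '.' the client doubled is restored.
        body.append(line[1:] if line.startswith("..") else line)
    return replies, None
```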