[PLUG] On the topic of spam & MS-virii

AthlonRob AthlonRob at axpr.net
Fri Feb 6 21:24:02 UTC 2004


On Fri, 2004-02-06 at 20:23, Wil Cooley wrote:
> On Fri, 2004-02-06 at 19:50, AthlonRob wrote:
> 
> > That would, of course, be a bit redundant.  Local spam checks would be
> > run twice.  The first half second of any virus scans would be run
> > twice.  It would be nice to configure it such that the virus scans would
> > only be run once if they completed successfully on the first run, but
> > I'm relatively confident that would require more hacking than I want to
> > toss into this right now.
> 
> You would definitely /want/ the local spam checks to be run twice--it
> might not make the score high enough with the local checks alone, but
> local and remote checks later might.

Yes... it would be nice if there were some method of passing the already
completed local checks score to the second scan, which would just add on
the remote scores to it.  Of course, that would be far more work with
the existing tools out there...

> > Things that made it through to the second tier... I would still be left with the initial
> > issue - to bounce or not to bounce?  ...but it would be far less
> > important, as the big popular viruses out there today could be blocked
> > with local SA rules if the virus scanner takes too long.
> 
> I don't bounce for spam or viruses; there isn't much point.

Viruses, I agree... and I don't bounce for them.  Spam, however... I had
an RBL returning everything true for about a week before I figured out
what was up (well... took the time to figure it out)... if people hadn't
emailed me saying their messages to me were getting dropped, I would
probably have never checked.  Unfortunately, false positives do happen
due to things like that sometimes.  :-(

> > Nice.
> > 
> > Now, to implement such a thing might be more of a pain in the ass than
> > thinking it up.  :-)
> 
> Not too bad really--you'll just need separate config files and separate
> temp dirs.  One downside is that you'll also need separate Bayes
> databases, so Bayes will be pretty much useless on the front-end proxy
> (it seems very unlikely to me that you'll pass the score thresholds
> without remote checks enabled; it might be useful if you can somehow
> find a way to feed messages back into it).

I hadn't thought about the bayes database... I wonder if I could run
both layers of the same database?  Since SA is just reading the
database, locking/sharing stuff shouldn't be an issue.  If both
instances of amavis were running as the same user, they'd share the same
bayes database.  The local_sa_checks setting is in amavis's config file,
so should be set in the spamd initialization......

This might take some experimentation, but I'll bet we can get the bayes
database shared between the two check levels.  Otherwise, we could just
duplicate it between the two users.

> Let me know how it works out.

Will do... although I'm not sure when I'll get around to attempting an
implementation.

Rob
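
Added example, not part of the original message: a health check that would catch an RBL answering "listed" for every query, like the one described above, before its hits feed the remote-check tier. It relies on the RFC 5782 convention that a DNSBL lists 127.0.0.2 as a test entry and never lists 127.0.0.1; the zone names and the stub resolver are constructed so the block runs offline.

```python
import socket

def rbl_query_name(ip, zone):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dns_lookup(name):
    """Default resolver: A records for name, or [] when it does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def rbl_health(zone, resolve=dns_lookup):
    """Classify a DNSBL zone using the RFC 5782 test addresses."""
    # 127.0.0.1 must never be listed; a hit means the zone answers for anything.
    if resolve(rbl_query_name("127.0.0.1", zone)):
        return "lists-everything"
    # 127.0.0.2 should always be listed; a miss means the zone is dead or emptied.
    if not resolve(rbl_query_name("127.0.0.2", zone)):
        return "no-test-entry"
    return "ok"

def usable_rbls(zones, resolve=dns_lookup):
    """Keep only the zones whose answers can be trusted for scoring."""
    return [z for z in zones if rbl_health(z, resolve) == "ok"]

# Constructed stub resolver and zones (hypothetical names) standing in for DNS.
def make_stub(behaviour):
    def resolve(name):
        for zone, listed in behaviour.items():
            if name.endswith("." + zone):
                ip = ".".join(reversed(name[: -len(zone) - 1].split(".")))
                return ["127.0.0.2"] if listed(ip) else []
        return []
    return resolve

STUB = make_stub({
    "good.rbl.example": lambda ip: ip in {"127.0.0.2", "192.0.2.50"},
    "wildcard.rbl.example": lambda ip: True,   # returns true for everything
    "dead.rbl.example": lambda ip: False,      # answers nothing at all
})

if __name__ == "__main__":
    for zone in ("good.rbl.example", "wildcard.rbl.example", "dead.rbl.example"):
        print(zone, rbl_health(zone, STUB))
```

Run from cron against the zones the mail filter actually uses, a non-"ok" result is the cue to disable that list's rule until it recovers.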




