Date:      Tue, 27 Jan 2004 17:07:38 -0500
From:      Chris Shenton <chris@shenton.org>
To:        David Wolfskill <david@egation.com>
Cc:        isp@freebsd.org
Subject:   Re: Recommendation for "antivirus" software (MTA is qmail)
Message-ID:  <861xploxjp.fsf@PECTOPAH.shenton.org>
In-Reply-To: <20040127181820.GJ323@frecnocpc2.noc.egation.com> (David Wolfskill's message of "Tue, 27 Jan 2004 10:18:20 -0800")
References:  <20040127181820.GJ323@frecnocpc2.noc.egation.com>

David Wolfskill <david@egation.com> writes:

> My boss, who persists in using a M$-based desktop, wants me to install
> an "antivirus solution" on our mail server.

> The MTA we currently use is qmail on a system running FreeBSD 4.8.
> As far as I can tell, that is for its ease of integration with
> vpopmail. 

qmail guru, Russ Nelson has the qmail-smtpd-virusscan.patch which
blocks all MS executable attachments sent as base-64 encoded
attachments. Folks who use it claim it stops almost all virii.  I
haven't done tests or analyzed logs, but it seems to help a huge
amount.  It's very fast since it just looks for the 9-character-long
base-64 strings which match the beginning of any MS executable file in
the first line of an attachment: it doesn't do unpacking, unzipping,
but it also doesn't believe any filenames or extensions.  It does this
at the qmail-smtpd level, before getting into your queue, rejecting
the connection with a message that says something like "we don't
accept executable attachments" so human senders can re-send as ZIP or
something. The qmail-ldap folks also use a variant for what it's worth.

I patched the qmail-smtpd on a small ISP I support, with which I also
use vpopmail.  They're loosely coupled enough this isn't a problem.

I'd suggest starting with this.  If anything gets through, you might
want to look into another more CPU-intensive filter. But the patch is
very low CPU usage.

I don't have a handle on the anti-spam thing -- that's a LOT harder to
detect reliably (and cheaply/quickly).



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?861xploxjp.fsf>
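As an added illustration of the technique Chris describes above (this is example code written for this page, not code from the thread and not the qmail-smtpd-virusscan.patch itself), the Python below derives the base64 prefixes that the "MZ" header of any MS executable can produce, then scans a raw message line by line the way an SMTP-stage filter would: no MIME parsing, no unpacking, and no trust in the attachment's filename or extension. The sample messages are constructed fixtures; the 3-character prefix set plus a decode check is a simplification of the patch's longer fixed strings, and the 554 reply wording is an assumption.

```python
import base64
import binascii
import re
from typing import Optional

# First two bytes of every MS-DOS/Windows executable (the "MZ" header).
MZ_MAGIC = b"MZ"


def b64_prefixes(magic: bytes) -> frozenset[str]:
    """Return every base64 prefix that can start an encoding of data beginning with `magic`.

    Base64 encodes 3-byte groups into 4 characters, so the last character touched by
    `magic` may also depend on the byte that follows it. Enumerate that byte; any further
    padding bytes do not affect the characters we keep.
    """
    nchars = -(-len(magic) * 8 // 6)      # base64 characters influenced by `magic`
    pad = (-len(magic)) % 3               # bytes needed to complete the last 3-byte group
    if pad == 0:
        return frozenset({base64.b64encode(magic).decode("ascii")[:nchars]})
    return frozenset(
        base64.b64encode(magic + bytes([nxt]) + b"\0" * (pad - 1)).decode("ascii")[:nchars]
        for nxt in range(256)
    )


# For b"MZ" this is {"TVo", "TVp", "TVq", "TVr"}; "TVqQ" is the familiar start of a PE file.
MZ_PREFIXES = b64_prefixes(MZ_MAGIC)

# A line that looks like a base64 body line of a MIME part (76-char lines in practice).
B64_LINE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")


def find_executable_attachment(raw_message: str,
                               prefixes: frozenset[str] = MZ_PREFIXES) -> Optional[int]:
    """Return the 1-based line number of the first base64 line that decodes to an MS
    executable header, or None. Works like an SMTP-stage filter: no MIME parsing, no
    unpacking, and filenames/extensions are ignored entirely."""
    in_body = False
    for lineno, line in enumerate(raw_message.splitlines(), start=1):
        if not in_body:
            in_body = line == ""          # blank line ends the top-level headers
            continue
        if not B64_LINE.match(line) or not line.startswith(tuple(prefixes)):
            continue
        # Cheap prefix hit; confirm the line really is base64 before rejecting.
        stripped = line.rstrip("=")
        try:
            decoded = base64.b64decode(stripped + "=" * (-len(stripped) % 4), validate=True)
        except binascii.Error:
            continue
        if decoded.startswith(MZ_MAGIC):
            return lineno
    return None


def smtp_data_reply(raw_message: str) -> str:
    """Reply to send at the end of DATA: a permanent 5xx so a human sender learns to
    re-send the file as a ZIP archive instead. Wording is an assumption, not the patch's."""
    if find_executable_attachment(raw_message) is not None:
        return "554 5.7.1 We do not accept executable attachments; send it as a ZIP archive instead"
    return "250 ok"


# --- Constructed sample messages (fixtures for this example, not real mail) ---

def build_message(filename: str, payload: bytes) -> str:
    body = base64.encodebytes(payload).decode("ascii").replace("\n", "\r\n")
    return (
        "From: sender@example.com\r\n"
        "To: rcpt@example.com\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "see attached\r\n"
        "--b1\r\n"
        f'Content-Type: application/octet-stream; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "\r\n"
        + body
        + "--b1--\r\n"
    )


FAKE_EXE = b"MZ\x90\x00" + bytes(60)   # DOS header stub, not a real program
FAKE_ZIP = b"PK\x03\x04" + bytes(60)   # ZIP local-file header, what a sender is told to use
SAMPLE_EXE_AS_JPG = build_message("holiday.jpg", FAKE_EXE)   # lying filename, still caught
SAMPLE_ZIP = build_message("holiday.zip", FAKE_ZIP)          # passes the filter
SAMPLE_TEXT = ("From: a@example.com\r\nTo: b@example.com\r\nSubject: hi\r\n\r\n"
               "TVoice mail? no, just text.\r\n")             # plain text, not base64

if __name__ == "__main__":
    for name, msg in [("exe-as-jpg", SAMPLE_EXE_AS_JPG), ("zip", SAMPLE_ZIP), ("text", SAMPLE_TEXT)]:
        print(f"{name:10s} line={find_executable_attachment(msg)} reply={smtp_data_reply(msg)}")
```

The trade-off is the same one the patch makes: matching only the characters determined by "MZ" catches every DOS/PE executable regardless of how the sender names it, but a longer fixed string (more of the DOS header) lowers the already small chance of a legitimate base64 line starting with "TVo".."TVr", which is why the real patch matches longer sequences. Neither approach looks inside ZIP or other containers, so an executable inside an archive goes through; that is the point at which a heavier content scanner is needed.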