From owner-freebsd-isp@FreeBSD.ORG Tue Jan 27 14:07:57 2004
Return-Path:
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DF96F16A4CE for ; Tue, 27 Jan 2004 14:07:57 -0800 (PST)
Received: from Shenton.org (23.ebbed1.client.atlantech.net [209.190.235.35]) by mx1.FreeBSD.org (Postfix) with SMTP id 4FF7343D4C for ; Tue, 27 Jan 2004 14:07:39 -0800 (PST) (envelope-from chris@Shenton.Org)
Received: (qmail 57277 invoked by uid 1001); 27 Jan 2004 22:07:38 -0000
To: David Wolfskill
References: <20040127181820.GJ323@frecnocpc2.noc.egation.com>
From: Chris Shenton
Date: Tue, 27 Jan 2004 17:07:38 -0500
In-Reply-To: <20040127181820.GJ323@frecnocpc2.noc.egation.com> (David Wolfskill's message of "Tue, 27 Jan 2004 10:18:20 -0800")
Message-ID: <861xploxjp.fsf@PECTOPAH.shenton.org>
User-Agent: Gnus/5.110002 (No Gnus v0.2) Emacs/21.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: isp@freebsd.org
Subject: Re: Recommendation for "antivirus" software (MTA is qmail)
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 27 Jan 2004 22:07:58 -0000

David Wolfskill writes:

> My boss, who persists in using a M$-based desktop, wants me to install
> an "antivirus solution" on our mail server.

> The MTA we currently use is qmail on a system running FreeBSD 4.8.
> As far as I can tell, that is for its ease of integration with
> vpopmail.

qmail guru Russ Nelson has the qmail-smtpd-virusscan.patch, which blocks all MS executable attachments sent as base-64 encoded attachments. Folks who use it claim it stops almost all virii. I haven't done tests or analyzed logs, but it seems to help a huge amount.
It's very fast since it just looks for the 9-character-long base-64 strings which match the beginning of any MS executable file in the first line of an attachment: it doesn't do unpacking or unzipping, but it also doesn't believe any filenames or extensions. It does this at the qmail-smtpd level, before getting into your queue, rejecting the connection with a message that says something like "we don't accept executable attachments" so human senders can re-send as ZIP or something. The qmail-ldap folks also use a variant, for what it's worth.

I patched the qmail-smtpd on a small ISP I support, with which I also use vpopmail. They're loosely coupled enough that this isn't a problem.

I'd suggest starting with this. If anything gets through, you might want to look into another, more CPU-intensive filter. But the patch is very low CPU usage.

I don't have a handle on the anti-spam thing -- that's a LOT harder to detect reliably (and cheaply/quickly).
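The check described in the message above, written out as an added Python example. This is not code from the message or from Russ Nelson's qmail-smtpd-virusscan.patch (that patch is C inside qmail-smtpd and matches a fixed list of 9-character base-64 prefixes). The example scans the raw message bytes line by line, as an smtpd-level filter would, and instead of a prefix list it decodes the first four base-64 characters of the first body line of each base64-encoded part and tests for the "MZ" magic that begins every MS executable, which generalises the same test. The sample messages, the boundary string, the filenames and the attachment contents are constructed for the example.

```python
"""Spot Windows executables in base64 attachments from the raw SMTP DATA stream.

Added illustration, not the qmail-smtpd-virusscan.patch itself. Every MS
executable begins with the bytes "MZ", so the first four base64 characters of
the attachment's first line decode to "MZ" plus one byte, whatever the declared
filename or Content-Type says. Nothing is unpacked, so zips pass through.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

MZ_MAGIC = b"MZ"
# Picks up the boundary parameter from a (possibly folded) Content-Type header.
BOUNDARY_RE = re.compile(rb'boundary="?([^";\s]+)"?', re.IGNORECASE)


def looks_like_mz(line: bytes) -> bool:
    """True if the first 4 base64 chars of the line decode to bytes beginning "MZ".

    4 base64 characters carry exactly 3 bytes, so this covers every prefix an MZ
    header can produce (TVo?, TVp?, TVq?, TVr?) without a lookup table.
    """
    head = line.strip()[:4]
    if len(head) < 4:
        return False
    try:
        return base64.b64decode(head, validate=True).startswith(MZ_MAGIC)
    except binascii.Error:      # not base64 at all: cannot be an encoded executable
        return False


def _is_boundary(line: bytes, boundaries: set) -> bool:
    """A line of the form --boundary or --boundary-- for any boundary seen so far."""
    if not line.startswith(b"--"):
        return False
    body = line[2:]
    if body.endswith(b"--"):
        body = body[:-2]
    return body in boundaries


def scan_for_executable(raw: bytes) -> Optional[bytes]:
    """Return the first base64 body line that encodes an MZ header, else None.

    Only the first line after each base64 part's header block is examined, and the
    top-level header block is treated like a part's (covers non-MIME base64 bodies).
    """
    boundaries = set()
    in_headers = True
    part_is_base64 = False
    expect_first_body_line = False
    for line in raw.splitlines():
        if in_headers:
            if line == b"":
                in_headers = False
                expect_first_body_line = part_is_base64
                continue
            lower = line.lower()
            if lower.startswith(b"content-transfer-encoding:") and b"base64" in lower:
                part_is_base64 = True
            m = BOUNDARY_RE.search(line)
            if m:
                boundaries.add(m.group(1))
            continue
        if _is_boundary(line, boundaries):
            in_headers = True            # a new part's header block follows
            part_is_base64 = False
            expect_first_body_line = False
            continue
        if expect_first_body_line:
            expect_first_body_line = False
            if looks_like_mz(line):
                return line
    return None


# Constructed first lines, not captured mail: the MZ/DOS stub header every
# Windows executable starts with, and a PK (zip) header for contrast.
EXE_FIRST_LINE = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
ZIP_FIRST_LINE = "UEsDBBQAAAAIAAAAIQAAAAAAAAAAAAAAAAAAAAAJAAAAZG9jLnR4dAAAAAAAAAAAAAAAAAAAAAAA"


def build_message(attachments: List[Tuple[str, str, str]]) -> bytes:
    """Constructed multipart/mixed message: a text part plus one base64 part per
    (content_type, filename, first_base64_line) tuple."""
    boundary = "qmail-example-boundary"
    lines = [
        b"From: sender@example.net",
        b"To: user@example.com",
        b"Subject: constructed sample",
        b"MIME-Version: 1.0",
        f'Content-Type: multipart/mixed; boundary="{boundary}"'.encode(),
        b"",
        f"--{boundary}".encode(),
        b"Content-Type: text/plain; charset=us-ascii",
        b"",
        b"See attached.",
        b"-- ",                 # signature separator: must not be taken for a boundary
        b"Sender",
    ]
    for ctype, name, first_line in attachments:
        lines += [
            f"--{boundary}".encode(),
            f'Content-Type: {ctype}; name="{name}"'.encode(),
            b"Content-Transfer-Encoding: base64",
            f'Content-Disposition: attachment; filename="{name}"'.encode(),
            b"",
            first_line.encode(),
            b"A" * 76,          # filler standing in for the rest of the encoded file
        ]
    lines.append(f"--{boundary}--".encode())
    return b"\r\n".join(lines) + b"\r\n"


def renamed_exe_mail() -> bytes:
    """An .exe smuggled as photo.jpg with image/jpeg: caught by content, not by name."""
    return build_message([("image/jpeg", "photo.jpg", EXE_FIRST_LINE)])


def zip_mail() -> bytes:
    """A zip attachment, which this check deliberately lets through."""
    return build_message([("application/zip", "tool.zip", ZIP_FIRST_LINE)])


if __name__ == "__main__":
    for label, msg in (("renamed exe", renamed_exe_mail()), ("zip", zip_mail())):
        hit = scan_for_executable(msg)
        print(label, "->", "reject, first line " + hit[:16].decode() if hit else "accept")
```

The function returns the offending line rather than a verdict so a caller at the smtpd stage can log it and emit the permanent rejection the message mentions, before the mail touches the queue. The zip sample is accepted on purpose: the check never unpacks anything, so a zipped executable (or one sent in an encoding other than base64) is exactly the case where a heavier scanner would have to take over.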