
Best Antivirus Options for a Mailserver?

CSIP asks: "I am setting up a small mailserver, with ~500 users, across 80 domains. I'm planning to use qmail-scanner and an antivirus scanner to block incoming viruses. I would prefer to use ClamAV, however I've read conflicting reports on its effectiveness. The commercial scanners appear to detect 99.X% however they are licensed per-user, which at 500+ users becomes quite the annual bill. What is everyone's experience with ClamAV? Are there other commercial scanners that allow you to license on a per-server basis?" The best indicator of quality for a virus scanner is the information in its virus database. How do ClamAV's virus definitions compare to commercial scanners, like McAfee's?
This discussion has been archived. No new comments can be posted.

  • Re:ClamAV (Score:2, Insightful)

    by revmoo ( 652952 ) <slashdot.meep@ws> on Wednesday March 03, 2004 @06:09PM (#8456659) Homepage Journal
    I have been using ClamAV for about 6 months, and so far it's blocked a few viruses. So far so good.

    Score:1, Interesting

    Right....
  • by Anonymous Coward on Wednesday March 03, 2004 @06:13PM (#8456695)
    The Blowtorch on an Ant method: Block all email with attachments.

    Now, granted, with 500 users, I'm going to assume that is not an option for you as people likely send files back and forth via email quite often.

    Still, I just wanted to point out that blocking email with attachments is probably the most effective antivirus option for a mailserver, though certainly not the best solution.

  • Do it. Then set up a simple web-based upload/download site using PHP. This is more efficient because the attachment doesn't need to be encoded for mailing, and gets around any attachment size limits for various users.

    It's extremely easy to do, and you could even set it up so that each uploaded file gets a little key so only the intended recipient can get it. The uploader script will automatically send an email to the desired recipient, containing a URL with the unique key embedded. Having all of the files stored on the server like that will probably cut down on all the inappropriate files too.

    Solution should take no more than three PHP files of 100 or less lines each.
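The per-file key scheme described in the comment above, as an added example that is not part of the original post and is written in Python rather than the PHP the comment proposes. The in-memory `_store`, the one-week `LINK_TTL`, the function names and the `files.example.invalid` host are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL = 7 * 24 * 3600   # assumed policy: links expire after one week
_store = {}                # file_id -> record; stands in for a database table


def register_upload(file_id, recipient, now=None):
    """Mint a one-off key for an uploaded file and return the URL to e-mail."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
    _store[file_id] = {
        "recipient": recipient,
        # Only a hash is stored, so a leaked table does not yield working links.
        "key_hash": hashlib.sha256(key.encode()).digest(),
        "expires": now + LINK_TTL,
    }
    return f"https://files.example.invalid/get?id={file_id}&key={key}"


def authorize_download(file_id, presented_key, now=None):
    """Return the stored record if the key matches and is unexpired, else None."""
    now = time.time() if now is None else now
    rec = _store.get(file_id)
    if rec is None:
        return None
    digest = hashlib.sha256(presented_key.encode()).digest()
    # Constant-time comparison avoids leaking how much of the key matched.
    if not hmac.compare_digest(digest, rec["key_hash"]):
        return None
    if now > rec["expires"]:
        return None
    return rec
```

Files served this way bypass the mail path entirely, so the upload handler is where any virus scan has to run.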
  • by Tumbleweed ( 3706 ) * on Wednesday March 03, 2004 @06:55PM (#8457292)
    Make sure your mail-server-based AV scanner can check inside attachments that are archives (zip, etc.), and not just individual documents. Many of the latest attachment-based viruses reside inside compressed archives. Also make sure it can tell the difference between an attached file's extension, and its real format, as sometimes they're sent out with deliberately-incorrect file extensions to get around the more stupid AV scanners.
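The two checks the comment above asks for, looking inside archives and comparing an attachment's extension with its real format, sketched as an added example that is not part of the original post or of any scanner named in this thread. The magic-byte table, the limits and the constructed sample are assumptions; a real gateway would pass each extracted member on to its virus scanner as well.

```python
import io
import zipfile

# Leading magic bytes for a few formats (small table chosen for this example).
MAGIC = {b"MZ": "exe", b"PK\x03\x04": "zip", b"%PDF": "pdf", b"\xff\xd8\xff": "jpg"}
KNOWN_EXT = set(MAGIC.values())
MAX_DEPTH = 3                    # stop descending into nested archives
MAX_MEMBER = 10 * 1024 * 1024    # skip members that declare more than 10 MiB


def sniff(data):
    """Return the format implied by the leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def inspect(name, data, depth=0):
    """Return (path, finding) tuples for one attachment, descending into zips."""
    findings = []
    base = name.rsplit("/", 1)[-1]
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    kind = sniff(data)
    if kind == "exe":
        findings.append((name, "executable content"))
    if ext in KNOWN_EXT and kind != ext:
        findings.append((name, f"extension .{ext} but content is {kind}"))
    if kind != "zip":
        return findings
    if depth >= MAX_DEPTH:
        return findings + [(name, "archive nested too deeply")]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:  # general-purpose bit 0: encrypted
                    findings.append((path, "encrypted member, cannot be scanned"))
                elif info.file_size > MAX_MEMBER:
                    findings.append((path, "member too large to inflate"))
                else:
                    findings += inspect(path, zf.read(info), depth + 1)
    except zipfile.BadZipFile:
        findings.append((name, "corrupt archive"))
    return findings


def build_sample():
    """Constructed sample: a zip holding an MZ stub, itself named like a photo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.pif", b"MZ" + b"\x00" * 62)
    return "photo.jpg", buf.getvalue()
```

Encrypted members are reported rather than skipped, so the mail policy can decide whether to quarantine what the scanner cannot read.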
  • by gklinger ( 571901 ) on Wednesday March 03, 2004 @07:04PM (#8457408)
    Don't want to sound like a flame, but have you *ever* worked with end users?

    I've admined corporate networks with between five hundred and a thousand clients and admined ISPs with five times as many so yeah, I've dealt with end users. It was my experience that you can either marvel at their stupidity and bang your head on your desk or marvel at their stupidity, try to help and educate them and then bang your head on your desk. I found the latter gave me the always heartwarming excuse, "I tried."

    At any rate, I think that perhaps you've missed my point. You can't prevent all bad things from happening but by putting a block in place which causes people to pause and reflect, you _may_ aid them in helping themselves. This is why we have railings on staircases, seatbelt warning lights in cars etc. I should also add that my suggestion does not in any way prevent an admin from also implementing some kind of server-side virus protection. The more protection, the merrier.

    As for users just opening things in their browser which are configured to execute anything executable they come across, what's to stop the same script from changing .exe to .xex with a note telling users that in order to execute the program they will have to manually change it back?

    Granted, you can't prevent a determinedly stupid person from being themselves but you can try to help those wavering on the edge. You also have to try to stay one step ahead of stupid because, contradictory to Darwin's teachings, stupid is evolving at a terrifying rate.

  • by millisa ( 151093 ) on Wednesday March 03, 2004 @07:53PM (#8458012)
    We use multiple front end postfix systems with the amavis-spamassassin-clam combo to hand off to a backend Imail server (which could be any backend mail server really), servicing several thousand domains and tens of thousands of end users in those domains. With the auto-updating features set up to check in hourly, we usually have the definitions for the latest worm on the system before it really starts hitting critical mass. When the Mydoom worm (worm.sco.x) came out, the definitions on our servers were updated on the 25th of January, the worm seemed to really start pounding things on the 26th and 27th. Monday morning, it had blocked 10k+ of the little bandit before any had gotten through and I got to read about the unhappy griping of the Norton AV users who hadn't gotten updated in time. It was a case where if we'd used anything but clam, we'd probably have had to deal with plenty of whiny end users (and who wants that?). Now, I'm still not 100% sold on clam, I'll sing its praises, but I'm not going to just use it just yet (so it takes me 6-12 months for me to trust something, call me paranoid). On the actual back end mail server, I'm still using declude to tie into f-prot's scanner. However, since setting up clam, I don't think there's been a single virus that's made it through (going on 5 months now) for it to catch. As Martha would say, "It's a good thing".

    With the recent bagle and somefool worms, I was seeing lots of catches by amavis-clam, but it didn't handle the encrypted zips correctly (though word on the mailing lists is that there are mods/updates that can be made to start handling them right. I'm just gonna dump all zips for now, those pesky users don't deserve 'em anyways). To answer the original question though? Is Clam ready for primetime? I think so, but erring on the side of caution and having another layer of virus checks in there can't hurt . . . either way, you'll need to keep tabs on it for the next 'catch you by surprise' variant that even the commercial products aren't responding to in time; the more users you are supporting, the higher the probability that you are going to be the one dealing with an account that was one of the first to receive the newest worm . . .
