Re: Exim, SpamAssassin and AV-advice needed



On Friday 10 January 2003 19:59, Derrick 'dman' Hudson wrote:

> More-or-less.  A lot of the (snipped) requirements are variations on
> the same theme.

Thanks a lot for your response! It is actually a snippet from your page 
I use for my exim config of SA. :-)

> | Long version: I did apparently get hit rather badly by a bunch of
> | e-mails with large virus-attachments last night at about 3am my
> | time.
>
> Some virii can be trivially trashed with a simple string or regex
> match.  I feel that an entire AV scanner is overkill.  If you upgrade
> to exim 4 you can use the ACLs to reject (not bounce) that sort of
> junk during the SMTP conversation.

OK, that would be cool. I also feel I don't need an AV-scanner, but I 
would need to keep those regexes up to date, and I don't feel like doing 
that myself. Is anybody maintaining a repository of simple regexes to 
reject viruses? 

Also, when I first put up my server, we exchanged a couple of e-mails on 
SA-Exim. I wasn't feeling too adventurous, and I didn't really know if 
I should go for Marc's Exim4 debs... You guys eventually recommended 
against it... :-) Has that changed...?

> | At the same time, some lists I administer on a server with an old
> | Mailman install got spammed hard, causing Mailman to send me
> | notices.
> |
> | Because Spamassassin was busy scanning those viruses, and my
> | new 2.43 install didn't get Razor to work as expected, the notices
> | from Mailman bounced.
>
> Messages shouldn't bounce just because SA had problems contacting the
> razor servers.  Regardless of the scanning, the message should have
> been frozen instead.  

Yeah, those get frozen, but the load is getting big, it seems, so that 
the server can't handle more and bounces _other_ incoming messages... 

> In any case you'll get better performance if
> you don't use razor.

Sure. But Razor works pretty well. I've disabled it now, but I would 
like to use it.

> | The funny thing with this install (which isn't mine, I can't fix
> | it) is that it reacts to a bounce from an admin by sending the
> | admin another message complaining about the bounce... Which
> | bounces, of course, so it sends another, and another...
>
> That is a /really/ /really/ bad configuration.  Bounces can't bounce.
> A bounce is sent with the NULL ("<>") envelope sender (as per RFC 821
> and 2821) so that this sort of situation can't occur. 

Yep, but it isn't my config. It is the buggy mailman implementation. 
_That's_ the one which is responding to a bounce from an admin by 
sending the admins notices about it. So, it isn't a bounce of a bounce, 
it is a notice that a bounce has happened, but sent to a list in the 
database that happens to be the address that is bouncing... It is at 
least two years since I first alerted the postmaster of that domain 
about the problem, so I don't expect them to correct it any time 
soon....  

> | Half an hour later, syslog indicates that my machine ran out of
> | memory, and when I came to work this morning, everything had pretty
> | much stalled...
>
> Yep.  Fortunately, the kernel won't die in an out-of-memory
> situation. It just starts killing processes in an effort to kill the
> resource hog.

Yeah, I noticed it killed several thousand... 

> However, you may not have a functional system if the
> wrong processes are killed (eg 'init' -- I had that happen on a
> machine with a really small amount of memory).

Uh... :-)

> | Nevertheless, I really need Spamassassin working, because I'm used
> | to getting spammed hard.
>
> Tips for performance tuning SA :
>     1)  use the spamc/spamd combination -- it stresses the system a
>         lot less

Done! :-)

>     2)  Limit SA to scan only a few messages concurrently.  Add '-m
> 5' to the command line options passed to spamd.

How would I do that in Debian...? :-)

>     3)  Don't scan really large messages, or scan just a subset of
> them (btw, the default for spamc is to not send messages larger than
> 250k to spamd; you can adjust this with the "-s" option or by
> conditions on the director in exim.conf)

OK, that sounds good. 

> | But obviously, I would rather have a virus scanner take care of
> | those large MS-virus-attachments, so SA won't have to deal with
> | those.
>
> Naturally, but I would just use a version 4 ACL or the system filter
> (I believe the system filter will be run before the director that
> runs SA, the filter can "fail" (bounce) or "seen finish" (drop) the
> message)

> | I have already grabbed his SpamAssassin backport,
>
> Version 2.43?  You shouldn't be running anything older than that.

Hehe, yeah, I know... But then, moving away from what is provided in the 
stable distribution is always a bit scary to someone like me... :-)


> Have you seen this :
>     http://dman.ddts.net/~dman/config_docs/index_.html

Yep, sure! I have pretty much a verbatim copy of that... :-)

> Using a setup like that, adjust the "condition =" setting on the
> spamcheck_director.  Use that to exclude mails submitted locally and
> via localhost (you don't harbor spammers on your system, right?). 

Hehe, they would be whacked so badly... No, it's only me and my parents 
here... :-)

> You can also have the director skip the message if it is large or
> based on the recipient.

Any examples I can look at...?

> The main trick, as you suspect, is to determine which messages
> scanning is useful and which it is wasteful, then don't scan the
> messages that don't need it.

Yup.

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net  webmaster@skepsis.no  editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/
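As an added example, not part of the original thread or of dman's config page, here is what the "condition =" on an Exim 3 spamcheck director can look like when it skips messages that were already scanned, messages submitted locally or from localhost, and messages larger than the spamc default, plus a matching pipe transport that passes the size limit to spamc with "-s". The director and transport names, the 250k threshold and the variable names ($received_protocol, $sender_host_address, $message_size, the def:h_ header test) are assumptions about the Exim 3 syntax in use at the time; check them against the Exim specification for the version actually installed.

```conf
# exim.conf (Exim 3) -- assumed director/transport names, added example.
# The director only hands a message to the spamcheck transport when
# every sub-condition is true; otherwise normal delivery continues.

spamcheck_director:
  driver = smartuser
  # Skip if:
  #  - an X-Spam-Flag: header is already present (already scanned),
  #  - the message came back from the spamcheck transport itself
  #    (it re-injects with -oMr spam-scanned, see below),
  #  - it was submitted locally (protocol "local") or from 127.0.0.1,
  #  - it is larger than 250k, which spamc would not send to spamd anyway.
  condition = "${if and { \
        {!def:h_X-Spam-Flag:} \
        {!eq {$received_protocol}{spam-scanned}} \
        {!eq {$received_protocol}{local}} \
        {!eq {$sender_host_address}{127.0.0.1}} \
        {!>{$message_size}{250k}} \
      } {1}{0}}"
  new_director = localuser
  transport = spamcheck

spamcheck:
  driver = pipe
  # Re-inject the scanned message with a protocol name the director
  # recognises, so it is not scanned a second time.
  command = /usr/sbin/exim -oMr spam-scanned -bS
  use_bsmtp = true
  # "-s" is spamc's own size limit in bytes; messages above it are
  # passed through unscanned instead of being sent to spamd.
  transport_filter = /usr/bin/spamc -s 250000
  home_directory = "/tmp"
  current_directory = "/tmp"
  user = mail
  group = mail
  return_path_add = false
  log_output = true
  return_fail_output = true
```

On Debian the concurrency tip ("-m 5") goes into the OPTIONS variable in /etc/default/spamassassin, which the spamassassin init script passes to spamd on startup; after changing it, restart spamd and watch the load and the exim mainlog to confirm large and local messages are no longer being handed to spamc.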
