WOOT! - Virus Scanning

[nelsonke]

Thanks Matt and Vortech. I believe virus blocking is very different from SPAM. One man's spam is anothers information, but a virus is pretty much a virus. The spread of a virus can cost millioins. Thanks to Vortech for doing what you can to stamp them out.

I don't think notices are necessary, and in fact with all the email spoofing, they seem to create more confusion and support issues than are of help.

Question, is it now running on all the mail serviers? Thanks again to Matt and Vortech. Good job!

[admin]

Yes its running on all H-Sphere mail servers and Vortech mail servers. Not in cpanel as its much hard to get in there..

Yep... ClamAV is the virus scanner, so all viruses it can find, it will reject. EICAR included (Its what I used to test the darn thing).

[bootNumlock]

are you sure it is scanning on all mail servers?? i just go a virus email on my chicagorush.com account... i think that is mail4....

[mfennell]

Great job Matt.

I have one major problem though.

When was a notification going out about this change?

Its a pretty major change and should have at least gone out through the mailing list. Especially since it was deemed that not only will the attachment get blocked (which is great!!) but the actual message will to. And even worse that there isn't even a notification that the mail was dropped, either to the person who sent it or the person who should have recieved it.

This is unexceptable we need some form of notification!

mfennell, the message is now rejected. This isn't even a major change, considering we were blocking 99% of viruses (all but mydoom) by denying all executable attachments. Now we block 100% of viruses, and allow executables through. Not much change there.

The reason you have seen a few slip past is becuase the clamd daemon dies every so often for no particular reason. This doesn't affect mail going through, but it will let a few viruses slip through. It's now cronned to restarted and I'm working on a script that will monitor it.

[mfennell]

Quote:

Originally Posted by Bladesnitz

mfennell, the message is now rejected. This isn't even a major change, considering we were blocking 99% of viruses (all but mydoom) by denying all executable attachments. Now we block 100% of viruses, and allow executables through. Not much change there.

Thank you,

I do have to disagree about it being a major change. Before (and again now) we were at least aware there was a problem with an email.

How are you not aware now? They aren't silently dropped, I've said that three or four times now in this post. If its a virus, its REJECTED. Which means that the MTA sending it will get a little message, and that MTA is responsible for generating a bounce back to the sender. So how is it you don't know? If someone mistypes an email address, you don't get notification either... So basically, if an email doesn't follow the rules, you don't know about it. The person sending it does.

[mfennell]

Didn't say I wasn't aware now.

I said that I was aware before and again now.

[nabsUK]

Thank you.

[mresell]

I don't really have issues with viruses(knock on wood), however, I think this is great. I like the fact that the sender is notified w/ reject right away. That is who should be notified.

[nelsonke]

Here here. Good job guys.

[Silverbug]

Question: What happends if we receive an email via vortech and it still has a virus in it? would you like us to report it somewhere or is it just that the virus defs on the mail server arnt as up to date?

[admin]

Silverbug, you can just post it here, but not a lot we can do unless clamav updates to know about that virus. Also remember if a virus is in a zip thats in zip it will pass because its 2 zips deep. But I have not seen any virus that zips its zip..

[Silverbug]

yeah thought that might be the case. And to be hosnest i dont even know anyone who puts zips in zips lol