[clamav-users] clamav-milter LocalNet option / outgoing mail (Debian Wheezy)

Daniel Spies ds20150222clam at pskx.net
Sun Feb 22 15:09:57 EST 2015

On 02/22/2015 10:08 AM, Simon Hobson wrote:
> Recipients may not trust the tags, but it *should* stop outbound spam/infected mail should your machine (or one of the clients) get compromised. IMO spam and malware is not just something to stop coming in, it's something to porevent going out - if more networks prevented it going out then there'd be less of a problem.

It's not always black and white. I assume you're responsible for the 
clients you're talking about, i.e. they are your customers or 
colleagues. While spoon-feeding colleagues or customers may be okay for 
the sake of security, my clients would certainly raise hell if they 
would receive errors due to false positives. Most people expect their 
system to just work -- no matter what.

By the way: I don't even reject virus/spam mail, I just tag them. If a 
client is dumb enough to open the attachment of a tagged e-mail, so be it.

> On my systems I scan *everything*, and I firewall off everything I can - including preventing outbound connections to port 25.

I am not in the situation where all my clients sit in a firewalled 
private network; it's more the free-mail kind of situation. What and 
when my clients send e-mail is non of my concern, as long as they do it 
in common dimensions, i.e. in a way that matches a real person.

> At work I run mail servers that are used by customers - including as smart relays. It's not all that uncommon to find one of the customer compromised and sending out thousands (or millions) of spam emails - so my latest server also does rate limiting to limit the damage done before it gets spotted and blocked.

Rate limiting is certainly a good idea to mitigate the damage that's 
being done by a compromised client. Manual intervention might still be 
necessary, possibly after automated sanctions (e.g. consistently 
lowering the rate limit for a misbehaving client). However, rejecting 
outgoing e-mail right away is not an option, which ultimately makes the 
scanning of these messages redundant.

More information about the clamav-users mailing list