[clamav-users] Using clamav to test for bad links in incoming emails
Gene Heskett
gheskett at shentel.net
Sat Feb 9 19:34:33 UTC 2019
On Saturday 09 February 2019 12:47:11 G.W. Haywood wrote:
> Hi there,
>
> On Sat, 9 Feb 2019, Gene Heskett wrote:
> > Has anyone rigged clamd to check what looks like questionable links
> > contained in incoming emails? It seems over the last 2 weeks my spam
> > has tripled, and I suspect the real payload is in the urls in the
> > message.
>
> Trawl the logs to see where it comes from. I find blocking incoming
> mail by country code to be far more effective than almost anything
> else. I'll hazard the guess that Asia and Eastern Europe will figure
> large in the results.

My ISP seems to take care of about 95% of that stuff, most of what gets
my attention comes from local to the US servers, like earthlink.

> > Or is this so time consuming and bandwidth wasting it's not worth it?
>
> ClamAV is pretty resource intensive, so more or less anything that
> will reduce the number of calls to ClamAV processes will be well worth
> doing. Here, at the moment, clamd sees about 1.3% of attempts to send
> mail to us. That is, in February, 98.7% of incoming mail connections
> were rejected before clamav-milter ever got to see any data.

I tend to leave the disposal of the positives to procmail. But it never
tells me specifically when it sends a mail to virii. So I go look at it,
and if over ten megs, nuke it and touch it. I don't look at it that
closely, but haven't found but maybe 1 FP a year. As long as it's not a
rich uncle dying and leaving me millions, I don't care 'cause I have no
such kin, all dirt poor like me. :)

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>