[clamav-users] Using clamav to test for bad links in incoming emails
Dennis Peterson
dennispe at inetnw.com
Sun Feb 10 18:08:02 UTC 2019
Best practice has always been least-expensive first and incrementally more
expensive to follow. This begins with iptables (essential regardless of
expense), tcpwrappers, DenyHosts, Fail2Ban, greylisting, country-code tables,
access tables (sendmail and Postfix), multilayer milters, and finally AV scanning.
The first three are also a very effective defense for ftp, ssh, rsync, imap, pop,
etc.

My ipset table has just a few blocks: afrinic, apnic, arin, lacnic, ripe. There
are thousands of x.0.0.0/8 - x.0.0.0/24 drop-all entries found in there.

Expense here refers to resource load (memory, cpu, network, disk io).

dp
On 2/9/19 9:47 AM, G.W. Haywood wrote:
> Hi there,
>
> On Sat, 9 Feb 2019, Gene Heskett wrote:
>
>> Has anyone rigged clamd to check what looks like questionable links
>> contained in incoming emails? It seems over the last 2 weeks my spam has
>> tripled, and I suspect the real payload is in the urls in the message.
>
> Trawl the logs to see where it comes from. I find blocking incoming
> mail by country code to be far more effective than almost anything else.
> I'll hazard the guess that Asia and Eastern Europe will figure large in
> the results.
>
>> Or is this so time consuming and bandwidth wasting it's not worth it?
>
> ClamAV is pretty resource intensive, so more or less anything that
> will reduce the number of calls to ClamAV processes will be well worth
> doing. Here, at the moment, clamd sees about 1.3% of attempts to send
> mail to us. That is, in February, 98.7% of incoming mail connections
> were rejected before clamav-milter ever got to see any data.
>
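The country-code ipset approach described in this thread, as an added example that is not code from either poster: it reads the RIR "delegated-*-latest" record format (registry|cc|type|start|value|date|status) and emits ipset/iptables lines that drop SMTP connections from the chosen country codes before anything reaches the milter or clamd. The sample records and the country codes AA/BB/CC are constructed placeholders; the set name mail_drop is an assumption.

```python
"""Build ipset/iptables SMTP drop rules from RIR delegated-*-latest data.

Added example for the thread above, not code from the mailing list.
Assumed record format: registry|cc|type|start|value|date|status, where
for ipv4 records `value` is the number of addresses in the allocation.
"""
import ipaddress

# Constructed sample in delegated-*-latest format (placeholder country codes).
SAMPLE_RIR_DATA = """\
2|apnic|20190209|3|19830613|20190208|+1000
apnic|*|ipv4|*|2|summary
apnic|AA|ipv4|192.0.2.0|256|20110414|allocated
apnic|AA|ipv4|198.51.100.0|768|20110414|allocated
apnic|BB|ipv4|203.0.113.0|256|20110414|assigned
ripe|CC|ipv6|2001:db8::|32|20110414|allocated
"""


def ipv4_blocks(text, countries):
    """Yield CIDR networks for ipv4 records whose country code is in `countries`.

    Allocation sizes that are not a power of two (e.g. 768) are split into the
    minimal set of aligned CIDR blocks, so nothing outside the range is dropped.
    """
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) < 7 or fields[2] != "ipv4" or fields[1] not in countries:
            continue  # skip version/summary lines, ipv6/asn records, other countries
        start = ipaddress.IPv4Address(fields[3])
        end = start + (int(fields[4]) - 1)
        yield from ipaddress.summarize_address_range(start, end)


def ipset_script(text, countries, setname="mail_drop"):
    """Return shell lines that populate an ipset and drop port-25 traffic from it."""
    lines = [f"ipset create {setname} hash:net -exist"]
    lines += [f"ipset add {setname} {net} -exist" for net in ipv4_blocks(text, countries)]
    lines.append(f"iptables -I INPUT -p tcp --dport 25 -m set --match-set {setname} src -j DROP")
    return "\n".join(lines)


if __name__ == "__main__":
    print(ipset_script(SAMPLE_RIR_DATA, {"AA", "BB"}))
```

The generated lines are meant to be reviewed and then piped into a root shell; the rule matches only the source address, so legitimate outbound mail to those ranges is unaffected.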