ged at jubileegroup
Dec 4, 2009, 5:18 AM
Post #15 of 25
(3094 views)
Permalink
|
|
Re: How does Clam stand up to Commercial A/V?
[In reply to]
|
|
Hi there,
On Fri, 4 Dec 2009 Robin wrote:
> example to build my case.
Although I see nothing like the volume of mail that some others here
have to cope with I'd echo the comments from Messrs Cornet, Peterson
and Shaw. I'd add (as it might not already be obvious to your senior
management:) that there isn't one single 'solution' to their concerns.
There must be a mix of techniques implemented, and they can't all be
technical fixes. For example, it is at least as important to educate
your users (*) as it is to protect their inboxes from trash.
You might also mention that at least one ClamAV user (me) doesn't care
a hoot how good ClamAV is at spotting viruses. The reasoning is this:
1. Windows is not installed on any of my computers; effectively they
are immune from viruses most of the time. Of course if unprotected
they can still be at risk from other kinds of attack.
2. Computer users are anything but immune from scams, phishing etc.
Only yesterday, one nitwit here sent an old hoax about Christmas cards
which he'd received on his home mail account to 'everyone@'. A couple
of years ago (*) he also sent about a thousand dollars to some con man
in Romania - you'd have thought he'd have learned by now.
Well, back to the topic. On my mailservers, genuine messages number
less than two hundred per day. But they see something like 10,000 to
20,000 attempts to send unwanted junk per day. That includes viruses,
phishing, you name it. Of those attempts, the number that get as far
as establishing a connection to the mailservers is in the hundreds per
day because about 60,000 ip ranges are blocked by the firewall rules.
Two-thirds of these connections are blocked by trivial things like the
Sendmail greetpause, a multi-line greeting; some simple regex scanning
of the first parts of the SMTP conversation (CONNECT, HELO, MAIL FROM,
and RCPT TO) which by and large spambots can't get right; greylisting;
and a few DNSBL lists. That leaves ClamAV and MIMDefang/SpamAssassin
with very little to do, and so far in December they haven't blocked
anything in my installations. In four years, out of something like
twenty million attempts, they've had to block less than 1000 messages.
FWIW the Jurlbl database is responsible for about two-thirds of what
is stopped by ClamAV here at the moment, but obviously this is based
on a very small sample and I've no idea how representative it is.
Finally, [OT] don't let email divert all your attention from the other
ways that criminals have developed to abuse computers. Even if you're
using clamd to scan incoming mail, HTTP responses, and the users' home
directories, a machine can still be compromised by some script kiddy.
Enforce strong passwords. Get a copy of 'nmap', and do some proactive
scanning of your own networks. Close ports that don't need to be open.
Encrypt client-server connections (such as mail) which might carry any
sensitive information (such as passwords). It's a jungle out there.
--
73,
Ged.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
|
