[Tfug] blocking exe's and com files with postfix
Sam Hart
hart at physics.arizona.edu
Tue Jul 20 11:34:51 MST 2004
Just gonna spit out my own $.02 on the issue... Feel free to ignore the
rant if you choose to...
Having set up many different SPAM/Viral blocking schemes over the years,
and being a user in several different networks where other schemes were
employed, I would just like to say that it is, IMHO, a bad idea to just
block all files of a certain type (exe, com, zip, pif, etc) just because
they may be viral in nature.
Any time you block things arbitrarily (like blocking IPs from a list of
supposed spam relayers, or blocking attachments of a certain type, or
blocking free email accounts like hotmail, yahoo, etc) you are going to
cause more grief for your users than solve your problems with spam and
viri.
A far better solution is to do selective filtration based upon a more
fuzzy scanning of content and attachments. A scheme that I personally
employ (and used to teach, and have set up for various clients) is to use
Postfix+Amavisd with SpamAssassin, Vipul's Razor, ClamAV, et al to filter
spam and viri. By using something like this, I find that you tend to block
more spam/viri than you otherwise would, and you tend to annoy your users
far less. And for me, it's all about keeping my users happy (I know, I
know, that's rarely what sysadmins concern themselves with... but I'm just
a big softy) as well as providing as much security as is humanly possible.
I would say that ClamAV, if kept up to date, will do a remarkable job of
filtering viri. In fact, since using it on mail.samhart.net, I have yet to
get a single viral attachment to come through.
If you would like to see some stats on doing things this way, feel free to
check out my mail.samhart.net stats here:
http://stats.samhart.net/mail/
One of these days I'm going to come up with a script that analyzes all
this information better. One of these days ;-)
You can also read up on my system with the following URLs:
(High level, management style overview)
http://files.samhart.net/bmn/docs/aspam.0.9.9/
(Old, moderately outdated TFUG presentation)
http://www.physics.arizona.edu/~hart/aspam/
(Old, outdated, yet still useful classnotes on it):
http://samhart.com/cgi-bin/classnotes/wiki.pl?Setting_Up_An_Anti-SPAM_Gateway
--
Sam Hart
University/Work addr. <hart at physics.arizona.edu>
Personal addr. <sam at samhart.net>
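The contrast the post draws between blocking by file type and scanning content, as an added Python example (not code from the post, nor from Postfix, amavisd or ClamAV): one function applies a filename blocklist of the kind the author argues against, the other reaches a verdict per attachment from the decoded bytes, with a toy signature matcher standing in for ClamAV. The sample message, the attachment names, the `SIGNATURES` table (holding only the public EICAR test string) and the `sniff()` magic-byte checks are all constructed for the demo.

```python
"""Attachment policy demo: filename blocklist versus content scanning."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample data, not real ClamAV signatures. The EICAR string is the
# industry-standard harmless test file that every antivirus engine detects.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"Eicar-Test-Signature": EICAR}

# The kind of list the post argues against: decide purely on the name.
BANNED_EXTENSIONS = re.compile(r"\.(exe|com|pif|scr|bat|zip)$", re.IGNORECASE)


def build_message(attachments):
    """Build a multipart/mixed message from (filename, payload) tuples.
    Constructed test input standing in for mail handed to the content filter."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "files"
    msg.set_content("see attached")
    for filename, payload in attachments:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def attachments_of(raw):
    """Yield (filename, decoded payload bytes) for every attachment part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.iter_attachments():
        yield part.get_filename() or "", part.get_payload(decode=True) or b""


def extension_policy(raw):
    """Verdict per attachment using only the filename: {filename: verdict}."""
    return {name: ("reject" if BANNED_EXTENSIONS.search(name) else "accept")
            for name, _ in attachments_of(raw)}


def sniff(payload):
    """Identify the real file kind from its leading bytes, ignoring the name."""
    if payload.startswith(b"MZ"):
        return "pe-executable"
    if payload.startswith(b"PK\x03\x04"):
        return "zip-archive"
    return "other"


def scan(payload):
    """Toy signature matcher standing in for a clamd query.
    Returns the matching signature name, or None when nothing matches."""
    for name, signature in SIGNATURES.items():
        if signature in payload:
            return name
    return None


def content_policy(raw):
    """Verdict per attachment from content: reject only on a scanner hit.
    Returns {filename: (sniffed kind, verdict, reason)}."""
    result = {}
    for name, payload in attachments_of(raw):
        kind = sniff(payload)
        hit = scan(payload)
        if hit:
            result[name] = (kind, "reject", hit)
        else:
            result[name] = (kind, "accept", "no signature match")
    return result


# Constructed sample: a clean executable a user legitimately needs, and a
# harmless-looking text name whose bytes are the EICAR test string.
SAMPLE = build_message([
    ("tool.exe", b"MZ" + b"\x90" * 64 + b"clean sample program image"),
    ("invoice.txt", EICAR),
])

if __name__ == "__main__":
    print("by extension:", extension_policy(SAMPLE))
    print("by content:  ", content_policy(SAMPLE))
```

Run as a script it prints both verdict tables: the filename rule rejects `tool.exe` and waves `invoice.txt` through, while the content rule does the opposite. In a real Postfix + amavisd deployment the `scan()` step is the call out to clamd, and the sniffed kind is the sort of information amavisd can record in a header for SpamAssassin scoring rather than turning into an outright block.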