Re: [Qmail-scanner-general]breaking apart the quarantine
AV/content filter for Qmail
Brought to you by:
jhaar
Menu
▾
▴
Re: [Qmail-scanner-general]breaking apart the quarantine
|
From: Jason H. <Jas...@tr...> - 2005-07-18 21:04:39
|
qma...@an... wrote: > okay, probably a dumb question, i excel at those! > > i'm quarantining on average 1,000 messages per hour. no, this isn't > 'stock' qmail-scanner, it's qmail-scanner-st, so most of what i'm > quarantining is spam. without regard to the arguments for and against > quarantining spam, i can say that for *me* and my customers, it works > great. false positives are vanishingly low, the amount of crap kept > out of our mailboxes high. > 1000 quarantines/hour? I'm guessing that's due to the SPAM rather than viruses? > however, from this high rate of quarantining comes an unpleasant side > effect - a gigantic quarantine. i clean out the quarantine using a > rolling one day find - every hour it goes through and deletes > everything 24 hours old. i like to keep one day as a bare minimum - if > something were to be quarantined inappropriately, it's good to be able > to yank it out. > Good point. However I can't see any solution that would be correct for 80% of sites. e.g. you could run the cronjob every 10 minutes (now only ~160 msgs) and move them all into a more appropriate directory structure, then run a cronjob per hour to delete older than XXX days. However, the next thing most sites doing spam quarantining may ask for is the ability to recover falsely quarantined mail - in which case 1 day is probably not long enough, and you're going to need different file ownerships, along with probably a more appropriate directory structure - like /var/spool/spam-quarantine/jh...@tr.../Monday/[cur|tmp|new] - or whatever... Hard call - I don't think there is one correct answer. Certainly choosing a filesystem that is most appropriate for handling lots of small files (such as reiserfs) and running with noatime would be a good start. -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 |