How to choose ClamAV Database files in Gamera?

Posted: Thu Feb 05, 2009 8:10 am
by TheEniGMa
Hello.

About the ClamAV database files in /var/clamav in Gamera, which one of these is the pure virus database and how can I configure ClamAV to just update that database?

Now if I remove files/dbs in there, they come back overnight when the update is run.

I simply only want ClamAV to check for viruses, not phishing etc.

Thanks.

Posted: Thu Feb 05, 2009 1:20 pm
by hostingguy
You want to be able to send phishing emails?

Posted: Fri Feb 06, 2009 5:38 am
by TheEniGMa
Nah, if I would like to SPAM my customers I would simply kill our Gamera boxes =)

But from time to time we get a big SPAM outbreak hitting our customers' domains and therefore also the Gamera boxes. The logs keep saying virus_found_in_message and the preprocessed qmail queue is building up really fast.

It seems like a hit from ClamAV disables further checks by SA, and since the email is not SA checked, does not get a SPAM score over 7 (delete limit) and does not get deleted, it goes to the qmail queue and that gets qmail really really busy. Just a week ago we got 60K mails in the preprocessed and had to block incoming port 25 to give the Gamera server time to catch up. However, since we removed all DBs except the daily and main from /var/clamAV things are working great.

This is even though we got two Quad XEON 2.5GHz servers as Gamera Gateways with Commtouch plug-in, handling around 1 million mails per month.

I think I have read on these forums before that "Scott and his crew" got a lot of custom rules that identify SPAM/phishing by the ClamAV engine?

Does any of this make sense...? ;-)

Posted: Fri Feb 06, 2009 8:15 am
by scott
It should throw those messages into the quarantine by default; we used clamav for that because it was a lot faster than SA. Unless you reconfigured it to not quarantine messages for some reason?

Posted: Fri Feb 06, 2009 8:23 am
by TheEniGMa
Hello.

I have not done any additional config to ClamAV so it should be the default settings. But what happens to an email that gets a match for something in the ClamAV databases?

It's being moved into the quarantine and then...? Does it reply something to the sender or does it forward something to the recipient of the email?

I think the problem is that instead of a SA rule match that completely deleted the email, the ClamAV match sends out something to the sender or the recipient so that the queue grows really really fast and all mails get a delay of several hours...

Simply, what happens by default when a match is made in ClamAV and where do I, if needed, change the behaviour?

Posted: Fri Feb 06, 2009 10:16 am
by scott
By default after 7 days (I think, haven't looked in a while) it gets deleted. It does not notify the sender or the recipient by default, although it does have that capability.

Changes are made from /etc/qmail-scanner.ini, then you run the reconfigure script.

Posted: Wed Feb 11, 2009 9:25 am
by TheEniGMa
What are the settings needed in /etc/qmail-scanner.ini to delete a virus mail detected by clamAV?

Posted: Wed Feb 11, 2009 11:34 am
by scott
It quarantines them to /var/spool/qscan/quarantine/ by default; in fact I didn't even know you could turn that off.

Posted: Fri Feb 13, 2009 7:37 am
by TheEniGMa
I simply deleted the unwanted databases in /var/clamav and commented out the following part in /etc/cron.daily/freshclam:

# Current 3rd party channel updater
#if [ -x /usr/bin/clamav_updater.sh ]; then
# /usr/bin/clamav_updater.sh >/dev/null 2>&1
#fi

Now things run smoothly and SA rules do the job for SPAM =)
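
The end state described in this last post can be checked with a small audit script. This is an added example, not part of the thread or of Gamera: the function names are hypothetical, the default paths are the ones quoted in the posts, and it assumes the databases to keep are main and daily (as .cvd or .cld) plus freshclam's mirrors.dat state file.

```shell
#!/bin/sh
# Added example: audit a ClamAV database directory and the daily freshclam
# cron script for the state described in the thread.

# Print the name of every file in the database directory that is not one of
# the databases the thread keeps (main and daily).
# Assumption: these appear as .cvd or .cld files; mirrors.dat is freshclam's
# own state file and holds no signatures.
list_extra_dbs() {
    db_dir=${1:-/var/clamav}
    for f in "$db_dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case "$name" in
            main.cvd|main.cld|daily.cvd|daily.cld|mirrors.dat) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Return 0 if the cron script still contains an uncommented line that
# references the third-party updater, 1 otherwise (or if unreadable).
updater_enabled() {
    cron_file=${1:-/etc/cron.daily/freshclam}
    [ -r "$cron_file" ] || return 1
    # First non-blank character is not '#', and the line names the updater.
    grep -Eq '^[[:space:]]*[^#[:space:]].*clamav_updater\.sh' "$cron_file"
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    extra=$(list_extra_dbs /var/clamav)
    if [ -n "$extra" ]; then
        printf 'Extra databases present:\n%s\n' "$extra"
    fi
    if updater_enabled /etc/cron.daily/freshclam; then
        echo "Third-party updater is still active; removed files will return."
    fi
fi
```

If the second check reports the updater as active, databases deleted by hand will be re-downloaded on the next nightly run, which is the behaviour described in the first post.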