Mailing List Archive

[clamav-users] Services Difference & Memory Utilization
I noticed on my CentOS 8 machine, there are two different services listed:
clamd@multi-user.service and system-clamd.slice. I don't have enough
memory to run the first one, but only the second one (192M). Is clamd
really running? What is the difference between these two services?
I only have 2 GB of memory. Is there any way to run clamd? I get this
error when I try to run it:
[201060.293876] Out of memory: Killed process 254784 (clamd)
total-vm:830500kB, anon-rss:682068kB, file-rss:0kB, shmem-rss:0kB, UID:983
[201095.669009] out_of_memory+0x1ba/0x490
Re: [clamav-users] Services Difference & Memory Utilization
CentOS 8 needs 2GB just to install. In my experience you will struggle to get *anything* useful to run with 2GB.

Simon Wilson
Re: [clamav-users] Services Difference & Memory Utilization
Hi there,

On Sun, 13 Sep 2020, bobby via clamav-users wrote:

> I noticed on my CentOS 8 machine, there are two different services listed:
> clamd@multi-user.service and system-clamd.slice. I don't have enough
> memory to run the first one, but only the second one (192M). Is clamd
> really running? What is the difference between these two services?
> I only have 2 GB of memory. Is there any way to run clamd? I get this
> error when I try to run it ...

You *might* *just* *possibly* be able to run clamd on a system with
only 2G of RAM but (a) I wouldn't recommend it, (b) it seems that you
don't have enough experience to do it, and (c) you haven't explained
what you would want it to do even if you did manage to get it to run,
so doing that would be putting the cart before the horse.

What would you want clamd to do for you?

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Services Difference & Memory Utilization
G.W. Haywood via clamav-users wrote:

> Hi there,
>
> On Sun, 13 Sep 2020, bobby via clamav-users wrote:
>
>> I noticed on my CentOS 8 machine, there are two different services
>> listed: clamd@multi-user.service and system-clamd.slice. I don't
>> have enough memory to run the first one, but only the second one
>> (192M). Is clamd really running? What is the difference between
>> these two services? I only have 2 GB of memory. Is there any way to
>> run clamd? I get this error when I try to run it ...
>
> You *might* *just* *possibly* be able to run clamd on a system with
> only 2G of RAM

It _can_ be done, using cgroups to restrict the amount of memory used,
but it'll be doing a bit of swapping.

For email processing, we run clamd on virtual machines with slightly
less than 3Gb memory, of which clamd takes up 1Gb.



--
Per Jessen, Zürich (19.5°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.


Re: [clamav-users] Services Difference & Memory Utilization
Hi there,

On Mon, 14 Sep 2020, Per Jessen wrote:
> G.W. Haywood via clamav-users wrote:
>> On Sun, 13 Sep 2020, bobby via clamav-users wrote:
>>
>>> I noticed on my CentOS 8 machine, there are two different services
>>> listed: clamd@multi-user.service and system-clamd.slice. I don't
>>> have enough memory to run the first one, but only the second one
>>> (192M). Is clamd really running? What is the difference between
>>> these two services? I only have 2 GB of memory. Is there any way to
>>> run clamd? I get this error when I try to run it ...
>>
>> You *might* *just* *possibly* be able to run clamd on a system with
>> only 2G of RAM
>
> It _can_ be done, using cgroups to restrict the amount of memory used,
> but it'll be doing a bit of swapping.
>
> For email processing, we run clamd on virtual machines with slightly
> less than 3Gb memory, of which clamd takes up 1Gb.

You and I run clamd on dedicated machines for scanning mail. The OP
will probably want to run a browser as well. :/ A browser can use a
gigabyte or more, so if you want to do everything on the same 2GB box
then something will have to give. Setting /proc/_pid_/oom_score_adj
to a large negative value might prevent the OOM killer from reaping a
clamd but you need to be careful; once upon a time I managed to get it
to kill rpc.mountd instead, the consequences of which were unpleasant.

The memory footprint in routine operation of course depends to some
extent on the size of signature databases in use. For recent versions
of ClamAV it may double during reloads unless the administrator takes
steps to prevent that. To scan mail we run a standalone clamd server
with 4GB RAM. The couple of dozen third-party signature databases we
use boost clamd's memory consumption up to about 1.3GB during normal
operation and twice that on reloads. Given that the size of signature
databases seems to be continually (albeit fitfully) increasing, it may
not be long before clamd needs 3GB just to reload the database without
either driving the box into swap or pausing the scans. If databases
get a lot bigger, then it isn't beyond question that you won't even be
able to run clamd with your chosen collection under 32-bit Linux.

I don't know what the performance impact on scanning will be like if
reloading does drive the system into swap, and wouldn't want to guess.
It seems pointless speculating since memory is so cheap. Our main
clamd server is a Raspberry Pi 4B, its cost with 4G RAM about 50USD.
You can get one with 8GB for 75USD (and I think they might have sorted
out the USB issues now too, when I have the time for it we'll get one
to see how it behaves. :)

--

73,
Ged.
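
Added example, not part of the original message or of ClamAV: a simplified Python model of how the kernel ranks OOM-kill candidates, showing why lowering clamd's oom_score_adj moves the kill to another process rather than preventing it. clamd's resident size is parsed from the kernel line in the original post; the other process sizes, 4 KiB pages and a 2 GB machine without swap are assumptions.

```python
import re

PAGE_KB = 4  # assumption: 4 KiB pages, as on x86-64

# Matches the kernel's "Killed process" line quoted in the thread.
OOM_KILL = re.compile(
    r"Out of memory: Killed process (?P<pid>\d+) \((?P<comm>[^)]+)\)\s+"
    r"total-vm:(?P<vm>\d+)kB, anon-rss:(?P<anon>\d+)kB, "
    r"file-rss:(?P<file>\d+)kB, shmem-rss:(?P<shmem>\d+)kB"
)


def parse_oom_kill(line):
    """Return pid, command and resident set size (kB) from an OOM-kill line."""
    m = OOM_KILL.search(line)
    if m is None:
        return None
    rss_kb = int(m["anon"]) + int(m["file"]) + int(m["shmem"])
    return {"pid": int(m["pid"]), "comm": m["comm"],
            "total_vm_kb": int(m["vm"]), "rss_kb": rss_kb}


def badness(rss_kb, oom_score_adj, ram_kb):
    """Simplified form of the kernel's OOM badness score, in pages.

    Resident pages plus oom_score_adj thousandths of total memory. Swap
    entries and page tables, which the kernel also counts, are left out.
    Returns None for -1000, which exempts the task from selection.
    """
    if oom_score_adj == -1000:
        return None
    total_pages = ram_kb // PAGE_KB
    return rss_kb // PAGE_KB + oom_score_adj * (total_pages // 1000)


def pick_victim(procs, ram_kb):
    """procs maps name -> (rss_kb, oom_score_adj); the highest score is killed."""
    scored = {}
    for name, (rss_kb, adj) in procs.items():
        score = badness(rss_kb, adj, ram_kb)
        if score is not None:
            scored[name] = score
    return max(scored, key=scored.get) if scored else None


# The kernel line from the original post, joined onto one line.
SAMPLE = ("[201060.293876] Out of memory: Killed process 254784 (clamd) "
          "total-vm:830500kB, anon-rss:682068kB, file-rss:0kB, "
          "shmem-rss:0kB, UID:983")
RAM_KB = 2 * 1024 * 1024  # the 2 GB machine from the thread, no swap assumed


def process_table(clamd_adj):
    """clamd's RSS comes from SAMPLE; the other rows are constructed."""
    clamd = parse_oom_kill(SAMPLE)
    return {
        "clamd": (clamd["rss_kb"], clamd_adj),
        "clamav-milter": (12000, 0),
        "master": (8000, 0),        # Postfix master process
        "rpc.mountd": (3000, 0),
    }


if __name__ == "__main__":
    for adj in (0, -500, -1000):
        print(adj, pick_victim(process_table(adj), RAM_KB))
```

With clamd at -500 or -1000 the model picks the largest remaining process instead, and killing it frees only a few megabytes, so the memory shortage itself is still there.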

Re: [clamav-users] Services Difference & Memory Utilization
I plan to use it for email processing. I am using postfix currently. There
are no other users besides myself, and it's only one domain.
This may be a silly question to ask here... but is there any other
decent anti-virus software that does not take up as many resources?
I am currently running my box in DO, and it looks like the next step up for
RAM is 4GB.

Re: [clamav-users] Services Difference & Memory Utilization
Hi there,

On Mon, 14 Sep 2020, bobby via clamav-users wrote:

> I plan to use it for email processing. I am using postfix
> currently. There are no other users besides myself, and it's only
> one domain.

What mail clients will there be? Any Windows boxes? To protect a
Linux box against malware is relatively straightforward[*]. I use
Linux more or less exclusively and I use ClamAV because I do a lot of
spam processing, not because I feel the need for protection.

For mail scanning you'd normally run two daemons, 'clamd' which is the
actual scanner and a 'milter'. The milter takes messages from the MTA
and passes them to clamd for scanning, then advises the MTA of clamd's
findings. That might explain your confusion about services but I know
little about the way CentOS does things. ClamAV provides a milter,
unsurprisingly called 'clamav-milter'. It does a bit more than I've
described here but that's its main job.

Personally I prefer not to use the distro-specific versions of things
like ClamAV, partly because the distro maintainers almost invariably
mess with things to comply with "policies" and partly because they're
often not quite as up to date as you'd like in something like a virus
scanner. ClamAV isn't so very difficult to install from source, and
you'll learn a lot about it in the process. OTOH on security grounds
you might not want for there to be a compiler available on the box - I
would certainly not want one on a firewall for example.

> This may be a silly question to ask here... but is there any other
> decent anti-virus software that does not take up as many resources?

If you want open source, I don't think there's anything else. There
are commercial packages. I don't know how they compare for resource
usage as I have no experience of any of them. See e.g.

https://en.wikipedia.org/wiki/Comparison_of_antivirus_software#Linux

A very few claim to be free, but you will still need a (proprietary)
licence and probably have to accept some terms before you even get a
copy of the package.

> I am currently running my box in DO, and it looks like the next step
> up for RAM is 4GB.

DO == Digital Ocean? AS14061 is in my block list. :)

--

73,
Ged.

[*] Don't run any network-listening daemons that you don't have to,
don't accept any connections you don't have to, and don't accept any
connections from China and a bunch of other places with, er, history.
Use common sense browsing habits - like using advertising and script
blockers, not visiting porn sites etc. Of course keep the security
patches up to date, don't let things run as root if they don't have
to, don't run anything you don't have good reason to trust, use good
passwords and don't give them away. Any number of places on the net
can probably add a few items to that short list. This approach is a
lot less likely to fail because of a zero-day vulnerability which the
virus scanners haven't yet caught up with. Postfix itself will need
to listen to the network so make sure if it is compromised by a zero-
day vulnerability the user which runs Postfix can't do anything bad to
the box (the same theory applies to clamd and any milters) without at
least exploiting _another_ vulnerability to get elevated privileges.
If you've done your homework well and kept on top of things there most
probably won't be one. Unluckily if you're using a provider to supply
the machine itself it's most likely virtual, meaning a vulnerability
in the VM could be used to exploit not only _your_ VM, but very likely
thousands of others as well. In that case, expect not to recover it.
You'll want to know that you have backups you can rely on; to me that
means it's in my office, not in some cloud in nobody-knows-where, and
I made it last night.
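
Added example, not from the thread or the ClamAV project: the milter-to-clamd leg described above, in Python, using clamd's INSTREAM command (which the thread does not name) and mapping clamd's reply to what the milter would tell the MTA. The stub scanner, the marker string and the accept/reject/tempfail policy are constructed for illustration.

```python
import socket
import struct
import threading

MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed; stands in for a real signature


def frame_instream(message, chunk_size=4096):
    """Encode a message as an INSTREAM request: the command, then chunks of
    <4-byte big-endian length><data>, ended by a zero-length chunk."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(message), chunk_size):
        part = message[i:i + chunk_size]
        out.append(struct.pack("!I", len(part)) + part)
    out.append(struct.pack("!I", 0))
    return b"".join(out)


def verdict_from_reply(reply):
    """Map clamd's reply to what the milter tells the MTA (assumed policy)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.startswith("stream: "):
        result = text[len("stream: "):]
        if result == "OK":
            return ("accept", "")
        if result.endswith(" FOUND"):
            return ("reject", result[:-len(" FOUND")])
    # Errors and empty replies: have the sender retry rather than pass mail unscanned.
    return ("tempfail", text or "no reply from clamd")


def scan(sock, message, timeout=5.0):
    """Send one message over an open clamd connection and return a verdict."""
    sock.settimeout(timeout)
    reply = b""
    try:
        sock.sendall(frame_instream(message))
        while not reply.endswith(b"\0"):
            data = sock.recv(4096)
            if not data:
                break
            reply += data
    except OSError as exc:  # includes socket timeouts
        return ("tempfail", "clamd unavailable: %s" % exc)
    return verdict_from_reply(reply)


def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes first."""
    buf = b""
    while len(buf) < n:
        data = sock.recv(n - len(buf))
        if not data:
            raise ConnectionError("peer closed early")
        buf += data
    return buf


def stub_clamd(sock):
    """Constructed stand-in for clamd's side of INSTREAM, for offline runs."""
    try:
        if recv_exact(sock, 10) != b"zINSTREAM\0":
            sock.sendall(b"UNKNOWN COMMAND\0")
            return
        body = b""
        while True:
            (size,) = struct.unpack("!I", recv_exact(sock, 4))
            if size == 0:
                break
            body += recv_exact(sock, size)
        if MARKER in body:
            sock.sendall(b"stream: Constructed.Test.Signature FOUND\0")
        else:
            sock.sendall(b"stream: OK\0")
    finally:
        sock.close()


def demo(message, responsive=True):
    """Scan against the stub; responsive=False models a clamd too slow to answer."""
    client, server = socket.socketpair()
    try:
        if responsive:
            threading.Thread(target=stub_clamd, args=(server,), daemon=True).start()
        return scan(client, message, timeout=0.5)
    finally:
        client.close()
        if not responsive:
            server.close()


if __name__ == "__main__":
    for msg in (b"Subject: hello\r\n\r\nplain text", b"Subject: x\r\n\r\n" + MARKER):
        print(demo(msg))
```

The responsive=False path is the case where a clamd that is swapping heavily misses the milter's timeout: the message gets a temporary failure and is retried later instead of being delivered unscanned.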

Re: [clamav-users] Services Difference & Memory Utilization
On 14-09-2020 09:55, Per Jessen wrote:
> G.W. Haywood via clamav-users wrote:
>
>> Hi there,
>>
>> On Sun, 13 Sep 2020, bobby via clamav-users wrote:
>>
>>> I noticed on my CentOS 8 machine, there are two different services
>>> listed: clamd@multi-user.service and system-clamd.slice. I don't
>>> have enough memory to run the first one, but only the second one
>>> (192M). Is clamd really running? What is the difference between
>>> these two services? I only have 2 GB of memory. Is there any way to
>>> run clamd? I get this error when I try to run it ...
>> You *might* *just* *possibly* be able to run clamd on a system with
>> only 2G of RAM
> It _can_ be done, using cgroups to restrict the amount of memory used,
> but it'll be doing a bit of swapping.
>
> For email processing, we run clamd on virtual machines with slightly
> less than 3Gb memory, of which clamd takes up 1Gb.
>
>
>
Just a note: until about a year ago I had mail and web servers running
on a 32-bit Pentium III which had a whopping 768 MB RAM. It did the job,
but over time I noticed that I started getting email increasingly
flagged as "not scanned" due to timeouts by amavisd or clamd. Of course
the system was swapping like hell.

That was the time that clamd "only" consumed 700+ MB, as opposed to
today where it now takes over 1.2 GB in a basic setting.
And yes, the mail and web servers now run on a 10-year-old 64-bit
machine with 16 GB memory. I even have structural CPU time to run BOINC
processes on my server again.

So, 3GB is enough for now as speed is mostly not a real issue. Looking
at the increased rate of memory consumption by clamd and factoring in
the fact that developers of all walks are rather sloppy with memory
consumption, it will not take that many years before you have to switch
to a 64-bit machine with 8 GB or more too.

--- Frans.

--
A: Yes, just like that
Q: Oh, just like reading a book backwards
A: Because it upsets the natural flow of a story
Q: Why is top-posting annoying?


Re: [clamav-users] Services Difference & Memory Utilization
Why is AS14061 on your block list?

Re: [clamav-users] Services Difference & Memory Utilization
Hi there,

On Mon, 14 Sep 2020, bobby via clamav-users wrote:

> Why is AS14061 on your block list?

Truckloads of spam, hacking attempts - why else?

--

73,
Ged.

Re: [clamav-users] Services Difference & Memory Utilization
It really does amaze me how many people don’t know the reputations of providers like DO, OVH, Hetzner, AWS and right now SendGrid…
I personally would love to just put blocks in, but due to customers, I have to rely on RBLs which thankfully are pretty much dumping them all in spam.

Case in point… Use TalosIntelligence.com <http://talosintelligence.com/> before you purchase a VPS for email, it’ll probably save you a lot of hassle.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

Re: [clamav-users] Services Difference & Memory Utilization
What is a good vps provider to use then if not DO?

Re: [clamav-users] Services Difference & Memory Utilization
Honestly, I wouldn’t buy a VPS, but I did test out TATA’s CloudStack when I was running CloudStack in a lab, and didn’t have any issues.
Given I was just warming up some IPs for testing, and didn’t move anything real over there. I doubt they are even using it still, but that’s my experience on VPS.

IMHO at least get a /29 on IPv4 so that the provider can SWIP your IP Space, and make sure they do it.
Run all the BCOPs, DKIM, SPF, DMARC, and even MTA-STS since it’s relatively easy, if possible add DANE and TLSA records.

First though, look at the reputation of every provider. Talos is one place, MailOps is another: https://www.mailop.org/cgi-bin/mailman/listinfo/mailop
Check out M3AAWG: https://www.m3aawg.org/, though a lot of the information is going to be towards bulk senders.

Finally define your acceptable risk, so I’ve got dedicated servers on OVH with all BCOPs except for Google’s ARC, never did figure that out on milters,
but it’s RBL’d on a few providers which is fine since I mainly use it for incoming and down notifications on monitoring, so I’ve got myself whitelisted.


Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Sep 14, 2020, at 8:17 PM, bobby via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> What is a good vps provider to use then if not DO?
Re: [clamav-users] Services Difference & Memory Utilization
Hi there,

On Mon, 14 Sep 2020, Eric Tykwinski wrote:

> It really does amaze me how many people don’t know the reputations ...

The best way to find out about these things is to run a mail server,
and most people don't do that.

> ... providers like DO, OVH, Hetzner, AWS and right now SendGrid…

It was only a couple of years ago that I implemented the ASN blocklist
in my milter - more or less in desperation - but all those in your list
were on it from the start. There's an exceptions list of course. It's
difficult to get on that one (and if you're with OVH it's impossible. ;)

You forgot to mention gmail, outlook and yahoo. At one time Redmond's
offerings were among the best, but it seems to me they've gone rather
downhill in the past few months. Google might make a big deal of how
many million fraudulent messages they block every day, but they don't
make much noise about how many they _send_ every day. And with the AI
investments they claim to have made you'd think they could spot that a
lawyer representing the United Nations who's offering to split a cache
of negotiable bearer bonds with me 50-50 and wants me to reply by mail
to a yahoo account, or call him in Nigeria, is unlikely to be kosher -
especially when the same message was sent to thousands of recipients.

But to sort of stray back on topic, if you want to even semi-automate
blocklisting then ClamAV with a bunch of third-party signatures can do
a fair job at the triage stage. Having said that, don't underestimate
the task. If you've never run a mail server before, it will open your
eyes to just how much of global Internet traffic is outright criminal.
This morning I'm seeing messages via outlook.com to lots of people who
I've never heard of, about just over seventeen grand sitting in a bank
account that has obviously been forgotten. The recipients don't have
mail accounts with us so the messages are going into the tarpit. You
might think that somebody at Microsoft would want to know why so many
messages sent by their customers were not being delivered, but nobody
there will even notice. I'm quite convinced that nobody there cares.
Many of the providers unashamedly welcome criminal customers.

Protecting businesses from this has taken up most of my work life for
the past couple of decades, and I'm still looking for a way to explain
that better than "you've never been compromised". People very quickly
get used to what's 'normal'. If it's normal that their systems aren't
compromised then it can be really difficult to get through to them how
much work it takes to keep things that way. All they'll see is their
work, the results of all your work are more or less transparent. It's
like having a reliable water supply. It makes little impression until
it isn't there, when people may start to realize how important it was.
Catch 22. The only way they'll see what you mean at first hand is if
you fail to do the job properly.

--

73,
Ged.
