Anyone using CLAMav on their servers?

Just wondering what the typical CPU/RAM consumption is of CLAMav when it's scanning your mails (and how many emails it is actually scanning on avg).

Thanks.

 

My personal servers don't get enough mails for a reasonable comparison.

On a customer's server which processes ~ 100 000 mails a day, average time to scan using clamav is just under 1 second on a Xeon 3Ghz.

Spamassassin takes a lot more time and uses more resources than ClamAV.

 

Mine will do 3-500 a day roughly.

Really? I would have thought some keyword filtering and perhaps contacting some RBLs would have been faster than scanning a file against all known virus signatures.

Then again, ClamAV will only run against those with attachment as oppose to every email gets SA-ed.

Any (rough) stats on what SA takes up in resources?

 

Actually, ClamAV should get run against all emails, regardless of whether or not they appear to have attachments.

Most the the delay with SpamAssassin is waiting from the DNS replies from the RBLs, but there's a reasonable amount of CPU time taken whilst doing the filtering too.

If you're only getting less than 1000 mails a day then I wouldn't worry about the extra load from ClamAV/SpamAssassin unless your server is already heavily loaded (constantly at 2+).

 

Why? I thought a virus or worm could only reside in an attachement. Perhaps in an image inline but that's still sent across as an attachment though isn't it?

Which RBLs do you use? I was considering Spamhaus only because of their conservative status. I'd rather have a few slip through than real messages being blocked. Have any feedback on Spamhaus efficiency and/or DNS response time?

Averages at peak times at 0.10 so it seems I have some to spare But I did ask the engineers whether they could throttle CPU usage for the MTA so there's plenty left for Apache and MySQL.

BTW do you know how to export Ham and Spam from Outlook and use it to train SA?

 

Yup, but by the time you've gone to the trouble of looking at the data part of the message you might have well just scanned the whole thing. Most messages without attachements are pretty small (>5kb) anyway.

On the servers I maintain, I reject immediately if the sending server is in sbl-xbl.spamhaus.org.

SpamAssassin does further checks on RBLs, then scores based upon the results.

You could nice the SA/ClamAV processes I suppose, for the small number of messages you're getting it's probably not worth the hassle.

Sorry, don't do Windows

 

You can, but it's better to leave them in. Other (eg bl.spamcop.net) sometimes have false positives, but if an IP is listed in multiple bls then that's a pretty good indication of a problem.