Within the register sub of the clamdscan plugin is this little nugget:
    # Set some sensible defaults
    $self->{'_args'}{'deny_viruses'} ||= 'yes';
    $self->{'_args'}{'max_size'} ||= 128;
    $self->{'_args'}{'scan_all'} ||= 0;
Having a default enable for denying viruses is sensible enough.
But a max_size of 128K? You mean all a virus author needs to do is attach an image to his virus-laden message to evade virus scanning on a qpsmtpd server? Is that really a sensible default?
My first inclination is that max_size should default to whatever $config->data_bytes is set to. Why would such a low limit be considered sensible?
The other thing I'm questioning is why scan_all=0 is the 'sensible' default. If one is going to bother running a virus scanner, it would seem the "safe" choice is to scan everything. Should it be as easy as inserting an illegal character into the Content-Type field value (which would get ignored later) to bypass multipart detection, and thus virus scanning?
Matt
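
Added example, not part of the original post and not the plugin's own code: a small Perl model of the two gates questioned above, run over constructed messages to show what each setting leaves unscanned. The gate conditions, the would_scan helper, the multipart regex and the 10 MB size limit are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: models the size gate and the multipart gate discussed in
# the post so an admin can see scan coverage per configuration.
use strict;
use warnings;

# Assumption: a message is skipped when it is larger than max_size (in KB),
# and, unless scan_all is set, when its Content-Type is not multipart.
sub would_scan {
    my ($args, $msg) = @_;
    return (0, 'over max_size')
        if $msg->{size} > $args->{max_size} * 1024;
    unless ($args->{scan_all}) {
        my $ct = $msg->{content_type};
        return (0, 'not multipart')
            unless defined $ct && $ct =~ m{^\s*multipart/}i;
    }
    return (1, 'scanned');
}

# Constructed stand-in for the server's message size limit, in bytes.
my $data_bytes = 10 * 1024 * 1024;

my %profiles = (
    # Defaults quoted in the post.
    default => { max_size => 128, scan_all => 0 },
    # Stricter profile: scan everything up to the accepted message size.
    strict  => { max_size => int($data_bytes / 1024), scan_all => 1 },
);

# Constructed sample messages; size is in bytes.
my @msgs = (
    { label => 'small multipart',      size => 50 * 1024,
      content_type => 'multipart/mixed; boundary="b1"' },
    { label => 'multipart, 300 KB',    size => 300 * 1024,
      content_type => 'multipart/mixed; boundary="b2"' },
    { label => 'small text/plain',     size => 4 * 1024,
      content_type => 'text/plain; charset=us-ascii' },
    { label => 'no Content-Type',      size => 4 * 1024,
      content_type => undef },
);

for my $name (sort keys %profiles) {
    for my $m (@msgs) {
        my ($ok, $why) = would_scan($profiles{$name}, $m);
        printf "%-8s %-20s %s\n", $name, $m->{label},
            $ok ? 'SCAN' : "SKIP ($why)";
    }
}
```

Under the default profile only the first message reaches the scanner; under the strict profile all four do.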