On Thu, Oct 23, 2003 at 12:53:49AM -0700, Steve C. Lamb said
> On Thu, Oct 23, 2003 at 05:32:59PM +1000, Rob Weir wrote:
> > Hm, now I check, 27253 of those did *not* come from my secondary MXs.
> > That is a stupid amount of crap. In fact, it is 3.8985GB of crap.
> > Imagine that instead of dropping that shit on the floor, you sent a CR
> > query. You've just doubled the number of mails flying around (though
> > not the volume, of course).
>
> Ya forgot to mention that of those 27253 messages (just using your count
> as an example) damn near close to 0 are likely to reach an infected host since
> SWEN spoofs and lots of C-R systems fall for it.

Ah, yes, that's even worse. I'm also bloody sick of getting "a virus was
detected in your mail" messages from people I have never written to.

> BTW, just curious how you detect SWEN before the MTA gets it? Usually
> mine is post-contact on at least one occasion. After that it was firewall but
> now it is just drop on a RCPT test. Hrm, should make it a HELO test. :/

I'm dropping mail based on a DATA regexp. I have the following line in
/etc/postfix/ms-crap

    /^TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$/ REJECT Message rejected, contains the Swen worm virus!

and this line in /etc/postfix/main.cf to make use of it

    body_checks = regexp:/etc/postfix/ms-crap

No doubt any other serviceable MTA can handle it. Oh, and to get my
counts, I use

    grep Swen /var/log/mail.log|awk '{print $6}'|sort|uniq|wc -l

Add a grep -v for your secondary MXs before the awk to filter non-direct
attempts.

--
Rob Weir <rweir@ertius.org> | mlspam@ertius.org | Do I look like I want a CC?
Words of the day: ASLET USCODE Crowell Mantis Maple illuminati kilderkin
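Added example, not part of the original post: a Python sketch of what a line-anchored body_checks pattern like the one above keys on. The string beginning TVqQAAMAAAAEAAAA//8AALg is the base64 form of the first bytes of a Windows executable (MZ) header, so the rule fires on the first base64 line of an attachment that starts with those bytes, whatever the rest of the file is. The addresses, filename and payloads are constructed, and the pattern is rebuilt here from the header bytes rather than copied from the post.

```python
import base64
import re
from email.message import EmailMessage

# 57 bytes fill exactly one 76-character base64 line. These are the leading
# bytes of a typical Windows executable (MZ/DOS) header, zero-padded.
MZ_HEADER = bytes.fromhex(
    "4d5a9000" "03000000" "04000000" "ffff0000"
    "b8000000" "00000000" "40000000"
) + bytes(29)
FIRST_LINE = base64.b64encode(MZ_HEADER).decode("ascii")

# Stand-in for the body_checks entry: one anchored pattern, tried per line.
RULE = re.compile("^" + re.escape(FIRST_LINE) + "$")


def build_message(payload: bytes, filename: str) -> EmailMessage:
    """Constructed sample mail carrying one base64-encoded attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "rcpt@example.org"
    msg["Subject"] = "constructed test message"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


def body_check(msg: EmailMessage):
    """Return the first line the rule would reject, else None."""
    for line in msg.as_string().splitlines():
        if RULE.search(line):
            return line
    return None


if __name__ == "__main__":
    samples = {
        "header at offset 0": MZ_HEADER + b"constructed filler, not a program",
        "plain text": b"just some notes\n" * 8,
        "header shifted by one byte": b"\x00" + MZ_HEADER,
    }
    for label, payload in samples.items():
        hit = body_check(build_message(payload, "sample.bin"))
        print(f"{label}: {'REJECT' if hit else 'pass'}")
```

The shifted-payload case passes the check because base64 encodes in 3-byte groups, so a one-byte offset changes every character of the first line.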