On Thu, Oct 23, 2003 at 12:53:49AM -0700, Steve C. Lamb said
> On Thu, Oct 23, 2003 at 05:32:59PM +1000, Rob Weir wrote:
> > Hm, now I check, 27253 of those did *not* come from my secondary MXs.
> > That is a stupid amount of crap. In fact, it is 3.8985GB of crap.
> > Imagine that instead of dropping that shit on the floor, you sent a CR
> > query. You've just doubled the number of mails flying around (though
> > not the volume, of course).
>
> Ya forgot to mention that of those 27253 messages (just using your count
> as an example) damn near close to 0 are likely to reach an infected host since
> SWEN spoofs and lots of C-R systems fall for it.
Ah, yes, that's even worse. I'm also bloody sick of getting "a virus was
detected in your mail" messages from people I have never written to.
> BTW, just curious how you detect SWEN before the MTA gets it? Usually
> mine is post-contact on at least one occasion. After that it was firewall but
> now it is just drop on a RCPT test. Hrm, should make it a HELO test. :/
I'm dropping mail based on a DATA regexp. I have the following line in /etc/postfix/ms-crap
/^TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$/ REJECT Message rejected, contains the Swen worm virus!
and this line in /etc/postfix/main.cf to make use of it
body_checks = regexp:/etc/postfix/ms-crap
No doubt any other serviceable MTA can handle it. Oh, and to get my counts, I use
grep Swen /var/log/mail.log|awk '{print $6}'|sort|uniq|wc -l
Add a grep -v for your secondary MX's before the awk to filter non-direct
attempts.
--
Rob Weir <rweir@ertius.org> | mlspam@ertius.org | Do I look like I want a CC?
Words of the day: ASLET USCODE Crowell Mantis Maple illuminati kilderkin
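
An added example, not part of the original message: a Python sketch that applies the body_checks rule quoted above to constructed message bodies one line at a time, showing that the anchored pattern fires only when a body line is exactly that base64 text, and that the text decodes to the "MZ" executable magic. Python's re module stands in for Postfix's regexp table engine here, and the helper names, sample bodies and filler data are assumptions made for the illustration.

```python
import base64
import re

# Rule line copied from the message above (/etc/postfix/ms-crap).
RULE = (r"/^TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$/"
        " REJECT Message rejected, contains the Swen worm virus!")

def parse_rule(line):
    """Split '/pattern/ ACTION text' at the closing unescaped slash (no flags handled)."""
    i = 1
    while line[i] != "/":
        i += 2 if line[i] == "\\" else 1
    return re.compile(line[1:i]), line[i + 1:].strip()

def literal_of(line):
    """The one body line the anchored pattern accepts: drop ^ and $, undo the slash escapes."""
    return parse_rule(line)[0].pattern[1:-1].replace("\\/", "/")

def body_check(line, body_lines):
    """Test body lines one at a time, as body_checks does; return the action on the first hit."""
    pattern, action = parse_rule(line)
    for body_line in body_lines:
        if pattern.search(body_line.rstrip("\r\n")):
            return action
    return None

def wrap(text, width):
    """Re-wrap base64 text at a fixed column width."""
    return [text[i:i + width] for i in range(0, len(text), width)]

def decoded_magic(line):
    """First two bytes of the file that the matched base64 line encodes."""
    return base64.b64decode(literal_of(line)[:4])[:2]

# Constructed sample: MIME part headers plus base64 text that starts with the rule's literal.
HEADERS = ["Content-Type: application/octet-stream", "Content-Transfer-Encoding: base64", ""]
PAYLOAD = literal_of(RULE) + "QUJD" * 30  # trailing data is filler, not real attachment content

SAMPLES = {
    "same line width as the rule": HEADERS + wrap(PAYLOAD, len(literal_of(RULE))),
    "wrapped at 60 columns": HEADERS + wrap(PAYLOAD, 60),
    "rule quoted in a plain-text reply": ["> " + literal_of(RULE)],
}

if __name__ == "__main__":
    print("decoded start of attachment:", decoded_magic(RULE))
    for name, body in SAMPLES.items():
        print(f"{name}: {body_check(RULE, body) or 'accepted'}")
```

Because the rule keys on one exact encoded line, its coverage depends on the sending encoder's line width, so it is worth checking against how attachments actually arrive in the local mail log.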