[Mimedefang] How to Handle a Virus.

Jack Olszewski jacek at hermes.net.au
Thu Apr 18 03:38:01 EDT 2002


At 08:47 AM 18/04/02 +0200, you wrote:
>On Thu, 18 Apr 2002, Jack Olszewski wrote:
>
>> Bouncing the message, action_bounce( ... ), does not mean sending it
>> anywhere. It means its immediate rejection with a signal ... to the sender:
>>
>> 554 5.7.1 ...
>
>I preferred this! Simple, the least work for the sysadmin, no risk for
>filesystems filling up...
>
>If I receive a mail with a virus, I add the Sender to a list which is being
>used by sendmail to bounce. This way, an infected pc sending a lot of
>mails only generates one mimedefang-session.
>
>During the night this list is reset, and in the bounce-message, I mention
>a URL where a user can remove his name from this list.
>

What do you do with:

Hybris    -   empty sender's address
Magistr   -   faked sender's address
Badtrans  -   faked sender's address
etc.

Most email viruses/worms send themselves silently, without using one's
regular mailer (Netscape, OE, etc.) and ignore any signals/error-messages
coming from the receiving server. Therefore, the owner of the infected
machine has no way of knowing he/she has been blacklisted and how to remove
himself/herself from the blacklist. In effect, he/she has been prevented from
sending anything anywhere till the list is reset. If, in the meantime,
he/she did not get rid of the virus, he/she will be put back into the list
first thing next morning. 

I am not sure if it is a good idea.

Jack


