[Mimedefang] How to Handle a Virus.

Karel.DeBruyne at ua.ac.be Karel.DeBruyne at ua.ac.be
Thu Apr 18 06:11:19 EDT 2002


On Thu, 18 Apr 2002, Jack Olszewski wrote:

> At 08:47 AM 18/04/02 +0200, you wrote:
> >On Thu, 18 Apr 2002, Jack Olszewski wrote:
> >
> >> Bouncing the message, action_bounce( ... ), does not mean sending it
> >> anywhere. It means its immediate rejection with a signal ... to the sender:
> >>
> >> 554 5.7.1 ...
> >
> >I preferred this! Simple, the least work for the sysadmin, no risk for
> >filesystems filling up...
> >
> >If I receive a mail with a virus, I add the Sender to a list which is being
> >used by sendmail to bounce. This way, an infected pc sending a lot of
> >mails only generates one mimedefang-session.
> >
> >During the night this list is reset, and in the bounce-message, I mention
> >a URL where a user can remove his name from this list.
> >
>
> What do you do with:
>
> Hybris    -   empty sender's address
> Magistr   -   faked sender's address
> Badtrans  -   faked sender's address
> etc.
>
> Most of email viruses/worms send themselves silently, without using one's
> regular mailer (Netscape, OE, etc.) and ignore any signals/error-messages
> coming from the receiving server. Therefore, the owner of the infected
> machine has no way of knowing he/she has been blacklisted and how to remove
> himself/herself from the blacklist. In effect, he/she has been prevented from
> sending anything anywhere till the list is reset. If, in the meantime,
> he/she did not get rid of the virus, he/she will be put back into the list
> first thing next morning.
>
> I am not sure if it is a good idea.

I've seen these viruses: they often increment the second character of
the sender address by one.

john at abc.com becomes jbhn at abc.com. This is the address that will be blocked.

You are right, the user won't find out his pc is infected, but the
vulnerability and the load of my server is my main concern.
For each internal pc sending an infected mail, our helpdesk gets a report
from my mimedefang indicating the IP address.

Karel
>
> Jack
> _______________________________________________
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
>

=======================================================================
Karel De Bruyne
System/Network Manager                      phone      + 32 3 820 22 04
UIA - Network Service                       fax        + 32 71 83 43 00
Universiteitsplein 1 - B0.12                email  dbruyne at uia.ua.ac.be
B 2610 Wilrijk - Belgium              http://www.uia.ua.ac.be/u/dbruyne
=======================================================================
