Sober (Was Re: [Mimedefang] code 421 and filter_sender)

Paul Whittney pwhittney at net.arrivetech.com
Tue Dec 6 20:34:44 EST 2005


I suppose this is a little off topic, but I'm sure we're all coping
with the Sober.X virus, at the desktop or the server.

Seeing elevated emails from all sorts of recipients. Greylisting works
to a point, but if the PC retries within the correct limit, they get
whitelisted (I wonder if this is a case for "This regexp needs different
timeouts" in the code..).

Personally, I've been checking the first base64 line of zips that match:
UEsDBAoAAAAAA.{6}Myus3XtgAAF7YAAAYAAAARmlsZS1wYWNrZWRfZGF0
and quarantining the emails (or dropping, if it gets too much), as I
can't assume that the FBI, or CIA are not trying to email. It's not perfect,
but it prevents users getting the emails, which some think means they're
infected (yes, I know, this is an education issue). But it incurs work,
but less work than running a scanner over all of it.

However, for some sites that deal with a small number of domains that
accept email, the first thought is to "block all that could be the virus",
and then move to the next task of the day (or hour ;-). I've actually had
good responses with checking the IP addresses that are sending to some
of our domains, doing a whois on the IP, and calling/emailing the tech
contact listed. Remember, the reason the emails are knocking on your
server's door is that an infected machine has your users' email address
somewhere on their system (okay, that's a bit too simple, as it could be
going through cached/saved files looking for emails, but still..).

Do it nicely, and not by saying "hey, you're infected, stop it!". Offer
logs, if needed. What do you get out of it? Less infected emails! Isn't
that the point? Deal with the problem, not the symptom. It's like Dshield
for emails ;-P

Sorry, Mike, doesn't really address what you're talking about. Aren't
sendmail's RCPT Throttle hooks good for this? Wonder if someone has pulled
the SMTP server part out of the virus to see how RFC compliant it is?

-Paul Whittney

On Tue, Dec 06, 2005 at 04:29:00PM -0800, Mike Batchelor wrote:
<snip>
> But if I put this same code in filter_sender, to reject the worms
> sooner, it does not drop the connection.  It issues the 421 error, but
> keeps the connection open.  Why is that?  It's doing the job in
> filter_recipient (the worm does not retry a dropped connection), but
> filter_sender is where it should logically be placed.  I wouldn't call
> this a bug or anything, I am just curious why it behaves like this.
> Sendmail 8.13.x will reset the connection when a Milter returns 421,
> just like it would if it issued 421 from its own code.  But why not
> from within filter_sender?
> 
-- 
Paul Whittney                                  ArriveTech, Inc.
Network Specialist / Systems Engineer         / |670 West 36th Street,
                                             /--|Erie, PA, 16508, USA
PWhittney [at] arrivetech.com (Main)        /   |www.arrivetech.com 
PWhittney [at] net.arrivetech.com (Aux)    /    |Tel: 814 868 3306
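An added example (not part of Paul's post, and not MIMEDefang code) showing the check he describes: walk a message's MIME parts, take the first base64 line of each base64-encoded attachment, and match it against the regex quoted above. The decoded view is my own generalisation of that regex: "UEsDBAoAAAAAA" decodes to a ZIP local-file header (signature PK\x03\x04, version 1.0, method 0 = stored) and "RmlsZS1wYWNrZWRfZGF0" to the start of the member name "File-packed_dat", so the second check decodes the line and reads the header fields instead of matching base64 text, which survives re-encoding with a different line length or wildcard bytes. The function names, the message layout and both sample messages are constructed here; the suspect line is built to satisfy the regex with the six wildcard characters filled with "AAAAAA" and is not a captured sample.

```python
import base64
import email
import io
import re
import struct
import zipfile

# Regex quoted in the post, applied to the first base64 line of a ZIP attachment.
SOBER_B64_RE = re.compile(
    r"^UEsDBAoAAAAAA.{6}Myus3XtgAAF7YAAAYAAAARmlsZS1wYWNrZWRfZGF0"
)
# What the fixed parts of that regex decode to (my decoding, not from the post).
ZIP_LOCAL_SIG = b"PK\x03\x04"
MEMBER_PREFIX = b"File-packed_dat"


def first_base64_line(part):
    """Return the first non-blank line of a base64-encoded MIME part, or None."""
    cte = part.get("Content-Transfer-Encoding", "")
    if cte.strip().lower() != "base64":
        return None
    for line in part.get_payload(decode=False).splitlines():
        line = line.strip()
        if line:
            return line
    return None


def decoded_header_matches(b64_line):
    """Decode the line and inspect the ZIP local-file header it starts with:
    signature, compression method 0 (stored) and a member name beginning
    with MEMBER_PREFIX. Needs at least 60 base64 chars (45 bytes) on the line."""
    usable = b64_line[: len(b64_line) - len(b64_line) % 4]  # whole 4-char groups only
    try:
        raw = base64.b64decode(usable, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) < 30 or raw[:4] != ZIP_LOCAL_SIG:
        return False
    method = struct.unpack_from("<H", raw, 8)[0]
    name_len = struct.unpack_from("<H", raw, 26)[0]
    name = raw[30:30 + name_len]  # may be truncated if the line is short
    return method == 0 and name.startswith(MEMBER_PREFIX)


def scan_message(raw_message):
    """Return (filename, regex_hit, header_hit) for each base64 attachment."""
    msg = email.message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        line = first_base64_line(part)
        if line is None:
            continue
        findings.append((
            part.get_filename() or "(unnamed)",
            bool(SOBER_B64_RE.match(line)),
            decoded_header_matches(line),
        ))
    return findings


def verdict(raw_message):
    """'quarantine' if any attachment trips either check, else 'accept'."""
    hits = [f for f in scan_message(raw_message) if f[1] or f[2]]
    return "quarantine" if hits else "accept"


def _wrap(b64_body, name):
    # Constructed message skeleton; example.com addresses are placeholders.
    return (
        "From: sender@example.com\nTo: user@example.com\n"
        "Subject: constructed sample\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nsee attached\n"
        f'--b1\nContent-Type: application/zip; name="{name}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment; filename="{name}"\n\n'
        f"{b64_body}\n--b1--\n"
    )


# Constructed suspect line: regex wildcard .{6} filled with "AAAAAA".
SUSPECT_LINE = "UEsDBAoAAAAAA" + "AAAAAA" + "Myus3XtgAAF7YAAAYAAAARmlsZS1wYWNrZWRfZGF0"
SUSPECT_MSG = _wrap(SUSPECT_LINE, "data.zip")


def build_benign_message():
    """Constructed benign control: a real, harmless stored ZIP holding notes.txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("notes.txt", "nothing to see here\n")
    return _wrap(base64.encodebytes(buf.getvalue()).decode("ascii"), "notes.zip")


if __name__ == "__main__":
    print(scan_message(SUSPECT_MSG), verdict(SUSPECT_MSG))
    print(scan_message(build_benign_message()), verdict(build_benign_message()))
```

The regex is the cheap first-line test Paul runs; the decoded-header test costs one base64 decode per attachment and is the one to keep if a variant re-wraps the base64 or changes the wildcard bytes, since it keys on the ZIP structure rather than on the text encoding of it.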