Sober (Was Re: [Mimedefang] code 421 and filter_sender)

Mike Batchelor mike at batch.com
Tue Dec 6 21:56:05 EST 2005


On 12/6/05, Paul Whittney <pwhittney at net.arrivetech.com> wrote:
> Sorry, Mike, doesn't really address what you're talking about. Isn't
> sendmail's RCPT Throttle hooks good for this?

Thanks for your input, even though it is only tangential to my
question.  My object is to get the worm off the socket asap.
Sometimes it sends as many as 60 or 70 recips in a single message.
RcptThrottle would just make it hang around on the socket longer than
it already does.

Expanding on my earlier code 421 idea, I have come up with a
replacement for sendmail's MaxRecipientsPerMessage, which is also
helping me deal with Sober M681 and its variants.  We have long ago
set a policy of no more than 9 recips per message, so I reimplemented
this in filter_recipient, and made sendmail drop the connection,
rather than repeatedly issuing 4xx codes while allowing the worm to
keep the socket open.

    # check how many recipients; if 10 or more, drop the connection
    read_commands_file;
    my $recipcount = @Recipients;
    my $maxrecips = 10;
    if ($recipcount >= $maxrecips) {
        # reply code 421 makes sendmail drop the connection
        return ('TEMPFAIL', "$recipcount recipients is wormsign.", '421', '4.2.1');
    }

This doesn't work if sendmail's MaxRecipientsPerMessage is set to a
lower value than used here.



