[Mimedefang] freshclam -- Is it a daemon?

Kelson kelson at speed.net
Wed May 4 14:29:45 EDT 2005


Chris Gauch wrote:
> We haven't seen any Sober.P get through ClamAV yet (freshclam updated the
> signatures just on time), but it's been a real nuisance the past 3-4 days
> and I know a lot of PCs and external networks are infected.  We went from
> receiving 100-300 viruses per day total (we do approx. 1 million
> messages/day volume), to 15,000 viruses per day total (99% of those being
> Sober.P).

Something I've found that helps cut down on the virus scanning:  When 
you receive a self-mailing virus, check the IP's reverse DNS for any 
signs that it might be a real mail server.  If not, block it for a short 
period of time.  We use 24 hours, and look for patterns like 
ip-add-re-ss-dsl.whatever vs. mail.something or mx.something.

In the past we used to get lots of repeats, usually to the same sets of 
addresses.  Blocking the IP really cuts down on the load -- our virus 
count only jumped by a factor of 10 on Monday -- and since we're 
scanning inbound mail, it rarely collides with our own users who would 
normally be sending mail.

In fact, the only time I can remember having a problem with it, one of 
our customers had received a copy of a virus (either defanged before the 
signature was added or from another source, I forget which) and had the 
sense not to open it... but forwarded it to their network consultant, 
asking "Is this a virus?"

The main nuisance Sober has caused here has been all the bogus bounces.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>
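An added example (not code from Kelson's post or from MIMEDefang) of the reverse-DNS heuristic and 24-hour temporary block described above, written in Python. The hostname patterns, the example IPs and the timestamps are assumptions constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Heuristics assumed for this example (not from the original post): a name
# beginning with mail./mx./smtp./relay. is taken as a real mail server; a name
# carrying an embedded IP address (ip-203-0-113-45) or a token such as
# dsl/dyn/ppp/cable/dhcp/pool is taken as an end-user host.
MAIL_SERVER = re.compile(r"^(?:mail|mx|smtp|relay)\d*\.", re.IGNORECASE)
EMBEDDED_IP = re.compile(r"(?:\d{1,3}[.-]){3}\d{1,3}")
DYNAMIC_TOKENS = re.compile(
    r"(?:^|[.-])(?:dsl|dyn|dynamic|ppp|pool|cable|dhcp|dial)(?:[.-]|$)", re.IGNORECASE)

def classify_rdns(rdns):
    """Return 'none', 'mail_server', 'dynamic' or 'unknown' for a reverse DNS name."""
    if not rdns:
        return "none"
    if MAIL_SERVER.match(rdns):
        return "mail_server"
    if EMBEDDED_IP.search(rdns) or DYNAMIC_TOKENS.search(rdns):
        return "dynamic"
    return "unknown"

class TempBlocklist:
    """IPs blocked for a fixed window (24 h, as in the post); entries expire lazily."""
    def __init__(self, ttl=timedelta(hours=24)):
        self.ttl = ttl
        self._expires = {}
    def block(self, ip, now):
        self._expires[ip] = now + self.ttl
    def is_blocked(self, ip, now):
        expires = self._expires.get(ip)
        if expires is None:
            return False
        if now >= expires:
            del self._expires[ip]  # window is over; let the host try again
            return False
        return True

def on_virus_from(ip, rdns, blocklist, now):
    """Post's rule: a self-mailing virus from an IP whose rDNS shows no sign of a
    real mail server gets that IP blocked for the window; MX-looking hosts are only scanned."""
    kind = classify_rdns(rdns)
    if kind == "mail_server":
        return "scan_only"
    blocklist.block(ip, now)
    return "blocked:" + kind

def demo():
    bl = TempBlocklist()
    t0 = datetime(2005, 5, 4, 14, 29)  # constructed timestamp
    first = on_virus_from("203.0.113.45", "ip-203-0-113-45-dsl.example.net", bl, t0)
    second = on_virus_from("198.51.100.7", "mail.example.org", bl, t0)
    still = bl.is_blocked("203.0.113.45", t0 + timedelta(hours=23))
    expired = bl.is_blocked("203.0.113.45", t0 + timedelta(hours=25))
    return first, second, still, expired
```

In a real filter the rDNS name would come from the connecting relay's PTR lookup and the blocklist would need to persist across filter processes.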
