[Mimedefang] freshclam -- Is it a daemon?
Kelson
kelson at speed.net
Wed May 4 14:29:45 EDT 2005
Chris Gauch wrote:
> We haven't seen any Sober.P get through ClamAV yet (freshclam updated the
> signatures just on time), but it's been a real nuisance the past 3-4 days
> and I know a lot of PCs and external networks are infected. We went from
> receiving 100-300 viruses per day total (we do approx. 1 million
> messages/day volume), to 15,000 viruses per day total (99% of those being
> Sober.P).
Something I've found that helps cut down on the virus scanning: When
you receive a self-mailing virus, check the IP's reverse DNS for any
signs that it might be a real mail server. If not, block it for a short
period of time. We use 24 hours, and look for patterns like
ip-add-re-ss-dsl.whatever vs. mail.something or mx.something.

In the past we used to get lots of repeats, usually to the same sets of
addresses. Blocking the IP really cuts down on the load -- our virus
count only jumped by a factor of 10 on Monday -- and since we're
scanning inbound mail, it rarely collides with our own users who would
normally be sending mail.

In fact, the only time I can remember having a problem with it, one of
our customers had received a copy of a virus (either defanged before the
signature was added or from another source, I forget which) and had the
sense not to open it... but forwarded it to their network consultant,
asking "Is this a virus?"

The main nuisance Sober has caused here has been all the bogus bounces.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
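
Added example, not part of Kelson's message and not MIMEDefang filter code: a sketch of the reverse-DNS check and 24-hour temporary block described above. The regular expressions, the handling of a missing PTR record, and the names looks_like_mail_server and TempBlocklist are assumptions; the post gives only the mail./mx. and ip-add-re-ss-dsl patterns and the 24-hour period.

```python
import re
import time

BLOCK_SECONDS = 24 * 60 * 60  # the 24-hour block mentioned in the post
# Assumed patterns: the post names only mail.* / mx.* and ip-add-re-ss-dsl.*
SERVER_LABEL = re.compile(r"^(mail|mx)\d*$")
EMBEDDED_IP = re.compile(r"\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}")
ACCESS_HINT = re.compile(r"dsl|cable|dial|dhcp|ppp")  # "dsl" from the post, rest assumed

def looks_like_mail_server(rdns):
    """True if the PTR name shows any sign of being a real mail server."""
    if not rdns:
        return False  # assumption: a missing PTR record counts as "no sign"
    name = rdns.lower().rstrip(".")
    if SERVER_LABEL.match(name.split(".")[0]):
        return True
    # Assumption: names with no access-line markers get the benefit of the doubt.
    return not (EMBEDDED_IP.search(name) or ACCESS_HINT.search(name))

class TempBlocklist:
    """In-memory IP -> expiry map; a real filter would persist this."""
    def __init__(self, ttl=BLOCK_SECONDS):
        self.ttl = ttl
        self.expiry = {}

    def on_virus(self, ip, rdns, now=None):
        """Record a self-mailing virus from ip; return True if ip is now blocked."""
        now = time.time() if now is None else now
        if looks_like_mail_server(rdns):
            return False
        self.expiry[ip] = now + self.ttl
        return True

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        until = self.expiry.get(ip)
        if until is not None and now >= until:
            del self.expiry[ip]  # block has expired
            return False
        return until is not None

# Constructed sample input (documentation IP ranges, example domains).
SAMPLES = [("192.0.2.10", "mail.example.org"),
           ("198.51.100.23", "198-51-100-23-dsl.example.net"),
           ("203.0.113.7", "mx2.example.com")]

if __name__ == "__main__":
    bl = TempBlocklist()
    print([(ip, bl.on_virus(ip, ptr)) for ip, ptr in SAMPLES])
```

Only the virus-triggered path adds a block, so a host that never sends a virus is unaffected whatever its PTR name looks like.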