[Mimedefang] freshclam -- Is it a daemon?
Chris Gauch
cgauch at digicon.net
Wed May 4 16:01:58 EDT 2005
Kelson Vibber wrote:
> Something I've found that helps cut down on the virus scanning: When
> you receive a self-mailing virus, check the IP's reverse DNS for any
> signs that it might be a real mail server. If not, block it for a short
> period of time. We use 24 hours, and look for patterns like
> ip-add-re-ss-dsl.whatever vs. mail.something or mx.something.
>
> In the past we used to get lots of repeats, usually to the same sets of
> addresses. Blocking the IP really cuts down on the load -- our virus
> count only jumped by a factor of 10 on Monday -- and since we're
> scanning inbound mail, it rarely collides with our own users who would
> normally be sending mail.
>
> In fact, the only time I can remember having a problem with it, one of
> our customers had received a copy of a virus (either defanged before the
> signature was added or from another source, I forget which) and had the
> sense not to open it... but forwarded it to their network consultant,
> asking "Is this a virus?"
>
> The main nuisance Sober has caused here has been all the bogus bounces.
Exact same story at our location -- a few of our clients received so many
bogus bounces that we had to block several domains and host IPs (some of
which I am sure are legitimate). Some of our smaller business offices were
inundated with thousands of bounces thanks to all of the networks/PCs out
there infected with Sober. The largest hassle on our part is fielding the
calls from dimwitted clients who believe the 4-line, text-only bounces
actually might contain the virus...
- Chris
------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
cgauch at digicon.net
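
The approach quoted above (judge the sending IP by its reverse DNS name, then block it for 24 hours) can be sketched as follows. This is an added example, not part of the original messages and not MIMEDefang code; the function and class names and the hostname patterns are assumptions, and only IPv4 senders are handled.

```python
import re
import time

BLOCK_SECONDS = 24 * 3600  # the 24-hour block mentioned in the message
# Assumed patterns, tune them against your own traffic:
MAIL_LABEL = re.compile(r"^(mail|mx|smtp|relay|mta)\d*\.")
ACCESS_WORD = re.compile(r"dsl|cable|dial|dyn|pool|ppp|dhcp")


def classify_rdns(ip, rdns):
    """Classify an IPv4 sender's PTR name as 'mail', 'dynamic' or 'unknown'."""
    if not rdns:
        return "unknown"  # no reverse DNS: no sign of a real mail server
    host = rdns.rstrip(".").lower()
    # ip-add-re-ss style: every octet of the address appears in the name
    numbers = [str(int(n)) for n in re.findall(r"\d+", host)]
    if len(numbers) >= 4 and all(o in numbers for o in ip.split(".")):
        return "dynamic"
    if MAIL_LABEL.match(host):
        return "mail"
    if ACCESS_WORD.search(host):
        return "dynamic"
    return "unknown"


class TempBlocklist:
    """In-memory IP blocklist whose entries expire after ttl seconds."""

    def __init__(self, ttl=BLOCK_SECONDS):
        self.ttl = ttl
        self._expires = {}

    def report_virus(self, ip, rdns, now=None):
        """Record a self-mailing virus from ip; return True if ip was blocked."""
        now = time.time() if now is None else now
        if classify_rdns(ip, rdns) == "mail":
            return False  # looks like a real relay: keep scanning, don't block
        self._expires[ip] = now + self.ttl
        return True

    def is_blocked(self, ip, now=None):
        """Return True while the block on ip has not yet expired."""
        now = time.time() if now is None else now
        expiry = self._expires.get(ip)
        if expiry is not None and now >= expiry:
            del self._expires[ip]  # block has lapsed
            expiry = None
        return expiry is not None
```

Hosts classified as 'unknown' are blocked along with 'dynamic' ones, following the "if not, block it" rule in the quoted text; the state here is per-process, so a real filter would need to persist it.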