[Mimedefang] Blocking IP #

Chris Gauch cgauch at digicon.net
Thu May 5 12:05:01 EDT 2005


> -----Original Message-----
> From: mimedefang-bounces at lists.roaringpenguin.com [mailto:mimedefang-bounces at lists.roaringpenguin.com] On Behalf Of Joey McKnight
> Sent: Thursday, May 05, 2005 11:50 AM
> To: mimedefang at lists.roaringpenguin.com
> Subject: [Mimedefang] Blocking IP #
> 
> Can you block emails using the access file in mimedefang?  I'm getting
> hammered by viruses; thankfully the filter server is stopping them all.
> 
> 
> Thanks in advance.
> 

Good luck blocking each and every IP sending Sober.P viruses (I'm sure
that's the one you're dealing with the most, as we've seen our virus
activity go 20-fold since Monday). Some of those IPs may be spoofed or
"zombie" networks that are constantly changing.  You can take measures in
both MIMEDefang and Sendmail to eliminate *some* of the virus activity.
I've found that setting the "greet delay" in Sendmail 8.13.x holds off some
viruses; greylisting also works quite well in forcing the infected PCs to
retransmit the message.  Another good suggestion that I received yesterday
was to validate whether the PC is actually a *real* mail server with a valid
DNS name (mail.<something>.com/net/org instead of
location.ip-x-x-x-some-isp.net).

A particular client of ours has only 5 accounts on his own Sendmail SMTP
server and threw out 300,000 instances of Sober.P yesterday.  We have
thousands of accounts on our server that does about 1 million messages/day
and we threw out roughly 16,000 Sober.P messages yesterday (which is
definitely 100x the amount of viruses that we normally discard on any given
day).  The client's mail server is running an ancient version of Sendmail
and is poorly configured, so I'm sure that has something to do with the
number of viruses his server must deal with and discard.   

- Chris

------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
cgauch at digicon.net
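
The reverse-DNS check suggested in the message above, sketched as a MIMEDefang `filter_relay` routine. This is an added example, not part of the original post or of MIMEDefang itself. The helper `looks_generic`, the pattern list and the sample hostnames are assumptions made for illustration, as is the bracketed-IP form for relays without a PTR record.

```perl
#!/usr/bin/perl
# Added example: refuse relays whose reverse DNS looks like an end-user
# line rather than a mail server. Patterns are heuristics (assumptions)
# and should be tuned against your own logs before rejecting on them.
use strict;
use warnings;

my @GENERIC_PATTERNS = (
    # Four IP octets embedded in the name: ip-10-20-30-40.some-isp.example
    qr/\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}/,
    # Access-line keywords as a whole label or label part: dsl, pool7, ppp
    qr/(?:^|[-.])(?:dsl|adsl|dyn|dynamic|dialup|dhcp|pool|ppp|cable)\d*(?:[-.]|$)/i,
);

# Hypothetical helper: true when the name does not look like a mail server.
sub looks_generic {
    my ($hostname, $hostip) = @_;
    return 1 if !defined $hostname || $hostname eq '';
    return 1 if $hostname =~ /^\[.*\]$/;    # assumed form when no PTR exists
    return 1 if $hostname eq $hostip;       # bare IP instead of a name
    for my $re (@GENERIC_PATTERNS) {
        return 1 if $hostname =~ $re;
    }
    return 0;
}

# MIMEDefang calls this once per SMTP connection, before any mail data.
sub filter_relay {
    my ($hostip, $hostname) = @_;
    return ('CONTINUE', 'ok') if $hostip eq '127.0.0.1';
    if (looks_generic($hostname, $hostip)) {
        return ('REJECT',
            "Mail from $hostip refused: no mail-server reverse DNS; use your ISP's relay");
    }
    return ('CONTINUE', 'ok');
}

# Self-check over constructed samples; runs only when executed directly,
# not when MIMEDefang loads the file as a filter.
unless (caller) {
    my @samples = (                         # constructed, not real hosts
        ['192.0.2.10', 'mail.example.com'],
        ['192.0.2.11', 'location.ip-192-0-2-11.some-isp.example'],
        ['192.0.2.12', 'dsl-pool7.some-isp.example'],
        ['192.0.2.13', '[192.0.2.13]'],
        ['192.0.2.14', 'smtp.dynamics-corp.example'],
    );
    printf "%-45s %s\n", $_->[1], (filter_relay(@$_))[0] for @samples;
}
1;
```

MIMEDefang only calls `filter_relay` when `mimedefang` is started with the `-r` option. Some legitimate mail servers sit behind generic reverse DNS, so returning `TEMPFAIL` or logging matches for a while before switching to `REJECT` limits false positives.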



