[Mimedefang] Greylist-busting ratware?

nathan r. hruby nhruby at uga.edu
Fri Apr 21 09:30:29 EDT 2006

On Thu, 20 Apr 2006, John Rudd wrote:

> On Apr 20, 2006, at 16:34, nathan r. hruby wrote:
>> - ratware infected boxen on campus use campus relays which relay by IP.
>>   They spew, we queue.  Badness for everyone.
> We no longer have our student-residential IP block in our relay domain for 
> this reason.  They were, by far, our biggest source of this problem.

Sadly, our resnet only accounts for about 50% of these incidents.  We see
nailed desktops, roaming laptops of professors and visiting folk, lab
machines, etc.  On occasion we even see misconfigured machines that are
open relays abused in this fashion :(

We have policy in the works to disable most of this and go to SMTP AUTH,
but it'll be a few more months until that happens, and we'll still need to
make provisions for automated non-authing systems (unix machines running
an MTA, web scripts, etc., all of which will be filtered through
MIMEDefang, to stay on topic).

>> - Inbound ratware using SMTP AUTH to authenticate as a real user
> Hm.  We haven't seen this at all yet.  That's not a good sign.

Yeah.  We were *thrilled* to see this happening.  *Thrilled* I tell you.

nathan hruby <nhruby at uga.edu>
uga enterprise information technology services
core services support
"In 1972 a crack commando unit was sent to
  prison by a military court for a crime they
  didn't commit...."
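The two ratware patterns the message describes (infected boxes spewing through an IP-based relay, and a bot authenticating via SMTP AUTH as a real user) both show up in the MTA log as one identity producing far more mail, or mail from far more client addresses, than a person would. The script below is an added example written for this thread, not code from the poster, the list, or the MIMEDefang project. It assumes sendmail-style "AUTH=server" log lines (the sample lines are constructed here, the hostnames, users and IPs are made up) and made-up thresholds; it flags an authid that sends more than max_msgs messages, or authenticates from more than max_ips distinct client IPs, inside a sliding window.

```python
"""Flag SMTP AUTH accounts whose usage looks like ratware (added example).

Not MIMEDefang code and not the poster's setup.  Assumes sendmail-style
'AUTH=server' log lines; the sample log below is constructed, and the
thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches roughly what sendmail logs for an authenticated client, e.g.
#   ... sendmail[4410]: k3LD0aa004410: AUTH=server, relay=host [10.1.2.3],
#       authid=prof1, mech=LOGIN, bits=0
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
    r"AUTH=server, relay=(?:\S+ )?\[(?P<ip>[^\]]+)\], authid=(?P<user>[^,]+), mech="
)


def _auth_line(ts, relay_ip, user, host=""):
    """Build one constructed sendmail-style AUTH=server log line."""
    relay = f"{host} [{relay_ip}]" if host else f"[{relay_ip}]"
    return (f"{ts} mx1 sendmail[4410]: k3LD0aa004410: AUTH=server, "
            f"relay={relay}, authid={user}, mech=LOGIN, bits=0")


# Constructed sample log: one normal user, one account used from six
# different client IPs within a minute (stolen credentials), and one
# lab box pushing 30 messages in a minute (infected host).
SAMPLE_LOG = "\n".join(
    [_auth_line(f"Apr 21 09:0{i}:00", "10.1.2.3", "prof1", "desk.example.edu")
     for i in range(3)]
    + [_auth_line(f"Apr 21 09:10:{i * 10:02d}", f"203.0.113.{i}", "student7")
       for i in range(6)]
    + [_auth_line(f"Apr 21 09:20:{i * 2:02d}", "10.5.5.5", "labuser", "lab12.example.edu")
       for i in range(30)]
)


def parse_auth_events(log_text, year=2006):
    """Return a list of (timestamp, authid, client_ip) for AUTH=server lines.

    syslog timestamps carry no year, so one is assumed (2006 matches the thread).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        stamp = f"{year} {' '.join(m['ts'].split())}"
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def find_suspect_accounts(events, window=timedelta(minutes=10),
                          max_msgs=20, max_ips=3):
    """Return {authid: reason} for accounts that exceed either threshold
    within any sliding window of the given length.  The same logic applies
    per relay IP for the IP-authorised relays the thread mentions."""
    by_user = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_user[user].append((ts, ip))

    suspects = {}
    for user, evs in by_user.items():
        peak_msgs = peak_ips = 0
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            peak_msgs = max(peak_msgs, len(span))
            peak_ips = max(peak_ips, len({ip for _, ip in span}))
        reasons = []
        if peak_msgs > max_msgs:
            reasons.append(f"{peak_msgs} messages in {window}")
        if peak_ips > max_ips:
            reasons.append(f"{peak_ips} distinct client IPs in {window}")
        if reasons:
            suspects[user] = "; ".join(reasons)
    return suspects


if __name__ == "__main__":
    for user, why in find_suspect_accounts(parse_auth_events(SAMPLE_LOG)).items():
        print(f"{user}: {why}")
```

Run against a real maillog, the thresholds need tuning per site (list servers and web scripts relaying through a single account will trip the message count), and the distinct-IP check is the more telling one for the stolen-credential case, since a single person rarely authenticates from four networks in ten minutes.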

