[Mimedefang] Another silly idea

Kelson kelson at speed.net
Tue May 2 14:46:21 EDT 2006


Craig Green wrote:
> I tried this.  Turns out a shocking number of ISPs and businesses don't 
> bother running AV software on their outbound servers and just blindly 
> relay their users' mail.

We got around this by only blacklisting virus senders under the 
following conditions:

1. The IP sent a mass-mailing worm.
2. rDNS is missing, invalid, or clearly indicates a dynamic/consumer range.
3. The IP or rDNS is not found on a small whitelist.

So if a virus gets relayed through an ISP's mail server, it'll probably 
trip rules 1 and 3, but not 2 (since it'll probably have rDNS that 
points to mail.example.com, or mx5.example.com, etc. and not to, say, 
adsl-1.2.3.4.example.com).

We also flush the list every 24 hours.

But then, we don't really use this list to block spam.  It's more a 
method of reducing the load on our virus scanner during outbreaks. 
Block the IP temporarily, and if they send you a new copy of the virus 
every five minutes, you only need to scan it once a day until they clean 
the system or the virus stops sending.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>
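The three conditions and the 24-hour flush described above, written out as an added example. This is not Kelson's code or anything shipped with MIMEDefang, and it is a standalone Python module rather than a mimedefang-filter; the whitelist entries, the dynamic-hostname keyword list, the sample addresses and hostnames are all constructed for illustration, and "invalid" rDNS is judged syntactically only, since an offline example cannot do a forward-confirmed lookup.

```python
"""Temporary block list for virus senders, keyed on connecting IP.
Added example, not from the original post or from MIMEDefang.  Whitelist,
keyword list and sample inputs are constructed; rDNS validity is checked
syntactically only (no forward-confirmed lookup offline).
"""
import re
import time
from typing import Optional

# Labels that usually mark a dynamic/consumer range (assumed keyword list).
DYNAMIC_WORDS = re.compile(
    r"(?:^|[.-])(?:adsl|dsl|dial(?:up)?|dyn(?:amic)?|ppp|cable|pool|dhcp"
    r"|cust(?:omer)?|broadband)(?:[.-]|\d|$)",
    re.IGNORECASE,
)
# Syntactically valid hostname: one or more labels, then an alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\.?$", re.IGNORECASE
)


def rdns_is_dynamic(ip: str, rdns: Optional[str]) -> bool:
    """Condition 2: rDNS missing, invalid, or clearly dynamic/consumer."""
    if not rdns or not HOSTNAME_RE.match(rdns):
        return True
    name = rdns.rstrip(".").lower()
    if DYNAMIC_WORDS.search(name):
        return True
    # Names embedding the address itself (1-2-3-4.x, adsl-1.2.3.4.x) are
    # generated per-IP for consumer pools, not for real mail servers.
    octets = ip.split(".")
    labels = re.split(r"[.-]", name)
    return any(labels[i:i + 4] in (octets, octets[::-1])
               for i in range(len(labels) - 3))


def whitelisted(ip: str, rdns: Optional[str], ips, domains) -> bool:
    """Condition 3 (negated): IP exact match or rDNS under a listed domain."""
    if ip in ips:
        return True
    if not rdns:
        return False
    name = rdns.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


class VirusSenderBlockList:
    FLUSH_INTERVAL = 24 * 3600  # the whole list is dropped, as in the post

    def __init__(self, whitelist_ips=(), whitelist_domains=(), clock=time.time):
        self.whitelist_ips = set(whitelist_ips)
        self.whitelist_domains = {d.lower() for d in whitelist_domains}
        self.clock = clock
        self.blocked = {}  # ip -> time first blocked
        self.last_flush = clock()

    def _maybe_flush(self):
        now = self.clock()
        if now - self.last_flush >= self.FLUSH_INTERVAL:
            self.blocked.clear()
            self.last_flush = now

    def is_blocked(self, ip: str) -> bool:
        """Check at connect time, before anything is handed to the scanner."""
        self._maybe_flush()
        return ip in self.blocked

    def record_worm(self, ip: str, rdns: Optional[str]) -> bool:
        """Condition 1 fired (scanner saw a mass-mailing worm); True if added."""
        self._maybe_flush()
        if whitelisted(ip, rdns, self.whitelist_ips, self.whitelist_domains):
            return False
        if not rdns_is_dynamic(ip, rdns):
            return False
        self.blocked.setdefault(ip, self.clock())
        return True


def demo() -> dict:
    """Constructed scenario with a fake clock so the 24-hour flush is visible."""
    fake_now = [0.0]
    bl = VirusSenderBlockList(whitelist_ips=["192.0.2.25"],
                              whitelist_domains=["example.net"],
                              clock=lambda: fake_now[0])
    r = {}
    # ISP relay with proper rDNS: trips 1 and 3 but not 2, so not blocked.
    r["isp_relay"] = bl.record_worm("192.0.2.10", "mx5.example.com")
    # Infected consumer DSL host: all three conditions, so blocked.
    r["dsl_host"] = bl.record_worm("198.51.100.7", "adsl-198-51-100-7.example.org")
    r["no_rdns"] = bl.record_worm("198.51.100.8", None)
    # Dynamic-looking name but under a whitelisted domain: not blocked.
    r["whitelisted"] = bl.record_worm("198.51.100.9", "dyn-9.example.net")
    r["blocked_now"] = bl.is_blocked("198.51.100.7")
    fake_now[0] = 23 * 3600
    r["blocked_23h"] = bl.is_blocked("198.51.100.7")
    fake_now[0] = 25 * 3600
    r["blocked_after_flush"] = bl.is_blocked("198.51.100.7")
    return r
```

In a real deployment is_blocked() would run at connect or HELO time so the message never reaches the scanner, and record_worm() would be called from the filter once the scanner has returned a worm verdict; a forward-confirmed rDNS check (resolve the name, confirm it maps back to the connecting IP) would tighten condition 2 further but is omitted here because the example has to run offline.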
