[Mimedefang] Another silly idea
Kelson
kelson at speed.net
Tue May 2 14:46:21 EDT 2006
Craig Green wrote:
> I tried this. Turns out a shocking number of ISPs and businesses don't
> bother running AV software on their outbound servers and just blindly
> relay their users' mail.
We got around this by only blacklisting virus senders under the
following conditions:

1. The IP sent a mass-mailing worm.
2. rDNS is missing, invalid, or clearly indicates a dynamic/consumer range.
3. The IP or rDNS is not found on a small whitelist.

So if a virus gets relayed through an ISP's mail server, it'll probably
trip rules 1 and 3, but not 2 (since it'll probably have rDNS that
points to mail.example.com, or mx5.example.com, etc. and not to, say,
adsl-1.2.3.4.example.com).

We also flush the list every 24 hours.

But then, we don't really use this list to block spam. It's more a
method of reducing the load on our virus scanner during outbreaks.
Block the IP temporarily, and if they send you a new copy of the virus
every five minutes, you only need to scan it once a day until they clean
the system or the virus stops sending.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
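
The three-condition listing policy and 24-hour flush described in the message above, as an added Python example (not code from the post or from MIMEDefang). The hostname patterns, the function and class names, and the whitelist entries are assumptions; whether a message is a mass-mailing worm is taken as an input from the virus scanner.

```python
import ipaddress
import re
import time

# Assumed heuristics for "clearly dynamic/consumer" names; tune for your own traffic.
DYNAMIC_RDNS = re.compile(r"(^|[.-])(adsl|dsl|cable|dial(up)?|dyn(amic)?|pool|ppp|dhcp)([.-]|\d)")
IP_IN_NAME = re.compile(r"\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}")
FLUSH_SECONDS = 24 * 60 * 60  # the post flushes the whole list every 24 hours

def rdns_suspicious(rdns):
    """Condition 2: rDNS is missing, invalid, or looks dynamic/consumer."""
    name = (rdns or "").rstrip(".").lower()
    if "." not in name or not re.fullmatch(r"[a-z0-9.-]+", name):
        return True
    return bool(DYNAMIC_RDNS.search(name) or IP_IN_NAME.search(name))

def whitelisted(ip, rdns, wl_nets, wl_domains):
    """Condition 3, negated: the IP or its rDNS is on the small whitelist."""
    addr = ipaddress.ip_address(ip)
    name = (rdns or "").rstrip(".").lower()
    return (any(addr in ipaddress.ip_network(n) for n in wl_nets)
            or any(name == d or name.endswith("." + d) for d in wl_domains))

class VirusSenderList:
    def __init__(self, wl_nets=(), wl_domains=(), clock=time.time):
        self.wl_nets, self.wl_domains, self.clock = wl_nets, wl_domains, clock
        self.listed, self.last_flush = set(), clock()

    def _flush_if_due(self):
        # Drop every entry once 24 hours have passed since the last flush.
        if self.clock() - self.last_flush >= FLUSH_SECONDS:
            self.listed.clear()
            self.last_flush = self.clock()

    def report(self, ip, rdns, mass_mailer):
        """Call once the scanner has flagged a message; lists the IP only if all three conditions hold."""
        self._flush_if_due()
        hit = bool(mass_mailer and rdns_suspicious(rdns)
                   and not whitelisted(ip, rdns, self.wl_nets, self.wl_domains))
        if hit:
            self.listed.add(ip)
        return hit

    def is_listed(self, ip):
        """Check before scanning: a listed IP can be refused without invoking the scanner."""
        self._flush_if_due()
        return ip in self.listed

if __name__ == "__main__":
    bl = VirusSenderList(wl_domains=["partner.example"])  # constructed sample data
    print(bl.report("198.51.100.7", "adsl-198-51-100-7.example.com", True))
    print(bl.report("203.0.113.5", "mx5.example.com", True))
```

A whitelist match on rDNS is only as trustworthy as the PTR record, so forward-confirm the name before relying on it.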