Thread: Let's see if this helps ... more anti-virus/anti-spam ...
I've just moved some anti-virus/anti-spam checks a bit closer to the source, and am now rejecting the following before it even gets to the anti-virus checking, and/or majordomo:

    /^Subject: Thank you!/ REJECT
    /^Subject: Re: Thank you!/ REJECT
    /^Subject: Re: Wicked screensaver/ REJECT
    /^Subject: Wicked screensaver/ REJECT
    /^Subject: Re: Re: My details/ REJECT
    /^Subject: Re: That movie/ REJECT
    /^Subject: That movie/ REJECT
    /^Subject: Re: Approved/ REJECT
    /^Subject: Approved/ REJECT
    /^Subject: Re: Details/ REJECT
    /^Subject: Re: Your application/ REJECT
    /^Subject: Your application/ REJECT
    /^Subject: Re: Your details/ REJECT
    /^Subject: Your details/ REJECT
    /^Subject: Details/ REJECT

Which seem to be the subjects that are rejected to the whole Sobig virus ... right now, there are ~2000 messages in Majordomo's queue to be processed, probably about 90% with the above subjects, which is really really slowing down delivery/processing of *legit* messages to the lists ... hopefully this will keep a lot of the garbage out of the queues and get the lists back on track ...

Just a situation report as to why things are looking so slow ...

Right now, amavis has processed the following so far today:

    neptune# awk '{print $7}' /var/log/amavisd | sort | uniq -c
        305 BAD
        171 BANNED
      22554 INFECTED
       8854 Passed

Hopefully adding the header_checks into postfix will keep the INFECTED from growing much more *cross fingers* ... Am keeping a close watch on things and will see how it fares ...
'k, I'm using Postfix here ... there are a whack of 'anti-*' checks that I *can* enable that deal with reverse DNS and a bunch of other things, but I found when I tried that ages back that there was a lot of mail being rejected from legit sources :(

On Wed, 27 Aug 2003, Richard Welty wrote:

> On Wed, 27 Aug 2003 19:55:36 -0300 (ADT) "Marc G. Fournier" <scrappy@hub.org> wrote:
>
> > I've just moved some anti-virus/anti-spam checks a bit closer to the
> > source, and am now rejecting the following before it even gets to the
> > anti-virus checking, and/or majordomo:
>
> I don't know what MTA you're using, but if it supports syntax checks on the
> HELO/EHLO strings, you might want to look at blocking strings that don't
> include a "." in the middle. The RFCs require this to be either an FQDN or
> a literal IP, and most of the virus stuff is coming from M$ hosts that use
> the BIOS name (not a FQDN) in their HELO strings.
>
> I found I could reject the bulk of the Sobig stuff after receiving a HELO.
>
> richard
> --
> Richard Welty rwelty@averillpark.net
> Averill Park Networking 518-573-7592
> Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
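Both filters discussed in this thread, Marc's Subject header_checks table and Richard's HELO syntax rule, worked through offline as an added example (this is not code from the list or from Postfix itself). The small regexp-table parser, helo_ok() and the sample subjects in the comments are assumptions of this example, not something the posts contain:

```python
import re

# Marc's Subject rules, in Postfix regexp-table form ("/pattern/ ACTION",
# first matching line wins; Postfix matches case-insensitively by default).
HEADER_CHECKS = """\
/^Subject: Thank you!/ REJECT
/^Subject: Re: Thank you!/ REJECT
/^Subject: Re: Wicked screensaver/ REJECT
/^Subject: Wicked screensaver/ REJECT
/^Subject: Re: Re: My details/ REJECT
/^Subject: Re: That movie/ REJECT
/^Subject: That movie/ REJECT
/^Subject: Re: Approved/ REJECT
/^Subject: Approved/ REJECT
/^Subject: Re: Details/ REJECT
/^Subject: Re: Your application/ REJECT
/^Subject: Your application/ REJECT
/^Subject: Re: Your details/ REJECT
/^Subject: Your details/ REJECT
/^Subject: Details/ REJECT
"""

RULE_LINE = re.compile(r"^/(.*)/\s+(\S+)$")  # assumed table syntax, no /flags

def load_rules(table):
    """Parse a regexp table into (compiled pattern, action) pairs."""
    rules = []
    for line in table.splitlines():
        m = RULE_LINE.match(line.strip())
        if m:
            rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def header_action(rules, header_line):
    """Action of the first matching rule for one header line, else 'OK'."""
    for pattern, action in rules:
        if pattern.search(header_line):
            return action
    return "OK"

# Richard's HELO rule: accept an FQDN (a '.' in the middle) or an address
# literal like [192.0.2.1]; a bare NetBIOS-style machine name is refused.
HELO_FQDN = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
HELO_LITERAL = re.compile(r"^\[(\d{1,3}\.){3}\d{1,3}\]$")

def helo_ok(helo):
    return bool(HELO_FQDN.match(helo) or HELO_LITERAL.match(helo))
```

Because the patterns carry no trailing anchor, a legitimate "Subject: Details of the conference" is rejected by the last rule as well; adding a `$` to the short patterns is the usual fix if that matters for a given list.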
On Thu, 28 Aug 2003, Marc G. Fournier wrote:

> 'k, I'm using Postfix here ... there are a whack of 'anti-*' checks that I
> *can* enable that deal with reverse DNS and a bunch of other things, but I
> found when I tried that ages back that there was a lot of mail being
> rejected from legit sources :(

Hmmm... I don't mail much, but that would bounce me out the door, I believe. Of course I could [and probably should] configure things so that the mail hub uses the right address to get the reverse lookup to succeed, but that makes my setup less logical regarding interface bindings and names.

--
Nigel J. Andrews

> On Wed, 27 Aug 2003, Richard Welty wrote:
>
> > On Wed, 27 Aug 2003 19:55:36 -0300 (ADT) "Marc G. Fournier" <scrappy@hub.org> wrote:
> >
> > > I've just moved some anti-virus/anti-spam checks a bit closer to the
> > > source, and am now rejecting the following before it even gets to the
> > > anti-virus checking, and/or majordomo:
> >
> > I don't know what MTA you're using, but if it supports syntax checks on the
> > HELO/EHLO strings, you might want to look at blocking strings that don't
> > include a "." in the middle. The RFCs require this to be either an FQDN or
> > a literal IP, and most of the virus stuff is coming from M$ hosts that use
> > the BIOS name (not a FQDN) in their HELO strings.
> >
> > I found I could reject the bulk of the Sobig stuff after receiving a HELO.