
Re: [cobalt-users] How to de-queue mail? Sobig virus message



At 03:00 PM 1/15/2003 -0600, you wrote:
On Wednesday 15 January 2003 01:49 pm, Glenn Parsons wrote:
> I run (send)mail on a Cobalt RaQ3. I am repeatedly receiving unable to
> deliver messages from sendmail on my mail server since someone sent the
> sobig virus to one of my users. The MailScanner caught it, but it is still
> trying to send to big@xxxxxxxxx
>
> What is the best method to deal with this. I can see the process for the
> message:

Glenn,

   This is a two way street - meaning I deal with it from two directions.

First, I create an access entry (/etc/mail/access) that denies "big@xxxxxxxx"
for virus content;


Okay. I added boss.com to my /etc/mail/access

Second, I create an "alias" for "big@xxxxxxxx" (/etc/mail/aliases) that
redirects that email to "/dev/null" (bit bucket) so that if any [more] get
through the server will simply throw them away.

I get:

 /etc/aliases: line 70: big@xxxxxxxxxxx cannot alias non-local names

when I rebuild my aliases database. Which makes sense.

Your reasoning is exactly what I was thinking. The methodology didn't work, however. Did I miss something?

I also have several addresses in the alias file that are "guaranteed" to fail
(and hence go to postmaster) to catch some of the trojan horse messages that
get sent back to the "owner" (of the trojan that is).  My intent being to
catch these first and let my customer know they have been breached before
someone else gets their username/password and such...

EG:   mail-gerant.com,  fairesuivre.com,  ml1.net and sergio52@xxxxxxx for
just a few I "know" trojan information is sent to....

--
Larry Smith
SysAd ECSIS.NET
sysad@xxxxxxxxx

Thanks, Larry!

Glenn
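The two mechanisms discussed in this thread are the sendmail access map (which decides at SMTP time whether a sender or recipient is refused) and the aliases file (which newaliases refuses to build when a left-hand side such as "big@somewhere" is not a local name). The script below is an added example for this archive page, not code from the list, from Cobalt or from sendmail: it emulates the access-map lookup order on a constructed plain-text access file and runs the same "non-local name" check that produced the error Glenn quoted. The sample file contents, the LOCAL_HOSTS set and the addresses under example.com are constructed, and the lookup order is a simplification of sendmail's check_mail/check_rcpt rules.

```python
"""Emulate sendmail's /etc/mail/access lookup and the newaliases check for
non-local alias names.  Added example for this thread; assumes plain-text
(pre-makemap) files.  All sample data below is constructed."""
import re
from typing import Dict, List, Optional

# Constructed stand-in for /etc/mail/access (key, whitespace, action).
SAMPLE_ACCESS = """\
# key                 action
big@example.com       REJECT
example.com           DISCARD
spammer.test          550 Mail from this host is refused
friend@example.net    OK
"""

# Constructed stand-in for /etc/aliases.  Line 3 is the kind of entry
# newaliases rejects with "cannot alias non-local names".
SAMPLE_ALIASES = """\
postmaster:       root
big:              /dev/null
big@example.com:  /dev/null
trap-1:           postmaster
"""

# Constructed set of names sendmail would treat as local (class w).
LOCAL_HOSTS = {"localhost", "mail.example.org"}


def parse_access(text: str) -> Dict[str, str]:
    """Parse a plain-text access file into {key: action}; keys are
    case-insensitive in sendmail, so they are lower-cased here."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0].lower()] = parts[1].strip()
    return table


def access_lookup(address: str, table: Dict[str, str]) -> Optional[str]:
    """Simplified sendmail lookup order: the full user@host key first, then
    the host and each parent domain, then the bare user@ key.  Returns the
    action string (REJECT, DISCARD, OK, RELAY or a '5xx text' reply) or None."""
    address = address.lower()
    user, _, host = address.partition("@")
    candidates = [address]
    labels = host.split(".") if host else []
    for i in range(len(labels)):
        candidates.append(".".join(labels[i:]))
    candidates.append(user + "@")
    for key in candidates:
        if key in table:
            return table[key]
    return None


ALIAS_RE = re.compile(r"^([^:#\s]+)\s*:\s*(.+)$")


def check_aliases(text: str) -> List[str]:
    """Report alias names newaliases would refuse: a left-hand side with an
    @host part whose host is not one of the machine's own names."""
    problems: List[str] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ALIAS_RE.match(line)
        if not m:
            continue
        name = m.group(1)
        if "@" in name and name.rsplit("@", 1)[1].lower() not in LOCAL_HOSTS:
            problems.append(f"line {n}: {name} cannot alias non-local names")
    return problems


if __name__ == "__main__":
    table = parse_access(SAMPLE_ACCESS)
    for addr in ("big@example.com", "other@example.com",
                 "x@mail.example.com", "x@spammer.test", "x@unknown.org"):
        print(f"{addr:24} -> {access_lookup(addr, table)}")
    for problem in check_aliases(SAMPLE_ALIASES):
        print("/etc/aliases:", problem)
```

The domain-level entry ("example.com DISCARD") is what actually stops the bounces Glenn describes, because it matches any address at that domain and every subdomain; the per-address alias can only ever apply to names the server considers its own, which is why the aliases route gives the error quoted above.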