
[cobalt-users] New approach to stopping viruses.



Hi all,

Since the main virus that seems to be coming in is this SwenA one right now,
I decided this afternoon to try a new approach to nailing some of them.
All the admin messages from mailscanner get put into one folder on my system
here using Outlook 2000; each one of these contains, amongst other things, the
sender's address.
One thing I had noticed was very often the same sender's address would crop
up time and again, as also proven by the fact that when I had the notify
sender of detected virus facility running, a lot came bouncing back as
mailbox full / over quota, indicating their email address had been used many
times already.

I exported the Outlook folder as a .csv and used Excel to strip off any
unwanted fields, just leaving the body of the message. Now the email
addresses are always in the format <address@xxxxxxxxxx> so a new csv can be
created quite easily by using search and replace in Word to change the >
to another < and then using these as delimiters to do a text to table, again
in Word. Now it is possible to select just the email addresses and paste them
back into Excel, deleting every second one as these are the recipient
addresses for the mails and I don't want to bar my own users. Now I filtered
the list alphabetically and removed all duplicates, made it into a text file
and then pasted it into the field for reject emails on the Raq.
Already I am seeing a marked fall off in the number of hits that mailscanner
is reporting. What should be happening is Sendmail sees the header and just
rejects it outright without wasting resources.

My logic behind this is that whilst there is a possible chance that a
genuine mail could be rejected (as with any filtering), the way this virus is
operating is by selecting a target and spoofing the sender's address, so the
only connection between the spoofed sender address and recipient is they
just happen to be in the infected person's address book.

Phil


** http://www.diygear.com THE Online DIY Toolstore For DIY & Business
** Infolink Electronic Systems Ltd. http://www.infolinkelectronics.co.uk
** Professional Web Design & Cobalt Hosting Solutions
** Sun Cobalt iForce Reseller - Canon Silver Reseller
** Contact: Sales@xxxxxxxxxxxxxxxxxxxxxxxxx
** Tel / Fax 0121 458 4894 (office) 0121 441 3558 (home)
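
The extraction steps described in the post above, as an added Python example that is not part of the original message: it pulls the `<address>` pairs out of an exported CSV of notice bodies, keeps only the sender of each pair, skips local users, then de-duplicates and sorts. The `Body` column name, the notice wording in the sample, the `hosted.example` local domain and the `min_hits` threshold are assumptions made for illustration.

```python
import csv
import io
import re
from collections import Counter

# Addresses appear in the notices as <user@host>. Per the post they alternate:
# sender, recipient, sender, recipient ...
ADDR_RE = re.compile(r"<([^<>\s@]+@[^<>\s@]+)>")

# Constructed sample export: one "Body" column, one notice per row. The wording
# is invented; only the order of the <address> pairs follows the post.
SAMPLE_CSV = '''Body
"Sender: <alice@example.org>
Recipient: <user1@hosted.example>"
"Sender: <Alice@Example.org>
Recipient: <user2@hosted.example>"
"Sender: <bob@example.net>
Recipient: <user1@hosted.example>"
"Sender: <user2@hosted.example>
Recipient: <user1@hosted.example>"
'''


def sender_addresses(body):
    """Return the 1st, 3rd, 5th ... address in a notice body (the senders)."""
    return [addr.lower() for addr in ADDR_RE.findall(body)[0::2]]


def build_reject_list(csv_text, local_domains=(), min_hits=1):
    """Sorted, de-duplicated sender addresses seen at least min_hits times."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts.update(sender_addresses(row.get("Body") or ""))
    local = {d.lower() for d in local_domains}
    keep = []
    for addr, hits in counts.items():
        domain = addr.rsplit("@", 1)[1]
        # Never list our own users, even if one shows up in the sender slot.
        if domain in local:
            continue
        if hits >= min_hits:
            keep.append(addr)
    return sorted(keep)


if __name__ == "__main__":
    # One address per line, ready to paste into the reject field.
    print("\n".join(build_reject_list(SAMPLE_CSV, {"hosted.example"})))
```

Raising `min_hits` limits the list to addresses that recur across notices, which is the pattern the post describes noticing.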