
RE: [cobalt-users] New approach to stopping viruses.



> Hi all,
>
> Since the main virus that seems to be coming in is this SwenA one right now,
> I decided this afternoon to try a new approach to nailing some of them.
> All the admin messages from mailscanner get put into one folder on my system
> here using Outlook 2000; each one of these contains, amongst other things,
> the sender's address.
> One thing I had noticed was very often the same sender's address would crop
> up time and again, as also proven by the fact that when I had the notify
> sender of detected virus facility running, a lot came bouncing back as
> mailbox full / over quota, indicating their email address had been used many
> times already.
>
> I exported the Outlook folder as a .csv and used Excel to strip off any
> unwanted fields, just leaving the body of the message. Now the email
> addresses are always in the format <address@xxxxxxxxxx>, so a new csv can be
> created quite easily by using search and replace in Word to change the > to
> another <, and then using these as delimiters to do a text to table, again
> in Word. Now it is possible to select just the email addresses and paste them
> back into Excel, deleting every second one as these are the recipient
> addresses for the mails and I don't want to bar my own users. Now I filtered
> the list alphabetically and removed all duplicates, made it into a text file
> and then pasted it in to the field for reject emails on the RaQ.
> Already I am seeing a marked fall off in the number of hits that mailscanner
> is reporting. What should be happening is Sendmail sees the header and just
> rejects it outright without wasting resources.
>
> My logic behind this is that whilst there is a possible chance that a
> genuine mail could be rejected (as with any filtering), the way this virus is
> operating is by selecting a target and spoofing the sender's address, so the
> only connection between the spoofed sender address and recipient is they
> just happen to be in the infected person's address book.
>
> Phil

As an addendum to this I've only seen 41 new hits from SwenA since doing
this, representing a fall of >85% in what I was previously seeing - you can
just see them getting 550 rejects by tailing the maillog file!

Phil


** http://www.diygear.com THE Online DIY Toolstore For DIY & Business
** Infolink Electronic Systems Ltd. http://www.infolinkelectronics.co.uk
** Professional Web Design & Cobalt Hosting Solutions
** Sun Cobalt iForce Reseller - Canon Silver Reseller
** Contact: Sales@xxxxxxxxxxxxxxxxxxxxxxxxx
** Tel / Fax 0121 458 4894 (office) 0121 441 3558 (home)
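The Outlook/Excel/Word procedure in the quoted post, done as a script instead (an added example, not code from the thread or from MailScanner). It assumes the CSV has a "Body" column, that each notification body carries the sender address first and the recipient second in <addr@domain> form as the post describes, and that your own domain is example.net; the sample CSV is constructed. Bear in mind the resulting list is of forged sender addresses, so anyone whose address Swen borrowed is rejected too, which is the trade-off the post accepts.

```python
"""Build a deduplicated sender reject list from exported MailScanner
admin notifications (hypothetical helper; notification text is constructed)."""
import csv
import io
import re

# Constructed stand-in for the Outlook .csv export: sender first, recipient second.
SAMPLE_CSV = (
    'Subject,Body\n'
    '"Virus found","Sender: <bob@example.org> Recipient: <alice@example.net>"\n'
    '"Virus found","Sender: <carol@example.com> Recipient: <dave@example.net>"\n'
    '"Virus found","Sender: <Bob@Example.org> Recipient: <alice@example.net>"\n'
    '"Quarantine report","No addresses in this one"\n'
)

ADDR_RE = re.compile(r"<([^<>\s@]+@[^<>\s@]+)>")   # <addr@domain> tokens
LOCAL_DOMAINS = {"example.net"}                     # assumed: our own users


def bodies_from_csv(csv_text, body_column="Body"):
    """Return the message bodies from the exported CSV text."""
    return [row[body_column] for row in csv.DictReader(io.StringIO(csv_text))]


def extract_pair(body):
    """(sender, recipient) from one notification body, or None if absent."""
    addrs = ADDR_RE.findall(body)
    if len(addrs) < 2:
        return None
    # Case-folded so the same address is not listed twice.
    return addrs[0].lower(), addrs[1].lower()


def build_reject_list(bodies, local_domains=LOCAL_DOMAINS):
    """Sorted, deduplicated senders with our own domains left out."""
    senders = set()
    for body in bodies:
        pair = extract_pair(body)
        if pair is None:
            continue
        sender, _recipient = pair              # drop every second address
        if sender.rsplit("@", 1)[1] in local_domains:
            continue                           # never bar our own users
        senders.add(sender)
    return sorted(senders)


if __name__ == "__main__":
    # One address per line, ready to paste into the RaQ reject field.
    print("\n".join(build_reject_list(bodies_from_csv(SAMPLE_CSV))))
```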