Re: [Exim] Blocking sobig.f

Author: Chris Edwards
Date:  
To: exim-users
Subject: Re: [Exim] Blocking sobig.f
| Yesterday we rejected almost 100000 messages that were virus warnings
| sent to a non-existent email address at our domain. I think it's very
| stupid to send virus warnings (excluding those generated at smtp time)


We've been noticing sites that send bogus virus allegations
counterfeiting the sender address of `postmaster' at the site of the victim
being falsely accused.

The sample below came from mailscanner running at visuallink.com, who have
*no business* originating email as postmaster@???

I'm sad to see mailscanner has now incorporated this `feature'.

( N.B. I know viruses are forging "X-MailScanner: Found to be clean"
header. This is unrelated. )

--
Chris Edwards, Glasgow University Computing Service.




-----Original Message-----

Log:

2003-08-19 17:11:14 19p94j-00041j-00 <= postmaster@???
H=mx4.visuallink.com [206.151.68.188] P=esmtp S=1346

Msg:

Received: from mx4.visuallink.com ([206.151.68.188]
        by hillhead.cent.gla.ac.uk with esmtp (Exim 4.10)
        id 19p94j-00041j-00
        for a.xxxx@???; Tue, 19 Aug 2003 17:11:13 +0100
Received: from localhost.localdomain (mx [127.0.0.1])
        by localhost.localdomain (8.12.8/8.12.8) with ESMTP id h7JFCSq1031253
        for <a.xxxx@???>; Tue, 19 Aug 2003 11:12:28 -0400
Received: (from root@localhost)
        by localhost.localdomain (8.12.8/8.12.8/Submit) id h7JFCR9n031247;
        Tue, 19 Aug 2003 11:12:27 -0400
Date: Tue, 19 Aug 2003 11:12:27 -0400
Message-Id: <200308191512.h7JFCR9n031247@???>
From: "MailScanner" <postmaster@???>
To: <a.xxxx@???>
Subject: Warning: E-mail viruses detected
X-MailScanner: Found to be clean


Our virus detector has just been triggered by a message you sent:-
To: <jack@???>
Subject: Your details
Date: Tue Aug 19 11:12:27 2003

One or more of the attachments are on the list of unacceptable attachments
for this site and will not have been delivered.

Consider renaming the files or putting them into a "zip" file to avoid
this constraint.

The virus detector said this about the message:
Report: Shortcuts to MS-Dos programs are very dangerous in email
(document_all.pif)

--
MailScanner
Email Virus Scanner
www.mailscanner.info
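
Added example, not part of the original message: a small Python check that scans Exim main log arrival (`<=`) lines for the pattern described above, an envelope sender of postmaster at one of our own domains arriving from a host outside our own networks. The domain, the networks and the log lines are constructed placeholders, and `LOCAL_DOMAINS`, `LOCAL_NETS` and `forged_postmaster` are names assumed for this example.

```python
import ipaddress
import re

# Assumptions (placeholders, not from the original message):
# the domain we are postmaster for, and the networks our own hosts send from.
LOCAL_DOMAINS = {"example.ac.uk"}
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("127.0.0.0/8")]

# Exim main log arrival line: "<date> <time> <msgid> <= <sender> H=<host> [<ip>] ..."
ARRIVAL = re.compile(
    r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) .*?\[(?P<ip>[0-9a-fA-F.:]+)\]"
)

def forged_postmaster(lines):
    """Return (msgid, sender, ip) for arrivals that claim to come from our
    own postmaster address but were handed over by a host outside LOCAL_NETS."""
    hits = []
    for line in lines:
        m = ARRIVAL.match(line)
        if not m:
            continue  # delivery line, or a local submission with no [ip]
        local, _, domain = m["sender"].rpartition("@")
        if local.lower() != "postmaster" or domain.lower() not in LOCAL_DOMAINS:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # bracketed text that is not an IP address
        if not any(ip in net for net in LOCAL_NETS):
            hits.append((m["id"], m["sender"], str(ip)))
    return hits

# Constructed sample log lines (documentation addresses, made-up message ids).
SAMPLE_LOG = [
    "2003-08-19 17:11:14 1aaaaa-000001-00 <= postmaster@example.ac.uk "
    "H=mx.scanner.example [198.51.100.7] P=esmtp S=1346",
    "2003-08-19 17:12:02 1aaaaa-000002-00 <= postmaster@example.ac.uk "
    "H=relay.example.ac.uk [192.0.2.10] P=esmtp S=900",
    "2003-08-19 17:12:40 1aaaaa-000003-00 <= user@other.example "
    "H=mail.other.example [203.0.113.5] P=esmtp S=2210",
    "2003-08-19 17:13:05 1aaaaa-000003-00 => a.user@example.ac.uk R=local T=deliver",
]

if __name__ == "__main__":
    for msgid, sender, ip in forged_postmaster(SAMPLE_LOG):
        print(f"{msgid}: {sender} claimed by external host {ip}")
```

Only the first sample line is reported: the second comes from one of our own relays, the third does not claim our postmaster address, and the fourth is a delivery line.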