On Wed, Aug 20, 2003 at 05:56:37PM -0400, jvanasco@??? wrote:
> So yes. We've discussed blocking sobig at length today.
And by blocking it you're adding to your threat #2. As I said earlier
today, you ideally want to blackhole these known virii so that you
yourself aren't contributing to the mass of inappropriate bounces.
exim 4.2x has a nice feature for this which can be used in the DATA
ACL - discard.
Eg, simplified example:
  discard condition = ${if match {$header_subject:}{Re: Approved} {yes}{no}}
          log_message = rejecting known virus ($header_subject:)
NB1. it would be nice if log_message replaced or supplemented the
message logged in main.log.
NB2. I recommend increasing the security of the condition check to
prevent false positives.
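A fuller version of the same idea, as an added example rather than the configuration from the post: the discard verb in the DATA ACL, with extra conditions so that only unauthenticated external clients sending a MIME message with the quoted subject are blackholed. It assumes a host list named relay_from_hosts is defined elsewhere in the configuration for your own trusted clients; that name and the ACL name acl_check_data are assumptions, not something the post specifies.

```exim
# Added example (not from the original post). Blackhole worm mail matching a
# known signature instead of rejecting it, so no bounce goes to the forged
# envelope sender. Assumes "relay_from_hosts" is a host list defined elsewhere.

acl_smtp_data = acl_check_data

begin acl

acl_check_data:
  # Conditions on one verb are ANDed. Mail from our own authenticated users
  # or relay hosts is never discarded here, so a genuine "Re: Approved" from a
  # colleague falls through to the accept verb below.
  discard !authenticated = *
          !hosts         = +relay_from_hosts
          # Regex wrapped in \N...\N so Exim does not try to expand the $.
          condition      = ${if match {$h_subject:}{\N^Re: Approved$\N} {yes}{no}}
          # Tighten the check: worm mail carries an attachment, so require a
          # multipart message; a plain-text reply with the same subject passes.
          condition      = ${if match {$h_content-type:}{\N^\s*multipart/\N} {yes}{no}}
          log_message    = discarding known worm (subject "$h_subject:", \
                           size $message_size, from $sender_host_address)

  accept
```

With discard, Exim still returns a 2xx response to the client and drops the recipients silently; the log_message text is written to the main log alongside the "blackhole" delivery line, which is what lets you count how many bounces you avoided sending.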
With that in place, I see the following in my logs:
2003-08-20 23:31:52 19pbUe-0001XX-Mz <= xxxxxxxx@??? H=xxxxxxx.gotadsl.co.uk (FEARLESSJUDY) [xxx.xxx.xxx.xxx] P=esmtp S=915
2003-08-20 23:31:52 19pbUe-0001XX-Mz => blackhole (DATA ACL discarded recipients)
In all likely event, the guy at hotmail didn't send the message from
gotadsl.co.uk, so causing a bounce message to be sent to hotmail just
adds to the overall problem.
--
Russell King (rmk@???) The developer of ARM Linux
http://www.arm.linux.org.uk/personal/aboutme.html