Re: [Exim] Blocking sobig.f

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: Re: [Exim] Blocking sobig.f
On Thu, 21 Aug 2003, Tim Jackson wrote:

> I don't think I've seen that but, as with Chris's mention yesterday of
> virus scanners faking postmaster@victim addresses, that really does make
> me want to wring the neck of some programmers. Really, if they think stuff
> like that is OK, they have no business writing software that is
> sold/intended to be part of an organisation's security.


Indeed. As I spotted a Usenet acquaintance (Jim Ley) remarking just
now on a newsgroup:

| There's nothing clueful people can do to stop the idiots, there are
| things clueful people can do to stop some of the fallout, instead of
| ~100 virus warnings, I should not have seen any...


which I think says it very well.

> Thanks, I've added those :) Maybe I should maintain this list on my
> website...? Anyone else find it useful?


It's a generous offer, if you're willing (maybe others should send you
a private mail to confirm their interest before you decide to go for
it?)

> > I'm thinking that any envelope-sender which begins "NAVMSE-" can be
> > killed on sight, ??
>
> Is that what the Norton AV for Sexchange sets its envelope sender to?


I guess so. I've blacklisted a whole wodge of them here, one by one
as their stuff came in. I was thinking of writing a spam-rating
snippet for it. Just at random:

NAVMSE-EURCLS01-MAIL@???
NAVMSE-NTSLASER01@???
NAVMSE-LEVPO1@???
NAVMSE-GALAYOR1@???
NAVMSE-NH-33015-EXCH02@???

and so on.

Incidentally, re. Chris E's remark on counterfeiting the intended
recipient as envelope sender, I'm pretty sure that one cluster of
incidents that we spotted in our log had developed from a site that
tried to send us an anti-virus report complete with a copy of the
virus, we rejected it and then they tried to compose a fresh
anti-virus report for their own report which we'd rejected, again the
report came with a copy of the virus, which we again rejected... you
get the drift.

Oh well, if one can't take a joke then one has no business getting
into this game, I suppose.

cheers
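
The one-by-one blacklisting described in this message can be collapsed into a single prefix test. The sketch below is an added example, not part of the original post: it runs that test over constructed Exim-style log lines to show which envelope senders a `NAVMSE-` rule would catch and which it would leave alone. The log lines, hosts and domains are made up, and matching the prefix case-insensitively is an assumption.

```python
import re
from collections import Counter

# Exim logs the envelope sender as "<= addr" on arrival lines and as
# "F=<addr>" on rejection lines; the null sender "<>" is skipped.
SENDER_RE = re.compile(r"(?:<= |F=<)([^\s<>]+)")
# Prefix from the thread, anchored at the start of the local part.
# Case-insensitive matching is an assumption, not something the thread states.
NAVMSE_RE = re.compile(r"^NAVMSE-[^@]*@", re.IGNORECASE)

# Constructed sample lines (message ids, hosts and domains are made up).
SAMPLE_LOG = """\
2003-08-21 10:15:02 19pXyz-0001Ab-00 <= NAVMSE-EURCLS01-MAIL@example.com H=mx1.example.com [192.0.2.10] P=esmtp S=104912
2003-08-21 10:15:40 H=mx2.example.net [192.0.2.20] F=<NAVMSE-NTSLASER01@example.net> rejected RCPT <user@example.org>: blacklisted sender
2003-08-21 10:16:05 19pXzA-0001Ac-00 <= alice@example.org H=mail.example.org [192.0.2.30] P=esmtp S=2210
2003-08-21 10:17:11 19pXzB-0001Ad-00 <= <> H=mx3.example.com [192.0.2.40] P=esmtp S=3301
2003-08-21 10:18:30 H=mx2.example.net [192.0.2.20] F=<navmse-ntslaser01@example.net> rejected RCPT <user@example.org>: blacklisted sender
2003-08-21 10:19:00 19pXzC-0001Ae-00 <= user-NAVMSE-1@example.org H=mail.example.org [192.0.2.30] P=esmtp S=1800
"""


def envelope_senders(log_text):
    """Yield the envelope sender of each log line that records a non-null one."""
    for line in log_text.splitlines():
        match = SENDER_RE.search(line)
        if match:
            yield match.group(1)


def navmse_hits(log_text):
    """Count senders the prefix rule would catch, keyed by lower-cased address."""
    return Counter(
        s.lower() for s in envelope_senders(log_text) if NAVMSE_RE.match(s)
    )


def uncaught(log_text):
    """Distinct senders the rule leaves alone, for a false-positive review."""
    return sorted({s for s in envelope_senders(log_text) if not NAVMSE_RE.match(s)})


if __name__ == "__main__":
    for sender, count in navmse_hits(SAMPLE_LOG).most_common():
        print(f"would block {count}x {sender}")
    print("left alone:", ", ".join(uncaught(SAMPLE_LOG)))
```

Running it over a real log before deploying the rule shows whether anything other than the anti-virus notifier would be caught by the prefix.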