Re: [Exim] Blocking phony MS Security update emails

Author: Alan J. Flavell
To: Exim users list
Subject: Re: [Exim] Blocking phony MS Security update emails
On Fri, 9 Jan 2004, Christoph Kliemt wrote:

> get exiscan and block all emails that contain executables.

We do that, sure, but there's still a considerable traffic from
misguided[1] sending MTAs that - instead of blocking the offending
junk - are laundering-out the dangerous content (which would be easy
to recognise and to block), and inserting a wide range of variations
on the theme of "this customer of ours tried to send you a virus, so
we decided to make ourselves a pestilential nuisance to you instead of
helping our customer", which are very hard to keep at bay.

I've got a special subdivision[2] of Hades ready for these MTAs, but
there's a continual stream of fresh candidates.

And when I tried just a bit too hard to recognise the laundered
shrapnel that was being offered to us by the above idiots, I managed
to provoke a few false-positive rejections of mail that had no
relevance to the viruses in question, but just happened to use a few
of the tell-tale phrases which appear.


[1] I'd express that with considerably more emphasis if this wasn't
a public forum :-}

[2] as in:

F=<MAILER-DAEMON@???> rejected RCPT
<flavell@???>: This sender is blocked for sending bogus virus

(That particular abuse has been going on for months, as postings to reveal)
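As an added example (not from the original post, nor from the Exim project's own configuration), the following Exim ACL fragment shows the two halves of the approach described above: the footnote-[2] style RCPT-time refusal of a host known to emit bogus virus notifications, and a log-only rehearsal of a phrase-based test before it is promoted to a rejection, which is the lesson of the false-positive episode. The host-list file path, the phrase list and the reject texts are constructed placeholders, not values from the post.

```exim
# Added example, not from the original post: an Exim ACL fragment in the
# spirit of footnote [2] (refuse bounce-style "virus notifications" at RCPT
# time) and of the false-positive lesson in the post. The host-list file,
# the phrase list and the reject texts are constructed placeholders.

# main configuration section
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

begin acl

acl_check_rcpt:
  # Footnote [2] style: a sending host already observed to emit bogus
  # virus notifications is refused outright at RCPT. The list is kept
  # by hand after reading the logs, not built automatically.
  deny
    hosts        = /etc/exim/bogus-virus-notifiers   # assumed file, one host or IP per line
    message      = This sender is blocked for sending bogus virus notifications
    log_message  = bogus-virus-notifier host rejected

  accept

acl_check_data:
  # Log-only first: record what a phrase-based rule WOULD have rejected,
  # so false positives (the post's "tell-tale phrases" problem) appear in
  # the log before any mail is actually refused.
  warn
    condition    = ${if eqi{$sender_address_local_part}{MAILER-DAEMON}}
    condition    = ${if match{$h_subject:}{\N(?i)\b(virus|worm)\b.*\b(found|detected|alert|warning|notification)\b\N}}
    log_message  = would reject as laundered virus notification (subject: $h_subject:)

  # Only after the warn log has been reviewed for a while is the same test
  # promoted to deny; the envelope-sender check keeps ordinary mail that
  # merely mentions a virus out of the rule's reach.
  deny
    condition    = ${if eqi{$sender_address_local_part}{MAILER-DAEMON}}
    condition    = ${if match{$h_subject:}{\N(?i)\b(virus|worm)\b.*\b(found|detected|alert|warning|notification)\b\N}}
    message      = Automated virus notifications about laundered mail are not accepted here

  accept
```

The warn verb is the important part: a rule that is wrong only costs a misleading log line, whereas a deny that is wrong bounces mail that had nothing to do with the virus in question, which is exactly what the post reports happening. The \N...\N markers keep Exim's string expansion from touching the backslashes in the regular expression.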