Author: Alan J. Flavell
Date:
To: Exim users list
Subject: Re: [Exim] Blocking phony MS Security update emails
On Fri, 9 Jan 2004, Christoph Kliemt wrote:

> get exiscan and block all emails that contain executables.

We do that, sure, but there's still a considerable traffic from
misguided[1] sending MTAs that - instead of blocking the offending
junk - are laundering-out the dangerous content (which would be easy
to recognise and to block), and inserting a wide range of variations
on the theme of "this customer of ours tried to send you a virus, so
we decided to make ourselves a pestilential nuisance to you instead of
helping our customer", which are very hard to keep at bay.

I've got a special subdivision[2] of Hades ready for these MTAs, but
there's a continual stream of fresh candidates.

And when I tried just a bit too hard to recognise the laundered
shrapnel that was being offered to us by the above idiots, I managed
to provoke a few false-positive rejections of mail that had no
relevance to the viruses in question, but just happened to use a few
of the tell-tale phrases which appear.

Sigh.

[1] I'd express that with considerably more emphasis if this wasn't
a public forum :-}

[2] as in:

  F=<MAILER-DAEMON@???> rejected RCPT
  <flavell@???>: This sender is blocked for sending bogus virus
  alerts,

(That particular abuse has been going on for months, as postings to
news.admin.net-abuse.sightings reveal)