Re: [Exim] MyDoom filtering?

Author: Matthew McClement
Date:  
To: Exim-users
Subject: Re: [Exim] MyDoom filtering?
David Woodhouse wrote:

> On Fri, 2004-01-30 at 20:30 +0100, Giuliano Gavazzi wrote:
>
>>why would his deny cause bounces? They are sent by a virus and the
>>virus is certainly not going to create a bounce!
>
> The ones with Message-ID have probably gone through an intermediate
> server -- possibly an MX backup on the receiving side, or an outgoing
> smarthost on the sending side. That intermediate box could send a
> bounce.
The servers I'm using it on are all either primary and secondary or at
least secondary MX for domains. In theory, at least, they should not
have passed through an intermediate source, and this matches up with my
logs, as all the rejects appear to be on DUL/ADSL IP ranges.

I use a simple deny rather than a blackhole in case the rules were too
loose and started creating false positives. If I just silently dropped
them, the only way to know if I'm killing valid mail is to inspect the
dropped mails, which isn't practical for me (~100-150k rejects per server
so far today. Ouch, putting that number in perspective, about 1/8th of
the mail coming in is MyDoom nonsense).

I wouldn't be surprised if I implemented the Message-ID check badly,
explaining why I was getting so few hits. This was one of the first
times I actually tried to do something vaguely complicated with Exim's
ACLs, so I'm no expert :).

Matt
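To make the "deny versus blackhole" trade-off Matt describes concrete, here is an added illustration of the two shapes an Exim 4 DATA ACL can take. It is not Matt's actual rule set and not anything posted in this thread; the test condition (a message arriving with no Message-ID header at all, which is the property David's reply suggests distinguishes direct worm deliveries from relayed ones) is an assumption chosen for illustration, and the log and reply texts are invented. The point is the difference in auditability: a `deny` with `log_message` leaves a line in the reject log for every hit and tells the peer with a 5xx, so a rule that is too loose shows up as complaints and log entries; a `discard` accepts at SMTP level and drops the message, so the same false positive is invisible.

```exim
# Main configuration section: route the DATA-phase ACL to the list below.
acl_smtp_data = acl_check_data

begin acl

acl_check_data:

  # Preferred form: reject, and record why. Every hit is written to the
  # reject log with the log_message text, and the sending host (or the
  # intermediate smarthost/backup MX) receives the 550, so mistakes in
  # the condition are visible without opening any stored mail.
  # The condition is an assumed example: true only when no Message-ID
  # header is present on the message.
  deny    condition    = ${if def:h_Message-ID: {no}{yes}}
          log_message  = rejected: no Message-ID header (assumed worm signature)
          message      = 550 Message rejected: missing Message-ID header

  # Silent alternative, shown commented out. "discard" returns 250 to the
  # peer and throws the message away. Without a log_message nothing is
  # recorded at all, which is exactly why a too-loose rule here cannot be
  # audited afterwards.
  # discard condition    = ${if def:h_Message-ID: {no}{yes}}
  #         log_message  = discarded: no Message-ID header

  # Everything else is accepted for delivery.
  accept
```

Because `message` begins with a three-digit code, Exim uses it as the SMTP response code for the rejection; keeping `log_message` on the `deny` is what makes the reject log a usable false-positive check at the volumes Matt mentions, since counting log lines per source network is far cheaper than inspecting discarded messages.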