Re: [Exim] What to do with messages that seem to be virus-in…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Suresh Ramasubramanian
Datum:  
To: Alan J. Flavell
CC: Exim users list
Betreff: Re: [Exim] What to do with messages that seem to be virus-infected?
On Sat, Mar 06, 2004 at 10:41:52PM +0000, Alan J. Flavell wrote:
> On Sat, 6 Mar 2004, Fred Viles wrote:
>
> > On 6 Mar 2004 at 16:54, Alan J. Flavell wrote about
> > | Some virus writers have responded by
> > | using the client's normal mail-submission mechanisms, i.e using the
> > | local mail server as a relay.
> >
> > How does the virus figure out the smarthost's address?
>
> To be honest, I can't answer that question, but what I had assumed was
> that the virus used whatever API it is that Windows/OE/whatever uses
> for launching mail, and left the rest of the machinery to get on with
> it, using whatever mail relay it's been configured to use.


That is one way - using MAPI

The other way is far simpler. Find the domain name of the IP of the infected
host (say if the infected host is on ip-10-0-0-5.cablemodem.example.com,
parse out example.com from there). Then do "nslookup -q=mx example.com" and
try to send out all its payloads through example.com's mx servers.

The fix for this is

1. Split your inbound and outbound servers (physically 2 different
machines/clusters, or maybe two different daemons / ports on the same box,
with different ACLs etc)

2. Ensure that your inbound MX hosts do _not_ relay for your customer dialup
/ cable etc IP addresses. Only your outbound mailservers must relay for such
IPs.

--
linux@??? (Suresh Ramasubramanian)
jaharkes@ravel:/usr/src$ mv linux Gnu/Linux
mv: cannot move `linux' to `Gnu/Linux': No such file or directory
    jaharkes @ cs.cmu.edu in reply to RMS on linux.kernel