Author: Kevin W. Reed Date: To: exim-users Subject: Re: [Exim] Mydoom and virus signature updates
Dan Egli said:
> Well, I know Mcafee's dailydats had it when we got hit at 10:00am local
> time (UTC-6). ClamAv probably had it shortly also, but I don't know. I
> haven't been hit with it yet. I just looked in my virusmails dir and I
> have a few copies of Gibe, one of Bagle, and one of Netsky/SomeFool.
>
> To date I don't have a MyDoom.o instance on the machine. As much as I
> respect ClamAV I'm really thinking I'm going to put the mcafee unix
> virusscan on the system again, to provide an extra layer of protection.
We are blocking based upon a number of issues, some of which were being
done before the outbreak.
o helo check on our domain.name. A ton of them present the domain name
as a helo when they connect.
o Blacklist of postmaster@ourdomains, replyto@ourdomains,
mail-daemon@ourdomains. There is no reason for someone outside our
network to send mail FROM any of those to us. This only blocks
sites connecting to us, not our sites or clients sending to us.
o Script to check extensions in Zip file. Blocks normal cmd, com, pif,
scr, bat that might be contained in a zip file.
o Script modified to deny any zip in a zip.
o SpamAssassin change to up the FORGED_MUA_OUTLOOK to beyond spam threshold
on that specific finding.
Other than a few Double Zips that got in on Sunday, but were whacked down
by the Exchange's Antigen, nothing has come through since.
The problem has been a big non-issue to us so far, but a ton of mail is
being blocked as a result of the rules we use with no real collateral
damage seen.
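The zip-inspection rules described in the post (block cmd, com, pif, scr, bat members; deny a zip inside a zip) can be expressed as a small gate run over the attachment bytes before delivery. The following is an added example, not the script from the post or any Exim code; the block list is taken from the post, the nested-zip check additionally looks at member magic bytes, and the sample archive is constructed inline.

```python
import io
import zipfile

# Extensions the post blocks when found inside a zip attachment.
BLOCKED_EXTENSIONS = {"cmd", "com", "pif", "scr", "bat"}
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a zip archive


def blocked_extension(name: str) -> bool:
    """True if the member's final extension is on the block list (case-insensitive)."""
    base = name.rsplit("/", 1)[-1]  # ignore directory components
    if "." not in base:
        return False
    return base.rsplit(".", 1)[1].lower() in BLOCKED_EXTENSIONS


def scan_zip(data: bytes) -> list[str]:
    """Return reasons to reject the archive; an empty list means accept.

    Only the central directory and the first bytes of each member are read;
    nothing is extracted to disk.
    """
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if blocked_extension(info.filename):
                    reasons.append(f"blocked extension: {info.filename}")
                with zf.open(info) as member:
                    head = member.read(4)
                # Nested zip: by name, or by magic bytes to catch a renamed archive.
                if info.filename.lower().endswith(".zip") or head == ZIP_MAGIC:
                    reasons.append(f"zip inside zip: {info.filename}")
    except (zipfile.BadZipFile, RuntimeError):
        # Fail closed: corrupt archives and encrypted members (RuntimeError
        # from zf.open without a password) are rejected rather than passed.
        reasons.append("unparseable zip")
    return reasons


def build_zip(members: dict[str, bytes]) -> bytes:
    """Construct a small zip in memory (constructed test data, not a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    inner = build_zip({"readme.txt": b"hi"})
    sample = build_zip({"doc.txt": b"ok", "invoice.PIF": b"MZ", "more.dat": inner})
    print(scan_zip(sample))
```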