Re: [Exim] Mydoom and virus signature updates

Top Page
Delete this message
Reply to this message
Author: Kevin Reed
Date:  
To: exim-users
Subject: Re: [Exim] Mydoom and virus signature updates
[Try it again with the subscribe user this time]

Dan Egli said:
> Well, I know Mcafee's dailydats had it when we got hit at 10:00am local

time (UTC-6). ClamAv probably had it shortly also, but I don't know. I
haven't been hit with it yet. I just looked in my virusmails dir and I
have a few copies of Gibe, one of Bagle, and one of Netsky/SomeFool.
>
> To date I don't have a MyDoom.o instance on the machine. As much as I

respect ClamAV I'm really thinking I'm going to put the mcafee unix
virusscan on the system again, to provide an extra layer of protection.

We are blocking based upon a number of issues, some of which were being
done before the outbreak.

o helo check on our domain.name A ton of them present the domain name
as a helo when they connect.
o Blacklist of postmaster@ourdomains replyto@ourdomains
mail-daemon@ourdomains. There is no reason for someone
outside our network to send mail FROM any of those to us.
This only blocks sites connecting to us, not our sites or
clients sending to us.
o Script to check extensions in Zip file. blocks normal cmd, com, pif
scr, bat that might be contained in a zip file.
o Script modified to deny any zip in a zip.
o Spam assassin change to up the FORGED_MUA_OUTLOOK to beyond spam
threshold on that specific finding.

Other than a few Double Zip's that got in on Sunday before clamAv updated,
we never see a virus catch now since they never get to that check.

The problem has been a big non-issue to us so far, but a ton of mail is
being blocked as a result of the rules we use with no real collateral
damage seen.