Re: [Exim] Mydoom and virus signature updates

Pàgina inicial
Delete this message
Reply to this message
Autor: Kjetil Torgrim Homme
Data:  
A: Kevin Reed
CC: exim-users
Assumpte: Re: [Exim] Mydoom and virus signature updates
On tir, 2004-07-27 at 14:17 -0700, Kevin Reed wrote:
> We are blocking based upon a number of issues, some of which were being
> done before the outbreak.
>
>  o helo check on our domain.name  A ton of them present the domain name
>    as a helo when they connect.


we do this as well.

>  o Blacklist of postmaster@ourdomains replyto@ourdomains
>    mail-daemon@ourdomains.  There is no reason for someone
>    outside our network to send mail FROM any of those to us.


replyto doesn't exist, bounces to mailer-daemon are blocked, but we
allow postmaster. I'm not too worried about my own mailbox anyway.

>  o Script to check extensions in Zip file.  blocks normal cmd, com, pif
>    scr, bat that might be contained in a zip file.


how do you do this? I would at least like to stop ZIP files containing
executable files with names with two or more consecutive whitespace ...

>  o Script modified to deny any zip in a zip.
>  o Spam assassin change to up the FORGED_MUA_OUTLOOK to beyond spam
>    threshold on that specific finding.


we got burned previously by users (incl. the head of IT at the
University) running the latest and greatest Outlook from Microsoft beta
program, which changed the algorithm for the Message-ID, so I don't
think we'll do that :-)

> The problem has been a big non-issue to us so far, but a ton of mail is
> being blocked as a result of the rules we use with no real collateral
> damage seen.


it's probably been a non-issue here, too. I'm just getting a bit edgy.
--
Kjetil T.