Klez-G - Warning postmaster@sender.com

Rose, Bobby brose at MED.WAYNE.EDU
Thu May 9 17:58:21 IST 2002


So I guess the virus writers have won.  Machines will get infected
and remain infected until the infected user's machine is struck by
lightning.

All I'm saying is that I'm doing my part at tracking down infected
machines within my domain when I get a copy of a v-message, why
shouldn't the masters of the other infected domains?  I can't very well
block the host addresses since the likelihood is that the addresses are
dynamic.

-----Original Message-----
From: Julian Field [mailto:jkf at ECS.SOTON.AC.UK] 
Sent: Thursday, May 09, 2002 11:33 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Klez-G - Warning postmaster at sender.com


At 16:15 09/05/2002, you wrote:
><snip>

I have to say, I'm siding with you on this one. It's not impossible to
write the postmaster at sending-domain.com message system.

But if people are going to turn it on and get MailScanner a bad name as
a result, then I obviously don't want to write it. I want more people to
be encouraged to use my software to help reduce the number of
virus-infected PCs in the world, not piss off overworked sysadmins (of
which I am one, if you want proof then take a look at
http://www.ecs.soton.ac.uk/~jkf/myjob.html ).

With the current Klez worm, and hence most of the worms that will follow
it, it is currently probably 90% likely that the sender address is
false. So 90% of the time you will target the wrong postmaster, which is
Not A Good Thing (tm).

I agree that up until now this was probably a useful feature, but its
usefulness has just been destroyed at a stroke by Klez.

>I would like to suggest a rate-limiting feature be introduced, so that 
>where warning messages are being returned to sender (or apparently 
>responsible postmaster, per original sender), only a certain number in 
>a given time period are generated.  This will help with the present 
>operation of the software, and should some feature as is being 
>discussed be implemented, it would help to allay huge numbers of 
>reports being sent to postmasters and just maybe then they might do 
>something about it.  But I think it a useful feature anyway.
>
>Or perhaps an aggregation of reports to a particular sender (or his 
>postmaster), so they only get one mail per few hours or whatever is 
>appropriate.

This is starting to get "real hard" to implement...
--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
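
The rate limiting and per-recipient aggregation suggested in the quoted text above, sketched as an added example (not part of the original thread and not MailScanner code). The class name, the window and item cap, and the sample addresses are assumptions constructed for illustration; it bounds warning volume only and does nothing about forged sender addresses.

```python
from collections import defaultdict

class WarningAggregator:
    """Hold virus warnings per recipient; release at most one digest per window."""

    def __init__(self, window_seconds=4 * 3600, max_items=50):
        self.window = window_seconds
        self.max_items = max_items          # bound memory per recipient
        self.last_sent = {}                 # recipient -> time of last digest
        self.pending = defaultdict(list)    # recipient -> queued report lines
        self.overflow = defaultdict(int)    # recipient -> reports counted, not stored

    def report(self, recipient, detail, now):
        """Queue one report; return a digest if the recipient may be mailed now."""
        key = recipient.strip().lower()
        if len(self.pending[key]) < self.max_items:
            self.pending[key].append(detail)
        else:
            self.overflow[key] += 1
        return self._release(key, now)

    def flush(self, now):
        """Call periodically: release digests whose quiet period has elapsed."""
        return {k: d for k in list(self.pending)
                if (d := self._release(k, now)) is not None}

    def _release(self, key, now):
        if not self.pending.get(key):
            return None
        last = self.last_sent.get(key)
        if last is not None and now - last < self.window:
            return None                     # still inside the quiet period
        items = self.pending.pop(key)
        extra = self.overflow.pop(key, 0)
        self.last_sent[key] = now
        body = [f"{len(items) + extra} infected message(s) seen:"] + items
        if extra:
            body.append(f"... and {extra} more not listed")
        return "\n".join(body)

def demo():
    # Constructed sample: two reports for one postmaster, ten minutes apart.
    agg = WarningAggregator(window_seconds=3600)
    pm = "postmaster@example.org"
    first = agg.report(pm, "msg A relayed via 192.0.2.10", now=0)
    second = agg.report(pm, "msg B relayed via 192.0.2.11", now=600)
    return first, second, agg.flush(now=3600)
```
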


