Klez-G - Warning postmaster@sender.com

Julian Field jkf at ecs.soton.ac.uk
Thu May 9 18:08:33 IST 2002


At 17:58 09/05/2002, you wrote:
>So I guess the virus writers have won.  Machines will get infected
>and remain infected until the infected user's machine is struck by
>lightning.

Something like that, yes.

>All I'm saying is that I'm doing my part at tracking down infected
>machines within my domain when I get a copy of a v-message, why
>shouldn't the masters of the other infected domains.

And I've a nasty feeling at some point fairly soon you are likely to stop
doing this as most of them will be false alarms.

>-----Original Message-----
>From: Julian Field [mailto:jkf at ECS.SOTON.AC.UK]
>Sent: Thursday, May 09, 2002 11:33 AM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: Klez-G - Warning postmaster at sender.com
>
>
>At 16:15 09/05/2002, you wrote:
> ><snip>
>
>I have to say, I'm siding with you on this one. It's not impossible to
>write the postmaster at sending-domain.com message system.
>
>But if people are going to turn it on and get MailScanner a bad name as
>a result, then I obviously don't want to write it. I want more people to
>be encouraged to use my software to help reduce the number of
>virus-infected PC's in the world, not piss off overworked sysadmins (of
>which I am one, if you want proof then take a look at
>http://www.ecs.soton.ac.uk/~jkf/myjob.html ).
>
>With the current Klez worm, and hence most of the worms that will follow
>it, it is currently probably 90% likely that the sender address is
>false. So 90% of the time you will target the wrong postmaster, which is
>Not A Good Thing (tm).
>
>I agree that up until now this was probably a useful feature, but its
>usefulness has just been destroyed at a stroke by Klez.
>
> >I would like to suggest a rate-limiting feature be introduced, so that
> >where warning messages are being returned to sender (or apparently
> >responsible postmaster, per original sender), only a certain number in
> >a given time period are generated.  This will help with the present
> >operation of the software, and should some feature as is being
> >discussed be implemented, it would help to allay huge numbers of
> >reports being sent to postmasters and just maybe then they might do
> >something about it.  But I think it a useful feature anyway.
> >
> >Or perhaps an aggregation of reports to a particular sender (or his
> >postmaster), so they only get one mail per few hours or whatever is
> >appropriate.
>
>This is starting to get "real hard" to implement...
>--
>Julian Field                Teaching Systems Manager
>jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
>Tel. 023 8059 2817          University of Southampton
>                              Southampton SO17 1BJ

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
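
The per-recipient aggregation suggested in the quoted message ("one mail per few hours"), sketched as an added example that is not part of the original post and is not MailScanner code. The class name, method names and the sample address are hypothetical, and time is passed in explicitly so the behaviour is deterministic. It only limits volume and does nothing about forged sender addresses.

```python
from collections import defaultdict


class NoticeAggregator:
    """Batch virus warnings per recipient: at most one mail per window."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self.pending = defaultdict(list)  # recipient -> queued report lines
        self.last_sent = {}               # recipient -> time of last digest

    def _due(self, recipient, now):
        # A recipient never mailed before is always due.
        last = self.last_sent.get(recipient)
        return last is None or now - last >= self.window

    def _flush(self, recipient, now):
        # Turn everything queued for this recipient into one message.
        reports = self.pending.pop(recipient)
        self.last_sent[recipient] = now
        body = "\n".join(f"{i}. {r}" for i, r in enumerate(reports, 1))
        return {"to": recipient, "count": len(reports), "body": body}

    def record(self, recipient, report, now):
        """Queue one report; return a digest to send now, or None if held."""
        self.pending[recipient].append(report)
        return self._flush(recipient, now) if self._due(recipient, now) else None

    def flush_due(self, now):
        """Call periodically: emit digests whose window has elapsed."""
        return [self._flush(r, now) for r in list(self.pending)
                if self._due(r, now)]


def demo():
    # Constructed sample: times in seconds, a 4-hour window.
    agg = NoticeAggregator(window_seconds=4 * 3600)
    rcpt = "postmaster@sender.example"
    sent = [
        agg.record(rcpt, "Klez-G in message A", now=0),     # sent at once
        agg.record(rcpt, "Klez-G in message B", now=60),    # held
        agg.record(rcpt, "Klez-G in message C", now=7200),  # held
    ]
    later = agg.flush_due(now=4 * 3600)  # one digest carrying B and C
    return sent, later
```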


