Sobig afterthoughts

Tony Johansson tony.johansson at SVENSKAKYRKAN.SE
Thu Aug 21 21:43:20 IST 2003


Hello,

While afterthoughts might be misleading as we still get lots of viruses, it
may still be an appropriate title.

The site I manage normally receives about 10.000 emails per day. With Sobig
we (so far) have gotten over 50.000 infected messages in about 72 hours. We
have two MailScanners that both cope with the load with no problems.
(thanks Julian!)

Now for the thoughts. As we had no problems with incoming email, I didn't
really dig into where all these viruses came from. Today curiosity got the
better of me and I did a little research on the mail logs. While viruses
came from a wide range of addresses, one particular address was responsible
for over 10.000 viruses over 48 hours. I checked and it was still active,
still sending us viruses.

The machine was on a local (Swedish) ISP and was totally exposed to the
internet, I could even view its NetBIOS name. I was pretty surprised that I
could "net send" a popup message to the machine, telling the person sitting
at it that it perhaps would be a good idea to get some anti-virus going. I
was even more surprised that the machine went offline only seconds after my
message, evidently someone got the message... The machine hasn't been seen
since in our mail logs.

Wouldn't it be a good idea to:
1. Have an option in MailScanner where you could perform an action
(ipfilter?/add address to your MTAs access table?/interact with firewall)
if a single IP address sends you say 10 viruses?

2. Have an option where you could send an SMB message to an IP address for
every 10? viruses they send you. This would certainly not get through to most
senders but the effort against potential win should make it worth it,
wouldn't it?


regards, Tony
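Item 1 of the post, as an added example that is not part of Tony's message or of MailScanner itself: a sliding-window count of virus detections per sending IP that emits block entries once a threshold is reached, ignoring detections older than the window. The log line format, the sample traffic and the REJECT entry format are constructed assumptions for this example.

```python
"""Flag sending IPs that exceed a virus-detection threshold in a sliding window."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format used for this example only (not MailScanner's real one):
#   "<YYYY-MM-DD HH:MM:SS> relay=<ip> virus=<name>"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) relay=(\S+) virus=(\S+)$")

def parse_line(line):
    """Return (timestamp, ip, virus) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def repeat_offenders(lines, threshold=10, window=timedelta(hours=48)):
    """Map each IP that reached `threshold` detections inside `window` to the
    time it first crossed the line. Lines must be in chronological order."""
    recent = defaultdict(deque)   # ip -> detection timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _virus = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop detections that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

def access_table_entries(flagged):
    """Render flagged IPs as REJECT lines (constructed format; adapt to your MTA)."""
    return [f"{ip} REJECT too many infected messages" for ip in sorted(flagged)]

# Constructed sample traffic using TEST-NET addresses, not real hosts.
BASE = datetime(2003, 8, 19, 8, 0, 0)
def _line(ts, ip):
    return f"{ts:%Y-%m-%d %H:%M:%S} relay={ip} virus=Sobig"
SAMPLE_LINES = sorted(
    [_line(BASE + timedelta(minutes=10 * i), "203.0.113.7") for i in range(12)]   # 12 in 2 hours
    + [_line(BASE + timedelta(hours=6 * i), "198.51.100.23") for i in range(10)]  # 10 spread over 54 hours
    + [_line(BASE + timedelta(hours=i), "192.0.2.44") for i in range(3)]          # 3 in 2 hours
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    print("\n".join(access_table_entries(repeat_offenders(SAMPLE_LINES))))
```

Only the first host is flagged at the default threshold: the second sent 10 viruses but never 10 within 48 hours, which is the case a naive total-count check would get wrong.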


