sobig virus

S Mohan smohan at VSNL.COM
Fri Aug 22 03:58:27 IST 2003


If your groupwise server was accessible on the Internet, then would it have
been pumping out messages directly on the Internet? This is normally the
case. Then outgoing messages would not have been scanned unless the
groupwise server was forwarding all outgoing mail to the MS server.

My 2c worth.

Mohan

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Antony Stone
Sent: Thursday, August 21, 2003 10:23 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: sobig virus


On Thursday 21 August 2003 5:31 pm, Joe Stuart wrote:

> In our setup we have a server running Sendmail, Mailscanner, SA and
> f-prot that has a MX value of 10. Mail is received on that server and
> then transports it to a groupwise server that delivers it to the
> clients. The groupwise server was in the DNS with a MX value of 100 that
> I had no idea about.  Since it appeared that mail was coming in without
> being scanned we went in and closed the groupwise server off to the
> outside world. Then the viruses stopped coming in.  If there are any
> suggestions on how things could be setup better I'm open to ideas

Well, apart from removing the MX record pointing directly at the groupwise
server, I would set up the firewall (your groupwise server *is* behind a
firewall, isn't it?) so that it cannot be contacted directly from the
outside world in any case.

People scan the Internet all the time for web servers and mail servers to
try to break into, relay through, etc., so I would recommend that your
firewall allows access from outside to the MailScanner machine only (if MS
is inside the firewall), or else allows access to the groupwise server from
the MailScanner machine only (if MS is outside the firewall).

Never give the Internet access to anything it shouldn't see - because people
will find it and investigate it if they can!

Antony.

--

Software development can be quick, high-quality, or low-cost.

The customer gets to pick any two out of three.
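
The misconfiguration described in this thread, an extra MX record that points at the backend server so mail reaches it without passing through the scanner, can be checked for mechanically. The following Python is an added example, not part of the original posts: it parses MX records from a zone-file excerpt and reports any whose target is not an approved scanning gateway. The domain, host names, sample zone and function names are all assumptions made for illustration.

```python
import re

# Constructed zone-file excerpt; example.com and the host names are placeholders.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@        IN  MX  10   scanner.example.com.
@        IN  MX  100  groupwise.example.com. ; forgotten backup MX
sub      3600 IN MX 20 scanner
scanner  IN  A   192.0.2.10
"""

# owner [ttl] [class] [ttl] MX preference target
MX_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?:\d+\s+)?"
    r"MX\s+(?P<pref>\d+)\s+(?P<target>\S+)",
    re.IGNORECASE,
)

def fqdn(name, origin):
    """Expand '@' and relative names against the current $ORIGIN."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_mx(zone_text):
    """Return (owner, preference, target) for every MX record found."""
    origin, records = "", []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].rstrip()        # drop comments
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        m = MX_RE.match(line)
        if m:
            records.append((fqdn(m["owner"], origin), int(m["pref"]),
                            fqdn(m["target"], origin)))
    return records

def unscanned_mx(zone_text, gateways):
    """MX records that deliver to a host outside the scanning gateways."""
    allowed = {g.lower().rstrip(".") + "." for g in gateways}
    return [r for r in parse_mx(zone_text) if r[2] not in allowed]

if __name__ == "__main__":
    # A high preference number does not stop senders from using that MX.
    for owner, pref, target in unscanned_mx(SAMPLE_ZONE, {"scanner.example.com"}):
        print(f"{owner} MX {pref} -> {target} bypasses the scanning gateway")
```
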



