blocking an email based on its IP

Daniel Bird dbird at SGHMS.AC.UK
Tue Sep 2 00:43:50 IST 2003



Antony Stone wrote:

>On Monday 01 September 2003 4:45 pm, Spicer, Kevin wrote:
>
>
>
>>John Williams wrote:
>>
>>
>>>Please forgive me if I've missed this post, but is there a way to
>>>look at the IP address of incoming mail and filter/blacklist it based
>>>on that?
>>>
>>>
>>Add it to sendmail's access database.  However, maybe you also have genuine
>>email from that IP?  Best way to block sobig is to use sendmail subject
>>matching, search the archives for a set of rules.
>>
>>
>
>Unlikely you'll get genuine mail from that IP address, because Sobig sends
>directly from infected client to (low priority) MX listed mail server,
>bypassing client's normal outbound mail server.
>
>Genuine emails from that client should go via the client's local (or ISP)
>mail server first, so you won't end up blocking them.
>
>
Does anybody actively build lists of IPs sending out SoBig? We are
currently analysing our logs hourly and then taking the top 10 offenders
and putting them in an Exim blocking list, in the hope that it will take
**some** load off our servers.

My thoughts are along the same lines as Antony's, i.e. Sobig uses its
own SMTP engine so we shouldn't be seeing these IPs anyhow.

Dan

>Antony.
>
>--
>
>In science, one tries to tell people
>in such a way as to be understood by everyone
>something that no-one ever knew before.
>
>In poetry, it is the exact opposite.
>
> - Paul Dirac
>
>
>

--
____________________________________

Daniel Bird
Network & Systems Manager
St. George's Hospital  Medical School
Tooting
London SW17 0RE

P: +44 20 8725 2897
F: +44 20 8725 3583
E: dan at sghms.ac.uk
____________________________________

Hex dump: Where witches put used curses...
"#define QUESTION ((bb) || !(bb)) - Shakespeare."
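
The hourly "top 10 offenders" pass described in the message above, as an added example (not code from the post, MailScanner or Exim). The log line format, the function names and the allowlist of genuine relays are assumptions made for illustration; how the resulting file is wired into Exim is not shown.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a simplified format (an assumption; this is
# not real Exim or MailScanner log output): sending host IP plus verdict.
SAMPLE_LOG = """\
2003-09-01 23:01:10 H=[192.0.2.10] virus=Sobig.F
2003-09-01 23:01:12 H=[198.51.100.7] virus=Sobig.F
2003-09-01 23:02:40 H=[192.0.2.10] virus=Sobig.F
2003-09-01 23:03:05 H=[192.0.2.1] virus=Sobig.F
2003-09-01 23:03:30 H=[203.0.113.5] virus=Sobig.F
2003-09-01 23:04:11 H=[198.51.100.200] virus=Klez.H
2003-09-01 23:05:19 H=[192.0.2.10] virus=Sobig.F
2003-09-01 23:06:02 H=[192.0.2.1] virus=Sobig.F
2003-09-01 23:07:45 H=[198.51.100.7] virus=Sobig.F
2003-09-01 23:08:00 H=[999.0.2.1] virus=Sobig.F
2003-09-01 23:08:30 H=[192.0.2.44] clean
"""

LINE_RE = re.compile(r"H=\[([0-9.]+)\] virus=(\S+)")


def top_offenders(lines, virus="Sobig", limit=10, min_hits=2, allow=()):
    """Rank sending IPs by number of detections of the named virus."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or not m.group(2).startswith(virus):
            continue
        try:
            ip = str(ipaddress.IPv4Address(m.group(1)))
        except ValueError:
            continue  # malformed address: never write it to a block list
        if ip in allow:
            continue  # hypothetical allowlist of hosts that relay genuine mail
        counts[ip] += 1
    # Highest count first; ties broken by address string for stable output.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(ip, n) for ip, n in ranked if n >= min_hits][:limit]


def render_blocklist(offenders):
    """One IP per line, the shape of a plain-text host block file."""
    return "".join(ip + "\n" for ip, _ in offenders)


if __name__ == "__main__":
    hits = top_offenders(SAMPLE_LOG.splitlines(), allow={"192.0.2.1"})
    print(render_blocklist(hits), end="")
```

The `min_hits` floor and the allowlist address the concern raised earlier in the thread about blocking an IP that also sends genuine mail: a single detection is not enough to be listed, and known relays are never listed.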
