Sobig.F resurgence

Errol Neal errol.neal at ENHTECH.COM
Fri Sep 5 17:13:04 IST 2003


Man that's tough! You are rejecting thank you messages?
The best way to deal with this stuff is with this:


##
# enable these for DNS blacklist protection from spam
##
dnl FEATURE(`dnsbl',`bl.spamcop.net', `"550 Mail from " $&{client_addr} " was rejected; please see http://www.spamcop.net/w3m?action=checkblock&ip=" $&{client_addr} " for additional details"')dnl
dnl FEATURE(`dnsbl',`proxies.relays.monkeys.com', `"550 Mail from " $&{client_addr} " was rejected; please see http://www.ordb.org/lookup/?host=" $&{client_addr} " for additional details"')dnl
dnl FEATURE(`dnsbl',`relays.osirusoft.com', `"550 Mail from " $&{client_addr} " was rejected; please see "')dnl
dnl FEATURE(`dnsbl',`rbl.maps.vix.com', `"550 Mail from " $&{client_addr} " was rejected; please see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr} " for additional details"')dnl
dnl FEATURE(`dnsbl',`dul.maps.vix.com')dnl
dnl FEATURE(`dnsbl',`blackholes.mail-abuse.org', `"550 Mail from " $&{client_addr} " was rejected; please see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr} " for additional details"')dnl
dnl FEATURE(`dnsbl',`dialups.mail-abuse.org', `"550 Mail from " $&{client_addr} " was rejected; please see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr} " for additional details"')dnl
dnl FEATURE(`dnsbl',`relays.mail-abuse.org', `"550 Mail from " $&{client_addr} " was rejected; please see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr} " for additional details"')dnl
dnl
dnl FEATURE(`rhsbl',`dsn.rfc-ignorant.org', `550 You do not accept bounces violating RFC 821/2505/2821 - see http://www.rfc-ignorant.org/', `h')dnl
dnl FEATURE(`rhsbl',`postmaster.rfc-ignorant.org', `550 Mail rejected as your domain does not have a working postmaster address - see http://www.rfc-ignorant.org/', `h')dnl
dnl FEATURE(`rhsbl',`abuse.rfc-ignorant.org', `550 Mail rejected as your domain does not have a working abuse address - see http://www.rfc-ignorant.org/', `h')dnl
dnl FEATURE(`rhsbl',`whois.rfc-ignorant.org', `550 Mail rejected as your whois information does not exist or is obviously fictitious - see http://www.rfc-ignorant.org/', `h')dnl


Since most of these relays are already in RBLs and DNSBLs, it is easy to
just reject them on the basis of the relaying server at RCPT time, as opposed
to parsing the message headers. This way,
thank-you messages from valid senders actually make it to your clients...



Errol Neal

At 10:39 PM 9/4/2003 -0500, you wrote:
>In sendmail.mc, I added this:
>
><snip>
>LOCAL_RULESETS
>
># Reject all mail with Sobig subjects.
>HSubject:               $>Check_subject
>D{Msobig1}That movie
>D{Msobig2}Wicked screensaver
>D{Msobig3}Your application
>D{Msobig4}Approved
>D{Msobig5}My details
>D{Msobig6}Details
>D{Msobig7}Thank you!
>D{Msobig8}Returned mail: see transcript for details
>D{Mmsg} Possible Sobig-F Virus - Please change subject
>
>SCheck_subject
>R${Msobig1} $*          $#error $: 550 ${Mmsg}
>RRE: ${Msobig1} $*      $#error $: 550 ${Mmsg}
>R${Msobig2} $*          $#error $: 550 ${Mmsg}
>RRE: ${Msobig2} $*      $#error $: 550 ${Mmsg}
>R${Msobig3} $*          $#error $: 550 ${Mmsg}
>RRE: ${Msobig3} $*      $#error $: 550 ${Mmsg}
>R${Msobig4} $*          $#error $: 550 ${Mmsg}
>RRE: ${Msobig4} $*      $#error $: 550 ${Mmsg}
>R${Msobig5} $*          $#error $: 550 ${Mmsg}
>RRE: ${Msobig5} $*      $#error $: 550 ${Mmsg}
>R${Msobig6} $*          $#error $: 550 ${Mmsg}
>RRE: ${Msobig6} $*      $#error $: 550 ${Mmsg}
>R${Msobig7} $*          $#error $: 550 ${Mmsg}
>RRE: ${Msobig7} $*      $#error $: 550 ${Mmsg}
>R${Msobig8} $*          $#error $: 550 ${Mmsg}
>RRE: ${Msobig8} $*      $#error $: 550 ${Mmsg}
></snip>
>
>This was suggested on the list several days back and has been working very
>well.
>May I remind you that the white gaps in text above are tabs and not simply
>spaces.
>Run your .mc through m4 and then restart MailScanner.
>
>Mike
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
>Of Nathan Johanson
>Sent: Thursday, September 04, 2003 10:25 PM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: Sobig.F resurgence
>
>
>Mike,
>
>Just curious...
>What Sendmail rule are you using to block them?
>We've been rejecting the most offending IP addresses with the access
>database, but as you might expect... It's a little like a moving target.
>
>Nathan
>
>-----Original Message-----
>From: Mike Kercher [mailto:mike at CAMAROSS.NET]
>Sent: Thursday, September 04, 2003 8:19 PM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: Sobig.F resurgence
>
>
>The flow here has been trickling but steady.  I am blocking LOTS of them
>with a sendmail rule though, so they never even make it to MailScanner.
>
>Mike
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
>Of David Hooton
>Sent: Thursday, September 04, 2003 10:02 PM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Sobig.F resurgence
>
>
>Hi All,
>
>A little off topic, but we've started noticing about a 10 fold increase in
>Sobig.F traffic over the last 48 hours.
>
>Is anyone else noticing this?
>--
>Regards,
>
>David Hooton
>Senior Partner
>Platform Hosting
>1300 85 HOST
>www.platformhosting.com
>
>
>========================================================================
>    This message has been scanned for viruses and unsafe content by
>    Platform Mail Security
>
>    To report SPAM forward the message to:    spam at mailsecurity.net.au
>    To report incorrectly tagged messages: notspam at mailsecurity.net.au
>
>    Platform Mail Security                     www.mailsecurity.net.au
>    Platform Hosting                           www.platformhosting.com
>
>========================================================================

Errol Neal, Systems/Network Administrator
eneal at enhtech.com
Enhanced Technologies Inc.
http://www.enhtech.com
703-924-0301 or 800-368-3249
703-924-0302 Fax
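The thread contrasts two ways of refusing Sobig.F traffic: Errol's FEATURE(`dnsbl') lines, which reject on the connecting relay's IP address before any message data is accepted, and Mike's Check_subject ruleset, which matches Subject header prefixes after DATA. The following Python is an added example, not code from either poster or from sendmail or MailScanner. It simulates both checks so the difference in behaviour can be seen: the DNSBL query name is the client's octets reversed with the zone appended and a listing answers with an address in 127.0.0.0/8 (this is how DNSBL zones work in general); the DNS answers, the IP addresses and the lookup wording in the 550 reply are constructed, and the subject matcher approximates sendmail's token-level `R<prefix> $*` match at the string level.

```python
import ipaddress

# Constructed DNS answers standing in for real DNSBL zones: a listed IP answers
# with an A record in 127.0.0.0/8; an unlisted one gets NXDOMAIN (None here).
FAKE_DNS = {
    "4.3.2.1.bl.spamcop.net": "127.0.0.2",        # 1.2.3.4 is "listed" (constructed)
    "4.3.2.1.relays.osirusoft.com": "127.0.0.4",
}

# Two of the zones named in the FEATURE(`dnsbl') lines of the post.
DNSBL_ZONES = ["bl.spamcop.net", "relays.osirusoft.com"]

# Subject prefixes from Mike's D{MsobigN} macros and his ${Mmsg} reply text.
SOBIG_SUBJECTS = [
    "That movie", "Wicked screensaver", "Your application", "Approved",
    "My details", "Details", "Thank you!",
    "Returned mail: see transcript for details",
]
SUBJECT_REJECT = "550 Possible Sobig-F Virus - Please change subject"


def dnsbl_query_name(client_addr, zone):
    """Octets of the connecting IP reversed, zone appended: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = str(ipaddress.IPv4Address(client_addr)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_dnsbl(client_addr, zones=DNSBL_ZONES, resolve=FAKE_DNS.get):
    """Connection-stage check: the first zone that lists the client wins and
    produces the 550 reply, shaped like the $&{client_addr} message in the post."""
    for zone in zones:
        answer = resolve(dnsbl_query_name(client_addr, zone))
        if answer is not None and answer.startswith("127."):
            return (f"550 Mail from {client_addr} was rejected; "
                    f"please see the {zone} listing for additional details")
    return None


def check_subject(subject):
    """Data-stage check. sendmail's `R<prefix> $*` matches when the leading
    tokens of the Subject equal the prefix (case-insensitively) and $* takes
    the rest, including nothing; the RE: variants strip a reply marker first.
    Approximated here with string prefixes rather than sendmail's tokens."""
    text = subject.strip()
    if text[:3].upper() == "RE:":
        text = text[3:].lstrip()
    for prefix in SOBIG_SUBJECTS:
        if text.lower().startswith(prefix.lower()):
            return SUBJECT_REJECT
    return None


def smtp_decision(client_addr, subject):
    """Order of evaluation on a real MTA: the DNSBL check answers at connect or
    RCPT time, before the body is transferred; the subject rule can only run
    once DATA has been received. Returns (stage, reply)."""
    reply = check_dnsbl(client_addr)
    if reply:
        return ("rcpt", reply)
    reply = check_subject(subject)
    if reply:
        return ("data", reply)
    return ("accept", "250 OK")


if __name__ == "__main__":
    # A listed relay is refused before DATA regardless of subject.
    print(smtp_decision("1.2.3.4", "Meeting notes"))
    # A legitimate sender whose subject merely starts with "Thank you!" is
    # refused by the subject rule: the false positive Errol objects to.
    print(smtp_decision("10.0.0.1", "Thank you! Your order has shipped"))
    # Clean relay, clean subject.
    print(smtp_decision("10.0.0.1", "Meeting notes"))
```

The last two calls in the usage block are the point of the thread: the subject ruleset refuses any message whose subject begins with one of the eight prefixes, so a genuine "Thank you!" from a customer is bounced, whereas the DNSBL check keys only on the relaying host and lets that message through.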


