Fwd: RE: Dealing with MailScanner overloads

Antony Stone Antony at SOFT-SOLUTIONS.CO.UK
Sun Sep 14 09:50:40 IST 2003


On Sunday 14 September 2003 9:38 am, Julian Field wrote:

> What do you all think of this suggestion? Any ideas for improvements or
> useful ways to implement it?
>
> I'm thinking along the lines of adding entries to the sendmail access db. I
> can't remember if I need to restart sendmail after changing the access db,
> but a way of avoiding having to do that would be good.

You don't need to restart sendmail, no - just makemap on the access.db.

Blocking with sendmail's access.db would have the advantage over iptables
that you'd see a meaningful entry in the log file when such a message was
rejected, so this would still enable sysadmins to see why a mail didn't
arrive when it was expected.   Also, it's not safe to assume everyone has
iptables running on their mail server (it also becomes Linux-specific).

The only question I have is regarding the relay address as being the right
one to block.   For example, I run a primary mail server with my ISP acting
as secondary MX.   All my Sobig.F emails went to their mail server, because
Sobig.F went for the highest MX value, and then got relayed on to me.

This code would then result in me blocking my own fallback MX server, and I
think this is not an uncommon situation?

So, this idea may be useful to some people in some situations, certainly,
however for Sobig.F I think it would only have helped the people running a
primary MX without a backup relay, or else running MailScanner on their
backup relay as well.

If we assume that future viruses may similarly target secondary (or highest
MX) mail servers, we should be careful not to create some automated tool
which can break that secondary-to-primary connection.

Antony.

--

"I'm doing a (free) operating system (just a hobby, won't be big and
professional like gnu) for 386(486) AT clones.

It is NOT portable , and it probably never will support anything other than
AT-harddisks, as that's all I have :-(."

 - Excerpt from posting to comp.os.minix by Linus Torvalds, 25 Aug 1991
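
The caveat raised in the message above (an automated block must not cut off your own secondary MX) can be enforced before anything is written to the access db source. The sketch below is an added example, not part of the original post and not MailScanner code; the function names, the trusted-relay file and the documentation-range addresses used to exercise it are assumptions.

```shell
#!/bin/sh
# Added example; not MailScanner code. The trusted-relay file is hypothetical.

# block_relay IP ACCESS_SRC TRUSTED_FILE
# Exit status: 0 entry added, 1 skipped (trusted relay such as your own
# secondary MX), 2 already listed, 3 input is not a dotted quad.
block_relay() {
    ip=$1; access=$2; trusted=$3

    # Shape check only, so nothing but an address reaches the map source.
    case $ip in
        *[!0-9.]*) return 3 ;;
    esac
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 3

    # Never block a relay we depend on: one address per line, exact match.
    if [ -f "$trusted" ] && grep -Fxq -- "$ip" "$trusted"; then
        return 1
    fi

    # Skip addresses that already have an entry (first field is the key).
    if [ -f "$access" ] &&
       awk -v ip="$ip" '$1 == ip { found = 1 } END { exit !found }' "$access"
    then
        return 2
    fi

    # REJECT makes sendmail refuse the connection and log the rejection.
    printf '%s\tREJECT\n' "$ip" >> "$access"
}

# Rebuild access.db from its source file; sendmail needs no restart.
# Typical call: rebuild_access_map /etc/mail/access
rebuild_access_map() {
    makemap hash "$1" < "$1"
}
```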


