Performance problems...

Kevin Spicer kevins at BMRB.CO.UK
Fri Jan 30 21:34:56 GMT 2004


On Fri, 2004-01-30 at 21:10, Eric J Merkel wrote:
>
> No we are not using SA. I will look into mounting the MS incoming directory
> on a tmpfs. Do you have any recommendation on how much RAM I should set
> aside for the tmpfs?

You don't need to worry about that, tmpfs looks after itself in that
regard (unlike using a ramdisk).  Just add this to /etc/fstab

none /var/spool/MailScanner/incoming tmpfs defaults 0 0

Then do
service MailScanner stop
mount /var/spool/MailScanner/incoming
service MailScanner start

> I do not have it set to deliver cleaned/disinfected messages. I do have a
> fair number of bounced spam messages from unknown user accounts on our
> system. Right now I have a script clean out the mqueue every 10 minutes of
> all invalid bounce messages.

Might be worth grabbing the addresses of the invalid recipients and
adding them to your access database:

To:user@domain.com             REJECT

Doing this really reduced the load on my system.

>
> > There were some useful sendmail rules (both subject and recipient)
> > posted to the list which can help to block MyDoom.
> >
>
> I just joined the list today so I didn't get a chance to see those filters.
> Do you have the subject of those messages so I can look them up in the
> archive?

I just realised I posted the subject rules that I used for Sobig, so I
should probably post updated ones for MyDoom.  Here they are

LOCAL_RULESETS
## Common Virus Subjects
##
## Note: the left- and right-hand sides of each R line must be separated by tabs.
HSubject:               $>Check_Subject
D{VMsg}" - This message may contain a virus - This subject is associated with a known virus, for genuine mail please resend with different subject text."
SCheck_Subject
Rerror	$#error $: 550 5.7.0 ${VMsg}
Rhello	$#error $: 550 5.7.0 ${VMsg}
Rhi	$#error $: 550 5.7.0 ${VMsg}
Rmail delivery system	$#error $: 550 5.7.0 ${VMsg}
Rmail transaction failed	$#error $: 550 5.7.0 ${VMsg}
Rserver report	$#error $: 550 5.7.0 ${VMsg}
Rstatus	$#error $: 550 5.7.0 ${VMsg}
Rtest	$#error $: 550 5.7.0 ${VMsg}

These should be added to the end of your sendmail.mc and the sendmail.cf
rebuilt.

The list of users is in a post entitled 'MyDoom Countermeasures' posted
to the list on Jan 28 by Jeff Falgout.  I added these to my system,
adding my domains after the @.  Whether these are of use to you rather
depends on your username naming policy.




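An added example (not part of the original post or of MailScanner): one way to collect the invalid recipients suggested above from the mail log and turn them into access-map entries. The log lines are constructed, and the function names, the example.com domain and the two-hit threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample maillog lines (not taken from the original post).
SAMPLE_LOG = """\
Jan 30 21:01:12 mx sendmail[4101]: i0UL1Cx4004101: to=<bob.smith@example.com>, delay=00:00:01, stat=User unknown
Jan 30 21:01:40 mx sendmail[4107]: i0UL1ex4004107: to=<sales@example.com>, delay=00:00:02, stat=Sent (ok)
Jan 30 21:02:03 mx sendmail[4112]: i0UL23x4004112: to=<admin@example.com>, delay=00:00:01, stat=User unknown
Jan 30 21:02:19 mx sendmail[4118]: i0UL2Jx4004118: to=<Admin@Example.COM>, delay=00:00:01, stat=User unknown
Jan 30 21:03:27 mx sendmail[4125]: i0UL3Rx4004125: to=<bob.smith@example.com>, delay=00:00:01, stat=User unknown
Jan 30 21:03:55 mx sendmail[4131]: i0UL3tx4004131: to=<jon@example.com>, delay=00:00:01, stat=User unknown
Jan 30 21:04:08 mx sendmail[4136]: i0UL48x4004136: to=<webmaster@other.example>, delay=00:00:01, stat=User unknown
Jan 30 21:04:30 mx sendmail[4140]: i0UL4Ux4004140: to=<webmaster@other.example>, delay=00:00:01, stat=User unknown
"""

# Recipient plus a "User unknown" status on a single-recipient delivery line.
UNKNOWN = re.compile(r"to=<?([^<>,\s]+@[^<>,\s]+)>?,.*stat=User unknown", re.I)
# Conservative address shape: the recipient is chosen by the remote sender,
# so anything unusual is skipped rather than written into the access map.
SAFE_ADDR = re.compile(r"^[a-z0-9._+-]+@[a-z0-9.-]+$")

def invalid_recipients(log_text, local_domains, min_hits=2):
    """Return sorted local addresses rejected as unknown at least min_hits times."""
    hits = Counter()
    for line in log_text.splitlines():
        m = UNKNOWN.search(line)
        if not m:
            continue
        addr = m.group(1).lower()
        if not SAFE_ADDR.match(addr):
            continue
        # Only list addresses in our own domains (assumed: example.com).
        if addr.rsplit("@", 1)[1] in local_domains:
            hits[addr] += 1
    # The threshold keeps a one-off typo of a real user's address off the list.
    return sorted(a for a, n in hits.items() if n >= min_hits)

def access_entries(addrs):
    """Format addresses as tab-separated access-map lines."""
    return ["To:%s\tREJECT" % a for a in addrs]

if __name__ == "__main__":
    for entry in access_entries(invalid_recipients(SAMPLE_LOG, {"example.com"})):
        print(entry)
```

Review the generated list before appending it to the access file and rebuilding the map.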