Viruses from one IP - trend? {Scanned}

Scott Silva ssilva at SGVWATER.COM
Wed Jun 23 16:57:18 IST 2004


Vispan will do it automagically.
Been using it for a couple of months, and it has cut the mail load about 30%
or more.



----- Original Message -----
From: "Matthew K Bowman" <mkbowman at NEO.RR.COM>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Wednesday, June 23, 2004 8:43 AM
Subject: Re: Viruses from one IP - trend? {Scanned}


Kevin Old wrote:

>Hello everyone,
>
>I've been using MailScanner for quite some time and love it!  Thanks
>to all who contribute to it.
>
>I've recently seen a new trend on my mail server and wondered if
>others experience it.  On two separate occasions, I've started
>receiving viruses from one IP that "chose" my server to "hammer" with
>viruses.  The most recent "outbreak" had them coming at 7+ messages
>per minute.  The virus caught by both ClamAV and F-Prot was Zafi.B.
>
>Again, all of the messages were from the same IP (as reported in the
>MailScanner report for each virus caught).  The only thing I found odd
>was that in both cases the IPs that were reported weren't spoofed!
>They were the actual IPs.
>
>To remedy the situation, I ended up blocking all traffic from that IP
>in my firewall and the "attacks" stop instantly.
>
>Just wondering if anyone else had these experiences....
>
>Thanks,
>Kevin
>--
>Kevin Old
>kevinold at gmail.com
>
>-------------------------- MailScanner list ----------------------
>To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
>Before posting, please see the Most Asked Questions at
>http://www.mailscanner.biz/maq/     and the archives at
>http://www.jiscmail.ac.uk/lists/mailscanner.html
>
>
>
>
Yes indeed. Same virus too. I actually got blasted from 2 different IP
addresses and did a couple of things:

1. blacklisted their IP forcing the email to be tagged as {SPAM?} and
spam action to delete
2. put their IP in /etc/mail/access with 'DENY'

Is there a way to automatically block floods of virus from 1 IP address?
Perhaps a new action called 'Virus Flood'?
Actions are delete, quarantine etc?

Maybe there is and I've overlooked this. Apologies if that's the case.

Matthew

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
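
The automatic per-IP "virus flood" detection asked about in this thread can be sketched as a sliding-window count of virus detections per relay IP. This is an added example, not code from MailScanner, Vispan or any poster; the log layout, the function names and the sample addresses are constructed for illustration, and the threshold of 7 per minute is taken from the rate mentioned in Kevin's message.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_lines():
    """Constructed sample detections; this layout is NOT MailScanner's log format."""
    base = datetime(2004, 6, 23, 8, 40, 0)
    rows = [(base + timedelta(seconds=7 * i), "192.0.2.10") for i in range(8)]     # 8 in 49 s
    rows += [(base + timedelta(minutes=2 * i), "203.0.113.5") for i in range(7)]   # 7 over 12 min
    rows += [(base + timedelta(seconds=20 * i), "198.51.100.7") for i in range(3)] # 3 in 40 s
    rows.sort()
    return [f"{ts.isoformat()} relay={ip} virus=Zafi.B" for ts, ip in rows]

def parse(line):
    """Split one constructed record into (timestamp, relay IP, virus name)."""
    ts, relay, virus = line.split()
    return (datetime.fromisoformat(ts),
            relay.split("=", 1)[1],
            virus.split("=", 1)[1])

def find_floods(lines, threshold=7, window=timedelta(minutes=1)):
    """Return {ip: peak count} for relays that reach `threshold` virus
    detections inside any `window`. Input must be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        if not line.strip():
            continue
        ts, ip, _virus = parse(line)
        q = recent[ip]
        q.append(ts)
        # Drop detections that have aged out of the window.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

if __name__ == "__main__":
    for ip, peak in sorted(find_floods(sample_lines()).items()):
        print(f"{ip}: {peak} virus detections within one minute")
```

The flagged addresses are candidates for the firewall block or /etc/mail/access entry described above; a relay that sends the same number of viruses spread over a longer period (203.0.113.5 in the sample) is deliberately not flagged.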

