Viruses from one IP - trend? {Scanned}

Rob Freeman sysadmin at FLEETONE.COM
Wed Jun 23 17:11:43 IST 2004


Vispan

http://www.while.homeunix.net/mailstats/

Rob

----- Original Message -----
From: "Kevin Old" <kevinold at GMAIL.COM>
To: <MAILSCANNER at JISCMAIL.AC.UK>
Sent: Wednesday, June 23, 2004 11:04 AM
Subject: Re: Viruses from one IP - trend? {Scanned}


> Please forgive my ignorance, but I've not heard about Vispan.  What is
> it?  A search on google for Vispan didn't turn up anything.
>
> Kevin
>
> On Wed, 23 Jun 2004 08:57:18 -0700, Scott Silva <ssilva at sgvwater.com> wrote:
> >
> > Vispan will do it automagically.
> > Been using it for a couple of months, and it has cut the mail load about 30%
> > or more.
> >
> > ----- Original Message -----
> > From: "Matthew K Bowman" <mkbowman at NEO.RR.COM>
> > To: <MAILSCANNER at JISCMAIL.AC.UK>
> > Sent: Wednesday, June 23, 2004 8:43 AM
> > Subject: Re: Viruses from one IP - trend? {Scanned}
> >
> > Kevin Old wrote:
> >
> > >Hello everyone,
> > >
> > >I've been using MailScanner for quite some time and love it!  Thanks
> > >to all who contribute to it.
> > >
> > >I've recently seen a new trend on my mail server and wondered if
> > >others experience it.  On two separate occasions, I've started
> > >receiving viruses from one IP that "chose" my server to "hammer" with
> > >viruses.  The most recent "outbreak" had them coming at 7+ messages
> > >per minute.  The virus caught by both ClamAV and F-Prot was Zafi.B.
> > >
> > >Again, all of the messages were from the same IP (as reported in the
> > >MailScanner report for each virus caught).  The only thing I found odd
> > >was that in both cases the IPs that were reported weren't spoofed!
> > >They were the actual IPs.
> > >
> > >To remedy the situation, I ended up blocking all traffic from that IP
> > >in my firewall and the "attacks" stopped instantly.
> > >
> > >Just wondering if anyone else had these experiences....
> > >
> > >Thanks,
> > >Kevin
> > >--
> > >Kevin Old
> > >kevinold at gmail.com
> > >
> > >-------------------------- MailScanner list ----------------------
> > >To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
> > >Before posting, please see the Most Asked Questions at
> > >http://www.mailscanner.biz/maq/     and the archives at
> > >http://www.jiscmail.ac.uk/lists/mailscanner.html
> > >
> > >
> > >
> > >
> > Yes indeed. Same virus too. I actually got blasted from 2 different IP
> > addresses and did a couple of things
> >
> > 1. blacklisted their IP forcing the email to be tagged as {SPAM?} and
> > spam action to delete
> > 2. put their IP in /etc/mail/access with 'DENY'
> >
> > Is there a way to automatically block floods of virus from 1 IP address?
> > Perhaps a new action called 'Virus Flood'
> > Actions are delete, quarantine etc?
> >
> > Maybe there is and I've overlooked this. Apologies if that's the case.
> >
> > Matthew
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
>
>
> --
> Kevin Old
> kevinold at gmail.com

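A sketch of the automatic per-IP virus-flood detection asked about in this thread, as an added example that is not part of the original messages and is not Vispan's or MailScanner's code. The record format is constructed for illustration, the function names are hypothetical, and the default threshold of 7 detections per 60 seconds is taken from the rate reported above.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta


def sample_lines():
    """Constructed records '<ISO time> <relay IP> <virus>'; not MailScanner's log format."""
    base = datetime(2004, 6, 23, 8, 0, 0)
    flood = [(base + timedelta(seconds=7 * i), "192.0.2.10") for i in range(8)]
    slow = [(base + timedelta(minutes=5 * i), "198.51.100.7") for i in range(8)]
    lines = [f"{t.isoformat()} {ip} Zafi.B" for t, ip in sorted(flood + slow)]
    return lines + ["truncated line", "2004-06-23T09:00:00 not-an-ip Zafi.B"]


def find_floods(lines, threshold=7, window=timedelta(seconds=60)):
    """Return {ip: peak count} for relays with >= threshold detections in one window.

    Assumes lines arrive in time order, as they would when tailing a log.
    """
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    peaks = {}
    for line in lines:
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0])
            ip = str(ipaddress.ip_address(parts[1]))  # reject anything not an IP
        except (IndexError, ValueError):
            continue  # skip malformed records instead of acting on them
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:  # drop detections older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def access_entries(peaks):
    """Format sendmail access-map lines; REJECT refuses mail from that relay."""
    return [f"Connect:{ip}\tREJECT" for ip in sorted(peaks)]


if __name__ == "__main__":
    for entry in access_entries(find_floods(sample_lines())):
        print(entry)
```

The relay sending one infected message every five minutes is never flagged, so only the burst source ends up in the generated entries.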