Viruses from one IP - trend?

Alex Neuman alex at nkpanama.com
Wed Jun 23 19:17:37 IST 2004


I've had Vispan block those IPs at the MTA level, but I've been thinking of
modifying it (don't know perl so it's a bit trickier for me to do it) so
that it does an "iptables -A INPUT -p tcp --dport 25 -j REJECT -s $sourceip"
to block it, and after a while do the same with "-D INPUT" to unblock.

The problem with that is that the party on the other end can't send me
e-mail if it's, for example, a corporate firewall serving hundreds of users.
When done at the MTA level with Vispan they get a more explicit "Persistent
Virus Source" message on their side.


-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Kevin Old
Sent: Wednesday, June 23, 2004 8:49 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Viruses from one IP - trend?

Hello everyone,

I've been using MailScanner for quite some time and love it!  Thanks
to all who contribute to it.

I've recently seen a new trend on my mail server and wondered if
others experience it.  On two separate occasions, I've started
receiving viruses from one IP that "chose" my server to "hammer" with
viruses.  The most recent "outbreak" had them coming at 7+ messages
per minute.  The virus caught by both ClamAV and F-Prot was Zafi.B.

Again, all of the messages were from the same IP (as reported in the
MailScanner report for each virus caught).  The only thing I found odd
was that in both cases the IPs that were reported weren't spoofed!
They were the actual IPs.

To remedy the situation, I ended up blocking all traffic from that IP
in my firewall and the "attacks" stopped instantly.

Just wondering if anyone else had these experiences....

Thanks,
Kevin
--
Kevin Old
kevinold at gmail.com

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html

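The iptables approach sketched in the reply, written out as an added shell example (not code from the thread, from Vispan or from MailScanner): a temporary port-25 block that validates the address before it reaches the firewall, avoids inserting the same rule twice, and removes itself after a delay. The helper names (valid_ipv4, smtp_block_rule, block_smtp_for) and the IPT variable are assumptions for this illustration.

```shell
#!/bin/sh
# Temporary firewall block of a virus-spewing SMTP source.
# Added example; helper names and IPT are assumptions, not Vispan's code.

IPT="${IPT:-iptables}"   # set IPT=echo to dry-run without touching the firewall

# Accept only a dotted-quad IPv4 address, so a malformed or hostile value
# pulled from a log line can never be handed to iptables.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The rule spec (everything after -A/-C/-D), built once so that add, check
# and delete always name exactly the same rule. tcp-reset makes the remote
# MTA see an immediate "connection refused" instead of a hanging connect.
smtp_block_rule() {
    printf '%s\n' "INPUT -s $1 -p tcp --dport 25 -j REJECT --reject-with tcp-reset"
}

# block_smtp_for ADDRESS SECONDS: add the rule unless it is already present
# (-C, iptables 1.4.11+), then delete it after SECONDS from a background job.
block_smtp_for() {
    ip=$1
    seconds=$2
    valid_ipv4 "$ip" || { echo "block_smtp_for: bad address '$ip'" >&2; return 2; }
    rule=$(smtp_block_rule "$ip")
    # word-splitting of $rule into separate iptables arguments is intended
    $IPT -C $rule 2>/dev/null || $IPT -A $rule || return 1
    ( sleep "$seconds" && $IPT -D $rule ) &
    echo "blocked port 25 from $ip for ${seconds}s (unblock job pid $!)"
}

# Usage (address from the documentation range 192.0.2.0/24, not a real sender):
#   block_smtp_for 192.0.2.10 3600
```

As the reply notes, the remote side only ever sees a refused connection, so a shared corporate gateway gets no explanation of why its mail is bouncing; a Vispan-style rejection at the MTA is what carries the "Persistent Virus Source" message.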
