Viruses from one IP - trend?

Martin Sapsed m.sapsed at BANGOR.AC.UK
Thu Jun 24 09:56:35 IST 2004


Matthew K Bowman wrote:
> Kevin Old wrote:
>> I've been using MailScanner for quite some time and love it!  Thanks
>> to all who contribute to it.
>>
>> I've recently seen a new trend on my mail server and wondered if
>> others experience it.  On two separate occasions, I've started
>> receiving viruses from one IP that "chose" my server to "hammer" with
>> viruses.  The most recent "outbreak" had them coming at 7+ messages
>> per minute.  The virus caught by both ClamAV and F-Prot was Zafi.B.
>>
>> Again, all of the messages were from the same IP (as reported in the
>> MailScanner report for each virus caught).  The only thing I found odd
>> was that in both cases the IPs that were reported weren't spoofed!
>> They were the actual IPs.
>>
>> To remedy the situation, I ended up blocking all traffic from that IP
>> in my firewall and the "attacks" stop instantly.
>>
> Yes indeed. Same virus too. I actually got blasted from 2 different IP
> addresses and did a couple of things
>
> 1. blacklisted their IP forcing the email to be tagged as {SPAM?} and
> spam action to delete
> 2. put their IP in /etc/mail/access with 'DENY'
>
> Is there a way to automatically block floods of viruses from 1 IP address.
> perhaps a new action called 'Virus Flood'
> Actions are delete, quarantine etc?

I've seen several mentions of Vispan but no-one appears to have
mentioned the IPBlock code in CustomConfig.pm which massages a sendmail
access.db for you (i.e. does number 2 above automagically).

I've never used it myself but there's probably stuff about it in the
MAQ/archives.

Cheers,

Martin

--
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth
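As an added example (not code from this thread, nor MailScanner's own IPBlock/CustomConfig.pm code), here is a Python sketch of the "Virus Flood" idea discussed above: count infected-message log lines per source IP over a sliding window and emit sendmail access map entries for any IP that exceeds a threshold. The "Infected message ... came from ..." log wording and the sample lines are constructed for the example; the `Connect:` key and `REJECT` action are sendmail's access map syntax.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample in syslog style; the "Infected message ... came from ..."
# wording is an assumed MailScanner log format, not taken from the thread.
SAMPLE_LOG = """\
Jun 24 09:40:01 mx MailScanner[4321]: Infected message i5O8e1Ab004321 came from 192.0.2.10
Jun 24 09:40:05 mx MailScanner[4322]: Infected message i5O8e5Cd004322 came from 198.51.100.7
Jun 24 09:40:09 mx MailScanner[4323]: Infected message i5O8e9Ef004323 came from 192.0.2.10
Jun 24 09:40:12 mx MailScanner[4324]: Clean message i5O8eCGh004324 accepted
Jun 24 09:40:17 mx MailScanner[4325]: Infected message i5O8eHIj004325 came from 192.0.2.10
Jun 24 09:40:25 mx MailScanner[4326]: Infected message i5O8ePKl004326 came from 192.0.2.10
Jun 24 09:40:33 mx MailScanner[4327]: Infected message i5O8eXMn004327 came from 192.0.2.10
Jun 24 09:40:41 mx MailScanner[4328]: Infected message i5O8ffOp004328 came from 192.0.2.10
Jun 24 09:45:30 mx MailScanner[4330]: Infected message i5O8kUSt004330 came from 198.51.100.7
"""

INFECTED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ MailScanner\[\d+\]: "
    r"Infected message \S+ came from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_infected(log_text, year=2004):
    """Yield (timestamp, source_ip) per infected-message line; syslog lacks a year, so one is supplied."""
    for line in log_text.splitlines():
        m = INFECTED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def flood_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Return the IPs that delivered >= threshold infected messages within any one window."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop events that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged

def access_entries(ips):
    """Render sendmail access map lines; REJECT refuses the connection at SMTP time."""
    return [f"Connect:{ip}\tREJECT" for ip in sorted(ips)]

if __name__ == "__main__":
    print("\n".join(access_entries(flood_sources(parse_infected(SAMPLE_LOG)))))
```

The emitted lines would be appended to the access source file and rebuilt into access.db with makemap, which is the step the IPBlock code mentioned above automates.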

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html