Bagel.H

Julian Field mailscanner at ecs.soton.ac.uk
Wed Mar 3 17:11:46 GMT 2004


At 16:19 03/03/2004, you wrote:
> >> Some machine on our network has been infected by Worm.Bagel.J and
> >> other variants. This is spawning a whole lot of mails with password
> >> encrypted zip files which contain infected executables.
> >>
> >> We are using MailScanner-4.21 along with clamav-0.67-1.
> >>
> >> Anybody face a similar problem? Any pointers would be great.
> >
> >Find its IP, deny access to SMTP port via iptables.
> >
>
>Better yet, unplug it from the network until you get it
>cleaned.

If you are using sendmail, take a look at the IPBlock code in
CustomConfig.pm. You can create a configuration file which specifies how
many messages per hour to accept from various hosts and networks. If a host
on any of the defined networks exceeds its hourly rate, it is automatically
blocked for the rest of that hour using sendmail's access database. At the
end of the hour, the blocks are removed and mail can flow again, until a
limit is exceeded again. It logs an entry every time a machine is blocked
for exceeding its limit.

So you can say that, for example, you expect at most 30 messages per hour
from any internal computer, except for bigger limits (3000?) from your mail
servers.

It will stop you being flooded by mail from infected PCs until you get a
chance to clean them.
--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
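The hourly rate-limit-and-block mechanism described in the message above, as an added illustration in Python that is not MailScanner's own CustomConfig.pm IPBlock code. It reads a constructed limits table (the table format, the most-specific-network-wins rule, and the class and function names are assumptions made for this example), counts messages per source address per clock hour, emits sendmail access-map "Connect:<ip> REJECT" entries for sources over their limit, logs each block, and clears all counts and blocks when the hour rolls over.

```python
"""Hourly per-source message rate limiting that emits sendmail access-db
entries, in the spirit of the IPBlock mechanism described above.
Added illustration, not MailScanner's CustomConfig.pm code; the config
format and the class/function names are assumptions for this example."""
import ipaddress

# Constructed limits table (assumed format: "network  max-messages-per-hour").
# The most specific matching network wins, so the mail server at
# 192.168.1.10 gets 3000/h while every other internal host gets 30/h.
LIMITS_TEXT = """
# network            messages/hour
192.168.0.0/16       30
192.168.1.10/32      3000
10.0.0.0/8           30
"""


def parse_limits(text):
    """Parse the limits table into (network, limit) tuples, longest prefix first."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        net, limit = line.split()
        rules.append((ipaddress.ip_network(net, strict=False), int(limit)))
    rules.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return rules


def limit_for(ip, rules):
    """Hourly limit for a source address, or None if no rule covers it."""
    addr = ipaddress.ip_address(ip)
    for net, limit in rules:
        if addr in net:
            return limit
    return None


class IPBlocker:
    """Counts messages per source per clock hour; a source that exceeds its
    limit is blocked (as a sendmail access-map REJECT entry) until the hour
    ends, when all counts and blocks are cleared."""

    def __init__(self, rules):
        self.rules = rules
        self.hour = None      # clock hour currently being counted
        self.counts = {}
        self.blocked = set()
        self.log = []

    def _roll_hour(self, ts):
        """Reset counters and blocks when ts falls in a new clock hour."""
        hour = int(ts // 3600)
        if hour != self.hour:
            if self.blocked:
                self.log.append("unblocked %s at start of new hour"
                                % ", ".join(sorted(self.blocked)))
            self.hour, self.counts, self.blocked = hour, {}, set()

    def record(self, ip, ts):
        """Account one message from ip at unix time ts.
        Returns True if the message should be rejected (source over limit)."""
        self._roll_hour(ts)
        limit = limit_for(ip, self.rules)
        if limit is None:
            return False      # not an address we rate limit
        if ip in self.blocked:
            return True
        self.counts[ip] = self.counts.get(ip, 0) + 1
        if self.counts[ip] > limit:
            self.blocked.add(ip)
            self.log.append("blocked %s: %d messages in hour %d exceeds limit %d"
                            % (ip, self.counts[ip], self.hour, limit))
            return True
        return False

    def access_entries(self):
        """Lines to merge into sendmail's access map for the blocked hosts."""
        return ["Connect:%s\tREJECT" % ip for ip in sorted(self.blocked)]


def run_demo():
    """Replay a constructed hour of traffic: an infected PC sends 40 mails,
    the mail server sends 100, then the next hour clears the block."""
    blocker = IPBlocker(parse_limits(LIMITS_TEXT))
    base = 3600 * 1000            # arbitrary hour boundary
    rejected = 0
    for i in range(40):
        if blocker.record("192.168.1.55", base + i * 10):
            rejected += 1
    for i in range(100):
        blocker.record("192.168.1.10", base + i * 20)
    entries_in_hour = blocker.access_entries()
    blocker.record("192.168.1.55", base + 3600)   # first message of next hour
    return {
        "rejected_in_hour": rejected,
        "entries_in_hour": entries_in_hour,
        "entries_next_hour": blocker.access_entries(),
        "log": blocker.log,
    }


if __name__ == "__main__":
    for line in run_demo()["log"]:
        print(line)
```

In the replayed hour the infected PC's 31st message trips the 30/h limit, so its remaining nine messages are rejected and a single REJECT line is produced for the access map; the mail server's 100 messages stay under its 3000/h limit, and the block disappears with the first message of the following hour. In a real deployment the access-map lines would be merged into sendmail's access file and the map rebuilt (makemap) on each change.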