SOBER-I

James R. Stevens jstevens at ATHENSDISTRIBUTING.COM
Tue Nov 23 20:17:30 GMT 2004 

Since 11/19/2004 we have seen 40+ of the Sober-I. We process around 1000
emails on any given day. They seems to come from only 3 source IP's. We
are the Primary MX for the domain and are handling the amount of Viruses
just fine.

How many messages do you process per day? 

-----Original Message-----
From: Kevin Miller [mailto:Kevin_Miller at CI.JUNEAU.AK.US] 
Sent: Tuesday, November 23, 2004 2:05 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: SOBER-I

Alan Cragg - Lists wrote:
>
> Does anyone know of a better way to block this without having to block
> our secondary mail server?
> Is it a performance tuning issue? We are using MailScanner 4.35.11 and
> Sophos AV, not SAVI, and SA 3.0.1.

Had a similar situation a while back.  Instead of blocking my secondary,
I
used the access table in it's sendmail to drop inbound connections from
the
offending IP.  That way, I could continue to receive valid email on the
secondary from elsewhere but not plug the queues with virus laden
emails.  I
had the advantage, of course, of owning our secondary.

Do you have shell access to the secondary?  If not, I'd try to get your
ISP
to block that address.

I also notified the sender's ISP so they could notify the owner of the
infected machine.

Good luck...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

-- 
This message has been scanned for viruses and
dangerous content by Athens Hyperion Scanner, and is
believed to be clean.




-- 
This message has been scanned for viruses and
dangerous content by Athens Hyperion Scanner, and is
believed to be clean.

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list