SOBER-I

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Wed Nov 24 08:37:39 GMT 2004


Alan

Two things that may help:

1) Check on the inbound MTA for delivery to non-existent addresses.
Varies between MTAs on how to do this, but I reject 66% of email on
this alone (malware and spam cover more than 99% of the rejected stuff,
rest tends to be typos of email addresses).

2) Someone posted a plugin for SA on the SA users email list, that adds a
new rule for email received from a secondary MX when the primary has
received a direct email within the last X seconds.
http://article.gmane.org/gmane.mail.spam.spamassassin.general/59589/match=plugin


--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Alan Cragg - Lists wrote:
> Hello All,
>
> First time poster many time reader.
>
> Since Friday I am getting flooded with e-mails infected with Sober-I
> virus. They all seem to be from one source and they are relaying through
> our secondary Mail Server (Our ISP supplies the secondary).
>
> It seems the one user can bring our server to its knees and the inbound
> queue just backs up.
> As a remedy I have to reject e-mails from the secondary server using the
> access file in sendmail.
>
> Does anyone know of a better way to block this without having to block
> our secondary mail server?
> Is it a performance tuning issue? We are using MailScanner 4.35.11 and
> Sophos AV, not SAVI, and SA 3.0.1.
>
> The machine is running Redhat 8.0 and is a XEON 2.4GHz CPU with 1GB RAM.
> Connection is only a T1.
>
> Thanks for any assistance,
>
> Alan Cragg
>
>
> CONFIDENTIALITY NOTICE.
> The information contained in this communication is confidential and/or
> proprietary business or technical data. If you are not the intended
> recipient, you are hereby notified that any use, dissemination, copying
> or distribution of this communication is strictly prohibited. If you
> have received this communication in error, please immediately notify us by
> telephone (604) 472-2300, or electronically by return message, and
> delete or destroy all copies.
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************
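
Added example, not part of the original post and not the code of the plugin it links to: a Python sketch of the heuristic in point 2, flagging mail relayed by the secondary MX when the primary took a direct delivery within the previous X seconds. The relay addresses, the 300-second window, the tuple layout and the sample events are all constructed assumptions; for relayed mail the timestamp is taken to be when the secondary accepted the message, so mail queued during a real outage of the primary is not flagged.

```python
from bisect import bisect_left, bisect_right
from datetime import datetime, timedelta

SECONDARY_MX = {"192.0.2.25"}  # assumed address of the ISP's secondary MX
WINDOW_SECONDS = 300           # the post's "X seconds"; 300 is an assumed value

# Constructed events: (time accepted, connecting relay, message id).
# Direct mail: time the primary accepted it.
# Relayed mail: time the secondary accepted it (from its Received header).
EVENTS = [
    ("2004-11-24T10:00:00", "198.51.100.7", "a1"),
    ("2004-11-24T10:01:30", "203.0.113.9", "a2"),
    ("2004-11-24T10:02:00", "192.0.2.25", "b1"),  # primary was clearly up
    ("2004-11-24T10:40:00", "192.0.2.25", "b2"),  # primary quiet: likely an outage
    ("2004-11-24T11:00:05", "198.51.100.7", "a3"),
    ("2004-11-24T11:00:50", "192.0.2.25", "b3"),  # primary is back and taking mail
]


def flag_secondary_deliveries(events, secondary=SECONDARY_MX,
                              window=WINDOW_SECONDS):
    """Return ids of relayed messages that arrived at the secondary MX while
    the primary had accepted direct mail within the last `window` seconds."""
    parsed = sorted((datetime.fromisoformat(t), relay, mid)
                    for t, relay, mid in events)
    # Sorted times at which the primary demonstrably accepted direct mail.
    direct_times = [t for t, relay, _ in parsed if relay not in secondary]
    span = timedelta(seconds=window)
    flagged = []
    for t, relay, mid in parsed:
        if relay not in secondary:
            continue
        # Count direct deliveries inside [t - window, t].
        lo = bisect_left(direct_times, t - span)
        hi = bisect_right(direct_times, t)
        if hi > lo:
            flagged.append(mid)
    return flagged


if __name__ == "__main__":
    for mid in flag_secondary_deliveries(EVENTS):
        print("suspicious secondary-MX delivery:", mid)
```

A hit is a reason to add score to the message, not to reject it: a sender whose route to the primary is broken can still legitimately fall back to the secondary.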
