OT: "OMG YOU SENT TEH VIRUSESS"

Matt Kettler mkettler at EVI-INC.COM
Wed Jun 15 18:24:05 IST 2005



Jason Balicki wrote:
> Like a lot of you, I'm on a lot of mailing lists.
> 
> Because of this, I get a large amount of garbage
> mail.  One particular type of garbage mail is
> mis-configured mail scanning suites that send
> "virus received" warning messages.  You all know
> why this is bad, so I won't discuss this.  I'll
> just say that it annoys me greatly -- especially
> when my users receive them and I have to go
> through the incredibly boring explanation of
> what happened yet again.
> 
> What I'd like to know, though, is what the general
> consensus is in regards to dealing with these.  Is
> it bad form to track down the admin and explain
> (gently) that it's a bad idea to send these?

I personally don't think it's bad form to gently warn them about sending such
things.

I also take the step of warning the admin if it continues, and outright
blacklisting their server with an /etc/mail/access entry if I get more than 5
from them in a 24-hour period.

Once warned, I treat such things as nothing short of intentional
misconfiguration to support DDoS attacks, and I treat the offending networks
accordingly.

Although I've not seen such a case so far, I don't think it would be
inappropriate to call an upstream provider and request they be shut down if the
load ever broke 2000 attempts/hr (about 1 every 2 seconds). At that point it's
turned into an outright flooding attack.

While all that might sound a little extreme, how many of you would block traffic
from a known smurf amplifier that kept being used to hit your network? To me,
there's no difference between a post-delivery virus/spam autoresponder and a
smurf amplifier; it's just TCP/SMTP based instead of ICMP/echo.
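
The blocking rule described above (more than 5 notices from one server in 24 hours, then an /etc/mail/access entry), as an added example that is not part of the original post: it counts scanner notices per relay in a sliding 24-hour window and prints sendmail access-map lines. The log format, subject patterns and addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
MAX_NOTICES = 5  # the post blocks on "more than 5" per 24 hours

# Assumed subject patterns for scanner notices; tune to what you actually receive.
NOTICE_RE = re.compile(r"virus (found|detected|received)|infected message", re.I)
LINE_RE = re.compile(r'^(\S+) relay=(\S+) subject="(.*)"$')

# Constructed sample log (hypothetical format, documentation-range addresses).
SAMPLE_LOG = "\n".join(
    # six notices in six hours from one relay: over the limit
    [f'2005-06-15T{h:02d}:00:00 relay=192.0.2.25 subject="Virus detected in your mail"'
     for h in range(6)]
    # six notices, one per day: never more than one inside any 24-hour window
    + [f'2005-06-{d:02d}T12:00:00 relay=198.51.100.7 subject="VIRUS FOUND in message"'
       for d in range(10, 16)]
    # ordinary mail is ignored
    + [f'2005-06-15T{h:02d}:30:00 relay=203.0.113.9 subject="Re: meeting"'
       for h in range(8)]
)

def relays_over_limit(log_text):
    """Return relays that sent more than MAX_NOTICES notices within WINDOW."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and NOTICE_RE.search(m.group(3)):
            events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    recent = defaultdict(deque)  # relay -> timestamps inside the sliding window
    flagged = set()
    for ts, relay in sorted(events):
        window = recent[relay]
        window.append(ts)
        while ts - window[0] >= WINDOW:  # drop notices older than 24 hours
            window.popleft()
        if len(window) > MAX_NOTICES:
            flagged.add(relay)
    return sorted(flagged)

def access_entries(relays):
    """Format sendmail access-map lines (tab-separated key and action)."""
    return [f"Connect:{ip}\tREJECT" for ip in relays]

if __name__ == "__main__":
    print("\n".join(access_entries(relays_over_limit(SAMPLE_LOG))))
```

The printed lines go into /etc/mail/access, and the map has to be rebuilt (for example with `makemap hash`) before sendmail honours them.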
