OT: "OMG YOU SENT TEH VIRUSESS"
Craig Daters
craig at WESTPRESS.COM
Wed Jun 15 21:45:47 IST 2005
On Jun 15, 2005, at 10:24 AM, Matt Kettler wrote:
> I personally don't think it's bad form to gently warn them about sending such
> things.
>
> I also take the step of warning the admin if it continues, and outright
> blacklisting their server with an /etc/mail/access entry if I get more than 5
> from them in a 24 hour period.
>
> Once warned, I treat such things as nothing short of intentional
> misconfiguration to support DDoS attacks, and I treat the offending networks
> accordingly.
>
> Although I've not seen such a case so far, I don't think it would be
> inappropriate to call an upstream provider and request they be shutdown if the
> load ever broke 2000 attempts/hr (about 1 every 2 seconds). At that point it's
> turned into an outright flooding attack.
>
> While all that might sound a little extreme, how many of you would block traffic
> from a known smurf amplifier that kept being used to hit your network? To me,
> there's no difference between a post-delivery virus/spam autoresponder and a
> smurf amplifier, it's just TCP/SMTP based instead of ICMP/echo.
>
I agree with Matt, and I found a good solution for handling floods to
be "Vispan" (http://www.while.homeunix.net/mailstats). This throttles
flood attacks and will modify the Sendmail access file appropriately.
It is very configurable, and after a set time limit will remove IP
addresses it has added. I found this to really come in handy for "Virus
Warning" messages. It also provides very nice graphical statistics for
your mailserver. It can be set to add a mailserver's IP address to the
access file if it sees X amount of messages from that server in X
amount of minutes. It can be set to email someone when it adds to the
access database or not.
Since I have upgraded to RHEL4, I have had trouble getting it installed,
however, so I am without it at the moment and missing it :) Maybe this
can help you, Jason?
---
Craig Daters (craig at westpress.com)
Systems Administrator
West Press
1663 West Grant Road
Tucson, Arizona 85745
(520) 624-4939 x208
(520) 624-2715 fax
www.westpress.com
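As an added illustration of the threshold-and-timeout scheme both posts describe (this is not Vispan's code and not from the list; the log lines, hosts, IPs, thresholds and the use of sendmail's Connect: access-db tag are this example's own assumptions), the following Python counts messages per relay IP in a sliding window over a few constructed sendmail log lines, emits a REJECT entry for /etc/mail/access once the count reaches the threshold, and drops the entry again after the ban period.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sendmail-style syslog lines; hosts, IPs and queue IDs are made up.
SAMPLE_LOG = """\
Jun 15 10:00:01 mx sendmail[4101]: j5FH01aa4101: from=<postmaster@example.net>, size=1204, relay=mail.example.net [192.0.2.10]
Jun 15 10:03:40 mx sendmail[4102]: j5FH03ab4102: from=<postmaster@example.net>, size=1198, relay=mail.example.net [192.0.2.10]
Jun 15 10:08:02 mx sendmail[4103]: j5FH08ac4103: from=<alice@example.org>, size=5402, relay=smtp.example.org [198.51.100.7]
Jun 15 10:11:59 mx sendmail[4104]: j5FH11ad4104: from=<postmaster@example.net>, size=1207, relay=mail.example.net [192.0.2.10]
Jun 15 10:14:30 mx sendmail[4105]: j5FH14ae4105: from=<postmaster@example.net>, size=1199, relay=mail.example.net [192.0.2.10]
Jun 15 10:28:05 mx sendmail[4106]: j5FH28af4106: from=<postmaster@example.net>, size=1201, relay=mail.example.net [192.0.2.10]
"""
LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*relay=\S+ \[([\d.]+)\]")

def parse(line, year=2005):
    """Return (timestamp, relay_ip) for a sendmail 'from=' line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

class Throttle:
    def __init__(self, threshold=5, window=timedelta(minutes=30), ban=timedelta(hours=24)):
        self.threshold, self.window, self.ban = threshold, window, ban
        self.seen = defaultdict(deque)   # ip -> timestamps inside the window
        self.banned = {}                 # ip -> time the access entry expires
    def observe(self, ts, ip):
        """Record one message; return True if it pushes the IP over the threshold."""
        q = self.seen[ip]
        q.append(ts)
        while ts - q[0] > self.window:    # slide the window forward
            q.popleft()
        if len(q) >= self.threshold and ip not in self.banned:
            self.banned[ip] = ts + self.ban
            return True
        return False
    def expire(self, now):
        """Drop entries whose ban period has elapsed (the timed removal Vispan does)."""
        self.banned = {ip: t for ip, t in self.banned.items() if t > now}
    def access_entries(self):
        """Render current bans as /etc/mail/access lines using the Connect: tag."""
        return [f"Connect:{ip}\tREJECT" for ip in sorted(self.banned)]

def run(log_text, **kw):
    """Feed every parsable line into a Throttle and return it."""
    t = Throttle(**kw)
    for parsed in filter(None, map(parse, log_text.splitlines())):
        t.observe(*parsed)
    return t
```

After rebuilding the access map with makemap, the REJECT lines refuse further connections from the flooding relay until `expire` removes them.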