Antony.Stone at mailscanner.open.source.it
Thu Nov 12 08:17:52 GMT 2009
On Thursday 12 November 2009 07:52, Pete Russell wrote:
> This works fine, until, you get some one with a new malware.
> We often get 40k of these same email being sent each day, in the past MS
> and SA just stopped them, now they seem to beat it a little more and we
> have to create custom rules (not very gracefully).
> Should i go with DCC or pyzor to target these emails, any other
Limit the number of IP connection requests to the mail server from each client
to a reasonable value (eg: maximum one email per minute or so)?
This could be done with a firewall-type system such as IPtables, or with the
connection-rate limits of a recent sendmail (presumably other MTAs as well).
Alternatively use a Network IDS to detect massive traffic from isolated IP
addresses and raise an alert / throttle back that client until it's been
investigated? That's probably a good thing to do anyway, since if you have
problems with malware-infected machines sending thousands of emails, you
probably get problems with other sorts of malware too, which create local
broadcast traffic, traffic to random IPs, port scans etc., and it would be
good to pick this up so the machines can be taken off the network too.
If the human brain were so simple that we could understand it,
we'd be so simple that we couldn't.
Please reply to the list;
please don't CC me.
More information about the MailScanner