Targeting Malware

Antony Stone Antony.Stone at
Thu Nov 12 08:17:52 GMT 2009

On Thursday 12 November 2009 07:52, Pete Russell wrote:

> This works fine, until, you get some one with a new malware.

> We often get 40k of these same email being sent each day, in the past MS
> and SA just stopped them, now they seem to beat it a little more and we
> have to create custom rules (not very gracefully).

> Should i go with DCC or pyzor to target these emails, any other
> suggestions?

Limit the number of IP connection requests to the mail server from each client 
to a reasonable value (eg: maximum one email per minute or so)?

This could be done with a firewall-type system such as IPtables, or with the 
connection-rate limits of a recent sendmail (presumably other MTAs as well).

Alternatively use a Network IDS to detect massive traffic from isolated IP 
addresses and raise an alert / throttle back that client until it's been 
investigated?  That's probably a good thing to do anyway, since if you have 
problems with malware-infected machines sending thousands of emails, you 
probably get problems with other sorts of malware too, which create local 
broadcast traffic, traffic to random IPs, port scans etc., and it would be 
good to pick this up so the machines can be taken off the network too.



If the human brain were so simple that we could understand it,
we'd be so simple that we couldn't.

                                                     Please reply to the list;
                                                           please don't CC me.

More information about the MailScanner mailing list