Targeting Malware
Denis Beauchemin
Denis.Beauchemin at USherbrooke.ca
Thu Nov 12 13:44:02 GMT 2009
Antony Stone wrote:
> On Thursday 12 November 2009 07:52, Pete Russell wrote:
>
>> This works fine until you get someone with new malware.
>>
>
>> We often get 40k of these same emails being sent each day; in the past MS
>> and SA just stopped them, but now they seem to beat it a little more and we
>> have to create custom rules (not very gracefully).
>>
>
>> Should I go with DCC or Pyzor to target these emails? Any other
>> suggestions?
>>
>
> Limit the number of IP connection requests to the mail server from each client
> to a reasonable value (e.g. maximum one email per minute or so)?
>
> This could be done with a firewall-type system such as iptables, or with the
> connection-rate limits of a recent sendmail (presumably other MTAs as well).
>
> Alternatively use a Network IDS to detect massive traffic from isolated IP
> addresses and raise an alert / throttle back that client until it's been
> investigated? That's probably a good thing to do anyway, since if you have
> problems with malware-infected machines sending thousands of emails, you
> probably get problems with other sorts of malware too, which create local
> broadcast traffic, traffic to random IPs, port scans etc., and it would be
> good to pick this up so the machines can be taken off the network too.
>
> Regards,
>
> Antony.
Pete,
Another tool you could use to limit the number of emails is
milter-limit. I use it on my outgoing and incoming MailScanner servers
and it really does a great job!
milter-limit is free. You can find it here:
http://www.snertsoft.com/sendmail/milter-limit/
Denis
--
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045
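Antony's second suggestion above, spotting the isolated client that suddenly sends far more mail than a workstation should and raising an alert, is the kind of thing that can be scripted against the mail server's own log rather than needing a full NIDS. The following is an added example, not code from the thread, from MailScanner or from milter-limit: it reads sendmail-style `from=` log records, counts messages per connecting IP in a sliding 60-second window, and reports clients above a threshold together with a suggested iptables block. The log lines, IP addresses, hostnames and message IDs are constructed for the example, the year is assumed to be 2009 because syslog timestamps carry none, and the log format is the common sendmail `from=` / `relay=host [ip]` layout; adjust the regular expression for Postfix or another MTA.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the original thread). Sendmail-style
# "from=" records carry the connecting client's IP in brackets at the end;
# a "to=" delivery record is included to show that it is ignored.
SAMPLE_LOG = """\
Nov 12 13:40:00 mx sendmail[2190]: nACDe0Xq002190: from=<bob@example.org>, size=2210, nrcpts=1, relay=ws30.example.org [10.1.2.30]
Nov 12 13:44:02 mx sendmail[2201]: nACDi2aB002201: from=<alice@example.org>, size=812, nrcpts=1, relay=ws17.example.org [10.1.2.17]
Nov 12 13:44:03 mx sendmail[2202]: nACDi2aB002201: to=<x@example.com>, delay=00:00:01, mailer=esmtp, relay=mail.example.com. [192.0.2.10], dsn=2.0.0, stat=Sent
Nov 12 13:44:05 mx sendmail[2203]: nACDi5aB002203: from=<alice@example.org>, size=812, nrcpts=1, relay=ws17.example.org [10.1.2.17]
Nov 12 13:44:09 mx sendmail[2205]: nACDi9aB002205: from=<alice@example.org>, size=812, nrcpts=1, relay=ws17.example.org [10.1.2.17]
Nov 12 13:44:20 mx sendmail[2207]: nACDiKaB002207: from=<carol@example.org>, size=4410, nrcpts=1, relay=ws44.example.org [10.1.2.44]
Nov 12 13:44:31 mx sendmail[2209]: nACDiVaB002209: from=<alice@example.org>, size=812, nrcpts=1, relay=ws17.example.org [10.1.2.17]
Nov 12 13:44:50 mx sendmail[2211]: nACDioaB002211: from=<carol@example.org>, size=1998, nrcpts=1, relay=ws44.example.org [10.1.2.44]
Nov 12 13:44:58 mx sendmail[2213]: nACDiwaB002213: from=<alice@example.org>, size=812, nrcpts=1, relay=ws17.example.org [10.1.2.17]
Nov 12 13:45:30 mx sendmail[2215]: nACDjUaB002215: from=<bob@example.org>, size=900, nrcpts=1, relay=ws30.example.org [10.1.2.30]
Nov 12 13:46:10 mx sendmail[2217]: nACDkAaB002217: from=<alice@example.org>, size=812, nrcpts=1, relay=ws17.example.org [10.1.2.17]
"""

# Matches only the "from=" (message accepted) record and captures the syslog
# timestamp and the connecting client's IP from the trailing "relay=host [ip]".
FROM_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: "
    r"\S+: from=<[^>]*>.*relay=\S+ \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s*$"
)


def parse_events(lines, year=2009):
    """Return {client_ip: [datetime, ...]} of accepted messages per client.

    Syslog lines carry no year, so one is supplied (assumed 2009 here).
    Lines that are not "from=" records (deliveries, bounces, etc.) are skipped.
    """
    events = defaultdict(list)
    for line in lines:
        m = FROM_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append(ts)
    return events


def peak_rate(timestamps, window_seconds):
    """Largest number of events falling inside any window of window_seconds.

    Two-pointer sweep over the sorted timestamps: the window is [ts[start], ts[end]]
    and start advances whenever that span exceeds the window size.
    """
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_bursty_senders(lines, threshold=3, window_seconds=60):
    """Return {ip: peak_count} for clients exceeding threshold messages in a window.

    threshold=1 with a 60s window is Antony's "one email per minute"; a slightly
    higher default is used here to tolerate a user sending a few replies at once.
    """
    flagged = {}
    for ip, stamps in parse_events(lines).items():
        n = peak_rate(stamps, window_seconds)
        if n > threshold:
            flagged[ip] = n
    return flagged


def block_command(ip):
    """Suggested containment: drop the client's SMTP connections at the gateway."""
    return f"iptables -I INPUT -p tcp --dport 25 -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, n in sorted(flag_bursty_senders(SAMPLE_LOG.splitlines()).items()):
        print(f"ALERT {ip}: {n} messages within 60s -> {block_command(ip)}")
```

On the constructed sample only 10.1.2.17 (five messages in under a minute, then more) trips the default threshold; lowering it to one per minute also catches 10.1.2.44 with two messages 30 seconds apart, which is the false-positive trade-off a per-minute limit brings. Note the distinction from Antony's first suggestion: iptables or sendmail connection-rate limits count SMTP connections, whereas this counts accepted messages, so a client that pipelines many messages over one connection is only caught by the latter.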