<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
<title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
<br>
<br>
Antony Stone wrote:<br>
<blockquote type="cite"
cite="mid200309011607.h81G7X506276@onyx.rockstone.co.uk">
<pre wrap="">On Monday 01 September 2003 4:45 pm, Spicer, Kevin wrote:
</pre>
<blockquote type="cite">
<pre wrap="">John Williams wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Please forgive me if I've missed this post, but is there a way to
look at the IP address of incoming mail and filter/blacklist it based
on that?
</pre>
</blockquote>
<pre wrap="">Add it to sendmails access database. However, maybe you also have genuine
email from that IP? Best way to block sobig is to use sendmail subject
matching, search the archives for a set of rules.
</pre>
</blockquote>
<pre wrap=""><!---->
Unlikely you'll get genuine mail from that IP address, because Sobig sends
directly from infected client to (low priority) MX listed mail server,
bypassing client's normal outbound mail server.
Genuine emails from that client should go via the client's local (or ISP)
mail server first, so you won't end up blocking them.
</pre>
</blockquote>
Does anybody actively build lists of IP's sending out SoBig? We are
currently analysing our logs hourly and then taking the top 10
offenders and putting them in an Exim blocking list, in the hope that
it will take **some** load off our servers.<br>
<br>
My thought's are along the same lines of Antony's. i.e Sobig uses it's
own SMTP engine so we shouldn't be seeing these IP's anyhow.<br>
<br>
Dan<br>
<blockquote type="cite"
cite="mid200309011607.h81G7X506276@onyx.rockstone.co.uk">
<pre wrap="">
Antony.
--
In science, one tries to tell people
in such a way as to be understood by everyone
something that no-one ever knew before.
In poetry, it is the exact opposite.
- Paul Dirac
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
____________________________________
Daniel Bird
Network & Systems Manager
St. George's Hospital Medical School
Tooting
London SW17 0RE
P: +44 20 8725 2897
F: +44 20 8725 3583
E: <a class="moz-txt-link-abbreviated" href="mailto:dan@sghms.ac.uk">dan@sghms.ac.uk</a>
____________________________________
Hex dump: Where witches put used curses...
"#define QUESTION ((bb) || !(bb)) - Shakespeare." </pre>
</body>
</html>