On Thu, Dec 01, 2005 at 03:16:19PM +0200, [EMAIL PROTECTED] wrote:
> Hi,
>
> I thought of temporary (let's say for 6-24 hours) blocking the IP of the
> senders NOT THE PROVIDERS!

Great idea! But unfortunately viruses _are_ very often relayed via ISPs like
yahoo, msn & co. It will even break forwarding. Why? Because at
check_client_access postfix has the ISP MTA as talk-partner, not the originating
client.

Just an example:

Received: from mx0.gmx.net (mx0.gmx.de [213.165.64.100])
        by robtone.ek-muc.de (Postfix) with SMTP id 70A41C3896
        for <[EMAIL PROTECTED]>; Thu, 1 Dec 2005 09:43:22 +0100 (CET)
Received: (qmail 22805 invoked by alias); 1 Dec 2005 08:43:21 -0000
Delivered-To: GMX delivery to [EMAIL PROTECTED]
Received: (qmail invoked by alias); 01 Dec 2005 08:43:16 -0000
Received: from unknown (HELO mail.mqin.com) [61.232.3.183]
        by mx0.gmx.net (mx013) with SMTP; 01 Dec 2005 09:43:16 +0100
Received: (qmail 17377 invoked by uid 510); 1 Dec 2005 12:23:00 +0900

If we temp-blocked 61.232.3.183, he could still send viruses via relaying
to gmx, because postfix talks to 213.165.64.100 _ONLY_.

If we blocked 213.165.64.100, then we would be blocking an ISP. This goes for
many ISPs.

If you know better, write a log-scanner script which does what you want.
Please keep in mind - I've tried out an obviously even more failsafe solution:
rejecting based on "sender-ip" - but I was able a) to find ways to get
around it and b) to block stuff unauthorized remotely.

--
Robert Felber (PGP: 896CF30B)
Munich, Germany
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
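
Added example, not part of the original message: a Python sketch that walks the Received chain quoted above and separates the connecting client, which is all a client access check can act on, from addresses recorded further upstream. The function names and the extra `host.example` / `relay.example` header with the documentation address 192.0.2.10 are constructed for illustration, and the topmost Received header is assumed to be the one written by the local MTA.

```python
import re
from email import message_from_string

# Received chain quoted in the message above (continuation lines re-folded).
SAMPLE = """\
Received: from mx0.gmx.net (mx0.gmx.de [213.165.64.100])
\tby robtone.ek-muc.de (Postfix) with SMTP id 70A41C3896
\tfor <[EMAIL PROTECTED]>; Thu, 1 Dec 2005 09:43:22 +0100 (CET)
Received: (qmail 22805 invoked by alias); 1 Dec 2005 08:43:21 -0000
Delivered-To: GMX delivery to [EMAIL PROTECTED]
Received: (qmail invoked by alias); 01 Dec 2005 08:43:16 -0000
Received: from unknown (HELO mail.mqin.com) [61.232.3.183]
\tby mx0.gmx.net (mx013) with SMTP; 01 Dec 2005 09:43:16 +0100
Received: (qmail 17377 invoked by uid 510); 1 Dec 2005 12:23:00 +0900

"""
# Constructed: a Received header supplied as part of the message itself,
# naming an address (192.0.2.10, documentation range) no MTA verified.
CLAIMED = ("Received: from host.example [192.0.2.10]\n"
           "\tby relay.example with SMTP; 1 Dec 2005 03:00:00 -0000\n")
WITH_CLAIM = SAMPLE.rstrip("\n") + "\n" + CLAIMED + "\n"

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")

def smtp_hops(raw):
    """Return (peer_ip, recording_host) per network hop, newest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())        # unfold continuation lines
        if not flat.startswith("from "):
            continue                          # local qmail hand-off, no peer
        ip, by = IP_RE.search(flat), BY_RE.search(flat)
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return hops

def connecting_client(raw):
    """IP recorded by our own MTA: the only address a client check sees."""
    return smtp_hops(raw)[0][0]

def deepest_claimed_ip(raw):
    """Oldest IP in the chain; written upstream, so unverified by us."""
    return smtp_hops(raw)[-1][0]

if __name__ == "__main__":
    for ip, by in smtp_hops(SAMPLE):
        print(f"{by} saw peer {ip}")
    print("client check sees:", connecting_client(SAMPLE))
    print("deepest claim    :", deepest_claimed_ip(SAMPLE))
    print("with extra header:", deepest_claimed_ip(WITH_CLAIM))
```

Only the first value is written by the receiving MTA itself; every header below it arrives as message data, which is why the deepest address changes when an unverified header is present.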