Bob McElrath said:
> Jacob Anawalt [EMAIL PROTECTED] wrote:
>>
>> Bob McElrath said:
>> > Jacob Anawalt [EMAIL PROTECTED] wrote:
>> >> I guess that's as effective for reducing the bulk of your inbox as sending
>> >> "550 executables not accepted", especially if you don't have control over
>> >> the mail server and you match this virus with 100% accuracy.
>> >>
>> >> Either way, /dev/null or 550 after DATA crlf.crlf you've received the
>> >> whole message.
>> >
>> > "550 executables not accepted" would obviously be a superior solution.
>> > How do you do it?  My google searches and list archive searches turned
>> > up nothing...
>> >
>>
>> I use postfix v1.x, so I implement the body_checks regexp method, matching
>> the MS executable MIME 'fingerprint' mentioned here:
>>
>> http://sbserv.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_sobigf.shtml
>>
>> It's been a while since I used Sendmail and even when I used it I didn't
>> understand most of the settings, but there's got to be something similar.
>
> Darn, I was hoping (aren't we all) for a way to reject it before the
> whole thing is sent.  You know...it wouldn't be hard to scan the input
> for the EXE header and close the connection as soon as it's seen.  Then
> you'd only download 1k or so rather than 150k...

While you _could_ do that, and if you _knew_ the mail had been sent
directly from some Windowz end user system and not relayed through a valid
server (I've noticed a couple of "we dropped the virus but sent you the
message anyway" swen messages in my inbox) then I guess that would be just
fine, might as well throw up a firewall rule to block their next attempts
or have your mail server send 550 reject at the next connection.

If it's a real server, I thought that it would just try the connection
again because it didn't get a yes 250 or a no 5xx or even a maybe later
3-4xx, and you might not want to firewall or reject all email from a
mailserver just because one of their users is infected.

Anyone, please correct me if I'm wrong here. Doesn't protocol dictate that
if I accept HELO, MAIL FROM and RCPT TO that I'm supposed to accept the
whole of DATA before I can say 'not ok'? Wouldn't a "connection reset by
peer" just cause the sending server (if it wasn't a dumb virus smtp
session) to resend later?

>
>> P.S. I notice you use [EMAIL PROTECTED] Is this email address only for list
>> traffic? I'm toying w/ the idea of doing that and only accepting email to
>> that address that comes from the list. Topic: Anti-Spam ideas for
>> usenet/list harvested email addresses.
>
> Yes, I'm receiving 80k copies of Swen because of the debian/usenet
> gateway, and one time when I didn't use bob+debian.  :(

So none of the email is to bob+debian? Nice to know that Swen writer
didn't try too hard. Maybe others won't and people who can should use +/-
in their email address.

>
> The "plus" addresses (anything on the right side of the plus, and the
> plus can be a minus too) is RFC compliant and sendmail automatically
> ignores the RHS of the +/-.  It's supposed to be "local delivery"
> information -- like which mailbox to put it into.  Of course
> [EMAIL PROTECTED] is not a valid email and that's what most harvesters
> pick up.  Occasionally I see attempts in my logs to deliver to such
> addresses.  Be aware though that many web-forms out there are broken and
> don't accept the + in an email field.  (For which I usually make an
> alias using an underscore)
>
> Only accepting email that comes from the list to the +debian address
> wouldn't work because of people (like yourself) that reply to my mails.
>

Hey! I thought I'd been very careful on this thread to only send directly
to the list. I even double checked just now. :P

While I did get your cc'd reply faster than the one you sent to the list,
I would have gotten the one from the list all the same, and your cc'd
reply would have bounced with the error code I suggested in that other
thread.

I've got some new (possibly poor) thoughts on how to get people my
direct-response email w/o resorting to typing it into the body of the
mail message in some 'safe' manner, but I want to keep it in the
"Anti-spam" thread.

-- 
Jacob
Trying out SquirrelMail
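
The trade-off discussed in this message, as an added example that is not part of the original thread or of any mail server's code: a DATA-phase filter that can only answer "550 executables not accepted" after the terminating dot, compared with a connection that ends mid-DATA and gets no reply at all. The fingerprint value, the function names, the "250 OK" text and the sample messages are assumptions constructed for illustration.

```python
import base64

# First 18 bytes of the usual DOS/PE ("MZ") header. Assumption: the "fingerprint"
# is the base64 form of such a header; the exact value is not given on the page.
MZ_PREFIX = bytes.fromhex("4d5a90000300000004000000ffff0000b800")
FINGERPRINT = base64.b64encode(MZ_PREFIX).decode("ascii")

def smtp_data_reply(wire_lines):
    """Read DATA-phase lines (CRLF already stripped) up to the lone "." and
    return (reply, bytes_received). reply is None if the stream ended early."""
    received, hit = 0, False
    for raw in wire_lines:
        received += len(raw) + 2              # count the CRLF as well
        if raw == ".":                        # end of DATA: first point a reply is allowed
            # "250 OK" is a constructed success text for this example.
            reply = "550 executables not accepted" if hit else "250 OK"
            return reply, received
        line = raw[1:] if raw.startswith(".") else raw   # undo SMTP dot-stuffing
        if line.startswith(FINGERPRINT):
            hit = True                        # keep reading; no reply slot mid-DATA
    # Connection ended before the terminator: the client saw no 2xx/4xx/5xx,
    # so a queueing MTA treats the delivery as temporarily failed and retries.
    return None, received

def sample_message(body_lines):
    """Constructed sample message (not captured traffic), ending with the terminator."""
    head = ["From: sender@example.org", "MIME-Version: 1.0",
            'Content-Type: application/octet-stream; name="sample.exe"',
            "Content-Transfer-Encoding: base64", ""]
    return head + body_lines + ["."]

# Roughly 150k on the wire, like the attachment size mentioned in the thread.
INFECTED = sample_message([FINGERPRINT + "A" * 52] + ["A" * 76] * 2000)
CLEAN = sample_message(["aGVsbG8gd29ybGQ="])

if __name__ == "__main__":
    for name, msg in (("infected", INFECTED), ("clean", CLEAN),
                      ("dropped mid-DATA", INFECTED[:10])):
        print(name, smtp_data_reply(msg))
```

The infected case returns the 550 only after every byte has been counted, while the truncated case returns no reply at all, which is the situation a relaying server would retry.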

