I agree with Scott but I took it a step further. I set up a SOBIG filter and forwarded the SOBIG email to a special account. I then looked at the connecting IP and added that to my trap. I then tracked down the owner of the IP and notified them that a host on their network had the virus. What will not be blocked are the emails that you will get that are bounce messages and virus warnings from servers where your users' emails have been spoofed.
2 weeks ago we were being hit by at least 10 machines sending us SOBIG emails. Now we are only receiving them from 1 machine. If you do not try to notify them then they are going to infect other machines, which can cause you to be hit from other IP addresses. You will also continue to receive the bounce and virus warning emails.

Here is my filter:

REMOTEIP 0 IS x.x.x.x
SUBJECT 0 CONTAINS Re: Details
SUBJECT 0 CONTAINS Re: Approved
SUBJECT 0 CONTAINS Re: Re: My details
SUBJECT 0 CONTAINS Re: Thank you!
SUBJECT 0 CONTAINS Re: That movie
SUBJECT 0 CONTAINS Re: Wicked screensaver
SUBJECT 0 CONTAINS Re: Your application
SUBJECT 0 CONTAINS Thank you!
SUBJECT 0 CONTAINS details

Kevin Bilbee

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of R. Scott Perry
> Sent: Thursday, September 04, 2003 8:32 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Declude.JunkMail] Using Declude to block Sobig Virus
>
>
> >I need some suggestions on how to block the Sobig virus from even being
> >processed by Declude. The amount of processes are so high it is causing
> >extreme latency and causing SMTP to not respond as well as time out. ANY
> >help is highly appreciated.
>
> The best way is to go through the viruses that are received, sort them by
> IP, and use IMail's SMTP Control Access file to block the worst offenders.
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
> Declude Virus: Catches known viruses and is the leader in mailserver
> vulnerability detection.
> Find out what you have been missing: Ask for a free 30-day evaluation.
>
> ---
> [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
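The workflow described in this thread (match the Sobig subjects, tally the connecting IPs, list the worst offenders), sketched as an added example; it is not code from either poster or from Declude. It assumes CONTAINS is a case-insensitive substring test, that one matching line is enough for a hit, and that mail is available as (connecting IP, subject) pairs; the sample data and the `min_hits` threshold are constructed for illustration.

```python
import re
from collections import Counter

# Subject rules copied from the filter in the message above. The REMOTEIP
# line is left out because its address is masked (x.x.x.x) on the page.
FILTER_TEXT = """\
SUBJECT 0 CONTAINS Re: Details
SUBJECT 0 CONTAINS Re: Approved
SUBJECT 0 CONTAINS Re: Re: My details
SUBJECT 0 CONTAINS Re: Thank you!
SUBJECT 0 CONTAINS Re: That movie
SUBJECT 0 CONTAINS Re: Wicked screensaver
SUBJECT 0 CONTAINS Re: Your application
SUBJECT 0 CONTAINS Thank you!
SUBJECT 0 CONTAINS details
"""

def parse_filter(text):
    """Return the lowercased substring of every SUBJECT ... CONTAINS line."""
    pattern = re.compile(r"SUBJECT\s+\d+\s+CONTAINS\s+(.+)")
    found = (pattern.match(line.strip()) for line in text.splitlines())
    return [m.group(1).strip().lower() for m in found if m]

def matches(subject, rules):
    # Assumption: case-insensitive substring match, any single rule suffices.
    lowered = subject.lower()
    return any(rule in lowered for rule in rules)

def rank_offenders(messages, rules, min_hits=2):
    """Count filter hits per connecting IP; return [(ip, hits)], worst first."""
    hits = Counter(ip for ip, subject in messages if matches(subject, rules))
    return [(ip, n) for ip, n in hits.most_common() if n >= min_hits]

# Constructed sample using documentation address ranges (RFC 5737).
SAMPLE = [
    ("192.0.2.10", "Re: Wicked screensaver"),
    ("192.0.2.10", "Re: Your application"),
    ("198.51.100.7", "Re: Thank you!"),
    ("192.0.2.10", "Re: That movie"),
    ("203.0.113.5", "Quarterly report"),
    ("198.51.100.7", "Re: Approved"),
    # Ordinary mail that the broad "details" rule also catches:
    ("203.0.113.9", "Invoice details attached"),
]

if __name__ == "__main__":
    for ip, n in rank_offenders(SAMPLE, parse_filter(FILTER_TEXT)):
        print(f"{ip}\t{n} hits")  # candidates to review before blocking
```

The hit threshold keeps an address that matched only once, such as the one caught by the broad "details" rule, out of the block candidates.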
