PS: It would also re-assure many of my hosting customers, when they see a virus coming in from a forged domain (e.g., their OWN domain). If they were to see the REVERSE DNS domain, rather than the "claimed" sender domain, they would be re-assured that it was NOT their OWN workstations that were infected.

It's a frequent call I get, which really is not necessary. I get these calls even though my notice to them says that the sender is forged. I found no one reads past the first sentence, and picks up the phone.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Schmidt
Sent: Saturday, December 27, 2003 03:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Request

Remember, except for "public" (role) email addresses, the virus comes from a workstation that had the recipient's email address in their address book. So it's likely an "affiliated" company or a frequent correspondent. While the "from" address is forged, the Reverse DNS is NOT. There have been many cases where I was able to pinpoint the infected workstation at one of our regular trading partners just by seeing the reverse DNS.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists)
Sent: Saturday, December 27, 2003 03:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Request

> In any case - it's much easier for an end user to see the Reverse DNS
> domain name than to see an IP address and then have to try to figure
> out who that IP address is associated with so that they can send an
> email to the abuse department (in the occasional case, that someone is
> bombarded by an infected computer).

I am sure the admin responsible for the mail server that is receiving the postmaster messages would be in a much better position to detect and react to bombardments, such as blocking the IP or contacting the appropriate entity if advisable.

On my server, the only action I take on a forging virus is if an IP has sent more than 5 messages in 24 hours, it gets banned (Imail SMTP Control access) for 30 days. (If the user/ISP/whoever cares enough to contact us to find out why, they will be notified why.) Repeat offence is banned for 60 days. Third offence is permanent.

In any case, if the virus is forging, attempts to contact the sender by the user are work at best, and the only reliable piece of information would be the remote IP or REVDNS, which again in most cases the REVDNS would require further searching and tracking down to find out the actual user at the time of the message being sent. But if you feel it best to give the user that kind of information, more power to you.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
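The two mechanisms discussed in this thread, John's escalating per-IP ban (more than 5 virus messages from one IP in 24 hours: 30 days, then 60 days, then permanent) and Andy's point that a notice should name the connecting host's reverse DNS rather than the forged From address, as an added Python example that is not part of the thread and not Declude or IMail code; the event tuples, IP addresses, host names and mail addresses are constructed.

```python
"""Escalating per-IP ban for forging viruses, plus a notice naming the connecting host."""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                 # more than 5 virus messages from one IP ...
WINDOW = timedelta(hours=24)  # ... inside any 24-hour window triggers a ban
BAN_DAYS = (30, 60)           # first offence 30 days, second 60, third permanent


def burst(ip, rdns, claimed, start, count):
    """Constructed detections: (timestamp, remote IP, reverse DNS, claimed From)."""
    return [(start + timedelta(minutes=i), ip, rdns, claimed) for i in range(count)]


T0 = datetime(2003, 12, 27, 3, 0)
PARTNER = ("198.51.100.7", "mail.partner.example", "user@customer.example")
SAMPLE_EVENTS = (
    burst(*PARTNER, T0, 6)                          # first offence
    + burst(*PARTNER, T0 + timedelta(days=10), 3)   # refused while banned, not counted
    + burst(*PARTNER, T0 + timedelta(days=31), 6)   # second offence
    + burst(*PARTNER, T0 + timedelta(days=100), 6)  # third offence: permanent
    + burst("203.0.113.9", "pc12.other.example", "boss@customer.example", T0, 3)
)


def evaluate(events):
    """Replay detections in time order. Returns ({ip: ban expiry, None = permanent},
    {ip: offence count}). Messages arriving during a ban are refused, not counted."""
    recent = defaultdict(list)   # per-IP timestamps inside the current window
    offences = defaultdict(int)
    banned_until = {}
    for ts, ip, _rdns, _claimed in sorted(events, key=lambda e: e[0]):
        if ip in banned_until and (banned_until[ip] is None or ts < banned_until[ip]):
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= WINDOW] + [ts]
        if len(recent[ip]) > THRESHOLD:
            offences[ip] += 1
            n = offences[ip]
            banned_until[ip] = None if n > len(BAN_DAYS) else ts + timedelta(days=BAN_DAYS[n - 1])
            recent[ip] = []      # start a fresh window once the ban lapses
    return banned_until, dict(offences)


def notice(rdns, claimed_from):
    """Notice text that leads with the connecting host, not the forged sender."""
    return (f"Virus received from host {rdns}. The sender address {claimed_from} "
            f"was forged by the virus; it does not identify the infected machine.")
```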
