Since almost all modern virus carry their own SMTP engine, almost none will be flagged as outgoing and will be caught as incoming when they try to send their payload to other users on the system.
I use the SENDONLYIFIP in a series of .eml files to catch messages originating from local IP subnets and direct them to a special email address. This way I even flagged viruses from customers who run their own mail servers as they try to infect our servers ;-) My only problem is that I seem to have run into a wall as to the number of .eml files I can have. Last week I added another one to flag a customer who uses us for email but doesn't reside on our IP range, and declude stopped sending out the postmaster.eml file, though it continued to process others. :-( Renaming the file I had just added made the mail flow again. > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Greg Little > Sent: Tuesday, April 27, 2004 3:46 PM > To: [EMAIL PROTECTED] > Subject: Re: [Declude.Virus] Virus counts? > > > I use a much more "low tech" technique for this. > Declude E-Mails me (and a couple of other techs) every time > it finds a > virus, Vulnerability or Banned Ext. . > This is around a 1,000 per day lately. (Most of which are just more > Netsky or Vulnerability junk to ignore) > > In the body of the e-mail I dump a variable (as I recall it is in the > standard templates), but I can get the detail if needed. > That variable returns Incoming or Outgoing. > Once you get that far, I recommend setting up rules within > your e-mail > program to route certain e-mail to a Folder that will get > your attention. > (also Banned Extensions should get the same treatment, > because these may > be normal user work that is getting trapped or a very new virus.) > > Let us know which part you need help with. (lots of folks can help) > > Greg > > > Bob McGregor wrote: > > >thanks greg, if you are using unxutils, would you mind > sharing how you put the incoming/outgoing together? > > > >We have very few infections (so far) from within our school > distrcit but when they do occur, it would be nice to know > it.... I t's a great add! > > > >bob > > > > > > > --- > [This E-mail scanned for viruses by Findlay Internet] > > --- > [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
