Not sure if you can do this, but I only allow SMTP traffic (port 25) out of our network from our defined servers at the firewall... that way those that attempt with their own SMTP engine go nowhere.
However, we have had a couple of infections that do use the known mail server. However, with remoteip they are identified easily, as it's from our internal 10.x network.

On Tuesday, April 27, 2004 3:45 PM, Donn Bly <[EMAIL PROTECTED]> wrote:
>Since almost all modern viruses carry their own SMTP engine, almost none will be flagged as outgoing and will be caught as incoming when they try to send their payload to other users on the system.
>
>I use the SENDONLYIFIP in a series of .eml files to catch messages originating from local IP subnets and direct them to a special email address. This way I even flagged viruses from customers who run their own mail servers as they try to infect our servers ;-)
>
>My only problem is that I seem to have run into a wall as to the number of .eml files I can have. Last week I added another one to flag a customer who uses us for email but doesn't reside on our IP range, and Declude stopped sending out the postmaster.eml file, though it continued to process others. :-( Renaming the file I had just added made the mail flow again.
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Greg Little
>> Sent: Tuesday, April 27, 2004 3:46 PM
>> To: [EMAIL PROTECTED]
>> Subject: Re: [Declude.Virus] Virus counts?
>>
>> I use a much more "low tech" technique for this.
>> Declude E-Mails me (and a couple of other techs) every time it finds a virus, Vulnerability or Banned Ext.
>> This is around 1,000 per day lately. (Most of which are just more Netsky or Vulnerability junk to ignore)
>>
>> In the body of the e-mail I dump a variable (as I recall it is in the standard templates), but I can get the detail if needed.
>> That variable returns Incoming or Outgoing.
>> Once you get that far, I recommend setting up rules within your e-mail program to route certain e-mail to a Folder that will get your attention.
>> (also Banned Extensions should get the same treatment, because these may be normal user work that is getting trapped or a very new virus.)
>>
>> Let us know which part you need help with. (lots of folks can help)
>>
>> Greg
>>
>> Bob McGregor wrote:
>>
>> >Thanks Greg, if you are using unxutils, would you mind sharing how you put the incoming/outgoing together?
>> >
>> >We have very few infections (so far) from within our school district but when they do occur, it would be nice to know it.... It's a great add!
>> >
>> >bob
>>
>> ---
>> [This E-mail scanned for viruses by Findlay Internet]
>
>---
>[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
>
>---
>This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
