Fri, 30.04.2004 at 22:36, guenther wrote:
> > I'm at present refusing 2-3 per day *claiming* to be from this list (my
> > Postfix logs say so). The reason's long and involved, but I can't
> > readily check whether this is "backscatter" (Wietse Venema word for
> > false MAIL FROM:s) or whether they really do come from the Evo list.
>
> Nope, this is not just you. There are some worms getting through this
> list. Seems, there is at least one infected Micros~1 Windows machine
> that has collected this lists email address and Jeffs...
>
> (Yep, IIRC most of them forged Jeff as being the sender.)

They never get far enough for me to be able to see from whom the From:
is. The envelope sender (MAIL FROM:) is [EMAIL PROTECTED]

[...]
> Blocking all attachments would be a very bad idea IMHO. Stripping those
> infamous attachments would at least save bandwidth and protect anyone
> reading this list with MS clients. Simply rejecting those mails would
> actually keep the list clean but has another bad impact. [1]

That's policy as decided by management and ITS. One AV vendor at least,
Sophos, recommends banning all attachments - and that means an smtp
reject (55x), in which case there's no bounce or backscatter (that's
what I do on this rig). The submitting MTA/zombie/proxy/open relay sits
with the problem - in my case my ISP, but I've o.k.ed this with him.

I'm rejecting 20-40% of all my mail at the moment, of which again about
98-99% is spam or virus. I have a direct reject policy, since I can't
run amavisd-new or SpamAssassin on this tiny rig - but I do at clients'
sites.

Postfix 2.1 and SA-Exim 4/3.1 can smtp reject with a 55x, but at the
same time secretly analyze, save and quarantine rejected mail, and
notify the recipient about what's happened, so that no mail needs to get
lost.

> Tony, as you are knowledgeable about this issues, any specific advice to
> the list admins?
>
> [1] Automatically generated reply messages as response to received
>     worms is not the solution for years...

Bounced messages or notification should *never* be sent "back to the
sender" (an smtp reject is not a bounce), since the envelope sender
address (MAIL FROM:) is almost always forged.

For the record, on this rig (smtp server, IMAP server, Gnome desktop)
and for attachments I simply use 4 or 5 different mime header check pcre
regexps that Postfix's 'cleanup' daemon puts each mail through before
accepting from the client MTA.

Thanks!

--Tonni

--
We make out of the quarrel with others rhetoric
but out of the quarrel with ourselves, poetry.
mail: billy - at - billy.demon.nl
http://www.billy.demon.nl
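
An added illustration of the MIME header check described in the message above; it is not the poster's code, and the post does not show his regexps. This Python sketch applies one assumed attachment-name pattern to each MIME part header of a constructed message and returns a reject decision, the way a Postfix `mime_header_checks` pcre rule would act before the mail is accepted. The extension list, function names and sample message are assumptions.

```python
import re
from email import message_from_string

# Assumed pattern (not from the post): a Content-Type or Content-Disposition
# header whose name=/filename= parameter ends in an executable extension.
BLOCKED = re.compile(
    r'^Content-(?:Type|Disposition):.*\b(?:file)?name\s*=\s*"?[^";]*'
    r'\.(?:exe|scr|pif|com|bat|vbs|cmd)\s*"?\s*(?:;|$)',
    re.IGNORECASE,
)

def check_message(raw):
    """Return ("REJECT", header) for the first matching MIME header, else ("OK", None)."""
    for part in message_from_string(raw).walk():
        for name, value in part.items():
            # Join folded continuation lines into one logical header first,
            # so a filename on the second line of a header is still seen.
            header = "%s: %s" % (name, " ".join(value.split()))
            if BLOCKED.match(header):
                return "REJECT", header
    return "OK", None

def sample(filename):
    """Constructed two-part message with one attachment (sample data only)."""
    return (
        "From: someone@example.org\n"
        "Subject: Re: Your document\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "See the attached file.\n"
        "--b1\n"
        "Content-Type: application/octet-stream\n"
        "Content-Disposition: attachment;\n"
        ' filename="%s"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n"
        "AAAA\n"
        "--b1--\n"
    ) % filename

if __name__ == "__main__":
    for fn in ("document.txt.pif", "patch.diff"):
        print(fn, check_message(sample(fn)))
```

The decision is made on headers alone, so the attachment body never has to be decoded or scanned, which is why this approach fits a machine too small for a content scanner.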
