Kelson Vibber wrote:
> Something I've found that helps cut down on the virus scanning: When
> you receive a self-mailing virus, check the IP's reverse DNS for any
> signs that it might be a real mail server. If not, block it for a short
> period of time. We use 24 hours, and look for patterns like
> ip-add-re-ss-dsl.whatever vs. mail.something or mx.something.
>
> In the past we used to get lots of repeats, usually to the same sets of
> addresses. Blocking the IP really cuts down on the load -- our virus
> count only jumped by a factor of 10 on Monday -- and since we're
> scanning inbound mail, it rarely collides with our own users who would
> normally be sending mail.
>
> In fact, the only time I can remember having a problem with it, one of
> our customers had received a copy of a virus (either defanged before the
> signature was added or from another source, I forget which) and had the
> sense not to open it... but forwarded it to their network consultant,
> asking "Is this a virus?"
>
> The main nuisance Sober has caused here has been all the bogus bounces.

Exact same story at our location -- a few of our clients received so many bogus bounces that we had to block several domains and host IPs (some of which I am sure are legitimate). Some of our smaller business offices were inundated with thousands of bounces thanks to all of the networks/PCs out there infected with Sober. The largest hassle on our part is fielding the calls from dimwitted clients who believe the 4-line, text-only bounces actually might contain the virus...

- Chris

------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
[EMAIL PROTECTED]

_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
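
The reverse-DNS check and 24-hour block described in the quoted message, sketched in Python as an added example (not code from either poster or from MIMEDefang). The hostname patterns and all function and class names are assumptions, and the PTR names and addresses used with it are constructed samples.

```python
import re
import time

# Assumed patterns, modelled on the quoted examples
# ("ip-add-re-ss-dsl.whatever" vs. "mail.something" / "mx.something").
MAIL_HOST = re.compile(r"^(mail|mx|smtp|relay|mta)\d*[.-]", re.I)
IP_IN_NAME = re.compile(r"\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}")
ACCESS_LABEL = re.compile(
    r"(^|[.-])(a?dsl|cable|dial(up)?|dyn(amic)?|dhcp|ppp|pool)\d*([.-]|$)", re.I)

BLOCK_SECONDS = 24 * 60 * 60  # the 24-hour period from the quoted message


def looks_like_mail_server(ptr_name):
    """Return True when the reverse-DNS name shows signs of a real mail server."""
    if not ptr_name:
        return False  # assumption: no PTR record means no sign of a mail server
    if MAIL_HOST.search(ptr_name):
        return True
    # An embedded address or an access-technology label suggests an end-user host.
    if IP_IN_NAME.search(ptr_name) or ACCESS_LABEL.search(ptr_name):
        return False
    return True  # unknown naming scheme: do not block on a guess


class TempBlockList:
    """Short-lived block list keyed by sender IP; entries expire after ttl seconds."""

    def __init__(self, ttl=BLOCK_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self._expires = {}

    def on_virus(self, ip, ptr_name):
        """Call when a self-mailing virus arrives from ip. Returns True if blocked."""
        if looks_like_mail_server(ptr_name):
            return False  # likely a relay that other people's mail depends on
        self._expires[ip] = self.clock() + self.ttl
        return True

    def is_blocked(self, ip):
        """Check a connecting IP, dropping the entry once its block has expired."""
        expiry = self._expires.get(ip)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self._expires[ip]
            return False
        return True
```

The PTR lookup itself is left to the caller, which passes the resolved name (or `None`) to `on_virus`.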

