Craig Green wrote:
I tried this. Turns out a shocking number of ISPs and businesses don't bother running AV software on their outbound servers and just blindly relay their users' mail.

We got around this by only blacklisting virus senders under the following conditions:

1. The IP sent a mass-mailing worm.
2. rDNS is missing, invalid, or clearly indicates a dynamic/consumer range.
3. The IP or rDNS is not found on a small whitelist.

So if a virus gets relayed through an ISP's mail server, it'll probably trip rules 1 and 3, but not 2 (since it'll probably have rDNS that points to mail.example.com, or mx5.example.com, etc. and not to, say, adsl-1.2.3.4.example.com).

We also flush the list every 24 hours.

But then, we don't really use this list to block spam. It's more a method of reducing the load on our virus scanner during outbreaks. Block the IP temporarily, and if they send you a new copy of the virus every five minutes, you only need to scan it once a day until they clean the system or the virus stops sending.

--
Kelson Vibber
SpeedGate Communications <www.speed.net>
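The three-rule blocklist described in the message above, written out as an added Python example; it is not code from the original post or from MIMEDefang itself (whose filters are Perl). The dynamic-hostname hints, the whitelist entries and the sample sender events are constructed assumptions; the 24-hour wholesale flush follows the post.

```python
"""Temporary virus-sender blocklist modelled on the three rules in the post:
block only when (1) a mass-mailing worm was seen from the IP, (2) its rDNS is
missing, invalid or looks like a dynamic/consumer range, and (3) neither the IP
nor its rDNS is on a small whitelist. The whole list is flushed every 24 hours.
Hint list, whitelist and sample events below are constructed for illustration."""
import re
import time
from typing import Dict, Optional

# Hostname tokens that commonly mark consumer/dynamic pools (constructed heuristic).
DYNAMIC_HINTS = ("adsl", "dsl", "dial", "dyn", "ppp", "pool", "cable", "dhcp")
# Hypothetical whitelist of known-good relays, by IP and by rDNS suffix.
WHITELIST_IPS = {"203.0.113.25"}
WHITELIST_RDNS_SUFFIXES = (".partner.example",)
FLUSH_INTERVAL = 24 * 60 * 60  # the post flushes the list every 24 hours

# Syntactic sanity check for a reverse-DNS name (lower-cased, trailing dot removed).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def rdns_is_suspect(ip: str, rdns: Optional[str]) -> bool:
    """Rule 2: rDNS missing, syntactically invalid, or clearly dynamic-looking."""
    if not rdns:
        return True
    host = rdns.lower().rstrip(".")
    if not HOSTNAME_RE.match(host):
        return True
    tokens = re.split(r"[.-]", host)
    if any(tok.startswith(hint) for tok in tokens for hint in DYNAMIC_HINTS):
        return True
    # All four octets embedded as hostname tokens, e.g. adsl-1-2-3-4.isp.example
    return all(octet in tokens for octet in ip.split("."))


def is_whitelisted(ip: str, rdns: Optional[str]) -> bool:
    """Rule 3: whitelisted IPs or rDNS names are never blocked."""
    if ip in WHITELIST_IPS:
        return True
    host = (rdns or "").lower().rstrip(".")
    return any(host.endswith(suffix) for suffix in WHITELIST_RDNS_SUFFIXES)


class VirusBlocklist:
    """IPs blocked after sending a worm; cleared wholesale every FLUSH_INTERVAL."""

    def __init__(self, now: Optional[float] = None):
        self.entries: Dict[str, float] = {}  # ip -> time it was added
        self.last_flush = time.time() if now is None else now

    def _maybe_flush(self, now: float) -> None:
        if now - self.last_flush >= FLUSH_INTERVAL:
            self.entries.clear()
            self.last_flush = now

    def on_worm_detected(self, ip: str, rdns: Optional[str], now: float) -> bool:
        """Rule 1 trigger: the scanner flagged a mass-mailing worm from ip.
        Returns True if the IP was added, i.e. rules 2 and 3 also held."""
        self._maybe_flush(now)
        if is_whitelisted(ip, rdns) or not rdns_is_suspect(ip, rdns):
            return False
        self.entries[ip] = now
        return True

    def is_blocked(self, ip: str, now: float) -> bool:
        self._maybe_flush(now)
        return ip in self.entries


def demo() -> Dict[str, bool]:
    """Constructed outbreak events: which senders get the temporary block?"""
    t0 = 1_000_000.0
    bl = VirusBlocklist(now=t0)
    results = {
        # consumer DSL host sending a worm: all three rules hold, blocked
        "dynamic": bl.on_worm_detected("198.51.100.7", "adsl-198-51-100-7.isp.example", t0),
        # ISP relay with proper rDNS: rule 2 fails, so it is not blocked
        "relay": bl.on_worm_detected("198.51.100.20", "mx5.isp.example", t0),
        # no rDNS at all: blocked
        "no_rdns": bl.on_worm_detected("198.51.100.30", None, t0),
        # whitelisted IP: never blocked even with no rDNS
        "whitelisted": bl.on_worm_detected("203.0.113.25", None, t0),
    }
    results["still_blocked_1h"] = bl.is_blocked("198.51.100.7", t0 + 3600)
    results["flushed_after_24h"] = bl.is_blocked("198.51.100.7", t0 + FLUSH_INTERVAL)
    return results


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name}: {'blocked' if blocked else 'allowed'}")
```

The relay case is the point of the post: a worm relayed through `mx5.isp.example` still trips rules 1 and 3, but its sane rDNS fails rule 2, so the ISP's outbound server is left alone while the infected consumer host is skipped by the scanner until the next flush.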
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
