On Apr 5, 2005 3:33 PM, Tony Finch <[EMAIL PROTECTED]> wrote:
> 
> AFAIK bots use the MX of a parent domain of the infected machine's
> hostname to find an outgoing relay, not SPF. This is based on an
> incident I dealt with in September, and the Spamhaus article
> http://www.spamhaus.org/news.lasso?article=158
> Fortunately it isn't too hard to lock down MXs to incoming only.
> 

Some bots do that. Others just grab the SMTP server (and AUTH settings,
if any) from your MUA - easier if it's Outlook / OE - and send using
that smarthost.

Just that when you have SMTP AUTH usernames in your logs, and virus
signs, it is quite easy to locate and lock down that user, or maybe use
your RADIUS server to drop his login session, then restrict his next
login to a walled-garden VLAN, or maybe cut it off altogether till the
issue is fixed.

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])

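The log correlation Suresh describes (find the SMTP AUTH username behind a burst of outbound mail, then act on that account) as an added worked example; this is not code from the original thread. It joins MTA "who authenticated, from where" lines with "how many recipients" lines by queue ID and flags users whose sending rate or recipient count is far outside normal. The log lines are constructed and modelled on Postfix smtpd/qmgr syslog output; the exact format, the usernames and IPs, and the thresholds are assumptions to be adapted to your own MTA and baseline.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on Postfix smtpd/qmgr syslog lines.
# The format is an assumption: adapt the two regexes below to your MTA.
def _constructed_log():
    lines = [
        "Apr  5 15:20:00 mx1 postfix/smtpd[2101]: A0001: client=dsl-1.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice",
        "Apr  5 15:20:00 mx1 postfix/qmgr[1000]: A0001: from=<alice@example.com>, size=2048, nrcpt=1 (queue active)",
        "Apr  5 15:25:30 mx1 postfix/smtpd[2103]: A0002: client=dsl-1.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice",
        "Apr  5 15:25:30 mx1 postfix/qmgr[1000]: A0002: from=<alice@example.com>, size=900, nrcpt=2 (queue active)",
        "Apr  5 15:30:00 mx1 postfix/smtpd[2105]: A0003: client=dsl-1.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice",
        "Apr  5 15:30:00 mx1 postfix/qmgr[1000]: A0003: from=<alice@example.com>, size=1500, nrcpt=1 (queue active)",
    ]
    # bob's infected PC (hypothetical): 30 messages, 40 recipients each,
    # pushed through the smarthost with bob's stored AUTH credentials in two minutes
    for i in range(30):
        sec = 5 + 4 * i
        ts = "Apr  5 15:%02d:%02d" % (30 + sec // 60, sec % 60)
        qid = "B%04X" % i
        lines.append("%s mx1 postfix/smtpd[%d]: %s: client=dsl-7.example.net[192.0.2.77], "
                     "sasl_method=PLAIN, sasl_username=bob" % (ts, 2200 + i, qid))
        lines.append("%s mx1 postfix/qmgr[1000]: %s: from=<bob@example.com>, size=3100, "
                     "nrcpt=40 (queue active)" % (ts, qid))
    return lines

SAMPLE_LOG = _constructed_log()

# smtpd line: who authenticated (sasl_username) and from which client IP.
# Inbound mail from other MTAs carries no sasl_username and is skipped.
SMTPD_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: (?P<qid>\w+): '
    r'client=\S+\[(?P<ip>[^\]]+)\], .*sasl_username=(?P<user>\S+)')
# qmgr line: recipient count for the same queue ID.
QMGR_RE = re.compile(
    r'^\S+\s+\d+ \d\d:\d\d:\d\d \S+ postfix/qmgr\[\d+\]: (?P<qid>\w+): '
    r'from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)')


def summarize_auth_log(lines):
    """Join smtpd and qmgr lines by queue ID, then aggregate per SASL user:
    message count, total recipients, distinct client IPs and sending rate."""
    by_qid = {}
    for line in lines:
        m = SMTPD_RE.match(line)
        if m:
            by_qid[m['qid']] = {'user': m['user'], 'ip': m['ip'], 'nrcpt': 0,
                                'ts': datetime.strptime(m['ts'], '%b %d %H:%M:%S')}
            continue
        m = QMGR_RE.match(line)
        if m and m['qid'] in by_qid:  # only messages that were SMTP AUTH submissions
            by_qid[m['qid']]['nrcpt'] = int(m['nrcpt'])

    stats = {}
    for rec in by_qid.values():
        s = stats.setdefault(rec['user'], {'messages': 0, 'recipients': 0, 'ips': set(),
                                           'first': rec['ts'], 'last': rec['ts']})
        s['messages'] += 1
        s['recipients'] += rec['nrcpt']
        s['ips'].add(rec['ip'])
        s['first'] = min(s['first'], rec['ts'])
        s['last'] = max(s['last'], rec['ts'])
    for s in stats.values():
        # floor the window at one minute so a single message is not an infinite rate
        span_min = max((s['last'] - s['first']).total_seconds() / 60.0, 1.0)
        s['msgs_per_min'] = s['messages'] / span_min
    return stats


def flag_users(stats, max_msgs_per_min=10.0, max_recipients=200):
    """Usernames whose submission pattern looks like a bot using stored AUTH
    credentials. Thresholds are assumptions; tune them against your baseline."""
    return sorted(u for u, s in stats.items()
                  if s['msgs_per_min'] > max_msgs_per_min or s['recipients'] > max_recipients)


if __name__ == '__main__':
    stats = summarize_auth_log(SAMPLE_LOG)
    for user in flag_users(stats):
        s = stats[user]
        print("%s: %d msgs, %d rcpts, %.1f msgs/min from %s -> lock account, drop session"
              % (user, s['messages'], s['recipients'], s['msgs_per_min'],
                 ', '.join(sorted(s['ips']))))
```

The flagged username is the handle the rest of the procedure keys on: disable the SMTP AUTH account, and use the same name to drop the RADIUS session and push the next login into the walled-garden VLAN. The distinct client IPs are reported alongside so the operator can see which host to isolate.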