On or about 08:50 PM 1/1/01 +0100, Piotr Kasztelowicz was caught in a dark
alley speaking these words:
>On 1 Jan 2001, Mark Delany wrote:
>
>> badmailfrom won't work on this. See the archives for discussions on
>> why not (it checks Return-Path).
>
>Not a good idea: on the ORBS spammers' list can be found people who
>don't write spam - for instance, I.

The problem is, this isn't spam -- it's a virus. If you start blocking IP's
from wherever you get this, you will start blocking a *lot* of non-relaying
sites. This isn't relaying. This is a case of honest (albeit IMNSHO
clueless) people sending out a copy of a virus they don't know they have.

The virus sending out copies of itself to known good email addresses isn't
my major problem, tho. The virus also sends itself to godawful strings of
non-Internet related characters (like "<a>slkjjsdl@#.jskd") which is
causing a very high load of double-bounces - with me being the postmaster,
I'm getting a very large (to the order of 2-5 every *second*) number of
these in my mailbox.

One bad thing about this virus is it wipes out (almost) every piece of
useful data that you could use to track down the person who has the virus.
The only useful stuff is what qmail logs - namely the HELO string, the
originating IP address & time. (And the HELO string is useless if the user
doesn't change the "Host" DNS setting from "oemcomputer" to the user's real
ID.)

Now, a .qmail file which filters on that idiot "[EMAIL PROTECTED]" and
either a) sends that mail to the bit-bucket (which is by now overflowing...
:-) or b) filters out the Received: header with the HELO line in it and
stuffs it into a separate file would be a great boon...

If I have a chance I'll bone up on .qmail files (one thing I don't like
about qmail is it doesn't crash. "Set it and forget it" which is what
usually happens... ;-) and write it myself, but I don't have the time just
yet.

I do have a perl script somewhere that does the HELO filter in (b) above,
but it's a separate proggie - not an inline filter. (Oh, on larger files,
it won't run under NT's perl, either. Hope you have a *nix box handy...)

HTH,
Roger "Merch" Merchberger
=====
Roger "Merch" Merchberger -- [EMAIL PROTECTED]
SysAdmin - Iceberg Computers
=====  Merch's Wild Wisdom of the Moment:  =====
Sometimes you know, you just don't know sometimes, you know?
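
The HELO filter described in (b) above, sketched as an added example; this is not the perl script mentioned in the message. It assumes the `Received:` layout written by qmail-smtpd and scans the whole text, because a double-bounce carries the original headers in its body. `LOG_PATH` and the sample message are constructed.

```python
import re
import sys

LOG_PATH = "helo.log"  # hypothetical output file

# Assumed qmail-smtpd layout, after unfolding:
#   Received: from <rdns> (HELO <helo>) (<ident@><ip>) by <local> with SMTP; <date>
RECEIVED_RE = re.compile(
    r"^Received: from (?P<rdns>\S+) "
    r"(?:\(HELO (?P<helo>[^)]*)\) )?"
    r"\((?:(?P<ident>[^@)]*)@)?(?P<ip>[0-9.]+)\)\s+"
    r"by (?P<local>\S+) with SMTP; (?P<when>.+)$"
)

def unfold(text):
    """Join continuation lines (leading space or tab) onto the line above."""
    out = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def smtp_origins(text):
    """Return one dict per SMTP Received: line found anywhere in the text."""
    hits = []
    for line in unfold(text):
        m = RECEIVED_RE.match(line)
        if m:
            d = m.groupdict()
            # qmail drops the HELO clause when it equals the reverse-DNS name
            if d["helo"] is None:
                d["helo"] = d["rdns"]
            hits.append(d)
    return hits

def log_lines(text):
    """Format each hit as: IP <tab> HELO string <tab> time."""
    return ["%s\t%s\t%s" % (h["ip"], h["helo"], h["when"])
            for h in smtp_origins(text)]

# Constructed sample: a bounce with a copy of the original message below it.
SAMPLE = """\
Received: (qmail 1234 invoked for bounce); 1 Jan 2001 19:50:13 -0000
Subject: failure notice

--- Below this line is a copy of the message.

Return-Path: <>
Received: from unknown (HELO oemcomputer) (192.0.2.10)
  by mail.example.org with SMTP; 1 Jan 2001 19:50:12 -0000
Subject: constructed sample
"""

if __name__ == "__main__":
    with open(LOG_PATH, "a") as fh:
        fh.writelines(l + "\n" for l in log_lines(sys.stdin.read()))
```

Run from a program delivery line in a .qmail file, the script exits 0, so qmail carries on with any delivery instructions that follow it.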
