Re: [Declude.JunkMail] Using Declude to block Sobig Virus
> I need some suggestions on how to block the Sobig virus from even being processed by Declude. The number of processes is so high it is causing extreme latency and causing SMTP to not respond as well as time out. ANY help is highly appreciated.

The best way is to go through the viruses that are received, sort them by IP, and use IMail's SMTP Control Access file to block the worst offenders.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Using Declude to block Sobig Virus
You would need to block it before IMail receives it.

John Tolmachoff
MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James R. Skivers
Sent: Thursday, September 04, 2003 8:19 AM
To: [EMAIL PROTECTED]
Cc: 'R. Scott Perry'; [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Using Declude to block Sobig Virus

> I need some suggestions on how to block the Sobig virus from even being processed by Declude. The number of processes is so high it is causing extreme latency and causing SMTP to not respond as well as time out. ANY help is highly appreciated.
>
> Regards,
>
> James R. Skivers
> Network Administrator
> Web One Inc.
> [EMAIL PROTECTED]
> http://astra1.com
RE: [Declude.JunkMail] Using Declude to block Sobig Virus
The one thing I've been doing since the "invasion" began was use our secondary mail server to block the IPs of infected machines. Most of the infected messages seem to come through this machine first. We're running Sendmail (with the webmin interface; a lot easier to admin a linux box) and just editing the /etc/mail/access file and adding the IPs seems to have cut back significantly. I've added the IPs of blocked computers just to show how bad it's gotten for us.

68.198.54.158    REJECT
68.21.239.190    REJECT
66.121.151.50    REJECT
12.24.245.12    REJECT
65.16.62.133    REJECT
68.21.234.46    REJECT
24.159.60.200    REJECT
206.241.2.71    REJECT
64.147.6.241    REJECT
67.81.61.57    REJECT
64.30.194.34    REJECT
68.36.190.124    REJECT
68.52.195.199    REJECT
63.164.145.33    REJECT
64.238.101.148    REJECT
68.156.224.121    REJECT
24.170.148.211    REJECT
131.123.194.222    REJECT
65.106.147.178    REJECT
64.42.16.202    REJECT
24.211.10.41    REJECT
200.71.130.17    REJECT
167.206.206.195    REJECT
66.127.198.198    REJECT
162.40.222.119    REJECT
208.40.28.196    REJECT
24.208.129.78    REJECT
207.225.67.82    REJECT
159.247.3.210    REJECT
62.203.100.247    REJECT
67.121.153.139    REJECT
61.171.135.186    REJECT
166.102.18.250    REJECT
208.191.162.43    REJECT
66.207.240.194    REJECT
67.22.187.165    REJECT
66.0.236.20    REJECT
67.124.159.88    REJECT
172.195.161.72    REJECT
218.74.215.84    REJECT
218.4.189.195    REJECT
67.123.8.79    REJECT
24.192.246.239    REJECT
67.35.8.41    REJECT
67.124.156.242    REJECT
218.154.254.90    REJECT
68.211.150.190    REJECT
216.78.60.164    REJECT
24.56.47.175    REJECT
209.145.206.61    REJECT
68.154.104.93    REJECT
24.51.83.89    REJECT
61.11.73.184    REJECT
68.158.221.166    REJECT
209.114.230.52    REJECT
207.233.213.6    REJECT
143.111.23.145    REJECT
68.42.36.205    REJECT
12.224.192.252    REJECT
68.211.189.49    REJECT
192.216.156.19    REJECT
24.228.47.53    REJECT
68.36.3.18    REJECT
209.42.33.176    REJECT
67.124.41.187    REJECT
61.77.77.26    REJECT
62.56.134.108    REJECT
68.211.254.102    REJECT
67.34.231.144    REJECT
68.154.105.182    REJECT
68.75.177.204    REJECT
199.8.235.219    REJECT
64.204.5.34    REJECT
24.51.80.32    REJECT
68.74.150.211    REJECT
218.148.9.3    REJECT
68.42.56.220    REJECT
208.61.30.204    REJECT
12.248.55.60    REJECT
202.69.84.212    REJECT
61.171.70.153    REJECT
24.53.88.127    REJECT
64.223.33.234    REJECT
66.68.84.60    REJECT
67.34.240.3    REJECT
68.158.34.212    REJECT
68.158.98.7    REJECT
162.40.32.115    REJECT
66.228.145.47    REJECT
209.90.85.25    REJECT
213.136.106.126    REJECT
217.164.73.133    REJECT
61.189.204.100    REJECT
200.67.179.81    REJECT
61.189.203.191    REJECT
217.164.72.55    REJECT
61.189.203.246    REJECT
217.164.72.29    REJECT
68.211.224.163    REJECT
200.67.179.50    REJECT
68.80.143.188    REJECT
209.142.243.81    REJECT
204.117.50.140    REJECT
68.154.64.14    REJECT
162.83.176.132    REJECT
65.73.95.99    REJECT
196.21.128.1    REJECT
67.80.139.111    REJECT
68.154.70.39    REJECT
139.55.233.177    REJECT
162.40.37.192    REJECT
62.80.224.31    REJECT
203.129.202.18    REJECT
162.40.38.232    REJECT
162.40.35.90    REJECT
217.23.38.139    REJECT
68.211.233.11    REJECT
67.64.6.246    REJECT
208.180.60.231    REJECT
68.159.166.134    REJECT
67.86.70.25    REJECT
24.99.10.242    REJECT
209.53.213.216    REJECT
138.88.207.116    REJECT
66.76.141.52    REJECT
208.57.145.28    REJECT
66.123.232.6    REJECT
66.13.214.118    REJECT
68.43.11.199    REJECT
207.232.103.155    REJECT
208.57.105.248    REJECT
68.153.69.21    REJECT
66.190.154.21    REJECT
4.41.189.36    REJECT
24.218.40.135    REJECT
216.170.5.59    REJECT
68.113.10.240    REJECT
24.199.82.174    REJECT
68.58.112.228    REJECT
172.128.42.74    REJECT
206.230.185.42    REJECT
65.57.29.48    REJECT
156.110.31.162    REJECT
172.175.113.206    REJECT
24.126.130.151    REJECT
208.255.242.58    REJECT
66.76.135.192    REJECT
65.64.25.225    REJECT
67.34.236.66    REJECT
162.40.37.6    REJECT
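The triage Scott describes (go through the received viruses, sort them by connecting IP, block the worst offenders before SMTP accepts anything) and the Sendmail access-file entries Jeff shows can be produced from the flagged messages themselves. The script below is an added example written for this thread; it is not code from the list, from Declude or from Sendmail. It reads the topmost Received: header of each flagged message for the connecting address, counts hits per IP, skips an assumed "own customer" netblock (James's concern about cutting off the ISP's own users), and prints entries in the IP/REJECT form Jeff posted. IMail's Control Access file format is not shown in the thread, so it is not generated. All sample headers and the netblock are constructed from RFC 5737 documentation ranges.

```python
"""Rank the source IPs of virus-flagged mail and emit block-list entries.

Added example, not code from the Declude list thread, from Declude or from
Sendmail. Sample headers and the OWN_NETS range below are constructed.
"""
import ipaddress
import re
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# The connecting host's address is recorded in the Received: header that our
# own MTA wrote, i.e. the topmost one in a message we accepted directly.
RECEIVED_IP = re.compile(
    r"^Received:\s+from\b.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.IGNORECASE
)


def connecting_ip(raw_headers: str) -> Optional[str]:
    """Return the bracketed IP from the first Received: header, or None."""
    # Unfold RFC 2822 continuation lines so each header is a single line.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            m = RECEIVED_IP.match(line)
            return m.group(1) if m else None
    return None


def rank_sources(messages: Iterable[str], own_nets: Iterable[str] = (),
                 min_hits: int = 1) -> List[Tuple[str, int]]:
    """Count flagged messages per connecting IP, worst offender first.

    IPs inside own_nets are skipped: those are customers to notify and clean,
    not hosts to REJECT at the MX. Only IPs with >= min_hits are returned.
    """
    nets = [ipaddress.ip_network(n) for n in own_nets]
    counts: Counter = Counter()
    for raw in messages:
        ip = connecting_ip(raw)
        if ip is None:
            continue
        if any(ipaddress.ip_address(ip) in net for net in nets):
            continue
        counts[ip] += 1
    return [(ip, n) for ip, n in counts.most_common() if n >= min_hits]


def access_entries(ranked: List[Tuple[str, int]]) -> List[str]:
    """Render Sendmail access-map lines (IP<TAB>REJECT) for the ranked IPs."""
    return [f"{ip}\tREJECT" for ip, _ in ranked]


# Constructed sample: headers of four messages the virus scanner flagged.
SAMPLE_MESSAGES = [
    "Received: from pc-1 (unknown [192.0.2.10])\n"
    "\tby mx.example.net (8.12.9/8.12.9) with SMTP id h84C10aa\n"
    "\tfor <user@example.net>; Thu, 4 Sep 2003 08:10:00 -0400\n"
    "Subject: Re: Details\n",
    "Received: from pc-1 (unknown [192.0.2.10])\n"
    "\tby mx.example.net (8.12.9/8.12.9) with SMTP id h84C11bb\n"
    "Subject: Re: Thank you!\n",
    "Received: from [198.51.100.7] by mx.example.net with SMTP id h84C12cc\n"
    "Subject: Re: Approved\n",
    "Received: from cust (dsl-5.isp.example [203.0.113.5])\n"
    "\tby mx.example.net (8.12.9/8.12.9) with SMTP id h84C13dd\n"
    "Subject: Your details\n",
]
OWN_NETS = ["203.0.113.0/24"]  # assumed: our own customer range, never REJECT

if __name__ == "__main__":
    for entry in access_entries(rank_sources(SAMPLE_MESSAGES, OWN_NETS)):
        print(entry)
```

Run against a real mailbox of flagged messages, raise `min_hits` so a single infected message does not earn a REJECT; the 203.0.113.5 host is counted but never emitted because it falls inside OWN_NETS, which is where John's "notify and unblock once cleaned" handling applies instead.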
RE: [Declude.JunkMail] Using Declude to block Sobig Virus
Yeah, I was thinking about using our Cisco and throwing in an access list to deny SMTP from the source IP; the only problem with that is we're a large ISP and would be blocking mainly our own users who have received the virus via Hotmail or Yahoo accounts. (Tier 1 call volume go *boom*) ^_^

James R. Skivers
Network Administrator
Web One Inc.
[EMAIL PROTECTED]
http://astra1.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists)
Sent: Thursday, September 04, 2003 10:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Using Declude to block Sobig Virus

> You would need to block it before IMail receives it.
>
> John Tolmachoff
> MCSE CSSA
> Engineer/Consultant
> eServices For You
> www.eservicesforyou.com
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James R. Skivers
> Sent: Thursday, September 04, 2003 8:19 AM
> To: [EMAIL PROTECTED]
> Cc: 'R. Scott Perry'; [EMAIL PROTECTED]
> Subject: [Declude.JunkMail] Using Declude to block Sobig Virus
>
> > I need some suggestions on how to block the Sobig virus from even being processed by Declude. The number of processes is so high it is causing extreme latency and causing SMTP to not respond as well as time out. ANY help is highly appreciated.
> >
> > Regards,
> >
> > James R. Skivers
> > Network Administrator
> > Web One Inc.
> > [EMAIL PROTECTED]
> > http://astra1.com
RE: [Declude.JunkMail] Using Declude to block Sobig Virus
Thanks, that sounds doable. We have almost the exact same setup; I'll give that a try and throw that on our BMX box.

James R. Skivers
Network Administrator
Web One Inc.
[EMAIL PROTECTED]
http://astra1.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Maze - Hostmaster
Sent: Thursday, September 04, 2003 10:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Using Declude to block Sobig Virus

> The one thing I've been doing since the invasion began was use our secondary mail server to block the IPs of infected machines. Most of the infected messages seem to come through this machine first. We're running Sendmail (with the webmin interface; a lot easier to admin a linux box) and just editing the /etc/mail/access file and adding the IPs seems to have cut back significantly. I've added the IPs of blocked computers just to show how bad it's gotten for us.
>
> [list of IP addresses snipped]
RE: [Declude.JunkMail] Using Declude to block Sobig Virus
Simply because my goal is to block it before Declude or my server has a chance to process it.

James R. Skivers
Network Administrator
Web One Inc.
[EMAIL PROTECTED]
http://astra1.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Star
Sent: Thursday, September 04, 2003 10:56 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Using Declude to block Sobig Virus

> > > I need some suggestions on how to block the Sobig virus from even being processed by Declude. The number of processes is so high it is causing extreme latency and causing SMTP to not respond as well as time out. ANY help is highly appreciated.
> >
> > The best way is to go through the viruses that are received, sort them by IP, and use IMail's SMTP Control Access file to block the worst offenders.
>
> Why not use the Declude BLACKLIST feature?
>
> -- Dan
Re: [Declude.JunkMail] Using Declude to block Sobig Virus
> > The best way is to go through the viruses that are received, sort them by IP, and use IMail's SMTP Control Access file to block the worst offenders.
>
> Why not use the Declude BLACKLIST feature?

Because the IMail SMTP Control Access file will prevent the connection from even occurring, which will save on bandwidth (about 100K per virus blocked). It also saves some other resources, such as CPU usage, that would be used if it was received and scanned.

-Scott
RE: [Declude.JunkMail] Using Declude to block Sobig Virus
Simply state you are blocked because your computer is infected with a virus. Once your computer is cleaned, we will unblock.

John Tolmachoff
MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED]] On Behalf Of James R. Skivers
Sent: Thursday, September 04, 2003 9:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Using Declude to block Sobig Virus

> Yeah, I was thinking about using our Cisco and throwing in an access list to deny SMTP from the source IP; the only problem with that is we're a large ISP and would be blocking mainly our own users who have received the virus via Hotmail or Yahoo accounts. (Tier 1 call volume go *boom*) ^_^
>
> James R. Skivers
> Network Administrator
> Web One Inc.
> [EMAIL PROTECTED]
> http://astra1.com
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Tolmachoff (Lists)
> Sent: Thursday, September 04, 2003 10:42 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Using Declude to block Sobig Virus
>
> > You would need to block it before IMail receives it.
> >
> > John Tolmachoff
> > MCSE CSSA
> > Engineer/Consultant
> > eServices For You
> > www.eservicesforyou.com
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James R. Skivers
> > Sent: Thursday, September 04, 2003 8:19 AM
> > To: [EMAIL PROTECTED]
> > Cc: 'R. Scott Perry'; [EMAIL PROTECTED]
> > Subject: [Declude.JunkMail] Using Declude to block Sobig Virus
> >
> > > I need some suggestions on how to block the Sobig virus from even being processed by Declude. The number of processes is so high it is causing extreme latency and causing SMTP to not respond as well as time out. ANY help is highly appreciated.
> > >
> > > Regards,
> > >
> > > James R. Skivers
> > > Network Administrator
> > > Web One Inc.
> > > [EMAIL PROTECTED]
> > > http://astra1.com
Re: Re: [Declude.JunkMail] Using Declude to block Sobig Virus
If I am using Declude as a gateway and block the offending IP, will I not also have to block the IP in the real mail server as well?

Doug

> Because the IMail SMTP Control Access file will prevent the connection from even occurring, which will save on bandwidth (about 100K per virus blocked). It also saves some other resources, such as CPU usage, that would be used if it was received and scanned.
Re: [Declude.JunkMail] Using Declude to block Sobig Virus
> If I am using Declude as a gateway and block the offending IP, will I not also have to block the IP in the real mail server as well?
>
> Doug

IMail actually hands off the mail to Declude after running its filters. The recommendation apparently will reject the messages based on IP during the SMTP handshake, so the messages themselves will never even arrive on your box. The processing order is as follows:

1. IMail's Control Access file (to block IPs)
2. IMail's Kill List (to block return addresses)
3. Declude Virus
4. Declude Hijack
5. Declude JunkMail
6. IMail's filters

Matt
RE: [Declude.JunkMail] Using Declude to block Sobig Virus
I agree with Scott, but I took it a step further. I set up a SOBIG filter and forwarded the Sobig email to a special account. I then looked at the connecting IP and added that to my trap. I then tracked down the owner of the IP and notified them that a host on their network had the virus. What will not be blocked are the emails that you will get that are bounce messages and virus warnings from servers where your users' emails have been spoofed. 2 weeks ago we were being hit by at least 10 machines sending us SOBIG emails. Now we are only receiving them from 1 machine. If you do not try to notify them, then they are going to infect other machines, which can cause you to be hit from other IP addresses; you will also continue to receive the bounce and virus warning emails.

Here is my filter:

REMOTEIP 0 IS x.x.x.x
SUBJECT 0 CONTAINS Re: Details
SUBJECT 0 CONTAINS Re: Approved
SUBJECT 0 CONTAINS Re: Re: My details
SUBJECT 0 CONTAINS Re: Thank you!
SUBJECT 0 CONTAINS Re: That movie
SUBJECT 0 CONTAINS Re: Wicked screensaver
SUBJECT 0 CONTAINS Re: Your application
SUBJECT 0 CONTAINS Thank you!
SUBJECT 0 CONTAINS details

Kevin Bilbee

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Thursday, September 04, 2003 8:32 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Using Declude to block Sobig Virus

> > I need some suggestions on how to block the Sobig virus from even being processed by Declude. The number of processes is so high it is causing extreme latency and causing SMTP to not respond as well as time out. ANY help is highly appreciated.
>
> The best way is to go through the viruses that are received, sort them by IP, and use IMail's SMTP Control Access file to block the worst offenders.
>
> -Scott
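Kevin's filter is a list of TYPE WEIGHT OPERATOR VALUE lines; seeing which of his lines fire on which messages shows both what it catches (including bounces that keep the worm's subject, which an IP block alone would miss) and where it over-matches. The script below is an added example written for this thread; it is not code from the list or from Declude, and Declude's own evaluation rules are not described on the page. It assumes that REMOTEIP IS is an exact match on the connecting IP, that SUBJECT CONTAINS is a case-insensitive substring test, and that any single matching line is enough to copy the message to the trap account (every weight is 0, so no weight arithmetic is done). The constructed address 192.0.2.10 stands in for Kevin's x.x.x.x, and the sample messages are constructed.

```python
"""Apply a Declude-style filter (TYPE WEIGHT OPERATOR VALUE lines) offline.

Added example, not code from the thread or from Declude. Matching semantics
are assumed (see the lead-in); 192.0.2.10 replaces Kevin's x.x.x.x placeholder.
"""
from typing import List, Tuple

Rule = Tuple[str, int, str, str]  # (field, weight, operator, value)

# Kevin's filter as posted, with a constructed IP in place of x.x.x.x.
FILTER_TEXT = """\
REMOTEIP 0 IS 192.0.2.10
SUBJECT 0 CONTAINS Re: Details
SUBJECT 0 CONTAINS Re: Approved
SUBJECT 0 CONTAINS Re: Re: My details
SUBJECT 0 CONTAINS Re: Thank you!
SUBJECT 0 CONTAINS Re: That movie
SUBJECT 0 CONTAINS Re: Wicked screensaver
SUBJECT 0 CONTAINS Re: Your application
SUBJECT 0 CONTAINS Thank you!
SUBJECT 0 CONTAINS details
"""


def parse_filter(text: str) -> List[Rule]:
    """Split each non-empty line into field, weight, operator and value."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        field, weight, op, value = line.split(None, 3)  # value may hold spaces
        rules.append((field.upper(), int(weight), op.upper(), value))
    return rules


def matching_rules(rules: List[Rule], remote_ip: str, subject: str) -> List[Rule]:
    """Return every rule the message satisfies (assumed semantics, see above)."""
    hits: List[Rule] = []
    for rule in rules:
        field, _weight, op, value = rule
        if field == "REMOTEIP" and op == "IS" and remote_ip == value:
            hits.append(rule)
        elif field == "SUBJECT" and op == "CONTAINS" and value.lower() in subject.lower():
            hits.append(rule)
    return hits


def route(rules: List[Rule], remote_ip: str, subject: str) -> str:
    """'trap' if any rule matches (forward to the special account), else 'inbox'."""
    return "trap" if matching_rules(rules, remote_ip, subject) else "inbox"


# Constructed messages as (connecting IP, Subject). The bounce keeps the worm's
# subject, so the SUBJECT lines catch it although an IP block would not; the
# bare "details" line also trips on ordinary mail, a false positive to watch.
SAMPLE_MAIL = [
    ("192.0.2.10", "Re: Wicked screensaver"),        # trapped host, worm subject
    ("198.51.100.7", "Re: Thank you!"),              # new host, worm subject
    ("198.51.100.9", "Undeliverable: Re: Details"),  # bounce of a spoofed send
    ("198.51.100.20", "Meeting details for Friday"), # legitimate, still trapped
    ("198.51.100.21", "Quarterly report"),           # legitimate, delivered
]

if __name__ == "__main__":
    rules = parse_filter(FILTER_TEXT)
    for ip, subj in SAMPLE_MAIL:
        print(f"{route(rules, ip, subj):5}  {ip:15}  {subj}")
```

Because Kevin forwards matches to a special account rather than rejecting them, the "Meeting details" hit only costs a copy; if the same lines were ever used to reject at the MX, the bare `details` line is the one to tighten first.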