At 10:51 AM -0400 8/21/03, Charles Mangin imposed structure on a stream of electrons, yielding:
i've followed all the discussion on here about RBLs, blocking relays, only relaying for client IPs, and i think i've managed to lock down my mailserver so it's pretty much (well, maybe 90%) spam free. i'm certainly getting a lot less, and my email address is plastered all over my websites. i've got spam covered, and it's only a matter of tweaking now. many thanks to the list for services rendered.

but how about worms? (worms? viruses? that's so out of left field! what makes you bring that up now?)

is there any functionality in SIMS or a third party app that works in conjunction with SIMS to filter email based on, say file attachment types?


Not really. You could probably design a mail system around the special hooks in Autoshare and code up special message handling that filtered on content before getting the mail to user mailboxes, but that would be a Very Big Project.


something as simple as no .exe, .scr .pif... because most of the worm traffic i've seen looks like legitimate email (though it's forged headers, which confuses me.. i thought sims caught forged headers most of the time?) - it wouldn't even need to filter based on content, just look at file attachments and their names, and i'd be satisfied.

anyhoo, any help would be greatly appreciated.


SIMS doesn't catch anything in message data, whether it is in the headers or the body of the message. Defining 'forgery' in a way that ANY MTA can catch without catching perfectly legitimate mail is not possible, because there is no way to know what addresses are legitimate for a particular source.

I have found that the combination of the CBL (http://cbl.abuseat.org) and my rather extreme local blacklist (http://www.scconsult.com/blacklist.shtml) is catching most of the current flood of Sobig wormmail. It would seem that my tendency to toss big blocks of addresses around open proxy or worm spam sources pays off. That is NOT a suggestion that anyone else use my list in particular, but rather that if you maintain a local blacklist you might get good results from the same sort of approach. The rationale is simple: a machine that sends you spam that makes it appear to be an open proxy or wormmail is most likely a carelessly managed Windows machine in someone's home in the midst of an address block that is essentially all similar systems (aside from the occasional Mac...) whose owners have no reason to ever send directly to any mail server other than their provider's. It's a bit harsh, but playing the odds really does work and if you can accept the fact that you might have to poke holes in those ranges at some point, it is quite workable to assume (for example) that blocks of undifferentiated DSL and cable connections are never going to have anything but worms and proxy spam.

--
Bill Cole [EMAIL PROTECTED]
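A minimal defender-side sketch of the two approaches discussed in this thread (rejecting on the connecting address block, and refusing mail by attachment extension rather than by content), as an added Python example that is not code from the thread or from SIMS; the CIDR ranges and the sample message are constructed.

```python
import ipaddress
import os
from email import message_from_bytes, policy

# Constructed ranges for illustration only; the page's real lists are not reproduced.
LOCAL_BLOCKLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif"}  # the types named in the question

def ip_blocked(client_ip: str) -> bool:
    """Connection-time check: is the sending host inside a locally blocked range?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LOCAL_BLOCKLIST)

def blocked_attachments(raw: bytes) -> list[str]:
    """Return attachment filenames whose extension is blocked; no content scanning."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # Content-Disposition or Content-Type name
        if not name:
            continue
        ext = os.path.splitext(name)[1].lower()  # last extension, so x.txt.pif -> .pif
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits

def decide(client_ip: str, raw: bytes) -> str:
    """Cheapest check first: reject on IP before parsing the message at all."""
    if ip_blocked(client_ip):
        return "reject: client IP in local blocklist"
    hits = blocked_attachments(raw)
    if hits:
        return "reject: blocked attachment type(s): " + ", ".join(hits)
    return "accept"

# Constructed sample message carrying a .pif attachment, as wormmail of the day did.
SAMPLE = b"""From: someone@example.com
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see the attached file.
--XYZ
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"

(binary payload omitted in this constructed sample)
--XYZ--
"""
```

The IP check belongs at SMTP connection time and costs nothing, while the attachment check requires accepting and parsing the message body, which is the part the thread notes SIMS has no hook for.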


