It sounds good to me, Pete. May I humbly suggest that this be a new result code, e.g. 046? Until now, Message Sniffer has been very parsimonious with the new categories, but this looks like one that will be here for a long time.
Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, December 21, 2004 6:38 AM
To: [EMAIL PROTECTED]
Subject: [sniffer] Change in coding policies

Hello Sniffer Folks,

Backscatter from rejected virii and joe-jobs has become a very significant problem. Up to now we have tried as much as possible to avoid coding for NDRs and other such backscatter - though some pattern matches have been unavoidable.

Generally it is a very bad idea these days for a server to send a response of any kind when a virus is captured since most virii forge the sender information. Similarly, bounces from joe-jobs and dictionary attacks are also a problem. These kinds of messages tend to be more of a problem than a solution and the volume has now reached extreme levels (IMO).

From now on, we are going to start coding rules to capture these kinds of messages. The rules that we do code for these messages will go into the malware group.

For example, we will be introducing rules that watch for bounces that contain large numbers of failed addresses - indicating a probable dictionary attack / joe-job; and we will be coding rules for most virus bounces when they reach our spamtraps or are submitted to us as spam - since clearly the return address on the bounce indicates that the sender information must have been forged (bounce going to a spamtrap).

If there is some need on your system to receive these messages then the best strategy will be to create local white rules to let these through.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
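
The two bounce heuristics described in the quoted announcement (a bounce addressed to a spamtrap, and a bounce listing many failed addresses), sketched as an added example that is not part of the thread and is not Message Sniffer's rule code. The threshold, the labels, the addresses and the sample DSN are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

FAILED_THRESHOLD = 5                # assumed cut-off for "large numbers of failed addresses"
SPAMTRAPS = {"trap@example.org"}    # constructed spamtrap address

def failed_recipients(msg):
    """Return the Final-Recipient addresses whose DSN Action is 'failed'."""
    failed = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status" or not part.is_multipart():
            continue
        # The stdlib parser exposes each blank-line-separated field block as a sub-message.
        for block in part.get_payload():
            if str(block.get("Action", "")).strip().lower() == "failed":
                rcpt = str(block.get("Final-Recipient", ""))
                failed.append(rcpt.split(";")[-1].strip())
    return failed

def classify_bounce(raw, spamtraps=SPAMTRAPS, threshold=FAILED_THRESHOLD):
    """Return a hypothetical label for backscatter, or None for anything else."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return None                 # not a delivery report at all
    to_addr = parseaddr(str(msg.get("To", "")))[1].lower()
    if to_addr in spamtraps:
        return "backscatter:spamtrap"       # a trap never sent mail, so the sender was forged
    if len(failed_recipients(msg)) >= threshold:
        return "backscatter:mass-failure"   # probable dictionary attack / joe-job
    return None

def build_sample(n_failed, to_addr):
    """Constructed multipart/report bounce with n_failed per-recipient blocks."""
    blocks = "\n".join(
        f"Final-Recipient: rfc822; user{i}@example.net\nAction: failed\nStatus: 5.1.1\n"
        for i in range(n_failed))
    return (
        "From: MAILER-DAEMON@mx.example.net\n"
        f"To: {to_addr}\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
        "--b1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mx.example.net\n\n" + blocks + "\n--b1--\n")

if __name__ == "__main__":
    print(classify_bounce(build_sample(6, "postmaster@example.org")))
```
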