It sounds good to me, Pete.

May I humbly suggest that this be a new result code, e.g. 046?  Until
now, Message Sniffer has been very parsimonious with the new categories,
but this looks like one that will be here for a long time. 

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pete McNeil
Sent: Tuesday, December 21, 2004 6:38 AM
To: [EMAIL PROTECTED]
Subject: [sniffer] Change in coding policies


Hello Sniffer Folks,

  Backscatter from rejected virii and joe-jobs has become a very
  significant problem.

  Up to now we have tried as much as possible to avoid coding for
  NDRs and other such backscatter - though some pattern matches have
  been unavoidable.

  Generally it is a very bad idea these days for a server to send a
  response of any kind when a virus is captured since most virii forge
  the sender information.

  Similarly, bounces from joe-jobs and dictionary attacks are also a
  problem.

  These kinds of messages tend to be more of a problem than a solution
  and the volume has now reached extreme levels (IMO).

  From now on, we are going to start coding rules to capture these
  kinds of messages. The rules that we do code for these messages will
  go into the malware group.

  For example, we will be introducing rules that watch for bounces
  that contain large numbers of failed addresses - indicating a
  probable dictionary attack / joe-job; and we will be coding rules
  for most virus bounces when they reach our spamtraps or are
  submitted to us as spam - since clearly the return address on the
  bounce indicates that the sender information must have been forged
  (bounce going to a spamtrap).

  If there is some need on your system to receive these messages then
  the best strategy will be to create local white rules to let these
  through.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)



This E-Mail came from the Message Sniffer mailing list. For information
and (un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html
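
An added illustration of the kind of rule described in the message above (bounces that list a large number of failed addresses); this is not Message Sniffer's own rule code. It counts failed recipients in an RFC 3464 delivery-status report using Python's standard email parser. The threshold of 5, the function names and the sample bounce are assumptions constructed for the example.

```python
import email

FAILED_THRESHOLD = 5  # assumed cut-off; the post does not give a number


def failed_recipients(raw: bytes) -> list[str]:
    """Return the addresses an RFC 3464 delivery-status part reports as failed."""
    msg = email.message_from_bytes(raw)
    failed = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        if not part.is_multipart():  # malformed report: no field blocks parsed
            continue
        # The parser turns each blank-line-separated field block into a sub-message.
        for block in part.get_payload():
            if (block.get("Action") or "").strip().lower() != "failed":
                continue
            recipient = block.get("Final-Recipient") or ""
            # Field format is "rfc822; user@example.com"; keep the address only.
            failed.append(recipient.split(";", 1)[-1].strip().lower())
    return failed


def is_probable_backscatter(raw: bytes, threshold: int = FAILED_THRESHOLD) -> bool:
    """Flag a bounce that reports many distinct failed addresses."""
    return len(set(failed_recipients(raw))) >= threshold


def sample_dsn(n: int) -> bytes:
    """Constructed multipart/report bounce with n failed recipients."""
    blocks = "".join(
        f"Final-Recipient: rfc822; user{i}@example.com\n"
        "Action: failed\nStatus: 5.1.1\n\n"
        for i in range(n)
    )
    return (
        "From: MAILER-DAEMON@mx.example.net\n"
        "To: forged-sender@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
        "--b1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mx.example.net\n\n" + blocks + "--b1--\n"
    ).encode()


if __name__ == "__main__":
    for n in (1, 12):
        print(n, "failed ->", is_probable_backscatter(sample_dsn(n)))
```

A bounce with a single failed address stays below the threshold, so ordinary NDRs for a mistyped recipient are not flagged by this check.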
