On [Thu, 03.06. 14:43], alex wrote:
> Tracy wrote:
>
> > At 08:22 6/3/2004, you wrote:
> >
> >>This is a CRAZY idea !
> >>In a few time you have banned 50% or more of internet traffic !
> >>alex wrote:
> >
> > It's actually not a crazy idea, because a very large percentage of the
> > virus traffic on the Internet originates from end-user boxes (machines that
> > were never intended to be mail servers, nor to deliver mail directly to
> > MTAs). A lot of places are already blocking dynamic address machines anyway
> > (I block by RDNS on patterns that tend to indicate end user machines, such
> > as "adsl-99-25-74-211.dsl.blvloh.ameritech.net"). Since these kinds of
> > machines are 1) not intended to deliver mail, and 2) prohibited by their
> > ISP's Terms Of Service or Acceptable Use Policies from running mail
> > servers, there is no reason not to block them. And since these machines
>
> That's not entirely true, my isp allows me to setup my own mailserver though
> our hostnames are something like adsl-111.111.111.111.xs4all.nl :)
>
> But I agree with you that it is a very useful filter.

Folks, just ignore me if you think I'm riding a dead cow ...
I have been doing a similar thing for two months:
Every mail reported to be infected gets a second treatment:

* look for originating IP (of SMTP envelope, _not_ headers)
* resolve its domain
* get the MX for that domain
* if the IPs are not equal, block the host, since it is an infected, non MX host.

This approach works _very_ fine (not a single complaint ever since, as opposed to
three complaints due to the RDNS check, which started at the same time).
The SMTP load actually is _reduced_ and the "SNDRIP=EIPSPAM" is constantly rising :-)
.... and of course the virus/day rate is sinking.

Since hosts that send you a virus nowadays are very likely sending you the same
stuff again soon, blacklisting (IMHO) is a valid option combined with scanning.

just my two cents

Goesta

--
Wiener Hilfswerk - EDV
1072 Wien, Schottenfeldgasse 29
Tel: 512 36 61 DW 407 / Fax 512 36 61 33
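The four-step check described in the message above, sketched as an added example (not code from the original post or from XMail). The DNS lookups are replaced by a small in-memory table of constructed records so the logic runs offline; the `Dns` class, the two-label domain rule, the implicit-MX fallback and the "unknown" verdict for failed lookups are assumptions of this sketch.

```python
# Added example: constructed DNS data, hypothetical names throughout.
from dataclasses import dataclass, field

@dataclass
class Dns:
    """Minimal in-memory resolver standing in for real PTR/MX/A lookups."""
    ptr: dict = field(default_factory=dict)   # ip -> hostname
    mx: dict = field(default_factory=dict)    # domain -> [mx hostnames]
    a: dict = field(default_factory=dict)     # hostname -> [ips]

def domain_of(hostname):
    # Assumption: the domain is the last two labels. Real deployments need
    # a public-suffix list (for example for co.uk style names).
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None

def mx_ips(dns, domain):
    """All addresses the domain's MX hosts resolve to."""
    hosts = dns.mx.get(domain) or [domain]    # no MX record: implicit MX (assumption)
    return {ip for h in hosts for ip in dns.a.get(h.lower(), [])}

def verdict(dns, envelope_ip):
    """Classify the SMTP peer of a message the scanner flagged as infected."""
    host = dns.ptr.get(envelope_ip)
    if host is None:
        return "unknown"                      # no PTR: nothing to compare against
    domain = domain_of(host)
    if domain is None:
        return "unknown"
    ips = mx_ips(dns, domain)
    if not ips:
        return "unknown"                      # lookup failure: do not block (assumption)
    return "allow" if envelope_ip in ips else "block"

# Constructed records (documentation address ranges, example domains).
DNS = Dns(
    ptr={"192.0.2.10": "mail.example.org",
         "198.51.100.77": "adsl-198-51-100-77.dsl.example.net"},
    mx={"example.org": ["mail.example.org"], "example.net": ["mx1.example.net"]},
    a={"mail.example.org": ["192.0.2.10"], "mx1.example.net": ["198.51.100.1"]},
)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        print(ip, verdict(DNS, ip))
```

The IP passed to `verdict` must be the address of the connecting SMTP peer as seen by the server, since Received headers can be forged by the sender.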