On Fri, 11 Jun 2004, Liron Newman wrote:

> Goesta Smekal wrote:
>
> > I have been doing a similar thing for two months: every mail reported to be
> > infected gets a second treatment:
> >
> > * look for the originating IP (of the SMTP envelope, _not_ the headers)
> > * resolve its domain
> > * get the MX for that domain
> > * if the IPs are not equal, block the host, since it is an infected, non-MX
> >   host.
> >
> > This approach works _very_ well (not a single complaint ever since, as opposed
> > to three complaints due to the RDNS check, which started at the same time),
> > the SMTP load actually is _reduced_ and the "SNDRIP=EIPSPAM" is constantly
> > rising :-) .... and of course the virus/day rate is sinking.
> >
> > Since hosts that send you a virus nowadays are very likely sending you the
> > same stuff again soon, blacklisting (IMHO) is a valid option combined with
> > scanning.
>
> Actually a great idea, because 99.999% of the people who would have a
> legitimate use for sending you SMTP directly (running a mailserver or
> whatever) are computer-literate enough to avoid getting hit by all that
> virus junk. So the chances of blocking anyone who's running a
> mailserver at home (like me, and yes, my ISP allows that) are slim to
> none, and if he's blocked, he deserves it.
I personally use an even simpler approach in my post-data filter. If the
message has only one Received: header (the XMail one) *and* contains a
suspicious extension attachment, it's a worm/virus. It works 100% here,
without even going to DNS checks. Not that I care much about viruses though,
since Pine always did the Right Thing for me.

- Davide

-
To unsubscribe from this list: send the line "unsubscribe xmail" in
the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to [EMAIL PROTECTED]
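The two heuristics discussed in this thread, written out as an added example (this is not XMail's filter code and not the posters' own scripts). `check_sender_is_mx` is the quoted rule from Goesta Smekal: the envelope peer IP must be one of the MX addresses of the domain its own PTR name points into, otherwise the peer is treated as an infected non-MX host. `looks_like_worm` is Davide's rule: exactly one Received: header (the one our own MTA added) plus an attachment with a suspicious extension. DNS data is injected through plain callables so the module runs offline; the lookup tables, the message samples, the list of suspicious extensions and the "last two labels" notion of a domain are all constructed assumptions for the example, not anything the thread specifies.

```python
"""Post-DATA worm heuristics from the XMail thread (added example, not XMail code)."""
import os
from email import message_from_string
from typing import Callable, Iterable, List, Set

# Assumption: which extensions count as "suspicious" is local policy.
SUSPICIOUS_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}


def registrable_domain(hostname: str) -> str:
    """Assumption for the example: the 'domain' of a host is its last two labels.
    A production filter would consult the public suffix list instead."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_sender_is_mx(
    peer_ip: str,
    reverse_lookup: Callable[[str], str],          # IP -> PTR hostname
    mx_lookup: Callable[[str], Iterable[str]],     # domain -> MX hostnames
    forward_lookup: Callable[[str], Iterable[str]] # hostname -> A records
) -> bool:
    """Goesta's rule. True if peer_ip is an MX address of the domain of its own
    PTR name; False (block) otherwise. A failed lookup at any step is treated
    as 'not an MX', so hosts with no PTR or no MX are blocked as well."""
    try:
        ptr = reverse_lookup(peer_ip)
        domain = registrable_domain(ptr)
        mx_ips: Set[str] = set()
        for mx_host in mx_lookup(domain):
            mx_ips.update(forward_lookup(mx_host))
    except LookupError:
        return False
    return peer_ip in mx_ips


def attachment_names(raw_message: str) -> List[str]:
    """Filenames of all MIME parts that carry one."""
    msg = message_from_string(raw_message)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def looks_like_worm(raw_message: str) -> bool:
    """Davide's rule: one Received: header (our own MTA's, i.e. the peer
    connected to us directly) and a suspiciously named attachment."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if len(received) != 1:
        return False
    for name in attachment_names(raw_message):
        if os.path.splitext(name)[1].lower() in SUSPICIOUS_EXTENSIONS:
            return True
    return False


# Constructed DNS data (RFC 5737 documentation addresses). dict.__getitem__
# raises KeyError, a LookupError, which models NXDOMAIN for the example.
PTR = {"203.0.113.25": "mail.example.net", "198.51.100.77": "dsl-77.pool.example.org"}
MX = {"example.net": ["mail.example.net"], "example.org": ["mx.example.org"]}
A = {"mail.example.net": ["203.0.113.25"], "mx.example.org": ["198.51.100.10"]}


def classify_peer(peer_ip: str) -> bool:
    """Convenience wrapper binding the constructed tables."""
    return check_sender_is_mx(peer_ip, PTR.__getitem__, MX.__getitem__, A.__getitem__)


# Constructed messages: a worm-style delivery straight from a dial-up host,
# and a legitimate relayed mail with a harmless attachment.
WORM_MSG = """\
Received: from [198.51.100.77] by mail.example.net with SMTP; Fri, 11 Jun 2004 10:00:00 +0000
From: someone@example.org
To: you@example.net
Subject: Important document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

See attached.
--XX
Content-Type: application/octet-stream; name="document.pif"
Content-Disposition: attachment; filename="document.pif"
Content-Transfer-Encoding: base64

TVo=
--XX--
"""

LEGIT_MSG = WORM_MSG.replace(
    "Received: from [198.51.100.77]",
    "Received: from mx.example.org by mail.example.net with ESMTP; Fri, 11 Jun 2004 10:00:00 +0000\n"
    "Received: from desktop.example.org by mx.example.org with ESMTP; Fri, 11 Jun 2004 09:59:00 +0000\n"
    "X-Original-Peer: [198.51.100.77]",
).replace("document.pif", "report.pdf")


if __name__ == "__main__":
    for ip in ("203.0.113.25", "198.51.100.77", "192.0.2.1"):
        print(ip, "is MX" if classify_peer(ip) else "BLOCK (non-MX host)")
    print("worm sample:", looks_like_worm(WORM_MSG))
    print("legit sample:", looks_like_worm(LEGIT_MSG))
```

Both rules deliberately do no content scanning: the MX rule keys on where the connection came from, the Received-count rule on how many hops the message has taken, which is why Davide's version needs no DNS at all. The failure mode to keep in mind is the one Liron raises: a personal mail server on a consumer line whose PTR does not match its MX is blocked by the first rule, and any such host that attaches an executable directly is flagged by the second.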
