[H-GEN] Email filtering

Greg Black gjb at gbch.net
Wed Sep 24 06:53:44 EDT 2003


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

On 2003-09-24, David Duffy wrote:

> With the current wave of virus emails (Microsoft lookalikes),
> what's the best way to automatically reject/clobber them?
> I guess I could use a procmail rule (tried but failed!) but I'd
> rather reject them in the first place instead of accepting them
> only to drop them later on in the chain. That raises another
> question; if I reject an email using the access file, how much
> of that email makes it onto my system? Just the header?

The question is not clear, but I'm going to assume that you're
talking about the SMTP server at mail.audiovisualdevices.com.au
since that's a real SMTP server and it looks like it belongs to
you.

If you reject the connections based on their IP address, then
none of the mail gets through to you.  But, with these specific
messages, that is not generally possible or desirable.

If you want to reject the messages based on their content, you
have to read at least enough content to determine that the
message should be dropped.  As a human, having now seen several
hundred of these, I feel confident that I can do it.  But I'd be
reluctant to program such a thing because of the risk of false
positives.  Since you're using Sendmail 8.11.6, you might like
to try the sendmail lists to see if people have come up with
techniques that they feel comfortable with.  I don't use
sendmail (which has just had yet another security hole found),
so I can't advise more than that.

In my case, I expect that this particular flood will die off in
the next few days and so I don't plan to attack it in any more
aggressive way than using SpamAssassin to reject anything with a
Microsoft executable in its payload.  This does mean that I've
received several tens of MB of unwanted email, but so far it's a
cost I can bear.

Whatever you do, don't bounce the messages -- that will only
make things worse and won't help anybody.  If you identify them,
just drop them on the floor.

Cheers, Greg

-- 
Greg Black <gjb at gbch.net> <http://www.gbch.net/gjb.html>
GPG signed mail preferred; further information in headers.

--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/
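As an added illustration of the content check the reply describes (this is example code, not anything from the post or the list), the function below reads the decoded attachments of a message and returns "drop" only when the bytes actually start with the MZ executable header; an executable-looking filename on non-executable bytes is merely marked "suspect" for logging, which keeps the false-positive risk low, and nothing is ever bounced. The verdict names, the extension list and the sample messages are constructed for this example.

```python
"""Decide whether a message carrying a Windows executable should be dropped."""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Filename extensions typical of Windows executables (assumed list).
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def classify(raw_message: bytes) -> str:
    """Return 'drop', 'suspect' or 'deliver' for a raw RFC 822 message.

    Only a decoded attachment beginning with the 'MZ' DOS/PE magic is
    dropped; a suspicious name alone yields 'suspect' so that renamed
    documents are not lost.  A dropped message is discarded silently,
    never bounced back to the (usually forged) sender.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdict = "deliver"
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"MZ"):
            return "drop"  # real executable bytes: drop on the floor
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTENSIONS):
            verdict = "suspect"  # executable name, non-executable bytes
    return verdict


def build_sample(attachment: Optional[bytes], filename: Optional[str]) -> bytes:
    """Build a constructed test message (not real mail) with one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Hello from the constructed sample.")
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples: a fake PE payload, a text file renamed .exe, plain text.
VIRUS_LIKE = build_sample(b"MZ\x90\x00" + b"\x00" * 60, "update.exe")
RENAMED_TEXT = build_sample(b"just text", "notes.exe")
CLEAN = build_sample(None, None)

if __name__ == "__main__":
    for label, raw in (("virus-like", VIRUS_LIKE), ("renamed", RENAMED_TEXT),
                       ("clean", CLEAN)):
        print(label, classify(raw))
```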