[linux-elitists] sobig.f: Microsoft Windows virus, not computer virus

Karsten M. Self kmself@ix.netcom.com
Sun Aug 31 16:31:59 PDT 2003


on Sun, Aug 31, 2003 at 12:15:16PM -0700, Marc MERLIN (marc@merlins.org) wrote:
> On Sat, Aug 23, 2003 at 07:05:45PM +0000, Drew Streib wrote:
> > On Sat, Aug 23, 2003 at 11:58:56AM -0700, Aaron Lehmann wrote:
> > > Got a simple pattern to stop these, like a procmail rule? My account
> > > is getting 200MB (2000) of them a day. Spamassassin has been filing
> > > them away into the suspected spam folder, but they're taking up a lot
> > > of diskspace and spamassassin time.
> > 
> > Exim filter rules follow. See the exim filter specification for how
> > to enable these (very very easy).
> > 
> > These could also be put in one regexp very easily. I just filter on 
> > the known filenames for sobig.f.
> 
> So, the grand total of sobig.f that hit my system, is exactly: 0
> 
> Why?
> /var/lib/exim4/config.autogenerated:
> 
> Because of the following ACLs:
> 
>   deny    message       = "HELO/EHLO required by SMTP RFC"
>           condition     = ${if eq{$sender_helo_name}{}{yes}{no}}
> .ifdef TEERGRUBE
>           delay         = TEERGRUBE
> .endif
> 
>   deny    message       = "Invalid domain or IP given in HELO/EHLO"
>          !condition     = ${if match{$sender_helo_name}{\\\.}{yes}{no}}
> .ifdef TEERGRUBE
>           delay         = TEERGRUBE
> .endif
> 
> All of sobig got hit by the second one because it sent a windows
> unqualified name

Marc:

Are your existing SA / teergrube / exim docs current for this
configuration?

    http://marc.merlins.org/linux/exim/sa.html

Teergrube is IMO one of the best modes of preventing spam attacks.  Very
good stuff.

Much better than, say, challenge-response systems.

    http://kmself.home.netcom.com/Rants/challenge-response.html

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    Defeat EU Software Patents!                         http://swpat.ffii.org/
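Marc's two deny ACLs, re-expressed as an added Python sketch (not from the original thread and not Exim's own code) so the rule order can be traced against sample HELO arguments; the sample names, the `teergrube` delay value and the function names are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Stand-in for the ACL condition ${if match{$sender_helo_name}{\\\.}{yes}{no}}:
# the check passes only if the HELO/EHLO argument contains a literal dot.
HELO_HAS_DOT = re.compile(r"\.")


@dataclass
class Verdict:
    accepted: bool
    message: str   # the ACL "message" text that would be returned to the client
    delay: int     # seconds the teergrube would stall the client, 0 if not set


def check_helo(sender_helo_name: str, teergrube: int = 0) -> Verdict:
    """Apply the two deny rules in the order the config lists them."""
    # First ACL: an empty HELO/EHLO name is rejected outright.
    if sender_helo_name == "":
        return Verdict(False, "HELO/EHLO required by SMTP RFC", teergrube)
    # Second ACL: a name with no dot (e.g. a bare Windows machine name) is rejected.
    if not HELO_HAS_DOT.search(sender_helo_name):
        return Verdict(False, "Invalid domain or IP given in HELO/EHLO", teergrube)
    return Verdict(True, "accepted", 0)


# Constructed sample HELO arguments (not taken from the original thread).
SAMPLE_HELOS = ["", "WINDOWSPC", "mail.example.org", "[192.0.2.10]"]


def run_samples(teergrube: int = 0) -> dict:
    """Evaluate every sample and return {helo_name: Verdict}."""
    return {name: check_helo(name, teergrube) for name in SAMPLE_HELOS}


if __name__ == "__main__":
    for name, verdict in run_samples(teergrube=30).items():
        print(f"{name!r:20} -> {verdict}")
```

Note that a bracketed IP literal contains dots and therefore passes the second rule, exactly as the regex in the config would; neither rule verifies that the HELO name resolves or matches the connecting address.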

