Re: .exe, and other attachments

From: Tony Earnshaw (tonnibilly.demon.nl)
Date: Sun Sep 21 2003 - 17:34:08 CDT


Matthias Andree wrote:

>>1: In the ongoing so-called "Swen/W32/gibe.f" (rubbish, there are at
>>least 4 differently sized .exe executables involved) at least in the
>>beginning a good deal of the drekk was coming from "innocent" home- and
>>broadband users. Scaring them out of their wits with rejections is the
>>only way to let each one know that something is wrong.
>
> Is there any evidence that this worm (or set of worms) will actually
> display delivery failures

Yes. 'Received' trail, reject_non_fqdn_hostname,
reject_unknown_sender_domain. If those are false, then bad luck - but
I've been checking the whole day and Swen sends from real, genuine
addresses. Otherwise I couldn't do the above.

> or use the "true" sender address of the
> "infected" user?

Yes. As above.

And I get to see in advance what's coming, so I can be that much ahead
of them. Mail to postmaster and abuse is always let through, whatever
their domain.

> Unless there is, bouncing isn't any more visible (to
> the infected user) than accepting and discarding their mail. What they
> don't see, they won't admit they have.

I don't bounce, I smtp reject. And no, I don't accept the message for
analysis (when I can help it), I simply refuse (550) the sender's domain
in the first place (when I can avoid it, which I can in 80% of all
cases, since I know in advance what is coming from whom). I check for
non-existent domains. Swen that does make it past the MAIL FROM: or RCPT
TO: phase (20%) gets smtp 550 refused by the Postfix proxy, anyway -
never bounced or discarded.

>>2: Some of the executables are up to 290 KB large and I'm getting up to
>>400 executables from 14 KB to 290 KB per day at the moment. No way I'm
>>going to let those into my narrow-bandwidth system for analysis and
>>discarding.
>
> Understandable. If I didn't have DSL, I'd have filtered after Subject
> with popsneaker or something as well. I wonder if Bayesian mail
> filtering after headers and like 10 body lines only would work. "TOP n
> 10" (POP3) comes to mind. But this is off-topic for this list.

I reject on a domain basis and make exceptions. I can afford to, not
many can.

--Tonni

--
Tony Earnshaw

Among the mighty I can scarcely thrive; among equals I am most content

http://www.billy.demon.nl
Mail: tonnibilly.demon.nl
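The set-up Tony describes (SMTP-time 550 refusal at MAIL FROM / RCPT TO, per-domain rejections with exceptions, mail to postmaster and abuse always accepted) can be expressed as a Postfix restriction chain. The fragment below is an added example, not the poster's own configuration; the domain names in the access maps are constructed placeholders, and the paths are the usual Postfix defaults.

```conf
# /etc/postfix/main.cf (added example; domain names below are placeholders)

smtpd_helo_required = yes

# Defer all checks to RCPT TO time (Postfix default). With the lists evaluated
# in one place, the "OK" for postmaster/abuse below stops evaluation before
# the sender-domain checks, so those mailboxes are reachable whatever the
# sender's domain. Keep the other restriction lists empty for that reason.
smtpd_delay_reject = yes
smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =

smtpd_recipient_restrictions =
    permit_mynetworks,
    # relay protection first, so the "OK" entries below can never open a relay
    reject_unauth_destination,
    # RFC 2142 mailboxes are accepted unconditionally
    check_recipient_access hash:/etc/postfix/recipient_access,
    # HELO must be a fully-qualified hostname
    # (older releases spell this reject_non_fqdn_hostname, as in the thread)
    reject_non_fqdn_helo_hostname,
    # envelope sender must be an FQDN whose domain resolves (MX or A record)
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    # per-domain refusals and per-address exceptions (lookup order:
    # full address, then domain, then parent domains)
    check_sender_access hash:/etc/postfix/sender_access,
    permit

# /etc/postfix/recipient_access   (rebuild with: postmap /etc/postfix/recipient_access)
postmaster@example.com        OK
abuse@example.com             OK

# /etc/postfix/sender_access     (rebuild with: postmap /etc/postfix/sender_access)
# a whitelisted correspondent at a domain that is otherwise refused
trusted-user@worm-source.example   OK
# a domain observed sending nothing but worm traffic (placeholder name)
worm-source.example           550 Mail from this domain is currently refused; write to postmaster
```

Two caveats worth keeping in mind with this approach. `reject_unknown_sender_domain` only verifies that the envelope sender's domain resolves; it says nothing about whether the mailbox belongs to the infected machine, so a 550 is seen by whoever really submitted the message, which is the point Matthias raises. And a domain-wide `550` in `sender_access` refuses every legitimate sender at that domain as well, so the per-address `OK` exceptions above need to be maintained, and the refusal text should tell people how to reach you (hence the always-accepted postmaster and abuse mailboxes).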