Subject: Re: SPAM Alert: Email Address Harvesting
To: Flo <netbsd@wolfnode.de>
From: Richard Rauch <rkr@olib.org>
List: current-users
Date: 01/04/2004 14:34:19
Certainly I get a lot of Sven worm attempts.  Like Flo, I have them filtered
at the SMTP layer (along with all other DLL/PIF/etc. junk files).

But spam is more annoying if it gets through (and while zero Sven viruses
get through to me, I do get occasional spam).


Aside to Flo: Does that really stop the virus before it uses up your
   bandwidth?  My impression is that the whole message is received before the
   header checks are applied.  By that time, the biggest bandwidth hit has
   already been taken.  Conforming SMTP has no way to break the transmission
   during header transmission, as far as I know, since the whole message
   (header and body) is sent in one DATA block.  Once you start to accept,
   you can't shut the transmitter off.

   I've noticed that I usually get a double-take from Sven attempts.  One
   has a GIF attachment (rejected), the other has a Microsoft file attachment
   of some kind (also rejected).  If I get more than one such pair from
   a single IP, I am prone to tossing the IP into a local IPF blacklist.
   "ipfstat -hin | grep -v ^0" suggests that that's doing a good job.

   It's a bit draconian, and has blocked at least one legitimate email.
   But I got tired of seeing countless RBL lookups and lots of my
   (limited) DSL bandwidth chewed up for Sven viruses.

   I'm keeping the Microsoft Worm related IPF rules separate, so that I can
   eventually turn them off, when and if Sven becomes less of a problem.
   (I intend to keep the list, however, as I will probably want to block
   many of the same IP numbers for the next Microsoft virus.)  (^&)


-- 
  "I probably don't know what I'm talking about."  http://www.olib.org/~rkr/
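The blacklisting procedure described in the message above (count the GIF + Microsoft-file reject pairs per sending IP, and drop repeat offenders into a separate IPF rule set that can be retired later) as an added, self-contained example. This is not Richard's or anyone else's code from the thread. The log line format (a hypothetical "mailfilter" daemon logging client IP and rejected attachment type), the set of extensions counted as the "Microsoft file" half of a pair, the interface name `ex0`, and the never-block list are all assumptions made for the example; the sample log lines are constructed.

```python
"""Turn MTA attachment rejections into a separate IPF blacklist.

A Sven-style delivery shows up as a pair of rejects from one IP (a GIF and a
Microsoft executable type).  Hosts that send more than one such pair get an
IPF 'block' rule; the rules are rendered on their own so they can be removed
without touching the base firewall configuration.
"""
import re
from collections import Counter, defaultdict

# Extensions treated as the "Microsoft file" half of a pair.  This set is an
# assumption for the example, not a list taken from the message.
MS_TYPES = {"pif", "scr", "exe", "com", "bat", "dll", "cpl", "vbs"}

# Constructed sample log lines (not from the original message).  The format of
# a hypothetical "mailfilter" daemon is an assumption for this example.
SAMPLE_LOG = """\
Jan  4 14:01:02 host mailfilter[123]: reject client=203.0.113.10 attachment=gif reason=worm-sig
Jan  4 14:01:05 host mailfilter[123]: reject client=203.0.113.10 attachment=pif reason=worm-sig
Jan  4 14:20:11 host mailfilter[123]: reject client=203.0.113.10 attachment=gif reason=worm-sig
Jan  4 14:20:14 host mailfilter[123]: reject client=203.0.113.10 attachment=scr reason=worm-sig
Jan  4 15:02:40 host mailfilter[123]: reject client=198.51.100.7 attachment=gif reason=worm-sig
Jan  4 15:02:43 host mailfilter[123]: reject client=198.51.100.7 attachment=pif reason=worm-sig
Jan  4 16:10:00 host mailfilter[123]: reject client=192.0.2.99 attachment=exe reason=worm-sig
Jan  4 16:10:02 host mailfilter[123]: reject client=192.0.2.99 attachment=gif reason=worm-sig
Jan  4 16:30:00 host mailfilter[123]: reject client=192.0.2.99 attachment=pif reason=worm-sig
Jan  4 16:30:01 host mailfilter[123]: reject client=192.0.2.99 attachment=gif reason=worm-sig
"""

REJECT_RE = re.compile(
    r"reject client=(?P<ip>\d+\.\d+\.\d+\.\d+) attachment=(?P<kind>\w+)"
)


def parse_rejects(log_text):
    """Return {ip: Counter({'gif': n, 'ms': m})} built from reject lines."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # not a reject line; ignore
        kind = m.group("kind").lower()
        if kind == "gif":
            per_ip[m.group("ip")]["gif"] += 1
        elif kind in MS_TYPES:
            per_ip[m.group("ip")]["ms"] += 1
        # any other rejected type is not part of a Sven-style pair
    return per_ip


def pairs_per_ip(per_ip):
    """One 'pair' is a GIF reject plus a Microsoft-file reject from the same IP."""
    return {ip: min(c["gif"], c["ms"]) for ip, c in per_ip.items()}


def select_blocks(pairs, min_pairs=2, never_block=()):
    """IPs with at least min_pairs pairs ('more than one such pair'), minus a
    never-block list for hosts whose legitimate mail you cannot afford to lose
    (the message notes the rule has already caught at least one real e-mail)."""
    skip = set(never_block)
    return sorted(ip for ip, n in pairs.items() if n >= min_pairs and ip not in skip)


def ipf_rules(ips, iface="ex0"):
    """Render IPF rules for a separate rules file.  The interface name is an
    assumption; the rules refuse the sender's SMTP connections at the TCP layer,
    so later attempts never reach DATA."""
    header = ["# Sven/worm-sender blacklist: generated, kept apart from the base rules"]
    return header + [
        f"block in quick on {iface} proto tcp from {ip}/32 to any port = 25"
        for ip in ips
    ]


if __name__ == "__main__":
    counts = parse_rejects(SAMPLE_LOG)
    blocked = select_blocks(pairs_per_ip(counts), never_block={"192.0.2.99"})
    print("\n".join(ipf_rules(blocked)))
```

The rules only save bandwidth on connections after the threshold is reached: the pairs that triggered the rule were already received in full, for exactly the reason the message gives about DATA being a single block. Loading the generated file separately from the base rule set keeps the eventual cleanup a one-line change.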