Subject: Re: SPAM Alert: Email Address Harvesting
To: Richard Rauch <email@example.com>
From: Flo <firstname.lastname@example.org>
Date: 01/04/2004 23:59:03
I tested with a 3 MB message with a "bad word" in the header. The mail
as "bad" immediately, but the transfer doesn't stop.
Jan 4 23:50:20 server postfix/smtpd: connect from
Jan 4 23:50:21 server postfix/smtpd: 3CA6F1E998C:
Jan 4 23:50:25 server postfix/cleanup: 3CA6F1E998C: reject:
header Subject: online casino from mail.gmx.net[22.214.171.124];
from=<email@example.com> to=<firstname.lastname@example.org> proto=SMTP
helo=<mail.gmx.net>: Bah, go away!
Jan 4 23:51:09 server postfix/smtpd: disconnect from
Bad, I thought it disconnects immediately when a header check matches.
Richard Rauch wrote:
> Certainly I get a lot of Sven worm attempts. Like Flo, I have them filtered
> at the SMTP layer (along with all other DLL/PIF/etc. junk files).
> But spam is more annoying if it gets through (and while zero Sven viruses
> get through to me, I do get occasional spam).
> Aside to Flo: Does that really stop the virus before it uses up your band-
> width? My impression is that the whole message is received before the
> header checks are applied. By that time, the biggest bandwidth hit has
> already been taken. Conforming SMTP has no way to break the transmission
> during header transmission, as far as I know, since the whole message
> (header and body) is sent in one DATA block. Once you start to accept,
> you can't shut the transmitter off.
> I've noticed that I usually get a double-take from Sven attempts. One
> has a GIF attachment (rejected) the other has a Microsoft file attach
> of some kind (also rejected). If I get more than one such pair from
> a single IP, I am prone to tossing the IP into a local IPF blacklist.
> "ipfstat -hin | grep -v ^0" suggests that that's doing a good job.
> It's a bit draconian, and has blocked at least one legitimate email.
> But I got tired of seeing countless RBL lookups and lots of my
> (limited) DSL bandwidth chewed up for Sven viruses.
> I'm keeping the Microsoft Worm related IPF rules separate, so that I can
> eventually turn them off, when and if Sven becomes less of a problem.
> (I intend to keep the list, however, as I will probably want to block
> many of the same IP numbers for the next Microsoft virus. (^&)