August 19, 2003 archives
virus-checking mail servers
having a mail server that checks your incoming (and outgoing!) mail for viruses is a very good thing.
having a mail server that sends bounce messages in response to viruses that are known to forge the message sender is a very, very bad thing.
as far as i can tell, i have received exactly zero copies of the latest sobig virus today because it has been blocked by various mail filters doing their job (mostly the klez_filter plugin for qpsmtpd). i have, however, received hundreds of bounce messages from mail servers as the result of the damn thing.
(by way of stats, my mail server rejected 42 mails with the klez_filter plugin. the lists.mysql.com server rejected 2377. i wish i had a little more time to play with tuning the spam filters on both machines, because the cat-and-mouse nature of it can be entertaining, but i unfortunately have better things to do.)
viruses that spoof the sender address
the register hints at the chaos caused by auto-responding to viruses that spoof the sender, and jupitermedia got hit especially hard because it also uses admin@internet.com.
sobig's built-in smtp server appears to get tripped up by the check_earlytalker plugin for qpsmtpd.
to deal with some of the worm-induced bounces hitting lists.mysql.com, i implemented a simple check_badbounceto plugin to identify addresses that should not receive bounces because they don't send mail. it seems to have been fairly effective.
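The idea behind a check like check_badbounceto, as an added example that is not the plugin's code or anything from the original post: a bounce arrives with the null envelope sender `<>`, so it can be refused at RCPT time when the recipient is an address known never to send mail. The address list, function names and sample session below are constructed for illustration.

```python
import re

# Constructed list (assumption): addresses that accept mail but never send it,
# so no genuine bounce can ever be addressed to them.
NEVER_SENDS = {"admin@lists.example.com", "announce@lists.example.com"}

# Captures the path inside <...>; trailing ESMTP parameters are ignored.
_PATH = re.compile(r"^(?:MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)

def envelope_path(line):
    """Return the address in a MAIL FROM/RCPT TO line, "" for <>, None if unparseable."""
    m = _PATH.match(line.strip())
    return m.group(1) if m else None

def check_rcpt(sender, recipient, never_sends=NEVER_SENDS):
    """Refuse bounces (null sender) aimed at addresses that never send mail."""
    # Matching is case-insensitive here, a deliberate choice for this sketch.
    if sender == "" and recipient.lower() in never_sends:
        return 550
    return 250

def run_session(lines):
    """Walk envelope commands and return a (recipient, reply code) pair per RCPT."""
    sender, verdicts = None, []
    for line in lines:
        verb = line.strip().upper()
        if verb.startswith("MAIL FROM:"):
            sender = envelope_path(line)      # "" means a bounce
        elif verb == "RSET":
            sender = None                     # envelope discarded
        elif verb.startswith("RCPT TO:"):
            rcpt = envelope_path(line)
            if rcpt is None:
                verdicts.append((None, 501))  # syntax error in path
            elif sender is None:
                verdicts.append((rcpt, 503))  # RCPT before a valid MAIL
            else:
                verdicts.append((rcpt, check_rcpt(sender, rcpt)))
    return verdicts

# Constructed session: a bounce to two recipients, then ordinary mail.
SAMPLE_SESSION = ["MAIL FROM:<>", "RCPT TO:<Admin@lists.example.com>",
                  "RCPT TO:<alice@example.com>", "RSET",
                  "MAIL FROM:<bob@example.org> SIZE=1024",
                  "RCPT TO:<admin@lists.example.com>"]

if __name__ == "__main__":
    for rcpt, code in run_session(SAMPLE_SESSION):
        print(code, rcpt)
```

Only the bounce to the non-sending address is refused; the same address still accepts ordinary mail, and a real mailbox still receives its bounces.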