Looking at my disk stats, my mail storage spool has grown by 15% in the past week, not due to the deluge of viruses, which I can block and reject, but in large part to those idiotic "Hi, I am sorry in a happy idiotic way to inform you that the message you sent has a virus" messages.... As almost all of them forge their email address, what is the point of warning the "sender"? Even better, I wake up this a.m. to 285 (and growing) messages below telling me that someone at skynet is trying to send me a virus message, and it cc's 64 other people. Nice.
---Mike
Our queue appears to be increasing linearly since about last Tuesday; since then
it's increased 3000%. There's a huge dip midday Saturday (it goes down to one
third its size in about 4 hrs), then rapidly jumps up to higher than its pre-dip
value.
That's messages, though; queue spool size hasn't gone up all that much, maybe 200%.
No idea about our storage spools...
Very odd!!
Steve
Enough people are sufficiently annoyed by antivirus
notifications/advertisements that they're starting to ask for DNSBLs of
systems that send them. I suspect before long, there will be some.
But this really doesn't seem to be NANOG material. Try spam-l or
spamtools.
And at least one of those other 64 will next time actually get a virus,
where all those addresses will get used to seed the address scraper.
Remember that hitting 'delete' usually doesn't actually wipe it off the
disk in most MUAs....
When the traffic blip caused by the A/V tools is bigger than the
traffic blip caused by the actual virus, it's an operational issue.
jlewis@lewis.org wrote:
Enough people are sufficiently annoyed by antivirus
notifications/advertisements that they're starting to ask for DNSBLs of systems that send them. I suspect before long, there will be some.
Already thought about it (and dismissed it)
But this really doesn't seem to be NANOG material. Try spam-l or spamtools.
It could be - it is a network issue - particularly where so many people feel the need to reply with virus 'reports'... I know the virus mails and the virus reports certainly caused some issues network-wise at Telstra recently.
/ Mat
# MyDoom craziness
# Discard A/V "you sent a virus" notifications: the worm forges the sender,
# so these never reach the real origin. TRASH must already be set earlier
# in this .procmailrc, e.g. TRASH=/dev/null
:0
* ^Subject:.*(\
\{Spam\?\} Warning: E-mail viruses detected|\
Anti-Virus Notification|\
BANNED FILENAME|\
Disallowed attachment type found in sent message|\
File blocked - ScanMail for Lotus|\
InterScan NT Alert|\
Message deleted|\
NAV detected a virus|\
Norton AntiVirus detected|\
RAV AntiVirus scan|\
Returned due to virus|\
Skynet Mail Protection|\
Symantec AntiVirus|\
Undeliverable: test|\
VIRUS \(.*\) IN MAIL FROM YOU|\
VIRUS \(.*\) IN MAIL TO YOU|\
VIRUS IN YOUR MAIL|\
Virus Detected by Network Assoc|\
Virus Notification|\
Virus found in a message you sent|\
Virus found in sent message\
)
$TRASH
: # MyDoom craziness
: :
: * ^Subject:.*(\
Actually, Mydoom has a very detectable signature. It has both X-Priority
and X-MSMail-Priority headers, but *neither* an X-Mailer nor an X-MimeOLE
header.
These conditions make, for instance, SpamAssassin catch the worm easily.
Based on all the available mailboxes I can scan from here, such a check
should kill only Mydoom [and some spam].
Rolled that into a milter, and poof!
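The two checks the thread settles on, as an added example (not code from anyone in the thread, and not the milter mentioned above): the subject strings from the procmail recipe applied to a parsed message, and the header signature described in the last reply (X-Priority and X-MSMail-Priority present, X-Mailer and X-MimeOLE absent). The sample messages are constructed for the example; the function names and the accept/trash/reject verdicts are my own choice.

```python
"""Filter A/V bounce notices by Subject and flag Mydoom by its header signature."""
import re
from email import message_from_string
from email.message import Message

# Subject fragments taken from the procmail recipe in the thread.
AV_BOUNCE_SUBJECT = re.compile(
    r"\{Spam\?\} Warning: E-mail viruses detected|"
    r"Anti-Virus Notification|"
    r"BANNED FILENAME|"
    r"Disallowed attachment type found in sent message|"
    r"File blocked - ScanMail for Lotus|"
    r"InterScan NT Alert|"
    r"Message deleted|"
    r"NAV detected a virus|"
    r"Norton AntiVirus detected|"
    r"RAV AntiVirus scan|"
    r"Returned due to virus|"
    r"Skynet Mail Protection|"
    r"Symantec AntiVirus|"
    r"Undeliverable: test|"
    r"VIRUS \(.*\) IN MAIL (FROM|TO) YOU|"
    r"VIRUS IN YOUR MAIL|"
    r"Virus Detected by Network Assoc|"
    r"Virus Notification|"
    r"Virus found in (a message you sent|sent message)"
)


def is_av_bounce(msg: Message) -> bool:
    """True if the Subject matches one of the known A/V notification strings."""
    return AV_BOUNCE_SUBJECT.search(msg.get("Subject", "")) is not None


def has_mydoom_header_signature(msg: Message) -> bool:
    """Mydoom sets both priority headers but never identifies its mailer."""
    def present(name: str) -> bool:
        return msg.get(name) is not None
    return (present("X-Priority") and present("X-MSMail-Priority")
            and not present("X-Mailer") and not present("X-MimeOLE"))


def classify(raw: str) -> str:
    """Return 'reject' (worm itself), 'trash' (A/V bounce) or 'accept'."""
    msg = message_from_string(raw)
    if has_mydoom_header_signature(msg):
        return "reject"   # refuse at SMTP time; no bounce is ever generated
    if is_av_bounce(msg):
        return "trash"    # the "sender" is forged, the notice is noise
    return "accept"


# Constructed samples (hypothetical addresses and bodies).
MYDOOM_SAMPLE = """\
From: "bob" <bob@example.net>
To: mike@example.org
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000"
X-Priority: 3
X-MSMail-Priority: Normal

binary attachment follows
"""

OUTLOOK_SAMPLE = """\
From: alice@example.org
To: mike@example.org
Subject: lunch?
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165

noon?
"""

AV_BOUNCE_SAMPLE = """\
From: postmaster@gateway.example.com
To: mike@example.org
Subject: Virus found in a message you sent

Your message contained a virus and was not delivered.
"""

if __name__ == "__main__":
    for name, raw in [("mydoom", MYDOOM_SAMPLE), ("outlook", OUTLOOK_SAMPLE),
                      ("av-bounce", AV_BOUNCE_SAMPLE)]:
        print(f"{name}: {classify(raw)}")
```

The header test deliberately runs before the subject test so the worm is rejected at the gateway and never produces a notice of its own. Any legitimate mailer that sets both priority headers but identifies itself with neither X-Mailer nor X-MimeOLE will trip the same rule, so log matches for a while before turning it into an SMTP reject.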