> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:mimedefang-[EMAIL PROTECTED] On Behalf Of Paul Murphy
> Sent: Thursday, May 05, 2005 1:24 PM
> To: [email protected]
> Subject: RE: [Mimedefang] Blocking IP #
>
> I've seen 4 copies of Sober.P (one was zipped) in 48 hours, from 740 messages.
> The reason it's so low is because I use greylisting - all of these were generated
> by systems which bounced a message back to us which purported to come from our
> domain. All had invalid addresses as senders, and all were detected as viruses
> by ClamAV.
>
> On the question of the effectiveness of greylisting, here are some details of the
> traffic I've seen through the MySQL implementation of greylisting on our system
> (http://www.bl.org/~jpk/md-greylist/) found by querying the database for
> everything which has a 'new' entry and then filtering for only those which are
> knocking more than 5 times from the same sender/IP pair:
>
> <...snip...>
> 11 rows in set (0.63 sec)
>
> As you'll see, the higher numbers are clearly being spewed from a virus mailer.
> Interestingly, it appears that this one tries 30 random recipient addresses per
> sender address, and then gives up - the "piona.com" sender also tried "sales",
> which we bounced as a banned address rather than as an unknown user. The other
> entry is a scatter-gun spammer who never came back.

I completely agree with Paul there. I'd say greylisting itself blocks about 90% of those auto-virus mailings coming from infected PCs and small mail servers on the net.

Greylisting has had a huge positive impact on our mail system -- we log mail-in and our gateway servers only really have to deal with 8000 out of 30000 emails received per hour due to invalid senders and/or spam exploit software never retransmitting messages.

- Chris

------------------------------------------
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
http://www.digiconcommunications.com
[EMAIL PROTECTED]

_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
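The kind of query described in the quoted message (entries still marked 'new', grouped by sender/IP pair, kept only above 5 knocks), as an added example that is not part of the original thread or of md-greylist. The table layout, the `attempts` column, the 'passed' state and all sample rows are assumptions, and sqlite3 stands in for MySQL so the sketch runs offline.

```python
import sqlite3

# Hypothetical schema: one row per greylisted triplet. This is NOT the
# md-greylist table layout, which the thread does not show.
SCHEMA = """
CREATE TABLE triplets (
    sender    TEXT NOT NULL,
    ip        TEXT NOT NULL,
    recipient TEXT NOT NULL,
    state     TEXT NOT NULL,     -- 'new' = deferred and never retried
    attempts  INTEGER NOT NULL   -- delivery attempts seen for this triplet
)"""

# Sender/IP pairs that only ever produced 'new' entries and knocked more
# than the threshold, with the number of distinct recipients they tried.
QUERY = """
SELECT sender, ip,
       SUM(attempts)             AS knocks,
       COUNT(DISTINCT recipient) AS recipients
FROM triplets
WHERE state = 'new'
GROUP BY sender, ip
HAVING SUM(attempts) > ?
ORDER BY knocks DESC"""

def build_sample_db():
    """Constructed sample data using documentation-only domains and IPs."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    rows = []
    # Virus-mailer pattern from the thread: 30 recipients per sender, no retry.
    rows += [("forged@example.net", "192.0.2.10", f"user{i}@example.org", "new", 1)
             for i in range(30)]
    # Scatter-gun spammer that never came back.
    rows += [("offer@example.com", "198.51.100.7", f"guess{i}@example.org", "new", 1)
             for i in range(8)]
    # Real mail server: retried until accepted, so it is not in state 'new'.
    rows.append(("list@example.edu", "203.0.113.5", "bob@example.org", "passed", 6))
    # A single first-time knock stays below the threshold.
    rows.append(("carol@example.edu", "203.0.113.9", "bob@example.org", "new", 1))
    db.executemany("INSERT INTO triplets VALUES (?, ?, ?, ?, ?)", rows)
    return db

def noisy_pairs(db, threshold=5):
    """Return (sender, ip, knocks, recipients) rows above the knock threshold."""
    return db.execute(QUERY, (threshold,)).fetchall()

if __name__ == "__main__":
    for sender, ip, knocks, recipients in noisy_pairs(build_sample_db()):
        print(f"{knocks:4d} knocks, {recipients:3d} recipients  {sender} via {ip}")
```

A high recipient count against a single sender/IP pair is the fan-out that separates the virus-mailer rows from an ordinary server that simply has not retried yet.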

