From: "Bryan Phinney" <[EMAIL PROTECTED]>

> On Thursday 16 December 2004 20:09, JoeHill wrote:
> >
> > > Ideally what I want to do is to get my server to just say "Bog off"
> > > when the delivery attempt is made.
> >
> > Well, AFAIK, the only way to do that is with a bounce, and there's the rub.
>
> Actually, not necessarily. In Postfix, if you set up to reject the message you
> basically send a reject code 554 which tells the originating server that the
> mail is rejected. It does NOT bounce to the FROM address, it actually drops
> the mail at the connecting server. So, if this is a virus propagating
> machine, it is the one receiving the bounce, not the spoofed address.

Humble (moi! humble?) request, please be careful with terminology, even if AOL
and Microsoft are sloppy as hell. Bounce sends a message back to the purported
sender, [EMAIL PROTECTED]. Rejects simply reject it from the server forwarding
the email to your mailbox. The purported sender is not involved and never sees
the failure unless something ELSE, like the sending server, informs him of the
error.

> If you are using fetchmail or the like and pulling mail from a server, you are
> indeed unable to drop the connection machine, however, most mail servers that
> relay are set to simply drop mail when they receive a 554 reject code, so no
> bounce message is ever sent, the mail just drops. Of course, some might
> actually try to send a reject to the From address assuming that is the
> originator, but with all the mail viruses today, most mail servers don't
> bother.

100% correct. If you use fetchmail you're stuck. Filtering is all you can do.
I reiterate SARE is WONDERFUL.

> However, for viruses, it is impossible to issue a 554 on connect because the
> only way to know it is a virus is to download the body and by the time you
> get all of the mail, it is simply too late to reject it. So, the only choice
> is to drop it yourself unless you want to go to the trouble of manually
> bouncing the mail to the From which would be pointless.

Mostly true. If you do notice them coming from a single IP address in your
mail logs you can use iptables to drop the packets on the floor.

> > Something to check out:
> >
> > http://agriroot.aua.gr/~nikant/nkvir/
> >
> > Just add it to your .procmailrc, follow the instructions to make sure it's
> > config'd properly, and you can /dev/null them if you want (though it's not
> > recommended). I've been using this recipe for over a year and only had one
> > false positive.
>
> Also, you could install and run Amavis, amavis-new, etc. along with clamav
> which has Mandrake RPMs available. That will provide virus detection and
> filtering and gives you the option of disregarding all notification and
> dumping viruses or you can collect them and impress your friends.
>
> I have 8 different ones now, including 4 variations on the same virus. I am
> competing against my friend that runs Windows, but I am starting to doubt
> that I will ever catch up. I guess Windows really is just better at some
> things than Linux. ;-}

nkvir is sufficient to capture many varieties of viruses. I dump them. But
I've had far more than eight distinct viruses caught.

If I used only Linux for working and recreation I'd not bother with Windows
virus detection. If I ran an ISP I'd forward the virus unless the user
specifically requests some form of AV protection at the ISP. I'd likely
suggest they use something like Norton which can provide AV filtering on
incoming email. This is for the same reason that I advocate SpamAssassin type
scoring rather than elimination for an ISP.

(Of course, I use SSL for speaking to a secure POP and IMAP server pair on our
mail server. So AV filtering is mostly a human operation. Fortunately SA tags
almost all of them as spam as a side effect.)

If that is 8 different LINUX attacking viruses "I'm impressed."

{^_-}
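As an added illustration of the reject-versus-bounce distinction argued in this exchange (this is example code written for this page, not code from anyone in the thread or from Postfix), the small Python simulation below walks one SMTP transaction in two server modes: "reject", where the server answers 554 at RCPT TO so the connecting relay never sends DATA and nothing is queued, and "bounce", where the server accepts the message and only afterwards generates a delivery-status notification to the envelope sender. The addresses, the refused-recipient list and the reply texts are constructed for the example; the point it demonstrates is who ends up holding the failure: the connecting machine in the first case, the possibly spoofed MAIL FROM address in the second.

```python
from dataclasses import dataclass, field

# Constructed policy for the example: one local address the server refuses.
REFUSED_RECIPIENTS = {"nobody@example.org"}


@dataclass
class Outcome:
    transcript: list = field(default_factory=list)  # "C:" / "S:" dialogue lines
    queued: list = field(default_factory=list)      # messages accepted for delivery
    dsns: list = field(default_factory=list)        # bounce notices generated, and to whom


def smtp_session(mode, mail_from, rcpt_to, body):
    """Simulate one SMTP transaction between a relay (C) and our server (S).

    mode == "reject": refuse at RCPT TO with 554; the relay stops, no DSN exists.
    mode == "bounce": accept everything, then notify the envelope sender afterwards
                      (this is the backscatter the thread warns about).
    """
    out = Outcome()
    say = out.transcript.append
    say("S: 220 mx.example.org ESMTP")
    say("C: EHLO relay.example.com")
    say("S: 250 mx.example.org")
    say(f"C: MAIL FROM:<{mail_from}>")
    say("S: 250 2.1.0 Ok")
    say(f"C: RCPT TO:<{rcpt_to}>")
    refused = rcpt_to in REFUSED_RECIPIENTS

    if refused and mode == "reject":
        # Permanent failure answered in-session: the relay holds the problem.
        say(f"S: 554 5.7.1 <{rcpt_to}>: Recipient address rejected")
        say("C: QUIT")
        say("S: 221 2.0.0 Bye")
        return out

    say("S: 250 2.1.5 Ok")
    say("C: DATA")
    say("S: 354 End data with <CR><LF>.<CR><LF>")
    say("C: " + body)
    say("C: .")
    say("S: 250 2.0.0 Ok: queued")
    say("C: QUIT")
    say("S: 221 2.0.0 Bye")

    if not refused:
        out.queued.append({"from": mail_from, "to": rcpt_to, "body": body})
    elif mail_from:
        # Accepted, then found undeliverable: a DSN goes to the envelope sender,
        # which for virus or spam traffic is usually a forged address.
        # (An empty reverse path, the null sender, never gets a bounce.)
        out.dsns.append({"to": mail_from, "reason": f"{rcpt_to}: recipient rejected"})
    return out


def failure_reported_to(outcome):
    """Who learns of the failure: the connecting relay (saw a 5xx reply),
    the DSN addressees (bounce mode), or nobody (delivered or null sender)."""
    if any(line.startswith("S: 5") for line in outcome.transcript):
        return ["connecting relay"]
    return [dsn["to"] for dsn in outcome.dsns]


if __name__ == "__main__":
    for mode in ("reject", "bounce"):
        result = smtp_session(mode, "spoofed@victim.example", "nobody@example.org", "Subject: test")
        print(f"--- mode={mode} ---")
        print("\n".join(result.transcript))
        print("failure reported to:", failure_reported_to(result))
```

Run it directly to see both transcripts side by side. Note that the "bounce" path is only possible because the server said `250 ... queued` first; once that reply has been sent, the responsibility for the message (and for telling someone it failed) has moved to the accepting server, which is exactly the situation a fetchmail user is in.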
