On [Fri, 11.06. 08:56], Tracy wrote:
> At 03:09 6/11/2004, Goesta Smekal wrote:
> >I do a similar thing for two months : Every mail reported to be infected
> >gets a
> >second treatment:
> >
> >* look for originating IP (of SMTP envelope, _not_ headers)
> >* resolve its domain
> >* get the MX for that domain
> >* if the IPs are not equal, block the host, since it is an infected, non MX
> >host.
> >
> >This approach works _very_ fine (not a single complaint ever since, opposed to
> >three complaints due to RDNS check, which started the same time) the SMTP load
> >actually is _reduced_ and the "SNDRIP=EIPSPAM" is constantly rising :-)
> >.... and
> >of course the virus/day rate is sinking.
>
> This will break rather spectacularly on some larger ISP traffic, since many
> larger ISPs (AOL, RoadRunner, Comcast, a number of others) do not send
> their mail from the same machines which receive it. MX records are for
> machines that receive mail - while a *lot* of places also send mail from
> the same machines, a lot of places (especially high volume sources of mail)
> do not.

Well, actually you are right in a technical point of view and, sure, it is NOT RFC what I do.
But from the more pragmatic approach I must say it works well, without a complaint (as I stated in my initial posting) at all. (we get about 1000 mails a day)

Why? Because those sending mails out via unlisted servers are either infected ;-) or running public mail services and are either virus protected or the default SMTP gateway for people and thus _don't_ get used by today's malware.

Goesta

--
Wiener Hilfswerk - EDV
1072 Wien, Schottenfeldgasse 29
Tel: 512 36 61 DW 407 / Fax 512 36 61 33
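
The four-step check quoted above and the objection raised against it, as an added example that is not part of the original posts and is not XMail code. It assumes "resolve its domain" means a reverse-DNS lookup of the connecting IP, takes the last two labels of that name as the domain, and leaves peers without PTR or MX data unblocked; the DNS tables are constructed and all function names are hypothetical.

```python
# Added example: the "infected sender must be an MX of its own domain" check.
# All DNS data is constructed (documentation IP ranges, .example names);
# function names are hypothetical, not XMail's.
PTR = {  # reverse DNS of the connecting SMTP peer
    "192.0.2.10": "mail.smallshop.example",      # sends and receives on one box
    "198.51.100.77": "dsl-77.pool.isp.example",  # end-user machine
    "203.0.113.5": "out-3.bigisp.example",       # outbound-only relay of a large ISP
}
MX = {
    "smallshop.example": ["mail.smallshop.example"],
    "isp.example": ["mx.isp.example"],
    "bigisp.example": ["mx-in.bigisp.example"],
}
A = {
    "mail.smallshop.example": ["192.0.2.10"],
    "mx.isp.example": ["198.51.100.1"],
    "mx-in.bigisp.example": ["203.0.113.200"],
}

def registered_domain(hostname):
    """Assumption: last two labels. Real code needs the Public Suffix List."""
    return ".".join(hostname.rstrip(".").split(".")[-2:])

def mx_addresses(domain):
    """Every address behind every MX of the domain, not just the first."""
    return {ip for host in MX.get(domain, []) for ip in A.get(host, [])}

def classify(peer_ip):
    """Return 'no-rdns', 'no-mx', 'mx-host' or 'non-mx-host'."""
    host = PTR.get(peer_ip)
    if host is None:
        return "no-rdns"
    ips = mx_addresses(registered_domain(host))
    if not ips:
        return "no-mx"
    return "mx-host" if peer_ip in ips else "non-mx-host"

def should_block(peer_ip, reported_infected):
    """Block only peers whose mail was flagged and that are not an MX.
    Assumption: peers without PTR or MX data are left to other checks."""
    return reported_infected and classify(peer_ip) == "non-mx-host"

if __name__ == "__main__":
    for ip in PTR:
        print(ip, classify(ip), should_block(ip, True))
```

The third peer is the case raised in the reply: an outbound-only relay of a large ISP is classified the same as the infected end-user machine, so one flagged message relayed through it gets the relay blocked.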