procmail

Re: Recipes to catch virus warning responses

2003-08-20 14:10:12
At 10:39 2003-08-20 -0700, Bart Schaefer wrote:
> We're now /dev/null-ing our flood of Sobig.F's, but we're still getting a
> lot of silly "you may be infected" auto-responses (of course, we're not
> infected, the worm is forging the sender address, as a simple rDNS on
> the sending IP would demonstrate).
>
> Does anyone happen to already have a set of recipes to catch these?
> Sent by Declude, NAV for Exchange, RAV, etc. etc. ...

Most of which tend to be from some specific LHS address component at the domain. When I was getting a flurry of those on a discussion list server, I simply set up entries in the access db to reject the messages at SMTP time with a statement about not sending such notifications when the virus was known to use forgery - it wasn't a generic catch-all, but it worked well enough to stem the flood of BS notifications which we were receiving.

Messages to Abuse@ are explicitly defined as OK, so actual attempts to report problems to an abuse contact, rather than to the forged sender, would still get through.

---
 Sean B. Straw / Professional Software Engineering

 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
