Web Hosting Talk

a client and the SCO worm...


Devil Inside
01-27-2004, 07:22 AM
Ok here's the deal

I have one client that is getting hit hard by the worm.

Each time I ban the IP addresses that they are coming from - they start coming from another IP address.

This is causing my mailqueue to get backed up.

I obviously need to get this domain off my server - or block mail from coming to it.

What should I do?

What do I tell the client if I kick him off our service? I'll certainly offer a full refund as I cannot prove this to be their fault.


ideas?

thanks!

Pheaton
01-27-2004, 08:48 AM
Is it just coming from the one client?


The SCO worm is a new virus released on Monday. There is really nothing you can do other than get some sort of mailscanner software, and block the IPs the emails are coming from on your firewall.

xerophyte
01-27-2004, 09:16 AM
You can install MailScanner and ClamAV on your server which will block most of the virus.

Hope that helps.

Pheaton
01-27-2004, 09:43 AM
Originally posted by xerophyte
You can install MailScanner and ClamAV on your server which will block most of the virus.

Hope that helps.


I'll second that. We have that on our servers, and it's doing a fine job of blocking everything.

RandallKent
01-27-2004, 01:31 PM
I'd use an AV scanner or refer him to another host.

sightz
01-27-2004, 02:30 PM
Originally posted by Devil Inside
Each time I ban the IP addresses that they are coming from - they start coming from another IP address.

I don't think banning IP addresses is a good way to block a virus that several million people have :rolleyes:

Add the following 3 lines to your .filter file and the messages will magically stop (until the virus mutates)

$message_body contains "Partial message is available."+++++++/dev/null

$message_body contains "cannot be represented in 7-bit ASCII encoding and has been sent as a binary"+++++++/dev/null

$message_body contains "contains Unicode characters and has been sent as a binary"+++++++/dev/null
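
The body-phrase matching those three rules describe, as an added Python example (not part of the original post and not Exim or cPanel code). It goes slightly beyond a raw substring test by decoding each text part and collapsing whitespace first, so a phrase wrapped across lines still matches; the function names and both sample messages are constructed for illustration.

```python
import email
import re
from email import policy

# The three body phrases from the filter rules in the post above.
PHRASES = (
    "Partial message is available.",
    "cannot be represented in 7-bit ASCII encoding and has been sent as a binary",
    "contains Unicode characters and has been sent as a binary",
)

def _norm(text):
    # Collapse whitespace and lowercase so wrapped or re-cased phrases match.
    return re.sub(r"\s+", " ", text).lower()

def body_texts(msg):
    # Yield the decoded text of every text/* part that is not an attachment.
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        try:
            yield part.get_content()
        except (LookupError, UnicodeDecodeError):  # unknown or broken charset
            yield (part.get_payload(decode=True) or b"").decode("latin-1")

def matched_phrases(raw_bytes):
    # Return the listed phrases found in the message body (empty list = clean).
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    text = _norm(" ".join(body_texts(msg)))
    return [p for p in PHRASES if _norm(p) in text]

# Constructed sample: phrase wrapped across two lines, plus a dummy attachment.
SAMPLE_HIT = b"""\
From: sender@example.org
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

The message cannot be represented in 7-bit ASCII
encoding and has been sent as a binary attachment.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="file.bin"

placeholder
--b1--
"""
# Constructed sample: ordinary mail with similar wording that must not match.
SAMPLE_CLEAN = b"Subject: hi\n\nA partial refund is available.\n"
```

Calling `matched_phrases()` on raw message bytes returns the list of phrases that fired, so the same function can be used to count hits over a mail spool before deciding what to discard.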

eBoundary
01-27-2004, 02:35 PM
Define "hit hard": how many emails are you talking about? I've got a mail server that handles mail for some 64k users and we're not seeing a whole lot more rubbish than we would on any other day.

achost_ca
01-27-2004, 02:45 PM
We've got ClamAV on our servers and it's running fine, cleaning about 200 messages per hour that are infected, and it's steadily increasing.

Devil Inside
01-27-2004, 05:20 PM
"hit hard" = the user went from being a low usage account to receiving 1-6 per minute that contained this worm.

Yes I have mailscanner installed and cleaning.

After banning 15 IPs I've at least managed to slow them down dramatically to where I'm not so much concerned anymore.

Thanks for all the input. :)

OH - and other accounts have now started receiving the virus...but very very low numbers. Maybe 1 - 2 per 6 hours.

-------
and since I'm still kinda newbish at this - .filter file = exim filter?
or would it be mailscanner filter file of some sort?

I'm on a cpanel system - exim.

thanks again!