Jim Flanagan wrote:
Hi all,
I'd like some advise on how to handle worm and phishing emails coming to one user on my postfix server. For about 3 weeks now, Clam-AV is advising that emails have been detected and not delivered due to them containing a worm. In this case it is Worm.Mydoom.M. About 8 to 10 a day are arriving, with ClamAV advising that the trace is to 2 different IP addresses. Ripe shows both to be registered thru an outfit in Paris (La Defense). I sent an email to the listed report-to email address but no reply. The worms keep crawling! I do get similar messages about phishing, but not near as many, and not from the same repeated IP addresses.
If you are accepting the mails directly via smtp (not polled via fetchmail or getmail etc.) then you have the option to reject the client. Or do you get normal mails from that ip aside of the daily ration of viruses? About one year ago I had a particular ip address in portugal that sent a bunch of viruses to my server. It used a sender address AND a recipient address from my domain. The sender address was rejected, and all was well. Then the worm was apparantly upgraded because he started to send the mail partly directly partly through his ISP (who did not check outgoing mail for viruses or spam). The mail that came via the provider was rejected, then came back again as bounce to the falsified sender address, again to my domain. Since I didn't want to blacklist the complete provider I used a header check to look for the originating ip address in the mail header. If it came from my good old chap the virus spreader, the mail was rejected again. That kept the mail out of my server and the game continued for some month. Then apparently the virus was detected and removed and the virus mails stopped. Sandy -- List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com