Hi there,

On Wed, 30 May 2012, Cedric Knight wrote:

> What I'm looking for is a way to avoid having to report new malware variants so frequently.
You need iptables, a long GreetPause, a multi-line 'HELO' greeting, greylisting, and maybe a few milters. Drop connections with dodgy SMTP greetings, mail from weird senders and any sender from freemail domains that you've never heard of. Firewall the IPs for a few days.

Here's the milter list in my sendmail installations:

    # Input mail filters
    O InputMailFilters=greylist, rcptfilter, spfmilter, chainmail, milter-regex, clmilter, mailfrom, mimedefang

Our greylist makes you wait, well, quite a while. Our GreetPause is, well, quite long. A few systems can't even cope with those, but if people want to run broken mail systems that's their problem. When it comes to policing mail, I'm a little to the right of Attila the Hun. :)

In my experience, far and away the best way to prevent unwanted mail is to refuse connections from places that are known to send the stuff. We currently block over 84,000 assorted networks (from /24 to /8) and about 3,000 individual IPs because they have attempted to send spam and/or malicious mail to us. Here for example is the list of countries (deduced by GeoIP from the IP address) from which we don't normally accept mail:

    AE, AR, AU, AZ, BD, BG, BR, BY, CL, CN, CO, CZ, DK, DO, EE, ES, FI, GE, GR, HN, HR, HU, ID, IL, IN, IQ, IT, JP, KR, KW, KZ, LK, LT, LU, LV, ME, MK, MX, PH, PK, PL, PR, PT, RO, RS, RU, SA, TW, UA, VN

One or two still get through, every few months.

Obviously different situations call for different setups. For example I wouldn't say that Australia is worse than the USA or the UK for spam per unit IP address space, but I know beyond a shadow of a doubt that if anyone tries to send mail to us from Australia, it's unwanted. So they don't get the opportunity.
> Wouldn't more spamtraps that feed virus samples directly to AV analysts help?

Are you new to this? :)

Just think about the numbers involved. For every person trying to stop spam and malicious mail there are a couple of thousand trying to make a fast buck. Those 'analysts' are doing all they can; they're doing a tremendous job but on its own it isn't enough and, while ever people are the way they are, it never will be enough. The DNS/RBLs can only do so much, because if they are too aggressive they get a reputation for blocking genuine mail and people would stop using them.

Plenty of spamtraps exist already, and we have links to them for example on our Websites, but it doesn't stop us getting of the order of 10,000 attempts daily to send us spam and malicious mail.

When you're a mail administrator you're always on the back foot, and nobody loves you. You have to learn to live with that. :)

--
73, Ged.

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml