From owner-freebsd-current@FreeBSD.ORG Thu Aug 21 22:29:15 2003
From: "Scot W. Hetzel"
To: "Brandon S. Allbery KF8NH", "Bill Moran"
Cc: current@freebsd.org
Date: Thu, 21 Aug 2003 23:44:30 -0500
Subject: Re: Regarding recent spam on the list
Message-ID: <001401c3686e$1a4051e0$11fd2fd8@westbend.net>
References: <3F429EC2.1080406@potentialtech.com> <1061330786.1842.4.camel@pyanfar.ece.cmu.edu>

From: "Brandon S. Allbery KF8NH"
> On Tue, 2003-08-19 at 18:03, Bill Moran wrote:
> > Just curious if anyone knows the origin of all these auto-responses, etc.
> > I'm seeing a lot of these on every list I'm subscribed to (not all of them
> > FreeBSD related) so I was wondering if some Windows trojan is running rampant
> > and using these list addresses as return addys?
>
> It's W32/SoBig.F@MM. It's spreading *fast*....
>

The first day it appeared, I received 8000+ virus and virus warning messages in my inbox. The only way I could stop it from filling my inbox was to change my e-mail address, and place a permanent failure code in the access table for the old address. But our mail server was still getting a Denial of Service, since it would max out the connections to both our primary and secondary mail servers.

Today I believe I have solved the problem. I wrote a couple of scripts that retrieve the IP address from the maillog for all servers/virus infected systems that are using the old email address. Then I set up IPFW to deny access to port 25 for these IP addresses.

So far IPFW is denying access to our mail servers for 30,000 Class C's (/24).

Scot
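The two steps Scot describes (pull the relay addresses out of the maillog for the retired address, then deny those /24s on port 25 with IPFW) as an added example; this is not Scot's script. The log lines are constructed in a loose sendmail 8.12 "ruleset=check_rcpt" rejection form, and the retired address, the rule number and the "to any" destination are assumptions.

```shell
#!/bin/sh
# Added example (not Scot's scripts): find the /24 networks of every relay
# that keeps sending to a retired address, and emit ipfw rules for them.
# Assumptions: sendmail 8.12-style "ruleset=check_rcpt" rejection lines,
# a free ipfw rule number, and a firewall sitting in front of the MX hosts.

OLD_ADDR="old-address@example.net"   # assumption: the retired mailbox
RULE_NO=2000                          # assumption: first free ipfw rule number

# Constructed sample maillog lines (not real data); one host addresses a
# different mailbox and must not be blocked, two hosts share a /24.
SAMPLE_LOG='Aug 21 23:44:30 mail sm-mta[25891]: h7M5QVRx025891: ruleset=check_rcpt, arg1=<old-address@example.net>, relay=pc1.example.org [198.51.100.23], reject=550 5.1.1 <old-address@example.net>... User unknown
Aug 21 23:44:35 mail sm-mta[25893]: h7M5QVRx025893: ruleset=check_rcpt, arg1=<old-address@example.net>, relay=[198.51.100.77], reject=550 5.1.1 <old-address@example.net>... User unknown
Aug 21 23:44:40 mail sm-mta[25895]: h7M5QVRx025895: ruleset=check_rcpt, arg1=<someone-else@example.net>, relay=[203.0.113.5], reject=550 5.1.1 <someone-else@example.net>... User unknown
Aug 21 23:44:42 mail sm-mta[25897]: h7M5QVRx025897: ruleset=check_rcpt, arg1=<old-address@example.net>, relay=[203.0.113.9], reject=550 5.1.1 <old-address@example.net>... User unknown'

# offending_nets ADDRESS: read a maillog on stdin and print one /24 per line
# (deduplicated) for every relay whose rejected recipient was ADDRESS.
offending_nets() {
    grep -F "arg1=<$1>" |
    sed -n 's/.*relay=[^[]*\[\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.[0-9][0-9]*\].*/\1.\2.\3.0\/24/p' |
    sort -u
}

# ipfw_rules: read networks on stdin and print one numbered deny rule each.
# The commands are printed, not executed, so the list can be reviewed first.
ipfw_rules() {
    n=$RULE_NO
    while read -r net; do
        echo "ipfw add $n deny tcp from $net to any dst-port 25 in"
        n=$((n + 1))
    done
}

printf '%s\n' "$SAMPLE_LOG" | offending_nets "$OLD_ADDR" | ipfw_rules
```

Piping the output into sh applies the rules; on a real box the maillog would be fed in from /var/log/maillog instead of the embedded sample.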