Date:      Thu, 21 Aug 2003 23:44:30 -0500
From:      "Scot W. Hetzel" <hetzelsw@westbend.net>
To:        "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu>, "Bill Moran" <wmoran@potentialtech.com>
Cc:        current@freebsd.org
Subject:   Re: Regarding recent spam on the list
Message-ID:  <001401c3686e$1a4051e0$11fd2fd8@westbend.net>
References:  <3F429EC2.1080406@potentialtech.com> <1061330786.1842.4.camel@pyanfar.ece.cmu.edu>

From: "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu>
> On Tue, 2003-08-19 at 18:03, Bill Moran wrote:
> > Just curious if anyone knows the origin of all these auto-responses, etc.
> >
> > I'm seeing a lot of these on every list I'm subscribed to (not all of them
> > FreeBSD related) so I was wondering if some Windows trojan is running rampant
> > and using these list addresses as return addys?
>
> It's W32/SoBig.F@MM.  It's spreading *fast*....
>
The first day it appeared, I received 8000+ virus and virus warning messages
in my inbox.  The only way I could stop it from filling my inbox was to
change my e-mail address, and place a permanent failure code in the access
table for the old address.  But, our mail server was still getting a Denial
of Service, since it would max out the connections to both our primary and
secondary mail servers.  Today I believe I have solved the problem.  I wrote
a couple of scripts that retrieve the IP address from the maillog for all
servers/virus infected systems that are using the old email address.  Then I
set up IPFW to deny access to port 25 for these IP addresses.  So far IPFW is
denying access to our mail servers for 30,000 Class C's (/24).

Scot
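
The approach described in the message above, sketched as an added example (not the author's scripts, which do not appear on this page). It assumes sendmail's `ruleset=check_rcpt ... relay=... [ip], reject=` maillog format; the address, threshold argument, rule number and log lines are constructed.

```sh
#!/bin/sh
# Added example; addresses, rule number and log lines are constructed.

# Constructed maillog excerpt in sendmail's check_rcpt reject format.
sample_maillog() {
cat <<'EOF'
Aug 21 10:15:02 mail sm-mta[4101]: h7LFF2a1004101: ruleset=check_rcpt, arg1=<old@example.org>, relay=host1.example.net [192.0.2.45], reject=550 5.1.1 <old@example.org>... User unknown
Aug 21 10:15:03 mail sm-mta[4102]: h7LFF3a1004102: ruleset=check_rcpt, arg1=<old@example.org>, relay=[192.0.2.77], reject=550 5.1.1 <old@example.org>... User unknown
Aug 21 10:15:04 mail sm-mta[4103]: h7LFF4a1004103: ruleset=check_rcpt, arg1=<old@example.org>, relay=dsl.example.com [198.51.100.9], reject=550 5.1.1 <old@example.org>... User unknown
Aug 21 10:15:05 mail sm-mta[4104]: h7LFF5a1004104: ruleset=check_rcpt, arg1=<other@example.org>, relay=mx.example.net [203.0.113.5], reject=550 5.1.1 <other@example.org>... User unknown
Aug 21 10:15:06 mail sm-mta[4105]: h7LFF6a1004105: from=<list@example.net>, size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.net [203.0.113.6]
EOF
}

# offending_nets ADDR [MIN]: read maillog on stdin, print each /24 that had
# at least MIN rejected deliveries to ADDR (default 1).
offending_nets() {
    addr=$1
    min=${2:-1}
    # Keep only rejects for the retired address, then take the bracketed
    # peer IP (the last [a.b.c.d] in the relay= field, which sendmail
    # writes itself) and collapse it to its /24.
    grep -iF "arg1=<$addr>" |
    grep -F 'reject=' |
    sed -n 's|.*relay=[^,]*\[\([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)\.[0-9]\{1,3\}].*|\1.0/24|p' |
    sort | uniq -c |
    awk -v min="$min" '$1 >= min { print $2 }'
}

# ipfw_rules [RULENUM]: turn networks on stdin into ipfw commands.
# The commands are printed, not executed, so they can be reviewed first.
ipfw_rules() {
    rule=${1:-2500}   # hypothetical rule number
    while read -r net; do
        echo "ipfw add $rule deny tcp from $net to any 25"
    done
}

# Stand-alone run on the constructed sample, threshold of 2 rejects.
sample_maillog | offending_nets old@example.org 2 | ipfw_rules 2500
```

Check the printed networks against your own relays and secondary MX before loading them, since a /24 rule also cuts off every legitimate sender in that range.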


