Sober (Was Re: [Mimedefang] code 421 and filter_sender)
gary at intrepid.com
Tue Dec 6 21:56:58 EST 2005
> -----Original Message-----
> From: Paul Whittney
> Sent: Tuesday, December 06, 2005 5:35 PM
> However, for some sites that deal with a small number of domains that
> accept email, the first thought is to "block all that could be the virus",
> and then move to the next task of the day (or hour ;-). I've actually had
> good responses with checking the IP addresses that are sending to some
> of our domains, doing a whois on the IP, and calling/emailing the tech
> contact listed. Remember, the reason the emails are knocking on your
> server's door is that an infected machine has your users' email address
> somewhere on their system (okay, that's a bit too simple, as it could be
> going through cached/saved files looking for emails, but still..).
Actually, more often than not, it is a "zombie" either controlled remotely
or acting as a relay/proxy, so my e-mail address isn't sitting on the
machine the mail originated from, but further upstream.
Interesting idea, though, to dig out the originating IP address, and see
if it is anywhere in my extensive mail archive, trying to backtrack it
to the likely owner.
> Do it nicely, and not by saying "hey, you're infected, stop it!". Offer
> logs, if needed. What do you get out of it? Less infected emails! Isn't
> that the point? Deal with the problem, not the symptom. It's like DShield
> for emails ;-P
We're getting plenty of e-mails auto-returned to our postmaster saying
they won't deliver the virus that postmaster at our site sent them.
Which is really a waste of time since our postmaster didn't send it.
If they honored our SPF record they'd know that because the incoming
address to their system is from some DSL or dial-up account halfway
across the world, and not our site. Better,
they could look at that received IP, dig up its MX, and send the
bounce back to a postmaster who might actually be able to do something
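As an added illustration of the SPF point above (my own example, not code from this thread or from MIMEDefang): a receiving MTA that evaluates the envelope sender's SPF record against the connecting IP can reject a forged virus message during the SMTP session instead of bouncing a notice to the forged address. The domains, records and addresses are constructed, and only the ip4/ip6/all mechanisms are handled (no include, a, mx or redirect).

```python
import ipaddress

# Constructed SPF records standing in for a DNS TXT lookup (example values).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.org": "v=spf1 ip4:198.51.100.0/24 ~all",
}

def spf_check(domain, client_ip, records=SPF_RECORDS):
    """Evaluate the ip4/ip6/all mechanisms of a v=spf1 record for client_ip.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    record = records.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"                      # no SPF policy published
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = "+"                         # default qualifier is "+" (pass)
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return qualifiers[qual]        # catch-all: first match wins
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed record
            if ip.version == net.version and ip in net:
                return qualifiers[qual]
    return "neutral"                       # no mechanism matched, no "all"

def bounce_decision(mail_from_domain, client_ip):
    """What to do with a virus-laden message whose MAIL FROM claims
    mail_from_domain but was handed to us by client_ip."""
    result = spf_check(mail_from_domain, client_ip)
    if result == "fail":
        # Forged envelope sender: reject in-session, never generate a bounce.
        return "reject-at-smtp"
    if result == "pass":
        # The sending host really is the domain's MTA; its postmaster can act.
        return "notify-sender-postmaster"
    # none/neutral/softfail/permerror: the sender is unverified, so a bounce
    # would most likely land on a forged address; drop it silently.
    return "discard-quietly"
```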