[Esd-l] Useful virus trap
John D. Hardin
jhardin at impsec.org
Tue Jun 15 06:02:57 PDT 2004
On Tue, 15 Jun 2004, Marcus Williams wrote:
> Not sure if this is of any use to anyone, but it works really well
> here...
>
> Basically, mail from our domain (quintic.co.uk) never comes from a
> machine called quintic.co.uk, so the received lines in all
> incoming emails should never contain a "HELO quintic.co.uk"
>
> What I have noticed is a fair few viruses use the "HELO
> recipient.domain" as the identifying domain when sending automated
> virii to us
That general model can be very useful - e.g. reject messages where the
HELO is from your domain and the client's IP is from the outside.
This sort of thing is best done in the MTA, so that the message can be
rejected right away rather than accepting it and filtering it later,
but it's still useful to have in procmail - remember, defense in
depth.
You should also look into publishing SPF records, and enabling SPF
checks in your MTA.
Thanks!
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org FALaholic #11174 pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The [assault weapons] ban is the moral equivalent of banning red
cars because they look too fast.
-- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
91 days until the "Scary-Looking Guns" ban expires
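A header check that implements the rule described above (a client outside your own networks announcing your domain in HELO), written as an added example rather than code from this thread; the domain, the internal relay range and the sample message are constructed stand-ins, and only the Postfix/Sendmail style "from helo (rdns [ip])" trace clause is parsed.

```python
import ipaddress
import re
from email import message_from_string

# Constructed configuration: hypothetical stand-ins for the site's own domain and
# the address space of its own mail relays (which may legitimately HELO with that name).
OUR_DOMAIN = "example.com"
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.0.0.0/8")]

# Matches "from <helo> (<rdns> [<ip>])"; hops in other formats are skipped, not guessed.
RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)\s*\((?:[^\s\[\]()]*\s*)?\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]\)",
    re.IGNORECASE,
)


def is_internal(ip):
    """True for our own relays and loopback, which are allowed to use our domain in HELO."""
    return ip.is_loopback or any(ip in net for net in INTERNAL_NETS)


def forged_helo_hops(raw_message):
    """Return (helo, ip) for every hop where an outside client claimed our domain in HELO."""
    msg = message_from_string(raw_message)
    hits = []
    for received in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(received.split()))  # unfold continuation lines
        if not m:
            continue
        helo = m.group("helo").strip("<>[]").rstrip(".").lower()
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        if is_internal(ip):
            continue
        if helo == OUR_DOMAIN or helo.endswith("." + OUR_DOMAIN):
            hits.append((helo, str(ip)))
    return hits


# Constructed sample: a worm connecting from outside (203.0.113.45) and announcing
# itself as our own domain, then relayed inward by our MX at 192.0.2.10.
SAMPLE_FORGED = """\
Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby inbox.example.com (Postfix) with ESMTP id 0001
Received: from example.com (unknown [203.0.113.45])
\tby mx.example.com (Postfix) with SMTP id 0002
From: colleague@example.com
Subject: your document

see attachment
"""
```

In a procmail recipe the same test would tag or file the message; in the MTA the equivalent HELO restriction rejects it at SMTP time, as the reply recommends.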