[Esd-l] Re: [Esa-l] SoBig local rule - updated
John D. Hardin
jhardin at impsec.org
Sat Aug 30 12:13:25 PDT 2003
On Fri, 29 Aug 2003, Jonathan Hutchins wrote:
> John,
>
> I got a lot of complaints about missed mail when I implemented
> that rule - more than can really be attributed to infected
> systems. I've backed it out for now, but have there been other
> reports of false positives?
Yours is the only such report that I have seen.
I think it'll be easier to have separate rules for the direct attack
and the bounces.
Everyone: please take a look at the recommended local rules at
http://www.impsec.org/email-tools/local-rules.procmail - it now
contains two rules, one for direct SoBig.F and one for bounces that do
not attach the original message using MIME. I've tested it against
messages taken from my quarantine and it seems to work well.
The default is to make direct attacks silently disappear. The volume
is simply too great, and the from addresses are forged. If you don't
want to adopt this stance, change the DISCARD to NONOTIFY and comment
out the clearing of SECURITY_NOTIFY_SENDER.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
63 days until Matrix Revolutions
More information about the esd-l
mailing list