August 21, 2003

Sobig.f was so big...

How big was it? I've gotten nearly half a gigabyte of it and bounces from it in the past two days, in 16617 messages. (About 10% of the incoming traffic from this damn thing is in bounce messages from well-meaning mail filters, traffic I could really do without, thanks) There's probably more, but there's a limit to the number of elements I feel like throwing into the filter regexes for my procmail log.

I'm really thinking a short-time autogenerated blackhole route manager tied into my mail filters is in order--if someone sends one of these damn viruses they get a 1 day timeout. (No packets for you, mister!) Given that I was seeing the same IP address delivering 5 or 6 of these damn things at a time I think that might well have cut down on the noise.
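The one-day timeout idea sketched above, worked out as an added example (this is not code from the post, nor from procmail or any tool the author ran). It assumes the mail filter appends a line of the form `<ISO timestamp> sobig <source ip>` for each binned worm copy (a constructed format), keeps a blackhole entry per source for one day, refreshes the expiry when the same host delivers again, prunes entries whose day has passed, and renders the active set as iproute2 `ip route add blackhole` commands without executing them. The exempt networks are an assumption too: the local relay and LAN should never be routed into the hole.

```python
"""Short-lived blackhole routes for hosts that deliver a worm (hypothetical design).

Every flagged source IP gets a blackhole entry for TTL (one day here); a later
hit refreshes the expiry; expired entries are dropped.  Route commands are
returned as strings and never executed by this module.
"""
import ipaddress
from datetime import datetime, timedelta

TTL = timedelta(days=1)

# Assumed: networks that must never be blackholed (own relay, loopback, LAN).
DEFAULT_EXEMPT = ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed sample: lines a mail filter might write when it bins a worm copy.
# Assumed format: "<ISO timestamp> <verdict> <source ip>"
FILTER_LOG = """\
2003-08-19T09:00:00 sobig 203.0.113.7
2003-08-19T09:00:05 sobig 203.0.113.7
2003-08-19T09:03:10 sobig 198.51.100.22
2003-08-19T10:00:00 sobig 192.168.1.5
2003-08-20T09:30:00 sobig 203.0.113.7
not a log line at all
"""


def parse_filter_log(text):
    """Yield (timestamp, ip) for each flagged delivery; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "sobig":
            continue
        try:
            yield datetime.fromisoformat(parts[0]), ipaddress.ip_address(parts[2])
        except ValueError:
            continue  # bad timestamp or address: ignore rather than crash the filter


def _ip_key(ip):
    # Sort v4 before v6, then numerically; mixing the two families directly
    # with < would raise TypeError.
    return (ip.version, int(ip))


class BlackholeManager:
    def __init__(self, ttl=TTL, exempt=DEFAULT_EXEMPT):
        self.ttl = ttl
        self.exempt = [ipaddress.ip_network(n) for n in exempt]
        self.expires = {}  # ip -> datetime at which the route should be removed

    def _is_exempt(self, ip):
        return any(ip in net for net in self.exempt)

    def hit(self, ip, when):
        """Record a flagged delivery. Returns True if a new route is needed."""
        if self._is_exempt(ip):
            return False
        new = ip not in self.expires
        self.expires[ip] = when + self.ttl  # repeat offenders restart their day
        return new

    def expire(self, now):
        """Drop entries whose timeout has passed; return the released IPs."""
        gone = sorted((ip for ip, t in self.expires.items() if t <= now), key=_ip_key)
        for ip in gone:
            del self.expires[ip]
        return gone

    def active(self):
        return sorted(self.expires, key=_ip_key)

    def route_commands(self):
        """iproute2 commands for the currently active entries (not executed)."""
        return [f"ip route add blackhole {ip}/32" if ip.version == 4
                else f"ip -6 route add blackhole {ip}/128" for ip in self.active()]


def replay(text, manager):
    """Feed a filter log through the manager in timestamp order.

    Returns the number of new routes that would have been installed.
    """
    added = 0
    for when, ip in sorted(parse_filter_log(text), key=lambda p: (p[0], _ip_key(p[1]))):
        manager.expire(when)  # housekeeping before each decision
        if manager.hit(ip, when):
            added += 1
    return added


if __name__ == "__main__":
    mgr = BlackholeManager()
    print("new routes:", replay(FILTER_LOG, mgr))
    for cmd in mgr.route_commands():
        print(cmd)
```

Running the sample log installs three routes in total: 203.0.113.7 and 198.51.100.22 on the first day, both expire before the 20th 09:30 hit, and 203.0.113.7 is re-added then; 192.168.1.5 is skipped as exempt. The commands are only rendered, so a wrapper that actually applies them can add whatever sanity check (route count ceiling, dry-run mode) it wants before touching the routing table.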

I'm getting closer to wanting ISPs to generally block outbound port 25 except to the local mailserver, even though that'll be damned inconvenient to me. I will pay for a static IP and low-grade business line if need be. (I've already got the static IP, and I will, reluctantly, pay more for outbound port 25 capabilities if it means that my DSL provider, and all the others, generally block 25...)

This probably means a wave of spam from the zombie machines is coming too. You can't imagine how thrilled that prospect makes me... :(

Update: I apparently added too soon--it looks like procmail doesn't record the size of the entire message when it's sent to /dev/null, so the 12.5K that were directly binned only showed header sizes in the log, not the full message size. Looks like the total bytecount is off by about a factor of five...

Posted by Dan at August 21, 2003 02:36 PM
Comments

I took a drastic approach to sobig. I limited incoming mail to 64k. All the 'net old timers know that's all that's ever been guaranteed anyway. :-)

-Dom

Posted by: Dominic Mitchell at August 25, 2003 05:02 AM