Message-ID: <200309251436.06261.dr@kyx.net>
Date: Thu, 25 Sep 2003 14:36:06 -0700
From: Dragos Ruiu <dr@....net>
To: "Nick Fisher" <bugtraq@...kdafish.com>
Cc: bugtraq@...urityfocus.com, Mike Zupan <mzupan@...o.com>
Subject: Re: Ruh-Roh SOBIG.G?

On September 25, 2003 08:48 am, Nick Fisher wrote:
> As you point out above, one of the biggest problems with SoBig was the
> bandwidth usage. As such wouldn't it be better to DISCARD the messages and
> not REJECT them? SoBig spoofs return addresses, why do you have to clog my
> mail server with bounce messages just because SoBig was spoofing one of my
> customers' addresses?

On September 25, 2003 08:32 am, Mike Zupan wrote:
> I don't know if it's just me but why add to the problem. Don't REJECT it
> just DISCARD it. I've got more bounced mail coming from email that is
> getting spoofed that mailservers are rejected than the actual virus
> itself. I set up a discard and already discarded 550 emails.

Well SOBIG's mail relay is hardly well behaved. I thought REJECT was more
appropriate. SOBIG won't send bounces on REJECT, and that way other people
who get caught by this will get some diagnostic (since it is the sender relay
that sends the bounce).

BTW I've put a copy of my received samples and analysis files at
http://dragos.com/sobig.tgz

cheers,
--dr
--
pgpkey http://dragos.com/ kyxpgp