Security Basics mailing list archives
Re: creating DNSBL for blocking email virus, need suggestion
From: Rob Hughes <rob () robhughes com>
Date: Sun, 21 Nov 2004 08:35:10 -0600
On Sat, 2004-11-13 at 12:10 +0700, Markus wrote:
> What if the computer that is infected by a virus and sends virus email is in a network/LAN? The LAN server's public IP will be blocked, and then all computers in that network can't send email to my school network. Can we know the local IP 198.x.x.x for that computer?

You're right. But blocking 1918 addresses isn't a solution either, since many networks use those same addresses for their internal hosts. About all you can do is pick a pain point and decide when too many infected mails come from a given server, then block it. Further, individual user systems shouldn't be sending out email. All email from a network should go through a central server so that it can be scanned. Allowing users to send email directly from their systems and/or not scanning outgoing mail is sloppy administration and lax security, almost to the point of criminality IMO.

> How long do you think an IP should remain in the blacklist? Because the blacklist can't know if the infected computer has already been cleaned by its user/admin.

I'd really suggest that you use some of the free RBLs out there. They have automated systems that let admins submit removal requests when they get their network cleaned up. A good source for these is openrbl.org.

Rob.
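The threshold-then-block approach from the reply, combined with a listing lifetime, as an added example that is not part of the original message. The class and function names, the threshold, window and TTL values, and the zone `bl.example.org` are assumptions; the IPs are constructed sample addresses.

```python
import ipaddress
from collections import defaultdict, deque

# RFC 1918 ranges are reused inside many networks, so they identify no single host.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class InfectedSenderList:
    """Threshold-and-expiry blocklist keyed by sending server IP (hypothetical design)."""
    def __init__(self, threshold=5, window=3600, ttl=86400):
        self.threshold = threshold      # "pain point": infected mails tolerated per window
        self.window = window            # seconds over which infected mails are counted
        self.ttl = ttl                  # seconds a listing lasts after the last trigger
        self.hits = defaultdict(deque)  # ip -> timestamps of recent infected mails
        self.listed_until = {}          # ip -> time at which the listing expires

    def report_infected(self, ip, now):
        """Record one infected mail from ip; return True if ip is listed afterwards."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in RFC1918):
            return False                # never list private space
        q = self.hits[ip]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()                 # forget infected mails older than the window
        if len(q) >= self.threshold:
            # A server still over the threshold has its expiry pushed forward.
            self.listed_until[ip] = now + self.ttl
        return self.is_listed(ip, now)

    def is_listed(self, ip, now):
        """True while the listing is live; expired entries are dropped automatically."""
        expiry = self.listed_until.get(ip)
        if expiry is not None and now >= expiry:
            del self.listed_until[ip]   # quiet for ttl seconds: assume it was cleaned
            self.hits.pop(ip, None)
            expiry = None
        return expiry is not None

def dnsbl_query_name(ip, zone):
    """Name a mail server looks up in a DNSBL: reversed IPv4 octets plus the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

if __name__ == "__main__":
    bl = InfectedSenderList(threshold=3, window=600, ttl=3600)
    for t in (0, 100, 200):             # constructed: three infected mails in 200 s
        listed = bl.report_infected("192.0.2.10", t)
    print(listed, dnsbl_query_name("192.0.2.10", "bl.example.org"))
    print(bl.is_listed("192.0.2.10", 3800))  # listing has expired by now
```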