Filtering virus-related e-mails?

Grant Edwards

Would it be possible for the python mailing list to filter out
the "virus-warning" emails rather than posting them to the
newsgroup?
 
Michael Hudson

Would it be possible for the python mailing list to filter out
the "virus-warning" emails rather than posting them to the
newsgroup?

Possibly, but I think the admins are busier trying to stop the network
cables and the server melting due to the load... maybe now they've
done that they can turn to secondary effects. I gather virus warning
emails are quite hard to filter due to each virus program having a
different format.

Posting here is probably not the optimal way of making this request,
BTW.

(Earlier on today, Greg Ward brought up exim on the new version of the
starship; within ten minutes, the number of SMTP connections had maxed
out. Ten minutes after instituting the clever hack that saved
mail.python.org, about 250 hosts were being rejected at the firewall
level).

Cheers,
mwh
 
Grant Edwards

Possibly, but I think the admins are busier trying to stop the network
cables and the server melting due to the load... maybe now they've
done that they can turn to secondary effects. I gather virus warning
emails are quite hard to filter due to each virus program having a
different format.

That's too bad. It makes them part of the problem as well.

(Earlier on today, Greg Ward brought up exim on the new version
of the starship; within ten minutes, the number of SMTP
connections had maxed out. Ten minutes after instituting the
clever hack that saved mail.python.org, about 250 hosts were
being rejected at the firewall level).

Ouch.
 
José María Mateos

Would it be possible for the python mailing list to filter out
the "virus-warning" emails rather than posting them to the
newsgroup?

Filtering out all the posts with the word "virus" in the subject
line helps a lot.

Regards,

Chema.

--
This e-mail address is NOT being read. Take out "-news" to reply
Web & GPG key: http://chema.homelinux.org/
 
Francois Pinard

[Michael Hudson]
I gather virus warning emails are quite hard to filter due to each virus
program having a different format.

As my own name has been much (ab)used in `From' lines for such viruses, I've
been receiving a great deal of such rejects for many days. It peaked at
around 5000 per day, but this is now decreasing.

Although I use a few filtering devices already (spambayes is one of them!), a
lot was going through, and I had to spend the last two days teaching my
-- unpublished -- filters how to do a better job for that overwhelming mass
of meta-email about viruses that was (incorrectly) sent back to me. The
thing now seems efficient enough, yet still, a few are slipping through.

I've nothing against sharing my code. On the other hand, I might not be
available enough to promise support: this has been written to solve personal
needs and might use configuration choices that would not please others.
Some anti-spam tools have a lot, lot more knowledge than my own filters.
Moreover, for the above processing, I did the work in a rush, not seeking
the ideal parameterisation. Also, the overall thing might be a bit tersely
documented. But if it could give ideas to the Python list maintainers (or
anyone else), I'm quite willing to make it available on request.

Ten minutes after instituting the clever hack that saved mail.python.org,
about 250 hosts were being rejected at the firewall level.

What is that clever hack? I'm mostly curious, but maybe interested too! :)
 
Grant Edwards

Filtering out all the posts with the word "virus" in the
subject line helps a lot.

Setting up scoring in slrn is probably what I ought to do. It
would be useful for other stuff too.
 
José María Mateos

Setting up scoring in slrn is probably what I ought to do. It
would be useful for other stuff too.

Once you start scoring, you can stop. There are also some useful
scoring macros at the slrn web page (http://www.slrn.org).

Regards,

Chema.

--
This e-mail address is NOT being read. Take out "-news" to reply
Web & GPG key: http://chema.homelinux.org/
 
Michael Hudson

José María Mateos said:
Filtering out all the posts with the word "virus" in the subject
line helps a lot.

Then how did you see the post you're replying to? <wink>

Cheers,
mwh
(rhetorical, no need to reply...)
 
Michael Hudson

Francois Pinard said:
What is that clever hack? I'm mostly curious, but maybe interested too! :)

Basically, any host that makes five or more attempts to send the Sobig
virus in 15 minutes is blocked by the Linux ipchain firewall. I'm not
sure how Sobig is detected; may just be the subject lines. Martijn
Pieters has a shell sitting on the machine doing this:

tail --follow=name /var/log/exim/reject.log | grep SOBIG | ~martijn/ipchain_deny_sobig.py

The script filters out the IP of sobig infected machines and tells the
firewall about them.

Cheers,
mwh
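
The rate rule described in the post above (five or more Sobig attempts from one host within 15 minutes), as an added sketch; it is not Martijn Pieters' ipchain_deny_sobig.py, which the thread does not show. The log line shape, the allowlist and the exact `ipchains` rule are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
THRESHOLD = 5                    # "five or more attempts" (from the post)
WINDOW = timedelta(minutes=15)   # "in 15 minutes" (from the post)
NEVER_BLOCK = {ipaddress.ip_address("127.0.0.1")}  # assumed allowlist
# Assumed line shape: "YYYY-MM-DD HH:MM:SS ... [a.b.c.d] ... SOBIG ..."
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?\[([0-9.]+)\]")

class SobigBlocker:
    def __init__(self):
        self.hits = defaultdict(deque)  # ip -> attempt times inside the window
        self.blocked = set()

    def feed(self, line):
        """Return the IP to block if this line tips a host over the limit."""
        m = LINE_RE.match(line)
        if not m or "SOBIG" not in line:
            return None
        try:  # the log is sender-influenced: parse strictly before use
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            return None
        if ip in NEVER_BLOCK or ip in self.blocked:
            return None
        now = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        q = self.hits[ip]
        q.append(now)
        while now - q[0] > WINDOW:      # forget attempts older than 15 minutes
            q.popleft()
        if len(q) < THRESHOLD:
            return None
        self.blocked.add(ip)
        return str(ip)

def deny_command(ip):
    """argv for an ipchains DENY rule (returned here, not executed)."""
    return ["ipchains", "-A", "input", "-s", str(ipaddress.ip_address(ip)), "-j", "DENY"]

def sample_log():
    """Constructed reject-log lines, not real data."""
    fmt = "2003-08-27 {} rejected from [{}]: SOBIG"
    burst = [fmt.format(f"10:0{i}:00", "192.0.2.10") for i in range(5)]
    slow = [fmt.format(f"1{i}:00:00", "198.51.100.7") for i in range(5)]
    bogus = [fmt.format(f"10:0{i}:30", "999.1.1.1") for i in range(5)]
    return burst + slow + bogus

def run(lines):
    blocker = SobigBlocker()
    return [ip for ip in map(blocker.feed, lines) if ip]
```

Only the burst host crosses the threshold; the host sending once an hour and the malformed address never reach the firewall rule, and passing the address as a separate argv element keeps log content out of any shell.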
 
José María Mateos

Setting up scoring in slrn is probably what I ought to do. It
would be useful for other stuff too.

Once you start scoring, you can't stop :). There are also some
useful scoring macros at the slrn web page (http://www.slrn.org).

Regards,

Chema.

--
This e-mail address is NOT being read. Take out "-news" to reply
Web & GPG key: http://chema.homelinux.org/
 
