[wellylug] Mailing list administrivia

Ewen McNeill wellylug at ewen.mcneill.gen.nz
Sat Aug 23 12:59:21 NZST 2003


As many of you are probably aware, worldwide email systems are being
flooded with various (Windows-based) viruses and worms, particularly
including SoBig.F, as well as large quantities of (entirely useless)
virus notifications (arriving at the rate of about 1 every 2 minutes,
all day, every day).

The mail server hosting the Wellylug mailing list (which is also used
for other things) has received something over 5000 copies of the SoBig.F
email in about the last 48 hours, for a total of about 500MB of email
traffic in that time.  This is dozens of times higher than the usual
email load handled by this mail server, and a significant chunk of the
monthly traffic allocation for the server's Internet connection.

One IP address (site?) in particular, a US roadrunner cable address,
has been responsible for about 1500 copies of the SoBig.F virus email,
arriving at the rate of dozens of copies per hour.

In order to reduce the volume of this junk, and leave email still usable
I've updated the configuration on the mail server to:

- be much more strict about RFC2821 (SMTP) compliance, in particular
  it will now refuse mail without a legal (fully qualified) host in the
  SMTP headers (the mail server built into SoBig.F apparently doesn't
  comply with this part of RFC2821); and

- reject mail from certain particularly prolific sites (usually with
  SMTP bounce rules mentioning a web page describing the problem, but
  in the case of that very prolific Road Runner address by simply
  dropping the traffic on the floor with iptables rules -- even with
  SMTP bounce rules it was still flooding the logs with reports of
  the rejected connections).

I don't think that this will affect any legitimate traffic, including
any legitimate traffic to the WellyLug mailing list.  But if anyone is
concerned that it might, please contact me off-list.

My aim is to ensure that all legitimate traffic gets through, and that
the virus/spam problem is kept to a manageable level (lest it become a
distributed denial of service attack on the whole email system).

Ewen McNeill, Naos Ltd (hosts of the Wellylug mailing list)
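The two measures described in the message above (refusing mail whose HELO/EHLO argument is not a fully qualified host name or address literal, as RFC 2821 section 4.1.1.1 requires, and singling out the handful of source addresses that send the bulk of the junk for a firewall-level drop) can be checked against a mail log before they are switched on, so that the operator can see what would be rejected and which sources are prolific enough to justify an iptables rule. The following script is an added example, not Ewen's configuration or the mail server's own code: the message does not name the MTA, so the log lines here are in a constructed, simplified `client=... helo=...` format, the addresses are documentation ranges, and the per-source threshold is a hypothetical value.

```python
import re
from collections import Counter

# Constructed sample log (simplified format, not any real MTA's log syntax):
#   "<timestamp> client=<ip> helo=<HELO argument>"
SAMPLE_LOG = """\
2003-08-23T10:00:01 client=203.0.113.5 helo=localhost
2003-08-23T10:00:09 client=203.0.113.5 helo=localhost
2003-08-23T10:00:12 client=198.51.100.7 helo=mail.example.org
2003-08-23T10:01:30 client=203.0.113.5 helo=PC-1234
2003-08-23T10:02:05 client=192.0.2.9 helo=[192.0.2.9]
2003-08-23T10:02:44 client=203.0.113.5 helo=localhost
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<ip>\S+) helo=(?P<helo>\S+)$")
# A DNS label: 1-63 chars of letters, digits or hyphen, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# An IPv4 address literal in brackets, the other form RFC 2821 allows in HELO/EHLO.
ADDRESS_LITERAL_RE = re.compile(r"^\[\d{1,3}(\.\d{1,3}){3}\]$")


def is_acceptable_helo(helo: str) -> bool:
    """Return True if the HELO/EHLO argument is a fully qualified domain name
    or an address literal (RFC 2821 section 4.1.1.1).

    Bare names such as 'localhost' or 'PC-1234' have no dot and are rejected,
    as is any name whose top-level label is not alphabetic.
    """
    if ADDRESS_LITERAL_RE.match(helo):
        return True
    if len(helo) > 255:
        return False
    labels = helo.split(".")
    if len(labels) < 2:
        return False
    if not all(LABEL_RE.match(label) for label in labels):
        return False
    return labels[-1].isalpha()


def parse_log(text: str):
    """Parse the constructed log format into (client_ip, helo) pairs."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ip"], m["helo"]))
    return events


def rejected_per_source(events) -> Counter:
    """Count, per client IP, how many connections the strict HELO rule would reject."""
    counts = Counter()
    for ip, helo in events:
        if not is_acceptable_helo(helo):
            counts[ip] += 1
    return counts


def firewall_candidates(counts: Counter, threshold: int):
    """Sources rejected at least `threshold` times: candidates for an iptables drop
    rather than an SMTP-level bounce, since a bounce still costs a logged connection."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts = rejected_per_source(parse_log(SAMPLE_LOG))
    for ip, n in counts.most_common():
        print(f"{ip}: {n} connections would be rejected by the HELO rule")
    # Hypothetical threshold; a real deployment would pick it from the observed traffic.
    for ip in firewall_candidates(counts, threshold=3):
        print(f"{ip}: above threshold, consider dropping at the firewall")
```

Running the script over a real log only requires replacing `parse_log` with one that understands the MTA's own format; the HELO check and the per-source counting are independent of it. Note that the HELO rule deliberately accepts address literals, so a legitimate but badly configured sender that presents `[its.ip.addr.ess]` is not turned away.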

