
Re: Ruh-Roh SOBIG.G?



On September 25, 2003 08:48 am, Nick Fisher wrote:
> As you point out above, one of the biggest problems with SoBig was the
> bandwidth usage. As such wouldn't it be better to DISCARD the messages and
> not REJECT them? SoBig spoofs return addresses, why do you have to clog my
> mail server with bounce messages just because SoBig was spoofing one of my
> customers' addresses?

On September 25, 2003 08:32 am, Mike Zupan wrote:
> I don't know if it's just me but why add to the problem. Don't REJECT it
> just DISCARD it. I've got more bounced mail coming from email that is
> getting spoofed that mailservers are rejecting than the actual virus
> itself. I set up a discard and already discarded 550 emails.


Well, SOBIG's mail relay is hardly well behaved. I thought REJECT was more
appropriate. SOBIG won't send bounces on REJECT, and that way other people
who get caught by this will get some diagnostic (since it is the sender relay 
that sends the bounce).

BTW I've put a copy of my received samples and analysis files at 
http://dragos.com/sobig.tgz

cheers,
--dr

-- 
pgpkey http://dragos.com/ kyxpgp