North American Network Operators Group


Re: Monitoring dark address space?

  • From: Paul Vixie
  • Date: Sun Apr 18 02:36:00 2004

> > since this space has no dns records pointing into it, the only
> > traffic it will see is from errors/typos, and network scanners.
> 
> And blowback from other people forging your addresses as sources.

Actually, not.  Very few modern MTAs correctly implement "@[dot.ted.qu.ad]"
parsing, and other than zone file typos, no MX points into this address
space.  So the blowback comes to my real MXes, not to this "dark space".

> (We've had quite a few goober-with-firewall reports of that type -
> especially from a certain manufacturer of networking equipment who
> shall remain nameless, even though they ought to know better.)

Apropos of that, I'm appending my current list of antivirus spoor in postfix
format.  Antivirus vendors know that viruses usually have forged sources, but
they get to spam you for free using their customers' own e-mail servers, all
in the guise of telling you that their product filtered something bad and, by
the way, here's the URL if you want more information about their product.  As
it turns out, if you blackhole the servers who send you this crap, the customer
who installed the antivirus software calls YOU.  If on the other hand you
reject it at SMTP level you cause a "double bounce" to the customer's own
"postmaster" account, and the customer calls THEM (the antivirus software vendor).

> > false positives are less than one in ten million.  "blackhole 'em all."
> 
> If you're actually going so far as to accept the connections, yes.  If
> you're just counting packets, then a little more caution is possibly
> indicated.

Packet counting _never_ helps you.  Simply put, probing malware does not
have to send enough packets that it'll show up on quantitative IDS "radar".
And for that matter, a number of non-malware systems (like some IRC nets I
know of) will do a virus probe with no ill intent.  Unless you're going to
accept the connection (and perform a transaction successfully, such as
pretending to accept some mail or sending them some web data), you cannot
learn anything about the vileness of the initiator's intentions, or even
the level of technical sophistication of the initiating host's owner/op.

--------

Here are my current lists of postfix body, and then header, AV regexes.
(An award goes to Symantec who spells their avspam in so many ways, though
we all hope this is not being done in order to avoid patterned rejection.)

--------

# body_checks table: each body line is tested in order and the first matching
# pattern decides; "avbody" is the optional reply text sent with the REJECT.
/^Sorry Dangerous Attachment has been Removed/		REJECT avbody
/ is removed from here because it contains a virus$/	REJECT avbody
/^WARNING: This e-mail has been altered by MIMEDefang/	REJECT avbody
/^Norton AntiVirus deleted the following email message/	REJECT avbody
/^Diagnostic\-Code\: 550 5\.7\.1 Virus detected by ClamAV/ REJECT avbody
/^This is a machine-generated message, please do not reply/ REJECT avbody
/^Las partes del mensaje que estaban infectadas no han sido/ REJECT avbody
/^Your email was not properly addressed/		REJECT avbody

--------

# header_checks table: each (unfolded) header line is tested in order, first
# match wins.  Use the pcre: table type rather than regexp:, since \d (in the
# Inflex rule below) is PCRE syntax, not POSIX ERE; pcre: tables match
# case-insensitively by default.
/^Subject:.*ALERTE \- Vous avez envoye un mail avec virus/	REJECT avhead
/^Subject:.*ALERTE\: un virus a /				REJECT avhead
/^Subject:.*ALERT\! Virus found in your mail/			REJECT avhead
/^Subject:.*Anti-Virus Notification/				REJECT avhead
/^Subject:.*Antigen found VIRUS/				REJECT avhead
/^Subject:.*Antigen Notification/				REJECT avhead
/^Subject:.*AntiVir ALERT/					REJECT avhead
/^Subject:.*Antivirus stopped your message/			REJECT avhead
/^Subject:.*Antivirus found VIRUS/				REJECT avhead
/^Subject:.*Anti\-Virus Notification/				REJECT avhead
/^Subject:.*BANNED FILENAME/ 					REJECT avhead
/^Subject:.*BitDefender found an infected object/		REJECT avhead
/^Subject:.*Content violation/					REJECT avhead
/^Subject:.*Disallowed attachment type found/			REJECT avhead
/^Subject:.*Email Quarantined Due to Virus/			REJECT avhead
/^Subject:.*Failed to clean virus file/				REJECT avhead
/^Subject:.*File blocked - ScanMail for Lotus/			REJECT avhead
/^Subject:.*Inflex scan report \[\d+\]/				REJECT avhead
/^Subject:.*InterScan NT Alert/					REJECT avhead
/^Subject:.*MailMarshal has detected a Virus in your message/	REJECT avhead
/^Subject:.*MailSure Virus Alert/				REJECT avhead
/^Subject:.*Mail Warning \(Attachment Removal\)/		REJECT avhead
/^Subject:.*message .* contains a virus/			REJECT avhead
/^Subject:.*Message deleted/					REJECT avhead
/^Subject:.*MMS Notification/					REJECT avhead
/^Subject:.*MxShield Virus Notification/			REJECT avhead
/^Subject:.*NAV detected a virus/				REJECT avhead
/^Subject:.*Network Associates Webshield.*Content Alert/	REJECT avhead
/^Subject:.*Norton Anti.* detected/				REJECT avhead
/^Subject:.*Ochrona antywirusowa/				REJECT avhead
/^Subject:.*problem found in sent message/			REJECT avhead
/^Subject:.*RAV Anti[Vv]irus/					REJECT avhead
/^Subject:.*RECIPIENT \! Virus Notify \!/			REJECT avhead
/^Subject:.*Report to Sender/					REJECT avhead
/^Subject:.*Returned due to virus\; was\:/			REJECT avhead
/^Subject:.*SAV detected a violation in a /			REJECT avhead
/^Subject:.*ScanMail Message\: To Sender\, virus found /	REJECT avhead
/^Subject:.*SENDER \! Virus Notify \!/				REJECT avhead
/^Subject:.*Suspected SPAM message.* from your domain/		REJECT avhead
/^Subject:.*Symantec (AntiVirus|AVF|Mail Security)/		REJECT avhead
/^Subject:.*This message contains unsolicited data/		REJECT avhead
/^Subject:.*Virenchecker Information/				REJECT avhead
/^Subject:.*VIRUS .* IN MAIL FROM YOU/				REJECT avhead
/^Subject:.*VIRUS .*IN YOUR MAIL/				REJECT avhead
/^Subject:.*Virus Alert/					REJECT avhead
/^Subject:.*Virus Check Alert/					REJECT avhead
/^Subject:.*Virus Detected by Network Assoc/			REJECT avhead
/^Subject:.*Virus discarded/					REJECT avhead
/^Subject:.*Virus found in /					REJECT avhead
/^Subject:.*virus found in sent message/			REJECT avhead
/^Subject:.*Virus in Ihrer Nachricht/				REJECT avhead
/^Subject:.*VIRUS in your message/				REJECT avhead
/^Subject:.*Virus intercepted/					REJECT avhead
/^Subject:.*Virus in\:/						REJECT avhead
/^Subject:.*VIRUS .*NO SEU EMAIL/				REJECT avhead
/^Subject:.*Virus Notification from Redstone/			REJECT avhead
/^Subject:.*Virus Notification\:/				REJECT avhead
/^Subject:.*Virus Quarantine Notification/			REJECT avhead
/^Subject:.*virus trouve dans le message envoye/		REJECT avhead
/^Subject:.*virus trovato in un messaggio inviato /		REJECT avhead
/^Subject:.*Virus Warning/					REJECT avhead
/^Subject:.*Votre message contient un virus/			REJECT avhead
/^Subject:.*Warning \- Virus Detected\:/			REJECT avhead
/^Subject:.*Warning\: antivirus system report/			REJECT avhead
/^Subject:.*Warning\: E-mail viruses detected/			REJECT avhead
/^Subject:.*WARNING\: YOU MAY HAVE A VIRUS/			REJECT avhead
/^Subject:.*WorldSecure Server notification/			REJECT avhead
/^Subject:.*\[SmartFilter\] Virus Alert /			REJECT avhead
/^Subject:.*\[Virus detected\]/					REJECT avhead
/^Subject:.*\{VIRUS\?\}/					REJECT avhead
/^From:.*Symantec_AntiVirus_for_SMTP_Gateways\@/		REJECT avhead
/^Subject:.*VIRUS POSLAN SA VASE ADRES/				REJECT avhead
/^Subject:.*Unsolicited commercial email rejected/		REJECT avhead
-- 
Paul Vixie
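Added example, not part of Paul Vixie's post and not Postfix code: a small Python evaluator for header_checks/body_checks tables written in Postfix pcre: syntax, run over constructed messages, to show how a subset of the tables above classifies antivirus backscatter before the message is accepted. The rule subset, the example.org/example.net addresses and the message texts are constructed; the "550 5.7.1" reply form is an assumption about what the rejecting MTA answers; only the REJECT and DUNNO actions are modelled, and Postfix's per-pattern flag letters are not.

```python
import re

# Added example: evaluator for Postfix header_checks / body_checks tables in
# pcre: format, run over constructed messages.  Not Postfix code; Postfix
# applies these tables inside cleanup(8).  Addresses, texts and the reply
# form below are assumptions made for the example.

# Constructed subset of the post's tables, in Postfix table syntax.
HEADER_CHECKS = r"""
# Lines starting with '#' and blank lines are ignored, as in Postfix.
/^Subject:.*Virus Alert/                                REJECT avhead
/^Subject:.*Symantec (AntiVirus|AVF|Mail Security)/     REJECT avhead
/^Subject:.*Inflex scan report \[\d+\]/                 REJECT avhead
/^From:.*Symantec_AntiVirus_for_SMTP_Gateways\@/        REJECT avhead
"""

BODY_CHECKS = r"""
/^Norton AntiVirus deleted the following email message/ REJECT avbody
/ is removed from here because it contains a virus$/    REJECT avbody
"""

# One table line is "/pattern/ ACTION [text]".  Postfix's flag letters after
# the closing slash are not modelled here.
RULE_RE = re.compile(r'^/((?:\\.|[^/\\])*)/\s+(\S+)(?:\s+(.*))?$')


def parse_table(text):
    """Parse a pcre:-style table into a list of (regex, ACTION, reply_text)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError('unparseable table line: %r' % line)
        pattern, action, reply = m.groups()
        # pcre: tables match case-insensitively by default, so the post's
        # "Anti[Vv]irus" is belt-and-braces rather than required.
        rules.append((re.compile(pattern, re.IGNORECASE), action.upper(), reply or ''))
    return rules


def first_match(rules, line):
    """Postfix semantics: the first pattern that matches a line decides it."""
    for regex, action, reply in rules:
        if regex.search(line):
            return action, reply
    return None


def check_message(raw, header_rules, body_rules):
    """Return ('REJECT', text) for the first header or body line that hits a
    REJECT rule, else None.  Folded headers are joined before matching, as
    Postfix does; any action other than REJECT is treated like DUNNO."""
    headers, _, body = raw.partition('\n\n')
    unfolded = re.sub(r'\n[ \t]+', ' ', headers)
    for hdr in unfolded.splitlines():
        hit = first_match(header_rules, hdr)
        if hit and hit[0] == 'REJECT':
            return hit
    for line in body.splitlines():
        hit = first_match(body_rules, line)
        if hit and hit[0] == 'REJECT':
            return hit
    return None


def smtp_reply(hit):
    """Reply the sending MTA sees.  Refusing at SMTP time, instead of
    blackholing, is what puts the resulting bounce on the sender's own
    postmaster, as the post describes.  Assumed reply form: 550 5.7.1."""
    return '550 5.7.1 %s' % (hit[1] or 'Message content rejected')


# Constructed AV backscatter: forged-source "notification" from a vendor gateway.
AV_SPAM = """From: Symantec_AntiVirus_for_SMTP_Gateways@mx.example.net
To: postmaster@example.org
Subject: Symantec AntiVirus Notification

Norton AntiVirus deleted the following email message.
The sender address was probably forged.
"""

# Constructed: clean (folded) subject, but a body line carrying AV
# boilerplate, so only body_checks catches it.
BODY_ONLY = """From: mailer-daemon@example.net
To: user@example.org
Subject: Undeliverable
 mail

invoice.exe is removed from here because it contains a virus
"""

# Constructed legitimate message that mentions viruses; must be accepted.
LEGIT = """From: alice@example.org
To: bob@example.org
Subject: re: monitoring dark address space

Nothing here about viruses at all.
"""


def run_samples():
    """Classify the three constructed messages; returns {name: hit-or-None}."""
    header_rules = parse_table(HEADER_CHECKS)
    body_rules = parse_table(BODY_CHECKS)
    return {name: check_message(msg, header_rules, body_rules)
            for name, msg in (('av_spam', AV_SPAM), ('body_only', BODY_ONLY),
                              ('legit', LEGIT))}


if __name__ == '__main__':
    for name, hit in run_samples().items():
        print(name, smtp_reply(hit) if hit else 'accepted')
```

Running the block prints one line per sample: the two pieces of backscatter get the 550 reply and the legitimate message is accepted. Because pcre: tables are case-insensitive by default, a broad pattern such as "Virus Alert" also matches a human-written "Re: virus alert false positive", so anyone reusing the post's tables should run them over a sample of their own legitimate mail before deploying them.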