Koozali.org: home of the SME Server

How to stop Virus Infected Spam and identify IP pool

netdesignns

How to stop Virus Infected Spam and identify IP pool
« on: December 04, 2005, 01:53:30 PM »
I am being swamped by virus infected mail that is being caught and stopped by SME using Ver 6. The message header indicates that it is coming from a Bigpond IP. Complaints to Bigpond via their on-line reporting form with all the documents that they want (messages, headers, etc.) only bring an automated response, which is as bad as their automated phone system. How can I determine if the IP is faked or belongs to the Bigpond pool of addresses? An average of over a thousand a day from this one IP is no longer a joke; they go nowhere! :-x

Offline raem

Re: How to stop Virus Infected Spam and identify IP pool
« Reply #1 on: December 05, 2005, 04:08:25 AM »
netdesignns

> SME Ver 6...Average of over a thousand a day..

Check the message headers, although they can also contain fake information.

Have you enabled RBLs?
See knudi's Spam Filter Panel and/or this HOWTO

http://mirror.contribs.org/smeserver/contribs//rmitchell/smeserver/howto/Spam%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm

Also install the pattern matching contrib to stop many of the viruses before they even enter your server, see

http://mirror.contribs.org/smeserver/contribs//rmitchell/smeserver/howto/Virus%20and%20file%20blocking%20HOWTO%20using%20smtpfront-qmail%20for%20sme%20server.htm
...
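The original question asks how to tell whether the IP in the headers is faked or really belongs to the ISP's pool, and the reply above says to check the message headers while warning that they can be forged. The script below is an added example, not code from the thread or from the SME Server contribs. It applies the standard rule of thumb: the topmost Received header is the one written by your own MTA and records the IP that actually connected to you, while the lower Received headers arrived inside the message and can say anything. It then checks that connecting IP against a list of address ranges and builds the reverse-octet name used for a DNSBL lookup. The sample message, the ISP_POOL ranges and the hostnames are all constructed placeholders (the real pool would come from the registry's whois data for the ISP); the DNSBL query name is built but not sent, so the example runs offline.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample message (not from the thread). The first Received
# header is the one our own MTA wrote when the remote host connected; the
# second came with the message and could have been forged by a worm.
SAMPLE_MESSAGE = """Received: from unknown (HELO mail.example.net) (203.0.113.45)
  by mail.example.org with SMTP; 5 Dec 2005 03:11:02 -0000
Received: from smtp.isp.example (192.0.2.10)
  by mail.example.net with ESMTP; 5 Dec 2005 03:10:55 -0000
From: someone@example.net
To: user@example.org
Subject: test

body
"""

# Placeholder standing in for the ISP's published address pool (assumption);
# real ranges are taken from the regional registry's whois data.
ISP_POOL = [ipaddress.ip_network("203.0.113.0/24")]

# First dotted-quad IPv4 address in a Received header, with or without
# surrounding brackets or parentheses.
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def received_ips(raw_message):
    """Return the IPv4 address found in each Received header, top to bottom."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    ips = []
    for header in msg.get_all("Received", []):
        match = IP_RE.search(str(header))
        if match:
            ips.append(match.group(1))
    return ips


def connecting_ip(raw_message):
    """IP recorded by our own MTA (topmost Received); the only one we can trust."""
    ips = received_ips(raw_message)
    return ips[0] if ips else None


def in_pool(ip, pool):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in pool)


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNSBL lookup would resolve (not sent here)."""
    octets = ip.split(".")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    ip = connecting_ip(SAMPLE_MESSAGE)
    print("all Received IPs:", received_ips(SAMPLE_MESSAGE))
    print("connecting IP:", ip)
    print("inside ISP pool:", in_pool(ip, ISP_POOL))
    print("DNSBL name to resolve:", dnsbl_query_name(ip, "zen.spamhaus.org"))
```

Only the connecting IP is worth reporting to the ISP or submitting to an RBL; the addresses in the lower Received lines are whatever the sending worm chose to write. If your server sits behind a relay or a secondary MX, the trusted hop is the first Received header written by a host you control, so adjust the index accordingly.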

Offline raem


netdesignns

Re: How to stop Virus Infected Spam and identify IP pool
« Reply #3 on: December 05, 2005, 05:57:25 AM »
Quote from: "RayMitchell"
> netdesignns
>
> There are a few other useful tweaks here too
>
> http://mirror.contribs.org/smeserver/contribs//rmitchell/smeserver/howto/Mail%20system%20tweaks%20HOWTO%20for%20sme%20server.htm


Thanks for that, will check it out.

Yes, RBLs are enabled plus SpamAssassin and the latest antivirus from Knudsen, but this IP does not appear to be on the RBL lists that I have checked.

Very tedious; I guess I will have to submit the IP to the RBL lists. Hope I get more sense out of them than what I have got out of Telstra/Bigpond. Only a couple of hundred today, same IP, looks like an ADSL connection with Telstra, same seemingly legitimate email addresses repeated plus a very nasty worm! :-x

Offline raem

Re: How to stop Virus Infected Spam and identify IP pool
« Reply #4 on: December 05, 2005, 08:56:17 AM »
netdesignns

> same seemingly legitimate email addresses repeated plus a very nasty worm!

I'm not seeing that worm on a couple of servers I look after.
If the email messages have executable content (the worm virus), then the pattern matching contrib will detect that worm and reject the messages outright.
You will see the rejections in /var/log/smtpfront-qmail/current, but you won't see the messages anymore.
...