[clamav-users] issues with mirror - 194.186.47.19
Paul Kosinski
clamav-users at iment.com
Mon Jun 19 15:42:01 UTC 2017
I agree that there are lots of compromised ".edu" accounts, and that
some students like to cause trouble. But, when I say I never *see* spam
from ".edu" domains, I mean, if there is any, it gets filtered out by
other means, not that my MTA never receives any.
Also, in the past I *have* corresponded with ".edu". For example, I was
using a Stratum 1 NTP server at MIT (it being nearby, and my being an
MIT grad), and had to communicate with the guy running it.
The only TLDs I currently block are some of the weird new ones, like
'accountant', 'bid', 'club', 'cricket', 'date', 'download', 'men',
'stream', 'top' and 'xyz', as I have no evidence that anything *but*
spam ever comes from them.
P.S. I often look at our mail logs (for our tiny domain), and ".edu"
does not stand out at all. As far as IPTABLES logs go, I don't remember
seeing probes from IP addresses which PTR-resolve to ".edu", but I
don't do that a lot (and I certainly don't log every dropped SYN).
On Sun, 18 Jun 2017 18:23:32 +0100 (BST)
"G.W. Haywood" <clamav at jubileegroup.co.uk> wrote:
> Hi there,
>
> On Sun, 18 Jun 2017, Paul Kosinski wrote:
> > On Fri, 16 Jun 2017 17:22:53 +0100 (BST) "G.W. Haywood" wrote:
> >
> >> ... We just outright reject all mail from the '.edu' TLD ...
> >
> > Why do you reject *all* email from ".edu"?
>
> Because all connections we see from .edu are either from compromised
> accounts sending spam or from irresponsible juveniles who think it's
> clever/cool/whatever to try to hack into other people's computers.
>
> > Doesn't that cut you off from lots of useful technological info?
>
> Not in the least. There's a reasonable scientific press, for example.
>
> > (I don't think I *ever* see spam from ".edu".)
>
> That seems strange to me. Generally speaking we have no reason to
> correspond with .edu domains, but even so, apart from hack attempts
> we never see anything else. Do you actually look for it? I mean,
> you know, read the logs? :)
>
> There's an important point here. Well over 90% of the attacks we see
> are defeated by preventing connections from the sources of the attacks
> simply because they are known sources of attacks. It's not the only
> technique we use, but even on its own it's more effective, in terms of
> both success rate and processing overhead, than scanning for malicious
> characteristics - which of course we do as well, but only after the
> bulk of the dross has been dropped using a number of other techniques.
>
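An added example, not from either writer or from ClamAV: a short Python script that does the two things discussed in this thread, applying a sender-TLD block list of the kind Paul describes and tallying envelope-sender TLDs from mail logs (the "read the logs" point) so you can see which TLDs actually show up, rejected or accepted. The Postfix-style log lines, hosts and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed Postfix-style log lines for this example; the hosts,
# addresses and queue ids are made up and do not come from the thread.
SAMPLE_LOG = """\
Jun 19 10:01:02 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <bob@example.edu>: Sender address rejected; from=<bob@example.edu> to=<me@example.net>
Jun 19 10:02:15 mx postfix/qmgr[55]: 3A2B1: from=<alice@example.org>, size=1234, nrcpt=1 (queue active)
Jun 19 10:03:40 mx postfix/smtpd[102]: NOQUEUE: reject: RCPT from host.example.bid[198.51.100.7]: 554 5.7.1 <deal@offer.bid>: Sender address rejected; from=<deal@offer.bid> to=<me@example.net>
Jun 19 10:04:00 mx postfix/qmgr[55]: 3A2B2: from=<news@lab.example.edu>, size=900, nrcpt=1 (queue active)
"""

# The TLDs the post says are blocked outright.
BLOCKED_TLDS = frozenset({"accountant", "bid", "club", "cricket", "date",
                          "download", "men", "stream", "top", "xyz"})

# Envelope sender as Postfix logs it: from=<user@domain>
FROM_RE = re.compile(r"from=<([^<>]*)>")


def sender_tld(address):
    """Lowercase TLD of an envelope sender, or None for a null/bare sender.
    A trailing dot (FQDN form) and mixed case are normalised first."""
    domain = address.rpartition("@")[2].rstrip(".").lower()
    if not domain or "." not in domain:
        return None
    return domain.rsplit(".", 1)[1]


def is_blocked_sender(address, blocked=BLOCKED_TLDS):
    """Policy check: True when the sender's TLD is on the block list."""
    tld = sender_tld(address)
    return tld is not None and tld in blocked


def tally_tlds(log_text):
    """Count envelope senders per TLD, split by whether the MTA rejected
    the transaction, so a TLD's real share of traffic can be checked."""
    counts = {"rejected": Counter(), "accepted": Counter()}
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue
        tld = sender_tld(m.group(1)) or "(none)"
        bucket = "rejected" if ": reject:" in line else "accepted"
        counts[bucket][tld] += 1
    return counts
```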