[unisog] should one pull the plug in worm outbreak?

Jose Nazario jose at biocserver.BIOC.cwru.edu
Thu Dec 6 03:14:18 GMT 2001


On Thu, 6 Dec 2001, Russell Fulton wrote:

> I'll ask another question.  Should one pull the plug on your
> mailservers until you can control the spread (either by ad hoc
> filtering or AV products) or should one try and ride the storm?

i've been of the opinion for some time that your staff should be skilled
enough to be able to whip something in place as a stopgap measure. one
such thing worth investigating is a sendmail mail bridge doing, for
example, procmail filtering on the mail and removing the offending
attachments. while you'll get something of a slowdown, it's far less than
what you would get if it spread inside your organization.

this approach has worked for me, basic MTA filtering to give people enough
time to get caught up on their desktop filters (to catch mutants, for
example).

____________________________
jose nazario						     jose at cwru.edu
	      	     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
				       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
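
The stopgap described in the message above (a mail bridge that removes the offending attachments), sketched as a stdin-to-stdout filter that a procmail filter recipe on the bridge could pipe mail through. This is an added example, not code from the original post; the extension blocklist, the notice text and the sample message are assumptions constructed for illustration.

```python
#!/usr/bin/env python3
"""Stopgap gateway filter: replace blocked attachments with a text notice."""
import sys
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist; set it to whatever the current worm is sending.
BLOCKED_EXT = (".exe", ".scr", ".pif", ".vbs", ".bat", ".com")

def is_blocked(filename):
    # Only the final extension counts, so "photo.jpg.scr" is caught.
    # Trailing dots/spaces are dropped because Windows ignores them.
    name = (filename or "").lower().rstrip(". ")
    return name.endswith(BLOCKED_EXT)

def strip_attachments(raw):
    """Return (filtered message bytes, list of removed filenames)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in list(msg.walk()):
        if part.is_multipart():
            continue
        name = part.get_filename()
        if is_blocked(name):
            removed.append(name)
            # set_content() clears the old payload and Content-* headers,
            # so the original filename and encoding do not survive.
            part.set_content("[attachment %r removed by mail gateway]\n" % name)
    return msg.as_bytes(), removed

def sample_message():
    """Constructed test mail: one harmless and one blocked attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", "Hi"
    m.set_content("see attached\n")
    m.add_attachment("notes\n", filename="notes.txt")
    m.add_attachment(b"not a real binary", maintype="application",
                     subtype="octet-stream", filename="readme.txt.scr")
    return m.as_bytes()

if __name__ == "__main__":
    # Filter mode: message in on stdin, filtered message out on stdout.
    out, _ = strip_attachments(sys.stdin.buffer.read())
    sys.stdout.buffer.write(out)
```

Matching on filename extension only buys time against a known outbreak; renamed or mutated variants still need the desktop filters mentioned above.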


