9 Nov 2005
2:31 a.m.
"Your server is not an open relay, but you have a user that is infected with a mass-mailer trojan/malware"
(and finally a copy of some message headers that prove it)
Was this the honest-to-god reason? I thought that most malware did its own MX lookups and relayed directly, a.k.a. bypassing the SMTP relay provided by the infected party's ISP? Given the sheer volume of SMTP crud that a lot of people see, it wouldn't surprise me that large blocks get put in sooner rather than later.

In some respects though, SORBS's policy is actually reasonably well thought out. Entries get a TTL of 2 days and if no further 'hits' on the IP are received, the TTL auto-expires and the block comes off. The TTL gets renewed each time a further report is received.

Mark.