stopping email worms

as many people know, email worms have pretty much shut down many email systems in the last few days.

Here is my tentative server based solution to the problem:

tail the maillog to an application that keeps statistics on each users normal behavior as per sending and receiving email, have a normal period of a few months of running use.

if the logs suddenly show significant change from the norm, like the sending of hundreds of emails where the person usually sends one or two, the person's smtp priviledges are turned off.

Also use the logs watcher to look at the number of emails received with the same or similar topics, we could use a bayesian engine to give this a stronger analysis, and if there is a sudden increase in traffic from certain hosts, certain topics, etc. that mail should be immediately quarantined, if the flood of similar materials gets too high for quarantine, then they should be rejected at reception or dropped into /dev/null

it is my theory, that by combining these two tactics, email floods and viral worms can be prevented. they are also going to be useful in detecting and preventing massive spam. Once you have this in place you can then coordinate lists with other mailhosts to form strategic partnerhships which could be used to more easily identify and prevent worms and email attacks from occuring.

This entry was posted in General.