Here is my approach: When I identify a large number of incoming bad from an IP or a limited range of IPs, I send the following notice to the host domain:

We are receiving a large amount of (viruses/spam/hacks/scans) (in e-mail to our users and clients/servers) from an IP address on your network of xxx.xxx.xxx.xxx. Please investigate and correct this problem ASAP! Otherwise, we will be forced to blacklist that IP address for due cause. Evidence is available upon reasonable request.

I send it once. If I do not receive a decent response within 24 hours, I block the IP.

John Tolmachoff
IT Manager, Network Engineer
211 E. Imperial Hwy., Suite 106
Fullerton, CA 92835
714-578-7999, ext. 104
jtolmachoff@xxxxxxxxxxxxxxxx
www.reliancesoft.com

-----Original Message-----
From: Dan Bartley [mailto:dan@xxxxxxxxxxxxxxx]
Sent: Thursday, April 18, 2002 9:33 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: virus from "tshinder"

http://www.ISAserver.org

I blocked several ISPs in Korea due to repeated scans and other hack attempts. Despite repeated complaints to the providers, and seemingly cooperative responses, the same source IPs kept popping up. I've not lost anything important as a result. There seems to be very little legitimate activity coming from that part of the globe, in my realm anyway.

Dan Bartley, MCSE+Internet
dan@xxxxxxxxxxxxxxx

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, April 18, 2002 12:21
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: virus from "tshinder"

http://www.ISAserver.org

Hi John,

Thanks for the info. Which reminds me, there's been a lot of talk in the press about blocking the Pacific rim net blocks because of viruses and spam. I haven't implemented this at any of our locations yet, but I'm wondering if anyone here has done this in their own company?

Thanks!
Tom
www.isaserver.org/shinder

-----Original Message-----
From: John Tolmachoff [mailto:jtolmachoff@xxxxxxxxxxxxxxxx]
Sent: Thursday, April 18, 2002 11:12 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: virus from "tshinder"

http://www.ISAserver.org

And Tom is such a great guy. Who would do a thing like that?

Of course, we could look at the headers and file a complaint. Ah, 202.157.155.35 is in Singapore. 75% of the virus notices that I receive are from infected e-mail from that part of the world.

John Tolmachoff
IT Manager, Network Engineer
211 E. Imperial Hwy., Suite 106
Fullerton, CA 92835
714-578-7999, ext. 104
jtolmachoff@xxxxxxxxxxxxxxxx
www.reliancesoft.com

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Thursday, April 18, 2002 9:02 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] virus from "tshinder"

http://www.ISAserver.org

Hi folks,

If you get a mail from "tshinder" with a heading of "this configuration can get" on it, drop it like the hot potato it is. Don't open it, don't preview it, nada. It's a HTML MIME.exploit/IFrame virus and WAS NOT sent by Tom. The one I received came from: cebitasia@xxxxxxxxxxxx

--
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!
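John's notify-once-then-block procedure at the top of the thread, as an added example in Python (not code from any poster): count hostile events per /24 from a constructed abuse log, send the single notice when a threshold is crossed, and block only when 24 hours pass without a decent response. The threshold value, the /24 grouping, the sample log and the notice state are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta
THRESHOLD = 3                 # assumed: hostile events per /24 before the single notice goes out
GRACE = timedelta(hours=24)   # the 24-hour window for a "decent response" from the post

# Constructed sample abuse log: "<ISO timestamp> <source IP> <event kind>" per line.
SAMPLE_LOG = """\
2002-04-18T08:00:00 198.51.100.7 virus
2002-04-18T08:05:00 198.51.100.9 spam
2002-04-18T08:40:00 198.51.100.31 scan
2002-04-18T09:00:00 192.0.2.5 spam
2002-04-18T09:01:00 192.0.2.6 spam
2002-04-18T09:04:00 192.0.2.8 spam
2002-04-18T09:30:00 203.0.113.4 scan
2002-04-18T09:31:00 203.0.113.4 scan
2002-04-18T09:32:00 203.0.113.9 hack
2002-04-18T10:00:00 100.64.1.1 scan
"""
# Constructed notice state: network -> (when the notice was sent, whether a decent reply came back).
NOTICES = {
    ipaddress.ip_network("192.0.2.0/24"): (datetime(2002, 4, 17, 6, 0), False),    # 30 h ago, silence
    ipaddress.ip_network("203.0.113.0/24"): (datetime(2002, 4, 18, 9, 0), False),  # 3 h ago, still waiting
}
NOW = datetime(2002, 4, 18, 12, 0)

def aggregate_by_network(log_text, prefix=24):
    """Count hostile events per /24 so a 'limited range of IPs' is handled as one source."""
    counts = {}
    for line in log_text.splitlines():
        _ts, ip, _kind = line.split()
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        counts[net] = counts.get(net, 0) + 1
    return counts

def decide(net, count, notices, now):
    """Action for one network: 'ignore', 'notify', 'wait' or 'block'."""
    if count < THRESHOLD:
        return "ignore"                        # below the threshold, no notice yet
    if net not in notices:
        return "notify"                        # send the notice exactly once
    sent_at, responded = notices[net]
    if not responded and now - sent_at >= GRACE:
        return "block"                         # no decent response within 24 hours
    return "wait"                              # inside the window, or the provider replied

def run(log_text, notices, now):
    """Map each /24 seen in the log to the action the procedure calls for."""
    return {str(net): decide(net, n, notices, now)
            for net, n in aggregate_by_network(log_text).items()}
```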
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jtolmachoff@xxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')