[sanesecurity] Re: MBL_144360 update

  • From: Henrique de Moraes Holschuh <henrique.holschuh@xxxxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Thu, 10 Mar 2011 10:01:12 -0300

On 05-03-2011 07:19, Peter wrote:
Thanks Steve, and the others on this list that raised the issue.  I
managed to nuke the MBL database here before any customers complained
:)

Here we have a very large quarantine directory just for these things. We
almost never bounce, and only do rejects based on RBLs/RHSBLs.  If it
got as far as clamav, it will either be marked and forwarded, or
discarded.  In either case, we store a copy for a while.

It was a trivial matter to locate all mail that was misplaced by
the broken version of MBL_144360, and reinject them. I've actually seen
some of the phish it wanted to catch among the false positives.

One thing I'd recommend to others though is to check your logs to see
how many emails get caught by MBL (other than MBL_144360) - in my
case there were none in the last month and I've therefore completely
removed them. Others may find that they're useful.

Here in Brazil, MBL is quite helpful as it seems to be the only list of
signatures with fast response to the massively mutating ecosystem of
phish and trojans targeting Brazilians specifically.

Too bad their quality control is clearly not up to the job.

--
Henrique de Moraes Holschuh <hmh@xxxxxxxxxxxxx>
IM@ - Informática de Municípios Associados
Telecommunications Engineering
TEL +55-19-3755-6555/CEL +55-19-9293-9464

Before printing, remember your commitment to the environment
and the cost you can avoid.
