the low-tech solution that i put in place consisted of simply *commenting out* the dtml-sendmail piece in my standard_html_error page for a little while until the storm had passed... i personally always do the email upon "NotFound" because if you put the HTTP_REFERER info into the email you can locate stale links to your site and advise the webmaster of the remote site about it.

the worm before that (don't remember the name, there's just way too many IIS exploits to ever keep track of...) used to look for default.ida only. for that i put an empty DTML method named default.ida in my site root. (well, it's not exactly empty, it contains an expletive, hoping some *&^% will read the default.ida file contents that were found by the worm...)

jens

On Friday, January 4, 2002, at 08:48, Oleg Broytmann wrote:
On Fri, Jan 04, 2002 at 01:40:56AM -0500, marc lindahl wrote:
I wouldn't do this - I got nailed by the NIMDA worm. 1000's of computers that caught it after Sept. 11th were each accessing something like 11 weird paths, which of course didn't exist, so my admin account was flooded with over 100K emails within a couple of days.
Procmail filtering is a big help!
Oleg.
--
Oleg Broytmann http://www.zope.org/Members/phd/ phd@phd.pp.ru
Programmers don't die, they just GOSUB without RETURN.