The MAPS DUL as an Antivirus
Entry id: dul-antivirus

By The Famous Brett Watson On Thu, 22 Mar 2001 23:10:00 +1100
As mentioned in a recent log entry, I've been having grief with email recently in the form of viruses and spam. Today, however, the spam rate was better than usual, and most of it was caught by the blacklist filters. For the first time (as far as I can recall), however, I noticed that one item had been blocked which looked like it was neither spam, nor legitimate mail. Based on its source and destination, I'd lay good odds that it was a virus.
This is an advantage of the MAPS DUL that I hadn't considered before. The MAPS DUL is a list of IP addresses used for casual Internet connections — IP addresses that get allocated to average end users when they dial in. These addresses are provided to the DUL maintainers by the ISPs responsible for them, and DUL subscribers can look up IP addresses in this list to make policy decisions. In practice many mail servers (mine included) are configured to refuse mail from IP addresses listed in the DUL. This prevents the kind of spam where the spammer sends the spam directly from his computer rather than bouncing off a relay. Ordinary casual customers aren't affected because they use the ISP's mail server.
As I discovered, this also catches a certain kind of virus. A variant of the "Snowhite" virus has been worming its way into my mail system a great deal of late. It works by sending mail to a destination system directly, rather than by sending to the ISP's mail relay. This can make it hard to track, but it also means that it gets caught by the DUL filter. If the other ISP has listed their IP-pool for dial-up users in the DUL, the virus will look like direct spam, and I'll filter it.
What a wonderfully neat side-effect.
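The connect-time check described above, as an added example that is not part of the original entry or of any real mail server's code. It assumes the list is consulted as a DNS blocklist (reversed octets under the list's zone, a 127.0.0.0/8 answer meaning "listed"); the zone name `dul.example.org`, the address ranges and the helper names are constructed placeholders.

```python
import ipaddress
import socket

DUL_ZONE = "dul.example.org"  # placeholder zone (assumption), not a real list's zone
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
LISTED_POOL = ipaddress.ip_network("192.0.2.0/24")  # constructed dial-up pool

def dnsbl_query_name(client_ip, zone=DUL_ZONE):
    """Build the lookup name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Real DNS lookup. None covers 'not listed' and lookup failure (fails open)."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def smtp_decision(client_ip, resolve=system_resolver):
    """Decide at connect time whether to take mail from client_ip."""
    answer = resolve(dnsbl_query_name(client_ip))
    # A listed address resolves to something in 127.0.0.0/8; anything else is ignored.
    if answer is not None and ipaddress.ip_address(answer) in LOOPBACK:
        return "550 rejected: sending host is in a listed dial-up pool"
    return "250 accepted"

def fake_resolver(name):
    """Offline stand-in for DNS, answering as a list that contains LISTED_POOL."""
    reversed_ip = name[: -len("." + DUL_ZONE)]
    ip = ipaddress.IPv4Address(".".join(reversed(reversed_ip.split("."))))
    return "127.0.0.2" if ip in LISTED_POOL else None

# Constructed sample connections (documentation address ranges).
CONNECTIONS = [
    ("192.0.2.77", "infected dial-up PC mailing the destination directly"),
    ("192.0.2.14", "spammer sending straight from a dial-up line"),
    ("198.51.100.25", "ISP mail relay carrying an ordinary customer's mail"),
]

def run_demo():
    """Return (ip, verdict) for each sample connection using the offline resolver."""
    return [(ip, smtp_decision(ip, fake_resolver)) for ip, _ in CONNECTIONS]

if __name__ == "__main__":
    for (ip, who), (_, verdict) in zip(CONNECTIONS, run_demo()):
        print(f"{ip:15} {who}: {verdict}")
```

The filter sees only the connecting address, so the virus and the direct spammer are refused for the same reason, while the same user's mail sent through the ISP's relay is accepted.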