This is a question for those that have already become familiar with these worm e-mails.
Is it possible that the propagation is via totally spoofed IP numbers? I did not think this would be possible.

The end result is that my mail server is receiving around 100 of these per hour, from three general geographic areas (it, de and au), but never the same IP number. The destination is a single address in one of the domains I serve as a gateway for. So far Amavis+AntiVir has been catching them and generates a lot of email to the postmaster account.

I wanted to try to see if I could create some rules in the Linux firewall to drop these connections, but am a bit overwhelmed by the sheer quantity.

I did note that some of the infected emails have made it past the virus scanner; however, the attachment on those is only either a zero-byte or a 2-byte size. These are not a problem, as the fragmented attachment is of no danger.

I have advised all clients to disable the instant view as well as to disable iframe execution in their mail client, which seems to be preventing the ones that are crafted as a bounce, but contain an iframe command to infect the unwary user.

======================================
Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
Featuring Win2003 Enterprise, RedHat Linux, CFMX 6.1 and all databases.
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
Suggested corporate Anti-virus policy: http://www.dshield.org/antivirus.pdf
======================================
If you are not satisfied with my service, my job isn't done!

----- Original Message -----
From: "Claude Schneegans" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, September 22, 2003 8:53 AM
Subject: Re: [ OT] Special security Alert!

| >>There is a new virus threat introduced to the internet yesterday, which
| Symantec identifies as the [EMAIL PROTECTED] worm.
|
| This is unbelievable: since last Friday I'm receiving about half a dozen copies of it every hour!
| Subscribing to a list like this makes your email address present in thousands of computers.
| If the virus is able to find addresses in the mail inbox, it might explain why I receive so many of them.
|
| Are some of you also receiving so many messages about a so-called Microsoft update
| or a message delivery failure?