Re: [Cooker] OT: on current viruses
On Sun, Aug 24, 2003 at 04:01:13PM -0400, Levi Ramsey wrote:
> On Sun Aug 24 17:16 +0200, Luca Berra wrote:
> > On Sun, Aug 24, 2003 at 03:56:21PM +0200, Till Kamppeter wrote:
> > > Anyone knows a way how to find the box where the virus e-mails (not the error messages, the mails from the virus itself) come from? I would like to inform the users of the infected machines, as these mails are annoying.
> >
> > use the headers, but how exactly would you inform the user?
>
> Run a whois on the IP and, especially if it's a .edu, mail [EMAIL PROTECTED] In my experience .edu's are fairly quick to disable the ethernet jacks of machines infected by worms.

try that if it is just a big provider, and the user has a dynamic ip :(

L.

--
Luca Berra -- [EMAIL PROTECTED]
Communication Media Services S.r.l.
 /"\
 \ /     ASCII RIBBON CAMPAIGN
  X        AGAINST HTML MAIL
 / \
Re: [Cooker] OT: on current viruses
On Sun, 24 Aug 2003 21:56, Till Kamppeter wrote:
> The virus runs its own SMTP implementation, so that there is no provider rejecting the mail with wrong From: addresses.

However, this does open it to simple filtering: block all outbound SMTP except that aimed at your own SMTP gateway.

Cheers; Leon
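
An added example, not part of the thread: the egress rule described in the message above, turned into a check over firewall logs that lists internal hosts opening TCP/25 to anything other than the site's relay. The gateway address and the abbreviated netfilter-style log lines are constructed for illustration.

```python
import re
from collections import defaultdict

SMTP_GATEWAY = "10.0.0.5"   # assumption: address of the site's own SMTP relay

# Constructed, abbreviated netfilter-style LOG lines for outbound connections.
LOG = """\
Aug 24 16:00:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.20 PROTO=TCP SPT=40112 DPT=25 SYN
Aug 24 16:00:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.20 PROTO=TCP SPT=1042 DPT=25 SYN
Aug 24 16:00:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.8 PROTO=TCP SPT=1043 DPT=25 SYN
Aug 24 16:00:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=192.0.2.77 PROTO=TCP SPT=1044 DPT=25 SYN
Aug 24 16:00:04 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.41 DST=198.51.100.80 PROTO=TCP SPT=3321 DPT=80 SYN
Aug 24 16:00:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.41 DST=10.0.0.5 PROTO=TCP SPT=3322 DPT=25 SYN
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def direct_smtp_senders(log, gateway=SMTP_GATEWAY):
    """Map each host that sent SMTP past the gateway to the set of
    remote hosts it contacted on TCP/25."""
    offenders = defaultdict(set)
    for line in log.splitlines():
        f = dict(FIELD_RE.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue                     # not SMTP
        src, dst = f.get("SRC"), f.get("DST")
        if src is None or dst is None:
            continue                     # malformed line
        if src == gateway or dst == gateway:
            continue                     # the relay itself, or a client using it
        offenders[src].add(dst)
    return dict(offenders)

if __name__ == "__main__":
    for host, targets in direct_smtp_senders(LOG).items():
        print(host, "->", sorted(targets))
```

A host that appears here is talking SMTP directly to the outside, which is the behaviour of a worm carrying its own SMTP engine; the same allowlist (gateway only) is what the firewall rule would enforce.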
Re: [Cooker] OT: on current viruses
On Mon, Aug 25, 2003 at 07:29:40AM +0800, Leon Brooks wrote:
> However, this does open it to simple filtering: block all outbound SMTP except that aimed at your own SMTP gateway.

Supposedly it looks up your relay from your mail settings and uses that with its own SMTP engine

--
Ben Reser [EMAIL PROTECTED]
http://ben.reser.org

What upsets me is not that you lied to me, but that from now on I can no longer believe you. -- Nietzsche
Re: [Cooker] OT: on current viruses
On Sat, Aug 23, 2003 at 01:00:29PM -0400, Austin wrote:
> I keep getting these messages from virus scanners on various mail servers all over the world saying that I tried to send a virus infected email through their mail server. It's the sobig.f virus, which is written in MSVC, and propagates through windows, so I don't see how I could have sent it to anyone, but they attach a copy of it with my return address. This makes me very mad. I don't have a single computer running Windows, and I highly doubt if Balsa can execute MS macros LOL. I'm proud of the fact that I don't propagate viruses.

You're just now getting these emails? I've been getting them for the past year or so at least...

My procmail rules to try and filter them out: http://mirror.brain.org/linux/breser/misc/rc.virus

Every big virus I get to add a whole new batch of rules...

--
Ben Reser [EMAIL PROTECTED]
http://ben.reser.org

What upsets me is not that you lied to me, but that from now on I can no longer believe you. -- Nietzsche
Re: [Cooker] OT: on current viruses
On Sun, 2003-08-24 at 19:47, Benjamin Pflugmann wrote:
> but the stupid programmers of antivirus software, which are clever enough to analyze that a virus is forging the sender, but did not manage yet - for several years - to spread program versions which take this clue.[1]
>
> Although the worm flood is bothering enough, it is at least easily handled. All those automatic notifications, which have no common characteristic most times, are what really cause me work.
>
> [1] I.e. make their software not sending notifications on such worms, no matter what preferences the user chooses. And that's regardless of what one thinks about the value of such notifications to begin with.

Perhaps the programmers are not stupid, it's their management who are doing it to spam on the back of the worm. I left a company of which I was head of RD because of management like that.

--
Dave Cotton [EMAIL PROTECTED]
Re: [Cooker] OT: on current viruses
On Sat, 2003-08-23 at 19:00, Austin wrote:
> Hey, I keep getting these messages from virus scanners on various mail servers all over the world saying that I tried to send a virus infected email through their mail server. It's the sobig.f virus, which is written in MSVC, and propagates through windows, so I don't see how I could have sent it to anyone, but they attach a copy of it with my return address.

I've had exactly the same thing and feel equally as angry as you, but try this as an idea.

You are getting these from systems that may have been set up by MSCEs, whatever that means. They have been set up using the defaults supplied by the suppliers, because these poor souls know no better, who really have seen an opportunity to spam the world with news of their wonderful anti-virus product, under the guise of information.

One shows actual stupidity, the person whose name appears in the from is certainly not the one who sent the mail, because that's the way the worm works, and the other is nothing more than pure spamming because the creators know that is the case. But without the hype they would not sell their products.

I equally take exception to the press reporting, the use of PCs around the world, your PC, your email program rather than properly reporting i.e. adding the W or M word.

--
Dave Cotton [EMAIL PROTECTED]
Re: [Cooker] OT: on current viruses
On Sat Aug 23 13:00 -0400, Austin wrote:
> Hey, I keep getting these messages from virus scanners on various mail servers all over the world saying that I tried to send a virus infected email through their mail server. It's the sobig.f virus, which is written in MSVC, and propagates through windows, so I don't see how I could have sent it to anyone, but they attach a copy of it with my return address. This makes me very mad. I don't have a single computer running Windows, and I highly doubt if Balsa can execute MS macros LOL. I'm proud of the fact that I don't propagate viruses.

Long story short: a SoBig.F infected system will send out emails to everybody in the address book (it may also scan IE's cache for email addresses), setting the From: header on the email to other random addresses on the infected system. So someone who has you in their address book is infected.

--
Levi Ramsey [EMAIL PROTECTED] [EMAIL PROTECTED]
Take due notice and govern yourselves accordingly.
Currently playing: Rush - Power Windows - Mystic Rhythms
Linux 2.4.21-3mdk 02:16:00 up 19 days, 11:34, 10 users, load average: 0.00, 0.03, 0.06
Re: [Cooker] OT: on current viruses
On Sat, Aug 23, 2003 at 01:00:29PM -0400, Austin wrote:
> Hey, I keep getting these messages from virus scanners on various mail servers all over the world saying that I tried to send a virus infected email

i was even thinking of modifying amavisd-new so for $viruses_that_fake_sender_re the intended recipient is not even notified :)

L.

--
Luca Berra -- [EMAIL PROTECTED]
Communication Media Services S.r.l.
 /"\
 \ /     ASCII RIBBON CAMPAIGN
  X        AGAINST HTML MAIL
 / \
Re: [Cooker] OT: on current viruses
Austin wrote:
> Hey, I keep getting these messages from virus scanners on various mail servers all over the world saying that I tried to send a virus infected email through their mail server. It's the sobig.f virus, which is written in MSVC, and propagates through windows, so I don't see how I could have sent it to anyone, but they attach a copy of it with my return address. This makes me very mad. I don't have a single computer running Windows, and I highly doubt if Balsa can execute MS macros LOL. I'm proud of the fact that I don't propagate viruses.

Happens with me, too. If a Windows box is infected, the virus searches nearly all files on the hard disk (not only the address book) for mail addresses and sends mails with each one having two randomly chosen but different addresses, one for the sender (From:) and one for the destination (To:). The virus runs its own SMTP implementation, so that there is no provider rejecting the mail with wrong From: addresses. At the destination it is not recognized that the From: address is wrong and the error message is simply sent to the address in the From: header.

You probably got many more addresses from the virus itself than error messages from others who received the virus.

See http://hq.mcafeeasap.com/dispVirus.asp?virus_k=100561 for more info about the virus.

Anyone knows a way how to find the box where the virus e-mails (not the error messages, the mails from the virus itself) come from? I would like to inform the users of the infected machines, as these mails are annoying.

Till
Re: [Cooker] OT: on current viruses
very long story short Bill Gates made computers usable for 99.44% of the non-geek population but this includes some very stupid people. worry if Random co serves you with lawsuit papers otherwise mv %mail% /dev/null
Re: [Cooker] OT: on current viruses
On Sun, Aug 24, 2003 at 03:56:21PM +0200, Till Kamppeter wrote:
> Anyone knows a way how to find the box where the virus e-mails (not the error messages, the mails from the virus itself) come from? I would like to inform the users of the infected machines, as these mails are annoying.

use the headers, but how exactly would you inform the user?

L.

--
Luca Berra -- [EMAIL PROTECTED]
Communication Media Services S.r.l.
 /"\
 \ /     ASCII RIBBON CAMPAIGN
  X        AGAINST HTML MAIL
 / \
Re: [Cooker] OT: on current viruses
On Sun 2003-08-24 at 10:42:36 -0400, [EMAIL PROTECTED] wrote:
> very long story short Bill Gates made computers usable for 99.44% of the non-geek population but this includes some very stupid people. worry if Random co serves you with lawsuit papers otherwise mv %mail% /dev/null

The current problem we have is not the worm (and the OS that made them too easy), although that is the origin of the problem, but the stupid programmers of antivirus software, which are clever enough to analyze that a virus is forging the sender, but did not manage yet - for several years - to spread program versions which take this clue.[1]

Although the worm flood is bothering enough, it is at least easily handled. All those automatic notifications, which have no common characteristic most times, are what really cause me work.

Bye, Benjamin.

[1] I.e. make their software not sending notifications on such worms, no matter what preferences the user chooses. And that's regardless of what one thinks about the value of such notifications to begin with.
Re: [Cooker] OT: on current viruses
On Sun Aug 24 17:16 +0200, Luca Berra wrote:
> On Sun, Aug 24, 2003 at 03:56:21PM +0200, Till Kamppeter wrote:
> > Anyone knows a way how to find the box where the virus e-mails (not the error messages, the mails from the virus itself) come from? I would like to inform the users of the infected machines, as these mails are annoying.
>
> use the headers, but how exactly would you inform the user?

Run a whois on the IP and, especially if it's a .edu, mail [EMAIL PROTECTED] In my experience .edu's are fairly quick to disable the ethernet jacks of machines infected by worms.

--
Levi Ramsey [EMAIL PROTECTED] [EMAIL PROTECTED]
Take due notice and govern yourselves accordingly.
Currently playing: Rush - Power Windows - Mystic Rhythms
Linux 2.4.21-3mdk 16:00:02 up 20 days, 1:18, 10 users, load average: 1.67, 0.84, 0.56
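
An added example, not part of the thread: the "use the headers" step from the messages above, as a parser that ignores the forged From: and returns the peer address stamped by the first mail server you run yourself, which is the IP to feed to whois. The sample message, host names and addresses are constructed, and the list of trusted servers is an assumption you would replace with your own.

```python
import email
import ipaddress
import re

# Constructed sample message: forged From:, one Received line fabricated by
# the sending host, and two Received lines stamped by our own servers.
RAW = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby mailstore.example.org with ESMTP id AAA111; Sun, 24 Aug 2003 16:00:05 +0200
Received: from LAPTOP7 (dsl-77.isp.example [203.0.113.77])
\tby mx1.example.org with SMTP id BBB222; Sun, 24 Aug 2003 16:00:02 +0200
Received: from mail.bank.example ([198.51.100.1])
\tby LAPTOP7 with ESMTP; Sun, 24 Aug 2003 15:59:00 +0200
From: someone.innocent@example.net
To: reader@example.org
Subject: constructed sample

body
"""

# Assumption: names and addresses of the MTAs we operate ourselves.
TRUSTED_MTAS = {"mx1.example.org": "192.0.2.10",
                "mailstore.example.org": "192.0.2.11"}
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]\).*?\bby\s+(?P<by>[^\s;]+)", re.S)

def handoff_hop(raw, trusted=TRUSTED_MTAS):
    """Return (ip, helo, rdns) of the peer that handed the message to the
    first MTA we trust, or None if no trusted hop recorded one."""
    msg = email.message_from_string(raw)
    for value in msg.get_all("Received", []):      # newest hop first
        m = RECEIVED_RE.search(value)
        if not m or m["by"].lower() not in trusted:
            return None      # everything from here down is sender-controlled
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            return None
        if ip in trusted.values():
            continue         # internal relay between our own servers
        return ip, m["helo"], m["rdns"]
    return None

if __name__ == "__main__":
    print(handoff_hop(RAW))
```

Only Received lines written by your own servers are evidence; the third line in the sample was supplied by the sender and is never consulted.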