Re: Simple e-mail virus scanner

2003-09-03 Thread Doug Winter
On Wed 20 Aug Olaf Dietsche wrote:
> I guess, you could integrate this in .
> SpamAssassin already scans the email body for signs of spam, so it
> shouldn't be too hard to add another regex. Although I never did
> this myself. I just use SpamAssassin out of the box with procmail.

A simple way to help with this in spamassassin is to increase the score
for MICROSOFT_EXECUTABLE to something nice and high.  Then anything with
one of these attachments gets marked as spam.

doug.

-- 
6973E2CF print 2C95 66AD 1596 37D2 41FC  609F 76C0 A4EC 6973 E2CF
Dasypygal (da-si-PYE-gul), adjective - Having hairy buttocks.



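To see what giving MICROSOFT_EXECUTABLE a high score actually does, here is an added stand-in for that rule (example code, not SpamAssassin's own implementation): it walks a message's MIME parts, flags any that look like a Windows executable by filename extension or by the "MZ" magic bytes, and applies an assumed score of 10.0 against SpamAssassin's default required_score of 5.0. The sample messages are constructed.

```python
"""Flag mail carrying Microsoft executable attachments (added example)."""
import base64
from email import message_from_string
from email.message import Message

# Assumed values: a "nice and high" score for the rule, and the
# default SpamAssassin threshold above which a message is marked as spam.
MICROSOFT_EXECUTABLE_SCORE = 10.0
REQUIRED_SCORE = 5.0

# Extensions that normally carry PE (MZ-header) executables on Windows.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".dll", ".cpl")


def has_microsoft_executable(msg: Message) -> bool:
    """True if any non-multipart MIME part is a Windows executable."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTENSIONS):
            return True
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":  # PE/DOS executable magic bytes
            return True
    return False


def score_message(raw: str) -> float:
    """Score contributed by this single rule (0.0 if it does not fire)."""
    msg = message_from_string(raw)
    return MICROSOFT_EXECUTABLE_SCORE if has_microsoft_executable(msg) else 0.0


def is_spam(raw: str) -> bool:
    return score_message(raw) >= REQUIRED_SCORE


# Constructed sample: an executable disguised with a harmless-looking name.
_EXE_BODY = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 12).decode()
SAMPLE_WITH_EXE = (
    'From: a@example.test\nMIME-Version: 1.0\n'
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain\n\nSee attached.\n'
    '--b1\nContent-Type: application/octet-stream; name="photo.jpg"\n'
    'Content-Disposition: attachment; filename="photo.jpg"\n'
    'Content-Transfer-Encoding: base64\n\n' + _EXE_BODY + '\n--b1--\n'
)
SAMPLE_CLEAN = 'From: a@example.test\nContent-Type: text/plain\n\nHello.\n'
```

The disguised attachment is still caught because the check reads the decoded bytes, not just the filename; archives and other containers are not opened here, so a real filter needs more than this rule alone.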

Re: "suspicious" apache log entries

2002-09-10 Thread Doug Winter
On Tue 10 Sep Marcel Weber wrote:
> So a little program called "Silver bullet" got developed. I think it
> ran even on Linux. When a backdoored server tried to contact the
> silver bullet server, it got "shot down" by this script using nimda's
> backdoor. A window popped up on the attacking machine and its IP
> stack went down... It was really amazing how fast all those servers and
> workstations got patched and finally there was peace again on the
> networks...

This is probably wandering further and further OT, however I saw a
posting on bugtraq way back when all this started that suggested an
interesting tactic.

It claimed that the HTTP libraries used by Nimda and Code Red were
generic, and could be fooled by sending a redirect response like:

Location: http://127.0.0.1/

They would then attempt to root themselves repeatedly, causing the whole
machine to eventually crash.  I expect behaviour would be different in
the various strains of the worms though.

Obviously you can send any HTTP header you like legally.  Also, I guess
people would be quicker to fix their computers if they kept breaking.  I
never tested this myself, but it sounds plausible.

doug.

-- 
key 1024D/6973E2CF print | Tomorrow will be cancelled due to lack of
2C95 66AD 1596 37D2 41FC | interest.
609F 76C0 A4EC 6973 E2CF |
http://www.antisigma.com |