Re: Navy Marine Corps Internet hit
On Tue, 19 Aug 2003, Scott Weeks wrote:

> on the .pif, .scr, etc. attachments...) Maybe I was just lucky. Most
> likely, though, they did not create security zones to keep problems
> contained within certain network segments and not let them out to destroy
> other networks.

Luck is very important.

Like most other people I have no knowledge about how the Navy Marine Internet works, but that won't stop me from commenting.

It sounds like a turnkey operation, with EDS managing everything. They may have 100,000 users with identical configurations (software, patch levels, etc) in one big flat network. A large homogeneous population is vulnerable to a common infection. Nachia has a very efficient scanning and infection process, particularly if your entire network uses RFC1918 address space internally.
RE: Navy Marine Corps Internet hit
> On Tue, 19 Aug 2003, Scott Weeks wrote:
>
>> on the .pif, .scr, etc. attachments...) Maybe I was just lucky. Most
>> likely, though, they did not create security zones to keep problems
>> contained within certain network segments and not let them out to destroy
>> other networks.
>
> Luck is very important.
>
> Like most other people I have no knowledge about how the Navy Marine
> Internet works, but that won't stop me from commenting.
>
> It sounds like a turnkey operation, with EDS managing everything. They
> may have 100,000 users with identical configurations (software, patch
> levels, etc) in one big flat network. A large homogeneous population is
> vulnerable to a common infection. Nachia has a very efficient scanning
> and infection process, particularly if your entire network uses RFC1918
> address space internally.

As a former Marine, and IT support staff member.. The Military uses REAL WORLD IP's on ALL systems. I won't mention IP's. BUT they have all RW on every system. Not quite a flat net either... It is rather a unique system, to say the least.

J
Hijacked email
Anyone seeing hijacked email addresses with this Sobig-F worm? I did some research and I know I didn't send anything to Investec Bank of Johannesburg, ZA. On top of that, I definitely did not send a worm.

Thoughts?

Jack

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 4:11 AM
To: Parks, Jack W
Cc: [EMAIL PROTECTED]
Subject: MailMarshal has detected a Virus in your message

Investec content scanning has stopped the following message:

Message: BB002e9963.0001.mml
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Thank you!

Because it believes the message contains a virus.

The virus scanning software used was: Sophos AntiVirus (SAVI2 Interface)
Virus name: W32/Sobig-F

Please clean the file and resend it.

Rule: Inbound Messages : Block Virus
Re: Hijacked email
> Anyone seeing hijacked email addresses with this Sobig-F worm? I did some
> research and I know I didn't send anything to Investec Bank of
> Johannesburg, ZA. On top of that, I definitely did not send a worm.

same here... seems the worm is not only using the address book for targets, but also as sources..

Pascal
Re: Hijacked email
On Wed, 20 Aug 2003, Pascal Gloor wrote:

>> Anyone seeing hijacked email addresses with this Sobig-F worm? I did some
>> research and I know I didn't send anything to Investec Bank of
>> Johannesburg, ZA. On top of that, I definitely did not send a worm.
>
> same here... seems the worm is not only using the address book for
> targets, but also as sources..

Is this surprising to anyone? That's the way the past few Lookout Virus Express viruses have worked. The funny thing is, on this account, I've gotten zero copies that I've noticed...just lots of mail from various lists talking about it. On my work account, I've gotten several this morning and a bunch of bounces.

--
Jon Lewis [EMAIL PROTECTED]   | I route
System Administrator           | therefore you are
Atlantic Net                   |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Hijacked email
On Wed, 20 Aug 2003 [EMAIL PROTECTED] wrote:

> Anyone seeing hijacked email addresses with this Sobig-F worm? I did some
> research and I know I didn't send anything to Investec Bank of
> Johannesburg, ZA. On top of that, I definitely did not send a worm.

Yep, my email is definitely being used. :(

Nathan Stratton
nathan at robotics.net
http://www.robotics.net
Re: Hijacked email
Hello All,

I have just seen several bounces from various places with my addy being used as well.

JimL

On Wed, 20 Aug 2003, Nathan A. Stratton wrote:

> On Wed, 20 Aug 2003 [EMAIL PROTECTED] wrote:
>
>> Anyone seeing hijacked email addresses with this Sobig-F worm? I did some
>> research and I know I didn't send anything to Investec Bank of
>> Johannesburg, ZA. On top of that, I definitely did not send a worm.
>
> Yep, my email is definitely being used. :(

--
+----------------------+----------------------+---------------+
| James W. Laferriere  | SystemTechniques     | Give me VMS   |
| NetworkEngineer      | P.O. Box 854         | Give me Linux |
| [EMAIL PROTECTED]    | Coudersport PA 16915 | only on AXP   |
+----------------------+----------------------+---------------+
Re: Hijacked email
Yup, seeing same. Spoofing to quite a few of our addresses and sending worms to everyone..

-hc

--
Sincerely,
Haesu C.
TowardEX Technologies, Inc.
WWW: http://www.towardex.com
E-mail: [EMAIL PROTECTED]
Cell: (978) 394-2867

On Wed, Aug 20, 2003 at 07:36:23AM -0500, [EMAIL PROTECTED] wrote:

> Anyone seeing hijacked email addresses with this Sobig-F worm? I did some
> research and I know I didn't send anything to Investec Bank of
> Johannesburg, ZA. On top of that, I definitely did not send a worm.
>
> Thoughts?
>
> Jack
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 20, 2003 4:11 AM
> To: Parks, Jack W
> Cc: [EMAIL PROTECTED]
> Subject: MailMarshal has detected a Virus in your message
>
> Investec content scanning has stopped the following message:
>
> Message: BB002e9963.0001.mml
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Thank you!
>
> Because it believes the message contains a virus.
>
> The virus scanning software used was: Sophos AntiVirus (SAVI2 Interface)
> Virus name: W32/Sobig-F
>
> Please clean the file and resend it.
>
> Rule: Inbound Messages : Block Virus
To send or not to send 'virus in email' notifications?
Considering the amount of email traffic generated by responding to forged virus laden email from culprits like sobig should email virus scanning systems be configured to send notifications back to sender or not?
Re: To send or not to send 'virus in email' notifications?
> Considering the amount of email traffic generated by responding to forged
> virus laden email from culprits like sobig should email virus scanning
> systems be configured to send notifications back to sender or not?

Considering that the From is almost always not the right one, I think sending notifications back will only help to increase the mail traffic and won't help anyone.

Pascal
RE: To send or not to send 'virus in email' notifications?
> Considering the amount of email traffic generated by responding to forged
> virus laden email from culprits like sobig should email virus scanning
> systems be configured to send notifications back to sender or not?

IMO: No. I have had around 200 of these alerts this morning alone, most of which originate from [EMAIL PROTECTED] which received email using my forged address. I can't blithely ignore the postmaster, but I'm sorely tempted to filter them.

Side note: I'm seeing about a 20x increase in smtp traffic over the daily norm.

-John
RE: To send or not to send 'virus in email' notifications?
Kind of like a statement made @ a security conference I was recently at, 'Hacking from the conference = Dismissal, if you have to ask No you shouldn't'

-----Original Message-----
From: Gregory Hicks [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 10:30 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: To send or not to send 'virus in email' notifications?

> Date: Wed, 20 Aug 2003 10:25:28 -0400
> From: Joe Maimon [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: To send or not to send 'virus in email' notifications?
>
> Considering the amount of email traffic generated by responding to forged
> virus laden email from culprits like sobig should email virus scanning
> systems be configured to send notifications back to sender or not?

Not.
RE: To send or not to send 'virus in email' notifications?
Absolutely not. SoBig.F, like many others, forges the sender address. That means that your notifications:

1) Don't make it back to the person with the infection
2) Simply add more clutter to the mailbox of the person whose address was used (in addition to all the bounce messages)

In the enterprise, this is a great argument for scanning outbound email with positive identification of whose outbound mail you're scanning.

Matthew Kaufman
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Maimon
Sent: Wednesday, August 20, 2003 7:25 AM
To: [EMAIL PROTECTED]
Subject: To send or not to send 'virus in email' notifications?

> Considering the amount of email traffic generated by responding to forged
> virus laden email from culprits like sobig should email virus scanning
> systems be configured to send notifications back to sender or not?
RE: To send or not to send 'virus in email' notifications?
All of my bounces are coming from emails that originated from 195.157.87.253... Maybe it's the same guy with others here?

Mark

Fyi..

[EMAIL PROTECTED]:~ whois -h whois.ripe.net 195.157.87.253
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      195.157.70.0 - 195.157.87.255
netname:      NSUK-PARTITION-LL
descr:        Connectivity
country:      GB
admin-c:      NSUK2-RIPE
tech-c:       NSUK1-RIPE
status:       LIR-PARTITIONED PA
remarks:      **
remarks:      * Please do not send abuse reports to tech or admin contacts *
remarks:      * All abuse reports to [EMAIL PROTECTED] *
remarks:      **
remarks:      * This is an partition object and does not represent a valid #
remarks:      # assignment. Valid assignments have status: ASSIGNED PA #
remarks:      ##
notify:       [EMAIL PROTECTED]
mnt-by:       NETSCALIBURUK-MNT
mnt-lower:    NETSCALIBURUK-MNT
changed:      [EMAIL PROTECTED] 20011025
changed:      [EMAIL PROTECTED] 20020110
changed:      [EMAIL PROTECTED] 20020514
source:       RIPE

route:        195.157.0.0/16
descr:        Netscalibur UK Ltd
origin:       AS8272
mnt-by:       NETSCALIBURUK-MNT
changed:      [EMAIL PROTECTED] 20010706
source:       RIPE

role:         Netscalibur UK Hostmaster
address:      Netscalibur UK Ltd
address:      9 Selsdon Way
address:      Cityharbour
address:      London E14 9GL
address:      UK
phone:        +44 (0)870 887 8800
fax-no:       +44 (0)870 887 8867
e-mail:       [EMAIL PROTECTED]
admin-c:      CSP3-RIPE
admin-c:      SY131-RIPE
tech-c:       NSUK1-RIPE
tech-c:       NSUK3-RIPE
nic-hdl:      NSUK2-RIPE
remarks:      Hostmaster
remarks:
remarks:      * All abuse reports to [EMAIL PROTECTED]
remarks:
notify:       [EMAIL PROTECTED]
mnt-by:       NETSCALIBURUK-MNT
changed:      [EMAIL PROTECTED] 20010712
changed:      [EMAIL PROTECTED] 20010731
changed:      [EMAIL PROTECTED] 20020109
changed:      [EMAIL PROTECTED] 20020116
source:       RIPE

role:         Netscalibur UK NOC
address:      Netscalibur UK Ltd
address:      9 Selsdon Way
address:      Cityharbour
address:      London E14 9GL
address:      UK
phone:        +44 (0)845 117 2200
fax-no:       +44 (0)870 887 8867
e-mail:       [EMAIL PROTECTED]
admin-c:      ZP64-RIPE
admin-c:      DJH8-RIPE
tech-c:       NSUK2-RIPE
tech-c:       NSUK3-RIPE
nic-hdl:      NSUK1-RIPE
remarks:      Network Operations Center
remarks:
remarks:      * All abuse reports to [EMAIL PROTECTED]
remarks:
notify:       [EMAIL PROTECTED]
mnt-by:       NETSCALIBURUK-MNT
changed:      [EMAIL PROTECTED] 20010711
changed:      [EMAIL PROTECTED] 20020116
source:       RIPE

--
Mark Segal
Director, Network Planning
FCI Broadband
Tel: 905-284-4070
Fax: 416-987-4701
http://www.fcibroadband.com
Futureway Communications Inc. is now FCI Broadband

-----Original Message-----
From: Jim Deleskie [mailto:[EMAIL PROTECTED]
Sent: August 20, 2003 10:36 AM
To: [EMAIL PROTECTED]
Subject: RE: To send or not to send 'virus in email' notifications?

> Kind of like a statement made @ a security conference I was recently at,
> 'Hacking from the conference = Dismissal, if you have to ask No you
> shouldn't'
>
> -----Original Message-----
> From: Gregory Hicks [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 20, 2003 10:30 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: To send or not to send 'virus in email' notifications?
>
>> Date: Wed, 20 Aug 2003 10:25:28 -0400
>> From: Joe Maimon [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>> Subject: To send or not to send 'virus in email' notifications?
>>
>> Considering the amount of email traffic generated by responding to forged
>> virus laden email from culprits like sobig should email virus scanning
>> systems be configured to send notifications back to sender or not?
>
> Not.
RE: To send or not to send 'virus in email' notifications?
maybe the AV vendors could supply a 'to mail or not to mail' flag within their databases, based on character of the virus... any of them lurking here? :)

--
deejay

-----Original Message-----
From: Matthew Kaufman [mailto:[EMAIL PROTECTED]
Sent: 20 August 2003 16:41
To: 'Joe Maimon'; [EMAIL PROTECTED]
Subject: RE: To send or not to send 'virus in email' notifications?

> Absolutely not. SoBig.F, like many others, forges the sender address. That
> means that your notifications:
>
> 1) Don't make it back to the person with the infection
> 2) Simply add more clutter to the mailbox of the person whose address was
> used (in addition to all the bounce messages)
>
> In the enterprise, this is a great argument for scanning outbound email
> with positive identification of whose outbound mail you're scanning.
>
> Matthew Kaufman
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Maimon
> Sent: Wednesday, August 20, 2003 7:25 AM
> To: [EMAIL PROTECTED]
> Subject: To send or not to send 'virus in email' notifications?
>
>> Considering the amount of email traffic generated by responding to forged
>> virus laden email from culprits like sobig should email virus scanning
>> systems be configured to send notifications back to sender or not?
Re: To send or not to send 'virus in email' notifications?
On Wed, 20 Aug 2003 10:25:28 EDT, Joe Maimon [EMAIL PROTECTED] said:

> Considering the amount of email traffic generated by responding to forged
> virus laden email from culprits like sobig should email virus scanning
> systems be configured to send notifications back to sender or not?

It isn't like the A/V vendors can't put a single bit in the description that says "uses real address" or "uses forged address" and only send a notification when the "real" bit is set. However, a lot of them seem to be more interested in pumping out PR and FUD.

Worst part is if one of them had been smart, they'd have invented such a bit, patented it, and then shipped "New! Improved! Now with less confusing messages", and used the patent to make sure nobody else did. Now *that* would be a selling point for their product, but n... ;)

They've missed their chance. Feel free to cite this e-mail as prior art if somebody tries it now... ;)
Re: To send or not to send 'virus in email' notifications?
Thus spake Tomas Daniska ([EMAIL PROTECTED]) [20/08/03 10:56]:

> maybe the AV vendors could supply a 'to mail or not to mail' flag within
> their databases, based on character of the virus...

amavisd-new maintains a list of viruses that are known to forge sender addresses. It won't notify the sender (if configured) if the virus found is in the list. I can't speak for the other amavis* projects.
RE: To send or not to send 'virus in email' notifications?
> Considering the amount of email traffic generated by responding to forged
> virus laden email from culprits like sobig should email virus scanning
> systems be configured to send notifications back to sender or not?

If your scanner doesn't know if a virus forges addresses, and hence no point replying, then bin it and buy a proper one

brandon
Re: Hijacked email
For our Postfix viewers out there...

header_checks:

/^X-MailScanner: Found to be clean$/ REJECT You're infected, but you probably won't see this message anyway.

body_checks:

/X-MailScanner: Found to be clean/ REJECT Please, stop sending me bounces/infection notices for spoofed virus spam.

The last rule is kinda evil as it will block all mail with that line in the body (both incoming and outgoing), so know what you're doing before you blindly cut and paste.
Re: Hijacked email
Please people, of all the great feedback these joe jobbed addresses are receiving, from the anti-virus software... it really wouldn't hurt to include the -=IP=- (and possibly headers) of the system that contacted your server. Rather than simply complain, it would allow us to track down, and triangulate the -=real=- perp, an infected M$ machine or two (million).

Thanks in Advance for useful data ! :D

JMHO.

Omachonu Ogali wrote:

> For our Postfix viewers out there...
>
> header_checks:
>
> /^X-MailScanner: Found to be clean$/ REJECT You're infected, but you
> probably won't see this message anyway.
>
> body_checks:
>
> /X-MailScanner: Found to be clean/ REJECT Please, stop sending me
> bounces/infection notices for spoofed virus spam.
>
> The last rule is kinda evil as it will block all mail with that line in
> the body (both incoming and outgoing), so know what you're doing before
> you blindly cut and paste.
Re: To send or not to send 'virus in email' notifications?
On Wednesday 20 August 2003 10:25, Joe Maimon wrote:

> Considering the amount of email traffic generated by responding to forged
> virus laden email from culprits like sobig should email virus scanning
> systems be configured to send notifications back to sender or not?

Absolutely not. My spam filters are handling the original spam fine but I am getting tons of responses to email I didn't send in the first place. It's legitimate email from legitimate sources so the filters don't catch it but it is garbage nonetheless.

--
D'Arcy J.M. Cain [EMAIL PROTECTED]|vex}.net | Democracy is three wolves
http://www.druid.net/darcy/                 | and a sheep voting on
+1 416 425 1212 (DoD#0082)(eNTP)            | what's for dinner.
Re: To send or not to send 'virus in email' notifications?
> virus laden email from culprits like sobig should email virus scanning
> systems be configured to send notifications back to sender or not?

Virus notification was great in times past. With forged addresses, now the double edged sword is pointed back at the victim system, since some of the notifications are sent to invalid domains or accounts the mail rests undeliverable in a mail queue awaiting to expire. My mail queue rose yesterday to over 100 undeliverable mails. All of these from sobig notifications to illegal domains or accounts. I shutdown notifications ASAP, saving myself (and my systems) some processing time.

The notification piece of most scanner engines need to be revamped by the software manufacturers and developers to keep up in the new trends in virii behavior (i.e. forged addresses). Someone posted that Amavis-new has this feature, and this is open source software, you imagine the commercial companies could have figured this one out by now since klez also used forged addresses.

Gerardo

D'Arcy J.M. Cain writes:

> On Wednesday 20 August 2003 10:25, Joe Maimon wrote:
>
>> Considering the amount of email traffic generated by responding to forged
>> virus laden email from culprits like sobig should email virus scanning
>> systems be configured to send notifications back to sender or not?
>
> Absolutely not. My spam filters are handling the original spam fine but I
> am getting tons of responses to email I didn't send in the first place.
> It's legitimate email from legitimate sources so the filters don't catch
> it but it is garbage nonetheless.
>
> --
> D'Arcy J.M. Cain [EMAIL PROTECTED]|vex}.net | Democracy is three wolves
> http://www.druid.net/darcy/                 | and a sheep voting on
> +1 416 425 1212 (DoD#0082)(eNTP)            | what's for dinner.

Gerardo A. Gregory
Manager Network Administration and Security
402-970-1463 (Direct)
402-850-4008 (Cell)
Affinitas - Latin for Relationship
Helping Businesses Acquire, Retain, and Cultivate Customers
Visit us at http://www.affinitas.net
Re: To send or not to send 'virus in email' notifications?
Notifications from virus scanners is backscatter, just the same as the backscatter generated by Smurf attacks. The virus scanners are contributory technology in the conduct of a denial of service attack in exactly the same way as having directed broadcasts enabled on your routers was (read RFC 2644 for the details). Please let's stop building technology that aids in the conduct of DoS attacks.
Re: To send or not to send 'virus in email' notifications?
In a message written on Wed, Aug 20, 2003 at 11:40:53AM -0400, D'Arcy J.M. Cain wrote:

> Absolutely not. My spam filters are handling the original spam fine but I
> am getting tons of responses to email I didn't send in the first place.
> It's legitimate email from legitimate sources so the filters don't catch
> it but it is garbage nonetheless.

For those that use spamassassin, in ~/.spamassassin/user_prefs:

header VIRUS_BOUNCE X-MailScanner =~ /Found to be clean/
describe VIRUS_BOUNCE Has X-MailScanner with virus signature.
score VIRUS_BOUNCE 5.0

--
Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org
RE: To send or not to send 'virus in email' notifications?
At 10:30:43 my systems rebooted after installing hotfix Windows 2000 Hotfix KB823980 was installed and machines rebooted. Any ideas on how to remove this or what it may be?

Wes Vaux, CCNA, CCDA
Network Security Engineer,
9000 Regency Pkwy Ste 500
Cary, NC 27511
t 919.463.6782
f 919.463.1290
Global Knowledge
Experts Teaching Experts
http://www.globalknowledge.com

-----Original Message-----
From: Stephen J. Wilcox [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 10:33 AM
To: Joe Maimon
Cc: [EMAIL PROTECTED]
Subject: Re: To send or not to send 'virus in email' notifications?

> On Wed, 20 Aug 2003, Joe Maimon wrote:
>
>> Considering the amount of email traffic generated by responding to forged
>> virus laden email from culprits like sobig should email virus scanning
>> systems be configured to send notifications back to sender or not?
>
> well if you dont tell them they wont know, altho with sobig the return
> address is false anyhow
>
> it would probably be best to cache the sender/virus combinations and send
> a single message per 7 days
>
> Steve
RE: To send or not to send 'virus in email' notifications?
On Wed, 20 Aug 2003, Wesley Vaux wrote:

> At 10:30:43 my systems rebooted after installing hotfix Windows 2000
> Hotfix KB823980 was installed and machines rebooted. Any ideas on how to
> remove this or what it may be?

http://www.microsoft.com/windows2000/downloads/servicepacks/SP4/HFDeploy.htm#what_is_a_hotfix__mbbi
http://www.microsoft.com/windows2000/downloads/servicepacks/SP4/HFDeploy.htm#removing_a_windows_hotfix_adbb

KB823980 appears to be the patch against DCOM why do you wish to remove it?

Steve

> Wes Vaux, CCNA, CCDA
> Network Security Engineer,
> 9000 Regency Pkwy Ste 500
> Cary, NC 27511
> t 919.463.6782
> f 919.463.1290
> Global Knowledge
> Experts Teaching Experts
> http://www.globalknowledge.com
>
> -----Original Message-----
> From: Stephen J. Wilcox [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 20, 2003 10:33 AM
> To: Joe Maimon
> Cc: [EMAIL PROTECTED]
> Subject: Re: To send or not to send 'virus in email' notifications?
>
>> On Wed, 20 Aug 2003, Joe Maimon wrote:
>>
>>> Considering the amount of email traffic generated by responding to
>>> forged virus laden email from culprits like sobig should email virus
>>> scanning systems be configured to send notifications back to sender or
>>> not?
>>
>> well if you dont tell them they wont know, altho with sobig the return
>> address is false anyhow
>>
>> it would probably be best to cache the sender/virus combinations and
>> send a single message per 7 days
>>
>> Steve
RE: To send or not to send 'virus in email' notifications?
http://support.microsoft.com/default.aspx?scid=kb;[LN];823980

Cheers,

Cade Kelly
System/Network Administrator
ECONnergy Co. Inc
Spring Valley, NY

-----Original Message-----
From: Wesley Vaux [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 11:58 AM
To: 'Stephen J. Wilcox'; Joe Maimon
Cc: [EMAIL PROTECTED]
Subject: RE: To send or not to send 'virus in email' notifications?

> At 10:30:43 my systems rebooted after installing hotfix Windows 2000
> Hotfix KB823980 was installed and machines rebooted. Any ideas on how to
> remove this or what it may be?
>
> Wes Vaux, CCNA, CCDA
> Network Security Engineer,
> 9000 Regency Pkwy Ste 500
> Cary, NC 27511
> t 919.463.6782
> f 919.463.1290
> Global Knowledge
> Experts Teaching Experts
> http://www.globalknowledge.com
>
> -----Original Message-----
> From: Stephen J. Wilcox [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 20, 2003 10:33 AM
> To: Joe Maimon
> Cc: [EMAIL PROTECTED]
> Subject: Re: To send or not to send 'virus in email' notifications?
>
>> On Wed, 20 Aug 2003, Joe Maimon wrote:
>>
>>> Considering the amount of email traffic generated by responding to
>>> forged virus laden email from culprits like sobig should email virus
>>> scanning systems be configured to send notifications back to sender or
>>> not?
>>
>> well if you dont tell them they wont know, altho with sobig the return
>> address is false anyhow
>>
>> it would probably be best to cache the sender/virus combinations and
>> send a single message per 7 days
>>
>> Steve
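The thread converges on two rules for scanner notifications: never notify the sender for a virus that is known to forge its sender address (the amavisd-new approach Matthew Kaufman's and the amavis reply above argue for), and for everything else collapse repeats, as Steve Wilcox suggests in the message quoted above, into one notice per sender/virus combination per 7 days. The following is an added example of that policy written for this page; it is not amavisd-new's code or any vendor's. The virus family list, the scanner name strings and the addresses are assumptions made for the example. It also refuses to answer a null envelope sender, since that is already a bounce or notice and replying to it only creates a mail loop.

```python
"""Notification policy for an e-mail virus scanner (added example).

Rule 1: never notify for a virus known to forge the sender.
Rule 2: otherwise, at most one notice per (sender, virus) per window.
Rule 3: never answer a null reverse-path (<>), which is already a bounce.
"""
from datetime import datetime, timedelta
from typing import Dict, Tuple

# Assumed list of virus families whose mail carries a forged sender.
# Matched as a case-insensitive substring so that vendor naming
# differences ("W32/Sobig-F", "Worm.Sobig.F", "W32.Sobig.F@mm")
# all hit the same entry.
SENDER_FORGING_FAMILIES = ("sobig", "klez")


def forges_sender(virus_name: str) -> bool:
    """True if the detected virus is known to forge its sender address."""
    name = virus_name.lower()
    return any(family in name for family in SENDER_FORGING_FAMILIES)


class NotifyPolicy:
    """Decides whether a 'virus in your mail' notice should go to the sender."""

    def __init__(self, window: timedelta = timedelta(days=7)) -> None:
        self.window = window
        # (normalised sender, normalised virus name) -> time of last notice
        self._last_sent: Dict[Tuple[str, str], datetime] = {}

    def should_notify(self, envelope_sender: str, virus_name: str,
                      now: datetime) -> Tuple[bool, str]:
        """Return (decision, reason); only a True decision should produce mail."""
        sender = envelope_sender.strip().strip("<>").lower()
        virus = virus_name.strip().lower()

        # Null reverse-path: this is a DSN or another notice. Answering it
        # creates a loop, never a useful notification.
        if not sender:
            return False, "null envelope sender"

        # Sender-forging worm: the address belongs to a joe-jobbed victim
        # and the notice would be pure backscatter.
        if forges_sender(virus):
            return False, f"{virus_name} forges sender addresses"

        # Anything else: one notice per sender/virus per window.
        key = (sender, virus)
        last = self._last_sent.get(key)
        if last is not None and now - last < self.window:
            return False, f"already notified {sender} about {virus_name} on {last:%Y-%m-%d}"
        self._last_sent[key] = now
        return True, "notify"


if __name__ == "__main__":
    policy = NotifyPolicy()
    t0 = datetime(2003, 8, 20, 10, 25)
    # Constructed detections, in the shape a scanner log would hand over.
    for sender, virus, when in [
        ("<victim@example.org>", "W32/Sobig-F", t0),
        ("<>", "EICAR-AV-Test", t0),
        ("alice@example.com", "EICAR-AV-Test", t0),
        ("alice@example.com", "EICAR-AV-Test", t0 + timedelta(days=3)),
        ("alice@example.com", "EICAR-AV-Test", t0 + timedelta(days=8)),
    ]:
        print(sender, virus, policy.should_notify(sender, virus, when))
```

In a real deployment the `_last_sent` cache would live in a database or on disk shared by all scanner processes, and the forging list would be refreshed from the scanner's own signature metadata when the vendor provides it.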
Hey netscalibur! (was: Re: Hijacked email)
Today at 10:40 (-0500), Richard Irving wrote:

> Date: Wed, 20 Aug 2003 10:40:25 -0500
> From: Richard Irving [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Hijacked email
>
> Please people, of all the great feedback these joe jobbed addresses are
> receiving, from the anti-virus software... it really wouldn't hurt to
> include the -=IP=- (and possibly headers) of the system that contacted
> your server. Rather than simply complain, it would allow us to track
> down, and triangulate the -=real=- perp, an infected M$ machine or two
> (million).

Okie doke is Netscalibur in the house? I might assume so based on the nanog-ish return address on the received e-mail from [195.157.87.253]. This IP is sourcing Sobig.F to me, and *as* me.

The received mail:

From [EMAIL PROTECTED] Wed Aug 20 10:03:00 2003
Received: from KYAN ([195.157.87.253])
        by ack.Berkeley.EDU (8.11.3/8.11.3) with ESMTP id h7K9k2n04029
        for [EMAIL PROTECTED]; Wed, 20 Aug 2003 02:46:02 -0700 (PDT)
Message-Id: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Details
Date: Wed, 20 Aug 2003 10:46:45 +0100
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=_NextPart_000_00623C6D
Content-Length: 17

See the attached file for details

[ Part 2, Application/OCTET-STREAM (Name: details.pif) 100KB. ]

And the results of the joe-job:

The original message was received at Wed, 20 Aug 2003 03:42:13 -0700 (PDT)
from [195.157.87.253]

- The following addresses had permanent fatal errors -
[EMAIL PROTECTED]
    (reason: 550 [EMAIL PROTECTED]... No such mailbox)

- Transcript of session follows -
... while talking to mail.sega.com.:
RCPT To:[EMAIL PROTECTED]
550 [EMAIL PROTECTED]... No such mailbox
550 5.1.1 [EMAIL PROTECTED]... User unknown

[ Part 2: Delivery Status ]

Reporting-MTA: dns; postal.segasoft.com
Received-From-MTA: DNS; [195.157.87.253]
Arrival-Date: Wed, 20 Aug 2003 03:42:13 -0700 (PDT)

Final-Recipient: RFC822; [EMAIL PROTECTED]
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mail.sega.com
Diagnostic-Code: SMTP; 550 [EMAIL PROTECTED]... No such mailbox
Last-Attempt-Date: Wed, 20 Aug 2003 03:42:19 -0700 (PDT)

[ Part 3: Included Message ]

Return-Path: [EMAIL PROTECTED]
Received: from KYAN ([195.157.87.253])
        by postal.segasoft.com (8.12.9/8.11.0) with ESMTP id h7KAgCbV004367
        for [EMAIL PROTECTED]; Wed, 20 Aug 2003 03:42:13 -0700 (PDT)
Message-Id: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Details
Date: Wed, 20 Aug 2003 11:42:56 +0100
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=_NextPart_000_0095ABA4

Please see the attached file for details.

[ Part 3.2, Application/OCTET-STREAM (Name: thank_you.pif) 101KB. ]
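The message above does what Richard Irving asked for: it carries the connecting relay's IP rather than the forged From:. The following is an added example, written for this page and not code from the thread, that automates that extraction for both shapes shown above: the worm mail as received directly, and a DSN that bounced it back to the forged sender with the original attached as message/rfc822. It reads the topmost Received: header of the (enclosed) message, which is the one written by the MTA that accepted the connection, and, for a DSN, the Received-From-MTA field of the delivery-status part so the two can be cross-checked. The two sample messages are constructed to match the layout above; the host names and addresses in them are placeholders, and the regex covers the sendmail/Postfix "from NAME ([IP])" and "from NAME (NAME [IP])" forms only.

```python
"""Find the relay that actually handed a joe-jobbed worm to an MTA (added example)."""
import email
import re
from email.message import Message
from typing import Dict, Optional

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# sendmail/Postfix style: "from NAME ([IP]) ... by HOST" or "from NAME (NAME [IP]) ... by HOST"
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)\s+\((?:\S+\s+)?\[?(?P<ip>" + IPV4 + r")\]?\)"
    r".*?\bby\s+(?P<by>\S+)", re.IGNORECASE)
IP_RE = re.compile(IPV4)


def _enclosed_message(msg: Message) -> Message:
    """For a DSN, return the bounced original; otherwise the message itself."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return msg


def _dsn_received_from(msg: Message) -> Optional[str]:
    """IP in the Received-From-MTA field of a message/delivery-status part, if any."""
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            for block in part.get_payload():      # one Message per header block
                value = block.get("Received-From-MTA")
                if value:
                    m = IP_RE.search(value)
                    return m.group(0) if m else None
    return None


def find_source(raw: str) -> Dict[str, Optional[str]]:
    """Return the relay name/IP and receiving MTA to put in an abuse report."""
    msg = email.message_from_string(raw)
    original = _enclosed_message(msg)
    # Only the topmost Received: line was written by an MTA we trust (our own,
    # or the one that bounced the mail); anything below it can be forged.
    received = original.get_all("Received") or []
    result: Dict[str, Optional[str]] = {
        "relay_name": None, "relay_ip": None, "receiving_mta": None,
        "dsn_received_from": _dsn_received_from(msg),
        "claimed_from": original.get("From"),   # the forged, useless address
    }
    if received:
        m = RECEIVED_RE.search(" ".join(received[0].split()))
        if m:
            result.update(relay_name=m["name"], relay_ip=m["ip"], receiving_mta=m["by"])
    return result


# Constructed sample: the worm mail as our MTA received it.
SAMPLE_DIRECT = """\
Received: from KYAN ([195.157.87.253])
    by ack.example.edu (8.11.3/8.11.3) with ESMTP id h7K9k2n04029
    for <someone@example.edu>; Wed, 20 Aug 2003 02:46:02 -0700 (PDT)
From: victim@example.org
To: someone@example.edu
Subject: Re: Details
Date: Wed, 20 Aug 2003 10:46:45 +0100
X-MailScanner: Found to be clean
Content-Type: text/plain

See the attached file for details
"""

# Constructed sample: a DSN sent to the forged sender, original attached.
SAMPLE_DSN = """\
From: Mail Delivery Subsystem <MAILER-DAEMON@postal.example.com>
To: victim@example.org
Subject: Returned mail: see transcript for details
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="DSNB"

--DSNB

The original message was received at Wed, 20 Aug 2003 03:42:13 -0700 (PDT)
from [195.157.87.253]

--DSNB
Content-Type: message/delivery-status

Reporting-MTA: dns; postal.example.com
Received-From-MTA: DNS; [195.157.87.253]
Arrival-Date: Wed, 20 Aug 2003 03:42:13 -0700 (PDT)

Final-Recipient: RFC822; nobody@example.net
Action: failed
Status: 5.1.1

--DSNB
Content-Type: message/rfc822

Return-Path: <victim@example.org>
Received: from KYAN ([195.157.87.253])
    by postal.example.com (8.12.9/8.11.0) with ESMTP id h7KAgCbV004367
    for <nobody@example.net>; Wed, 20 Aug 2003 03:42:13 -0700 (PDT)
Message-Id: <20030820104256.12345@KYAN>
From: victim@example.org
To: nobody@example.net
Subject: Re: Details
Date: Wed, 20 Aug 2003 11:42:56 +0100
X-MailScanner: Found to be clean
Content-Type: text/plain

Please see the attached file for details.

--DSNB--
"""

if __name__ == "__main__":
    for raw in (SAMPLE_DIRECT, SAMPLE_DSN):
        print(find_source(raw))
```

When `relay_ip` and `dsn_received_from` disagree, treat the DSN itself as suspect; when they agree, that IP plus the `receiving_mta` and its timestamp is the whole of what an abuse desk needs, and the `claimed_from` value should be left out of the report entirely.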
Re: To send or not to send 'virus in email' notifications?
FWIW

In a message written on Wed, Aug 20, 2003 at 10:04:05AM -0700, Steve Thomas wrote:

> From: Steve Thomas [EMAIL PROTECTED]
> To: Leo Bicknell [EMAIL PROTECTED]
> Subject: Re: To send or not to send 'virus in email' notifications?
> [other headers edited]
>
> NO! Some organizations (the company I work for, for instance) use
> MailScanner on incoming AND outgoing mail. I tried telling this to the
> person who sent the Postfix regex, but, of course, my mail was rejected.
> MailScanner is a very widely used product, and adding rules/filters like
> the one above only adds to the problems that the virus author is trying
> to create.
>
> Please forward this to NANOG - I tried subscribing to NANOG-POST, but my
> subscription request was bounced with "content rejected".

Note, unlike the postfix rule his message still made it past spamassassin as he had enough non-spam qualities to offset the rule I suggested adding. Please keep in mind there may be legitimate e-mail with these headers if you're going to use rules such as have been suggested here.

--
Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org
virus or hacked?
Good morning:

I was wondering if anyone has seen this message on a win2k server before and might be able to help me

Message from destroyer to you on 8/19/2003 11:24:53pm
Make this your last pop-up ever Destroy all these pop-up for a fraction of the price of our competitors!!!
go to www. messagdestroyer.net

This is all in a plain windows box (gray box with an ok button at the bottom and the X in the upper right corner)

Any help or insight would be much appreciated!!

Thanks

Chris Todd
Computer Technician
Western Newspapers, Inc.
(928)775-2499
Resistance is Futile
Re: virus or hacked?
That would probably be the messenger service in Win2k. To stop it, go to Settings -> Control Panel -> Administrative Tools -> Services. Find Messenger and disable it.

Thanks,
Paul

Or load the linux OS of choice ;)

On Wed, 2003-08-20 at 12:32, Chris Todd wrote:

> Good morning:
>
> I was wondering if anyone has seen this message on a win2k server before
> and might be able to help me
>
> Message from destroyer to you on 8/19/2003 11:24:53pm
> Make this your last pop-up ever Destroy all these pop-up for a fraction
> of the price of our competitors!!!
> go to www. messagdestroyer.net
>
> This is all in a plain windows box (gray box with an ok button at the
> bottom and the X in the upper right corner)
>
> Any help or insight would be much appreciated!!
>
> Thanks
>
> Chris Todd
> Computer Technician
> Western Newspapers, Inc.
> (928)775-2499
> Resistance is Futile

--
Paul A Bradford
Senior Network Engineer
Adelphia Cable Communications
814-274-6663
RE: virus or hacked?
| -----Original Message-----
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
| Chris Todd
| Sent: Wednesday, August 20, 2003 12:33 PM
| To: '[EMAIL PROTECTED]'
| Subject: virus or hacked?
|
|
| Good morning:
| I was wondering if anyone has seen this message on a win2k server before
| and
| might be able to help me
|
| Message from destroyer to you on 8/19/2003 11:24:53pm
| Make this your last pop-up ever Destroy all these pop-up for a fraction of
| the price of our competitors!!!
| go to www. messagdestroyer.net
|
| This is all in a plain windows box (gray box with an ok button at the
| bottom
| and the X in the upper right corner)
|

This is a standard Windows messenger (not MSN messenger) spam. If you don't use the Windows messenger service, disable the messenger service. SPAM will stop.

Todd
--
Re: virus or hacked?
Chris Todd schrieb: Thanks Chris Todd Computer Technician Computer Technician? you sure? -- Johannes Catterwell,| Did you ever wonder Darmstadt, Germany | ... why you have to click johannes at catterwell dot de | on Start to stop Windows?
Re: virus or hacked?
From: Chris Todd [EMAIL PROTECTED] Date: Wed, 20 Aug 2003 09:32:30 -0700 Good morning: I was wondering if anyone has seen this message on a win2k server before and might be able to help me Chris: This is the new spam technique using the windows admin pop-up vector. Supposed to be used by an Admin to send messages of some import to all their users on a particular server. That the popup showed up means you have some patching to do as well as some (3 - I think) ports to block on your firewall. See the NANOG archives for more details. Regards, Gregory Hicks Message from destroyer to you on 8/19/2003 11:24:53pm Make this your last pop-up ever Destroy all these pop-up for a fraction of the price of our competitors!!! go to www. messagdestroyer.net This is all in a plain windows box(gray box with an ok button at the bottom and the X is the upper right corner) Any help or insight would be much appreciated!! Thanks Chris Todd Computer Technician Western Newspapers, Inc. (928)775-2499 Resistance is Futile - Gregory Hicks | Principal Systems Engineer Cadence Design Systems | Direct: 408.576.3609 555 River Oaks Pkwy M/S 6B1 | Fax: 408.894.3479 San Jose, CA 95134 | Internet: [EMAIL PROTECTED] Never attribute to malice that which is adequately explained by ignorance or stupidity. Asking the wrong questions is the leading cause of wrong answers The best we can hope for concerning the people at large is that they be properly armed. --Alexander Hamilton
RE: virus or hacked?
How catty. We all start somewhere, or have you forgotten? Gruss + Cheers, Cade Kelly System/Network Administrator ECONnergy Co. Inc Spring Valley, NY -Original Message- From: Johannes Catterwell [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 20, 2003 1:52 PM To: Chris Todd Cc: [EMAIL PROTECTED] Subject: Re: virus or hacked? Chris Todd schrieb: Thanks Chris Todd Computer Technician Computer Technician? you sure? -- Johannes Catterwell,| Did you ever wonder Darmstadt, Germany | ... why you have to click johannes at catterwell dot de | on Start to stop Windows?
RE: virus or hacked?
-| -Original Message- -| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf -Of -| Chris Todd -| Sent: Wednesday, August 20, 2003 12:33 PM -| To: '[EMAIL PROTECTED]' -| Subject: virus or hacked? -| -| -| Good morning: -| I was wondering if anyone has seen this message on a win2k server -before -| and -| might be able to help me -| -| Message from destroyer to you on 8/19/2003 11:24:53pm -| Make this your last pop-up ever Destroy all these pop-up for a -fraction of -| the price of our competitors!!! -| go to www. messagdestroyer.net -| -| This is all in a plain windows box(gray box with an ok button at the -| bottom -| and the X is the upper right corner) -| - -This is a standard Windows messenger (not MSN messenger) spam. If you -don't use the Windows messenger service, disable the messenger -service. SPAM will stop. - -Todd If you have this showing up on a server that is behind a firewall, you may have a MUCH bigger problem. The access to the messenger service requires access to a specific port, and this problem normally only manifests itself when the server/workstation is plugged directly into an internet pipe with a real world IP on one of its network cards! If you are not behind a firewall/router of even the linksys family, shame on you. If you are behind a firewall... Oh boy, better look for some security problems later, J
Email virus protection
Hello, What is the most common method for providing virus protection for your hosted email customers? Thank you in advance. Regards, Christopher J. Wolff, VP CIO Broadband Laboratories, Inc. http://www.bblabs.com
Re: Hey netscalibur! (was: Re: Hijacked email)
Today at 18:38 (+0100), Dan Houghton wrote: Date: Wed, 20 Aug 2003 18:38:43 +0100 From: Dan Houghton [EMAIL PROTECTED] To: Christopher Chin [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: Hey netscalibur! (was: Re: Hijacked email) [. . .] IP in question is in use by a Netscalibur UK customer. The RIPE whois record for the IP provides the abuse@ contact details (which is staffed and dealt with correctly) but also noticed you emailed onto [EMAIL PROTECTED] as well. I'll make sure that the NOC staff deal with it and get these stopped. Thanks for the quick response, Dan. It's great to hear that you have alert folks on the other end of both abuse@ and noc@ roles. As with most organizations, we have a fair amount of overlap between queries that arrive at abuse@, security@, and noc@, but we tend to handle operational issues via noc, and abuse@ is mostly for questionable behavior (intentional or otherwise) by our local users. With that in mind, I figured [EMAIL PROTECTED] would be the more appropriate address. Please do let me know (offline is OK too) if that is not your preference. Thanks, - Christopher
IDT-Winstar
Any of you know off the top of your head Winstar's config/policy for a customer wanting to accept customer routes only from a BGP feed? Or, a contact that can respond within a couple of hours would be useful too. I've called their NOC. They have no clue what I am talking about. They said email [EMAIL PROTECTED] Emailed them. No response...going on 2 days. Checked their website...about as useful as above. Thanks! Tony
RE: virus or hacked?
Ok, let me kill this now. To everyone that helped thank you very much.. to others I am sorry for posting off topic. I just now found out the server admin left the server outside the firewall with many open ports. Again, thanks for all the help and sorry for the off topic spam. Chris Todd Computer Technician Western Newspapers, Inc. (928)775-2499 Resistance is Futile -- From: McBurnett, Jim Sent: Wednesday, August 20, 2003 11:48 AM To: Todd Mitchell - lists; Chris Todd Cc: [EMAIL PROTECTED] Subject: RE: virus or hacked? -| -Original Message- -| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf -Of -| Chris Todd -| Sent: Wednesday, August 20, 2003 12:33 PM -| To: '[EMAIL PROTECTED]' -| Subject: virus or hacked? -| -| -| Good morning: -| I was wondering if anyone has seen this message on a win2k server -before -| and -| might be able to help me -| -| Message from destroyer to you on 8/19/2003 11:24:53pm -| Make this your last pop-up ever Destroy all these pop-up for a -fraction of -| the price of our competitors!!! -| go to www. messagdestroyer.net -| -| This is all in a plain windows box(gray box with an ok button at the -| bottom -| and the X is the upper right corner) -| - -This is a standard Windows messenger (not MSN messenger) spam. If you -don't use the Windows messenger service, disable the messenger -service. SPAM will stop. - -Todd If you have this showing up on a server that is behind a firewall, you may have a MUCH bigger problem. The access to the messenger service requires access to a specific port, and this problem normally only manifests itself when the server/workstation is plugged directly into an internet pipe with a real world IP on one of its network cards! If you are not behind a firewall/router of even the linksys family, shame on you. If you are behind a firewall... Oh boy, better look for some security problems later, J
Re: virus or hacked?
That was my thought after my initial knee jerk how to fix response. I'm sorry for replying to the list Thanks, Paul -- Paul A Bradford Senior Network Engineer Adelphia Cable Communications 814-274-6663
RE: Email virus protection
| -Original Message- | From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of | Christopher J. Wolff | Sent: Wednesday, August 20, 2003 1:51 PM | To: [EMAIL PROTECTED] | Subject: Email virus protection | | | Hello, | | What is the most common method for providing virus protection for your | hosted email customers? Thank you in advance. We filter the normal bad attachment stuff right off the bat: ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc] and as we see fit, we add system wide filters for specific viruses, trojans, etc. Customers are notified when additional filters are added/removed. Todd -- | | Regards, | Christopher J. Wolff, VP CIO | Broadband Laboratories, Inc. | http://www.bblabs.com | |
Re: virus or hacked?
Indeed. - Original Message - From: Claire Kelly [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, August 20, 2003 1:45 PM Subject: RE: virus or hacked? How catty. We all start somewhere, or have you forgotten? Gruss + Cheers, Cade Kelly System/Network Administrator ECONnergy Co. Inc Spring Valley, NY -Original Message- From: Johannes Catterwell [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 20, 2003 1:52 PM To: Chris Todd Cc: [EMAIL PROTECTED] Subject: Re: virus or hacked? Chris Todd schrieb: Thanks Chris Todd Computer Technician Computer Technician? you sure? -- Johannes Catterwell, | Did you ever wonder Darmstadt, Germany | ... why you have to click johannes at catterwell dot de | on Start to stop Windows?
Re: virus or hacked?
On Wed, 20 Aug 2003 13:45:46 EDT, Claire Kelly [EMAIL PROTECTED] said: How catty. We all start somewhere, or have you forgotten? You *do* have to admit it's an unusual combination of skills to: a) have enough clue to get subscribed to NANOG-post *AND* b) not be able to identify Windows Messenger spam
Re: virus or hacked?
Most of us start at google. On Wed, Aug 20, 2003 at 01:45:46PM -0400, Claire Kelly wrote: How catty. We all start somewhere, or have you forgotten? Gruss + Cheers, Cade Kelly System/Network Administrator ECONnergy Co. Inc Spring Valley, NY -Original Message- From: Johannes Catterwell [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 20, 2003 1:52 PM To: Chris Todd Cc: [EMAIL PROTECTED] Subject: Re: virus or hacked? Chris Todd schrieb: Thanks Chris Todd Computer Technician Computer Technician? you sure? -- Johannes Catterwell, | Did you ever wonder Darmstadt, Germany| ... why you have to click johannes at catterwell dot de | on Start to stop Windows?
RE: virus or hacked?
Yes, this is totally true. But my point was that being helpful is more efficient than pure cattiness (which could translate into arrogance *gasp*). Enough of that goes on on this list, and in any case, while we're busy sneering about our ignorant users, we could at least help out our own. You know? Have a good one! Cheers, Cade -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 20, 2003 2:03 PM To: Claire Kelly Cc: [EMAIL PROTECTED] Subject: Re: virus or hacked? On Wed, 20 Aug 2003 13:45:46 EDT, Claire Kelly [EMAIL PROTECTED] said: How catty. We all start somewhere, or have you forgotten? You *do* have to admit it's an unusual combination of skills to: a) have enough clue to get subscribed to NANOG-post *AND* b) not be able to identify Windows Messenger spam
Re: virus or hacked?
Chris, Chances are that you're not but...make sure you block the following ports (at a minimum) at your firewall: 135, 137-139, 445. If you don't have a firewall, you need to get one installed ASAP. In the meantime, install a personal (software) firewall - if the circumstances allow. If you are getting pop-up ads on that server, who knows what else is going on. -Jack --- Chris Todd [EMAIL PROTECTED] wrote: Good morning: I was wondering if anyone has seen this message on a win2k server before and might be able to help me Message from destroyer to you on 8/19/2003 11:24:53pm Make this your last pop-up ever Destroy all these pop-up for a fraction of the price of our competitors!!! go to www. messagdestroyer.net This is all in a plain windows box(gray box with an ok button at the bottom and the X is the upper right corner) Any help or insight would be much appreciated!! Thanks Chris Todd Computer Technician Western Newspapers, Inc. (928)775-2499 Resistance is Futile
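The ports listed in the reply above are also what a border firewall log shows being hit once the block is in place. As an added example (not code from the original post), this Python script reads netfilter-style LOG lines (the space-separated KEY=VALUE format with IN=, SRC=, PROTO= and DPT= fields) and counts, per source address, how many inbound packets targeted 135, 137-139 or 445. The sample log lines, interface names and addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Count inbound hits on the NetBIOS/RPC/SMB ports from firewall log lines.

Added example, not code from the original post.  Input is the netfilter
LOG format (space-separated KEY=VALUE fields); the sample lines below are
constructed for this example.
"""
import re
from collections import Counter, defaultdict

# Ports named in the reply above.  UDP 135 is the path the Messenger-service
# popups arrive on; 137-139 and 445 carry NetBIOS/SMB.
MESSENGER_PORTS = frozenset({135, 137, 138, 139, 445})

_FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line as a dict.
    Fields with an empty value (e.g. 'OUT=') map to ''."""
    return dict(_FIELD_RE.findall(line))


def is_messenger_probe(fields):
    """True for an inbound TCP/UDP packet whose destination port is in
    MESSENGER_PORTS.  Lines with an empty IN= field are our own outbound
    traffic and are ignored."""
    if fields.get("PROTO") not in ("TCP", "UDP"):
        return False
    if not fields.get("IN"):
        return False
    try:
        return int(fields.get("DPT", "")) in MESSENGER_PORTS
    except ValueError:
        return False


def summarize_probes(lines):
    """Map source address -> Counter of (proto, dport) for matching lines."""
    hits = defaultdict(Counter)
    for line in lines:
        fields = parse_log_line(line)
        if is_messenger_probe(fields):
            hits[fields["SRC"]][(fields["PROTO"], int(fields["DPT"]))] += 1
    return dict(hits)


def noisiest_sources(lines, top=5):
    """Sources ordered by total matching packets, noisiest first."""
    summary = summarize_probes(lines)
    ranked = sorted(summary.items(), key=lambda kv: -sum(kv[1].values()))
    return [(src, sum(c.values())) for src, c in ranked[:top]]


# Constructed sample log: three popup datagrams from one host, one SMB probe
# from another, an unrelated HTTP request and one of our own outbound packets.
SAMPLE_LOG = [
    "Aug 19 23:24:53 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=1026 DPT=135 LEN=1100",
    "Aug 19 23:24:54 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=1026 DPT=135 LEN=1100",
    "Aug 19 23:24:55 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=1027 DPT=135 LEN=1100",
    "Aug 19 23:25:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=3391 DPT=445 SYN",
    "Aug 19 23:25:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.5 PROTO=TCP SPT=40112 DPT=80 SYN",
    "Aug 19 23:25:03 gw kernel: IN= OUT=eth0 SRC=198.51.100.5 DST=192.0.2.50 PROTO=TCP SPT=445 DPT=1045 ACK",
]

if __name__ == "__main__":
    for src, total in noisiest_sources(SAMPLE_LOG):
        print(f"{src:<16} {total} packet(s) to blocked ports")
```

A host that shows up here with repeated UDP 135 datagrams is the popup spam; a burst of TCP 445 or 139 SYNs from many sources in the same period is worm scanning (Blaster and Nachi were both active that week), which is the "bigger problem" the later reply warns about.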
Re: virus or hacked?
On Wed, 20 Aug 2003 at 7:51pm Johannes Catterwell wrote: Chris Todd schrieb: Thanks Chris Todd Computer Technician Computer Technician? you sure? That ain't nothing compared to the Network Security Engineer that posted a few messages before that had never heard of Blaster and has his servers set to auto-update from M$ (shudder). -- Joseph F. Noonan Rigaku/MSC Inc. [EMAIL PROTECTED]
Re: virus or hacked?
On Wed, 20 Aug 2003 [EMAIL PROTECTED] wrote: You *do* have to admit it's an unusual combination of skills to: a) have enough clue to get subscribed to NANOG-post *AND* b) not be able to identify Windows Messenger spam I dunno about that...I know when I first saw the Messenger spam on my wife's Win 2k box, I didn't know what it was, probably because I'm not a Windows user myself. It also boggled my mind that MS would leave that on by default. It still does, come to think of it... James Smallacombe PlantageNet, Inc. CEO and Janitor [EMAIL PROTECTED] http://3.am =
End of thread ; WAS: RE: virus or hacked?
Sorry folks, my last message being sent to the list was my fault - this topic has long gone off-list. Again, apologies. Cheers, Cade
Re: virus or hacked?
How catty. We all start somewhere, or have you forgotten? not only that, but we all start in exactly the same place -- with zero knowledge. there was a day when even X didn't know Y, for all X and Y. s.
Re: virus or hacked?
Oh I don't know. Many here do a pretty good impression of that unique combination of skills prior to that first cup of coffee :P [EMAIL PROTECTED] wrote: On Wed, 20 Aug 2003 13:45:46 EDT, Claire Kelly [EMAIL PROTECTED] said: How catty. We all start somewhere, or have you forgotten? You *do* have to admit it's an unusual combination of skills to: a) have enough clue to get subscribed to NANOG-post *AND* b) not be able to identify Windows Messenger spam
Re: To send or not to send 'virus in email' notifications?
on 8/20/2003 9:25 AM Joe Maimon wrote: Considering the amount of email traffic generated by responding to forged virus laden email from culprits like sobig should email virus scanning systems be configured to send notifications back to sender or not? The least-harmful yet still-compliant mechanism is to reject the message during the transfer stage, instead of during the delivery stage. If the victim is sending their mail using an MTA that is built into the worm, that should be the end of it. If the victim is sending the mail by way of a real server (eg, a submission server or a smarthost), then the transfer rejects will probably still result in delivery failure notifications being sent to the spoofed sender address. -- Eric A. Hall http://www.ehsco.com/ Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
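To make the transfer-stage versus delivery-stage distinction concrete, here is an added Python example (not code from the post) that simulates the server side of a minimal SMTP session twice over the same constructed client dialogue. In the first run the server answers the end of DATA with a 5xx, so the only thing the sending MTA ever sees is that reply and nothing is queued; in the second it answers 250 and scans later, which is what forces a failure notice to the envelope sender the worm forged. The hostnames, addresses and the stand-in attachment-name "scanner" are constructed; a real MTA would call its content scanner at the same point.

```python
"""Transfer-stage rejection versus accept-then-bounce, as an SMTP dialogue.

Added example, not code from the original post.  The server, addresses and
the stand-in scanner are constructed for this example.
"""
import re

_FILENAME_RE = re.compile(r'filename="?([^";\s]+)"?', re.IGNORECASE)
_EXEC_EXT_RE = re.compile(r"\.(?:pif|scr|exe|bat|com)$", re.IGNORECASE)


def looks_infected(body_lines):
    """Stand-in for a content scanner: flag any attachment whose
    Content-Disposition filename has an executable extension."""
    for line in body_lines:
        m = _FILENAME_RE.search(line)
        if m and _EXEC_EXT_RE.search(m.group(1)):
            return True
    return False


class SmtpSim:
    """Server side of a minimal SMTP session.  With reject_at_transfer=True
    an infected message gets a 550 at end-of-DATA; otherwise it is accepted
    and a delivery-failure notice (bounce) is generated afterwards."""

    def __init__(self, reject_at_transfer, scanner=looks_infected):
        self.reject_at_transfer = reject_at_transfer
        self.scanner = scanner

    def run(self, client_lines):
        """Feed the client's lines in order; return (replies, bounces)."""
        replies = ["220 mx.example.net ESMTP ready"]
        bounces = []
        mail_from, rcpts, body, in_data = None, [], [], False
        for line in client_lines:
            if in_data:
                if line == ".":
                    in_data = False
                    replies.append(self._end_of_data(mail_from, rcpts, body, bounces))
                    mail_from, rcpts, body = None, [], []
                else:
                    # RFC 5321 dot-unstuffing: a leading ".." is a literal "."
                    body.append(line[1:] if line.startswith("..") else line)
                continue
            verb = (line.split(None, 1) or [""])[0].split(":", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                replies.append("250 mx.example.net")
            elif verb == "MAIL":
                mail_from = line.split(":", 1)[1].strip()
                replies.append("250 2.1.0 Ok")
            elif verb == "RCPT":
                rcpts.append(line.split(":", 1)[1].strip())
                replies.append("250 2.1.5 Ok")
            elif verb == "DATA":
                if not rcpts:
                    replies.append("503 5.5.1 Need RCPT first")
                else:
                    in_data = True
                    replies.append("354 End data with <CR><LF>.<CR><LF>")
            elif verb == "QUIT":
                replies.append("221 2.0.0 Bye")
            else:
                replies.append("502 5.5.2 Command not implemented")
        return replies, bounces

    def _end_of_data(self, mail_from, rcpts, body, bounces):
        if not self.scanner(body):
            return "250 2.0.0 Queued"
        if self.reject_at_transfer:
            # The client gets the 5xx directly; nothing was queued, so there
            # is nothing to bounce and no backscatter.
            return "550 5.7.1 Message contains a virus; rejected"
        # Delivery-stage scanning: the message is already accepted, so the
        # failure has to be reported to the envelope sender, which the worm
        # forged.  A null reverse-path (<>) must never be bounced.
        if mail_from != "<>":
            bounces.append({"to": mail_from,
                            "subject": "Undelivered Mail Returned to Sender",
                            "rcpts": list(rcpts)})
        return "250 2.0.0 Queued"


# Constructed Sobig-style submission: forged envelope sender, .pif attachment.
CLIENT_SESSION = [
    "EHLO kyan.example.org",
    "MAIL FROM:<innocent@example.org>",
    "RCPT TO:<user@example.net>",
    "DATA",
    "From: innocent@example.org",
    "Subject: Thank you!",
    "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="your_document.pif"',
    "",
    "(constructed payload; no real code)",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for mode in (True, False):
        replies, bounces = SmtpSim(reject_at_transfer=mode).run(CLIENT_SESSION)
        print(f"reject_at_transfer={mode}: end-of-DATA reply {replies[-2]!r}, "
              f"{len(bounces)} bounce(s) to {[b['to'] for b in bounces]}")
```

The caveat in the post still applies: when the worm hands its mail to a real submission server or smarthost, that relay is the "client" here, receives the 550, and will itself generate the bounce to the forged sender. Rejecting at transfer only removes backscatter from the hop that does the scanning.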
Re: Email virus protection
Christopher J. Wolff wrote: Hello, What is the most common method for providing virus protection for your hosted email customers? Thank you in advance. The best method for protection of your network (by limiting exposure of your users to viruses) is to strip executable files. We replace the files with a small text file mentioning the filename and a brief description of why we stripped it and who to contact if they need the file. I recommend executable stripping before virus scanning in all cases. Virus scanning is still vulnerable to startup viruses (Sobig-F could have infected numerous users before the dat files update). -Jack
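As an added example that serves both this reply and the extension list posted earlier in the thread (not code from either poster), here is a Python implementation of the policy described: walk a MIME message, replace every attachment whose name matches the posted extension list with a small text/plain note naming the file and a contact, and leave everything else alone. The note text, the contact address, the per-recipient exemption and the sample Sobig-style message are constructed for the example; the extension list is the one from the thread.

```python
"""Strip executable attachments from a message and leave a placeholder note.

Added example, not the poster's code.  The extension list is the one posted
earlier in this thread; the note text, the contact address, the exemption
policy and the sample message are constructed for this example.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Extension list as posted earlier in the thread, anchored at the end of the
# filename and matched case-insensitively.
BLOCKED_EXT_RE = re.compile(
    r"\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?"
    r"|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])$",
    re.IGNORECASE,
)
CONTACT = "postmaster@example.net"     # constructed contact address


def is_blocked_filename(name):
    """True when the name ends in a blocked extension.  Trailing dots and
    spaces are removed first: Windows drops them when saving, so
    'invoice.exe.' is really 'invoice.exe'."""
    if not name:
        return False
    return BLOCKED_EXT_RE.search(name.rstrip(". ")) is not None


def strip_executables(raw, exempt=frozenset()):
    """Parse a raw RFC 5322 message and replace every blocked attachment with
    a text/plain note.  Messages addressed to an exempt recipient are passed
    through untouched.  Returns (message, list_of_stripped_filenames)."""
    msg = message_from_bytes(raw, policy=policy.default)
    rcpts = {addr.lower() for _, addr in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if rcpts & {a.lower() for a in exempt}:
        return msg, []
    stripped = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if is_blocked_filename(name):
            stripped.append(name)
            note = (f"Attachment {name!r} was removed.\n"
                    f"Its file type is executable and is commonly used by e-mail worms.\n"
                    f"If you need this file, contact {CONTACT}.\n")
            part.clear_content()        # drop payload and all Content-* headers
            part.set_content(note)      # becomes an inline text/plain part
    return msg, stripped


def attachment_names(msg):
    """Filenames of the parts that still carry one after processing."""
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]


def build_sample():
    """Constructed Sobig-style message: text body, a .pif and a .pdf."""
    m = EmailMessage()
    m["From"] = "forged@example.org"
    m["To"] = "user@example.net"
    m["Subject"] = "Thank you!"
    m.set_content("Please see the attached file for details.")
    m.add_attachment(b"MZ constructed, not real code",
                     maintype="application", subtype="octet-stream",
                     filename="your_document.pif")
    m.add_attachment(b"%PDF-1.4 constructed",
                     maintype="application", subtype="pdf",
                     filename="Q3_report.PDF")
    return m.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_executables(build_sample())
    print("stripped:", removed)
    print("remaining attachments:", attachment_names(cleaned))
```

Because the match is on the filename rather than a signature, the filter catches a new worm on day zero, which is the point the reply makes about scanning alone; the cost is that legitimate executables are held too, so the note and the contact address are what keep the support load manageable.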
Re: Hey netscalibur! (was: Re: Hijacked email)
On Wed, 20 Aug 2003, Christopher Chin wrote: Okie doke is Netscalibur in the house? I might assume so based on the nanog-ish return address on the received e-mail from [195.157.87.253]. This IP is sourcing Sobig.F to me, and *as* me. The received mail: From [EMAIL PROTECTED] Wed Aug 20 10:03:00 2003 Received: from KYAN ([195.157.87.253]) I got six various examples from this exact machine, until I just nullrouted Netscalibur's /16. They have been the only virus messages I've seen so far. matto [EMAIL PROTECTED]darwin Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in. #include disclaim.h
Re: Email virus protection
Yo Jack! On Wed, 20 Aug 2003, Jack Bates wrote: The best method for protection of your network (by limiting exposure of your users to viruses) is to strip executable files. We replace the files with a small text file mentioning the filename and a brief description of why we stripped it and who to contact if they need the file. I love guys like you. All my customers once had (still have) admins that filtered and cleaned their email for them. Also added firewalls for their protection. Now they are my customers because they do not want your protections. What you are doing is certainly proper in some cases. I would hope BofA learned that lesson after the last worm attack that killed their ATM network. That also means a lot of bank employees need to also have an ISP account from me to do things they can not do with their email on the job. RGDS GARY --- Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701 [EMAIL PROTECTED] Tel:+1(541)382-8588 Fax: +1(541)382-8676
OT but, OKc ISP?
Looking for someone who can provide dialup access while I'm traveling in OKC and the surrounding areas. Didn't want to end up with an AOL or something so if someone is providing services in the area and would contact me off list that would be great. Thanks!
Re: Email virus protection
Gary E. Miller wrote: I love guys like you. All my customers once had (still have) admins that filtered and cleaned their email for them. Also added firewalls for their protection. Now they are my customers because they do not want your protections. I never understood ISPs that can apply a filter but not make an exception. All my filters, network and service level, have exclusions. The filters are designed to protect the network from the users. Less than 0.1% of my users do not want such protections, and those users are cleared of them. In the last 3 days, I have received over 50 thank-you emails from customers concerning Sobig-F stripping. One user said that they wanted off filtering because they updated their anti-virus definitions once a week and that they were expecting an email from someone, but I'd stripped the attachment. It turns out that the user hadn't updated since Sobig-F released 2 days ago and since the from address was something he was looking for, he would have run the executable I'd stripped. I informed him that the file was viral, and he informed me that he'd like to keep the filtering. This is normal of most requests. I will agree with you that there are many networks that deploy filtering and do not work with the customer concerning the filtering. To do so is poor business practice in my opinion. The problem isn't the filtering. It is the lack of contact with the customer. -Jack
Re: Email virus protection
Hey - they aren't supposed to be using their work e-mail for stuff other than work - especially in a banking environment. I would be unhappy if my bank did not exclude executables from outside e-mail. Again, ITS YOUR EMPLOYERS NETWORK, NOT YOURS. - Original Message - From: Gary E. Miller [EMAIL PROTECTED] To: Jack Bates [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Wednesday, August 20, 2003 14:29 Subject: Re: Email virus protection Yo Jack! On Wed, 20 Aug 2003, Jack Bates wrote: The best method for protection of your network (by limiting exposure of your users to viruses) is to strip executable files. We replace the files with a small text file mentioning the filename and a brief description of why we stripped it and who to contact if they need the file. I love guys like you. All my customers once had (still have) admins that filtered and cleaned their email for them. Also added firewalls for their protection. Now they are my customers because they do not want your protections. What you are doing is certainly proper in some cases. I would hope BofA learned that lesson after the last worm attack that killed their ATM network. That also means a lot of bank employees need to also have an ISP account from me to do things they can not do with their email on the job. RGDS GARY --- Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701 [EMAIL PROTECTED] Tel:+1(541)382-8588 Fax: +1(541)382-8676
RE: To send or not to send 'virus in email' notifications?
Has anyone else gotten hit by this and know how to stop it? The new dats from McAfee have no effect, of course... and I can't find a tool anywhere. Does anyone have any ideas? Wes Vaux, CCNA, CCDA Network Security Engineer, 9000 Regency Pkwy Ste 500 Cary, NC 27511 t 919.463.6782 f 919.463.1290 Global Knowledge Experts Teaching Experts http://www.globalknowledge.com -Original Message- From: Daniel Senie [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 20, 2003 12:37 PM To: [EMAIL PROTECTED] Subject: Re: To send or not to send 'virus in email' notifications? Notifications from virus scanners are backscatter, just the same as the backscatter generated by Smurf attacks. The virus scanners are contributory technology in the conduct of a denial of service attack in exactly the same way as having directed broadcasts enabled on your routers was (read RFC 2644 for the details). Please let's stop building technology that aids in the conduct of DoS attacks.
Weird network problems
Is anyone out there tracking down some weird network behavior yesterday and today? I'm not talking about ping traffic from the worm or anything like that, I'm seeing TNT MAX boxes go unpingable, arp broadcast storms, one way traffic blocks on T1's between cisco routers, stuff that I have not been able to explain yet. Just wondering if it's only me seeing this or if others are working on the same sorts of issues. I heard a rumor that ICG was also experiencing some strange network problems so I figured it was time to post. Geo.
Plano, TX Legacy: Fiber Provider or Wireless Wireless question
Looking for any advice or pointers for obtaining multiple Gig links (last mile) in the Plano, TX area. The abundance of fiber options here seems to be decidedly underwhelming. Looking for suggestions including creative options such as wireless. I need to get from Plano to any closest better place for picking up multiple Gig Internet links. Wondering too what other large companies in this area have done for large internet links...any advice appreciated. Also, I'm reading now that more ISP's are using wireless for last mile provisioning on the new unlicensed frequencies. Was wondering if anyone had experience using Dragonwave or any similar wireless products in Texas. Do sandstorms and golf ball sized hail pose significant issues? Severe thunderstorms? Would like to chat with anyone with significant wireless experience in the Dallas area. Wouldn't mind speaking with an unfluffed sales person either. :-)
Re: Email virus protection
Christopher J. Wolff([EMAIL PROTECTED])@2003.08.20 10:50:55 +: What is the most common method for providing virus protection for your hosted email customers? Thank you in advance. Making them switch to a software product that does not auto-execute arbitrary chunks of code that come in via some network connection. Ok, you got me, it is not the most common method out there, but the most common method for my customers ;-) There's quite a lot of usable stuff out there. Many Win32 users have switched to Mozilla which seems to solve 100% of the Outlook-specific attacks which account for... hmmm... 100% of the malicious email messages of the last 6 months. Some switched to Mac. Many UNIX users are on mutt or similar MUAs which do not bear the potential for execution of arbitrary code. Sure, this does not apply for Exchange-driven installations that require Outlook, but there are also alternatives available. Deployment cost causes a certain lack of motivation to get rid of Exchange, but if you calculate a potential impact of Microsoft worms and viruses (virii?) in terms of damage to the company's data and infrastructure and also credibility, it's worth it, quite often. A bit more on the philosophical side of things, the international press and media - and many people reading or watching those media - mix up the terms internet threat, Microsoft-specific threat and Outlook-specific threat which leads to a totally twisted perspective of the current events. Fact is, that there's a broad base of installed and Microsoft-driven PCs which are vulnerable. Customers often realize this after you explain it to them step-by-step and they seem very happy with their new knowledge about what actually caused the vulnerability of their company and information infrastructure. Some of them - call them brave - take immediate action and implement fallback or alternative solutions. Regards, /k -- Parts that don't exist can't break. --Russell Nelson webmonster.de -- InterNetWorkTogether -- built on the open source platform http://www.webmonster.de/ - ftp://ftp.webmonster.de/ - http://www.rohrbach.de/ GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6 Please do not remove my address from To: and Cc: fields in mailing lists. 10x
Re: Plano, TX Legacy: Fiber Provider or Wireless Wireless question
Wireless is a good option with a few caveats:
1. At the speeds you are talking about, you need line of sight. Usually, this means getting up high to account for curvature of the earth and clearing of what is called the Fresnel zone for the particular frequency you are using.
2. You will need to use some of the higher frequency systems to get link speeds of a gig or more. There are 23ghz unlicensed systems as well as 60ghz unlicensed systems. The 60ghz systems will get you higher speeds but the link distance will be on the order of hundreds of meters.
3. Link planning will be a critical exercise. If you really NEED the high availability, you can get it by properly considering the distance you need to go, the speeds you will use, the frequencies you will transmit at, and the statistical expectations of weather and other factors that will affect the total path attenuation the system will encounter. Systems that average availability of 99.99% are commonplace and 99.999% can be achieved by using shorter path distances.
Try the guys at www.ydi.com. They will steer you right. -Richard [EMAIL PROTECTED] wrote: Looking for any advice or pointers for obtaining multiple Gig links (last mile) in the Plano, TX area. The abundance of fiber options here seems to be decidedly underwhelming. Looking for suggestions including creative options such as wireless. I need to get from Plano to any closest better place for picking up multiple Gig Internet links. Wondering too what other large companies in this area have done for large internet links...any advice appreciated. Also, I'm reading now that more ISP's are using wireless for last mile provisioning on the new unlicensed frequencies. Was wondering if anyone had experience using Dragonwave or any similar wireless products in Texas. Do sandstorms and golf ball sized hail pose significant issues? Severe thunderstorms? Would like to chat with anyone with significant wireless experience in the Dallas area. Wouldn't mind speaking with an unfluffed sales person either. :-)
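Points 1 and 2 of the reply above can be put into numbers. This is an added Python example, not from the post: it computes the first-Fresnel-zone radius and the refraction-corrected earth bulge at the midpoint of a path and from them the minimum antenna height (over flat terrain, equal at both ends) needed for the customary 60% Fresnel clearance, for the 23 GHz and 60 GHz bands the reply mentions. The path lengths are constructed; the k = 4/3 effective-earth-radius factor is the standard-atmosphere assumption.

```python
"""First-Fresnel-zone and earth-bulge clearance for a microwave path.

Added example, not from the original post.  It works the reply's two
planning items (line of sight over the earth's curvature, Fresnel-zone
clearance) through for the frequencies mentioned.  Path lengths are
constructed.
"""
import math

C_M_PER_S = 299_792_458.0
EARTH_RADIUS_M = 6_371_000.0
K_FACTOR = 4.0 / 3.0      # standard-atmosphere effective-earth-radius factor


def fresnel_radius_m(freq_hz, d1_m, d2_m, zone=1):
    """Radius of Fresnel zone n at a point d1 from one antenna and d2 from
    the other: r_n = sqrt(n * lambda * d1 * d2 / (d1 + d2))."""
    wavelength = C_M_PER_S / freq_hz
    return math.sqrt(zone * wavelength * d1_m * d2_m / (d1_m + d2_m))


def earth_bulge_m(d1_m, d2_m, k=K_FACTOR):
    """Height of the (refraction-corrected) earth surface above the chord
    joining the two path ends, at the same point: h = d1*d2 / (2*k*R)."""
    return d1_m * d2_m / (2.0 * k * EARTH_RADIUS_M)


def min_antenna_height_m(freq_hz, path_m, fresnel_fraction=0.6):
    """Minimum antenna height above flat terrain, equal at both ends, so the
    path clears the earth bulge plus the usual 60% of the first Fresnel
    zone.  Both terms peak at the midpoint of a symmetric path, so that is
    where the check is made."""
    mid = path_m / 2.0
    return earth_bulge_m(mid, mid) + fresnel_fraction * fresnel_radius_m(freq_hz, mid, mid)


def path_budget_table(freq_hz, path_lengths_m):
    """Rows of (path length, F1 radius at midpoint, bulge at midpoint,
    required antenna height), all in metres."""
    rows = []
    for d in path_lengths_m:
        mid = d / 2.0
        rows.append((d, fresnel_radius_m(freq_hz, mid, mid),
                     earth_bulge_m(mid, mid), min_antenna_height_m(freq_hz, d)))
    return rows


if __name__ == "__main__":
    # Constructed path lengths: typical 23 GHz hops and short 60 GHz hops.
    for ghz, lengths in ((23, (2_000, 5_000, 10_000)), (60, (200, 500, 1_000))):
        print(f"{ghz} GHz")
        for d, f1, bulge, h in path_budget_table(ghz * 1e9, lengths):
            print(f"  {d / 1000:5.1f} km  F1 {f1:5.2f} m  bulge {bulge:5.2f} m"
                  f"  min height {h:5.2f} m")
```

The numbers show why the reply says "get up high": on a 5 km 23 GHz hop the Fresnel term alone is over two metres at the midpoint, and real terrain, buildings and trees add to the flat-earth figure computed here. Rain attenuation (point 3) is a separate budget item and is not modelled.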
Re: Email virus protection
Jack Bates([EMAIL PROTECTED])@2003.08.20 15:49:01 +: That's what the net admin was telling me when I mentioned one of his branch bank offices had Sobig-F. Apparently they all run A/V and I think he said his mail server does as well. Unfortunately, they still allow executables in. The problem is the false sense of security while using anti-virus products. For having a working signature, somebody has to be hit first and submit the virus to the AV vendor. This requires a certain time, which leads - in case of the latest worm occurrences which appear to be pretty aggressive - to a certain amount of infections that happen before there are signatures available. And then, the update still has to be downloaded to the AV scanning software which extends the time window being unprotected against a certain worm or virus variant. So, the virus and worm authors are always one step ahead. This is by design of the AV concept. Better put the wasted cash and time into the design of better systems, which brings the software developers this critical one step in the lead. Due to what obscure reason does a mail user agent have to execute interpreted code and do unasked things to mail attachments, nowadays? Regards, /k -- Those who do not understand Unix are condemned to reinvent it, poorly. --Henry Spencer webmonster.de -- InterNetWorkTogether -- built on the open source platform http://www.webmonster.de/ - ftp://ftp.webmonster.de/ - http://www.rohrbach.de/ GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6 Please do not remove my address from To: and Cc: fields in mailing lists. 10x
Re: Email virus protection
On Wed, 20 Aug 2003, Karsten W. Rohrbach wrote: Some switched to Mac. Many UNIX users are on mutt or similar MUAs which do not bear the potential for execution of arbitrary code. http://www.cert.org/advisories/CA-1997-14.html http://www.cert.org/advisories/CA-1998-10.html Wow, the second one even mentions Mutt by name. [EMAIL PROTECTED]darwin Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in. #include disclaim.h
Re: Plano, TX Legacy: Fiber Provider or Wireless Wireless question
Wireless is a good option but you might want to look at the licensed services as well. Licensing in most cases is a formality handled by the vendor along with a nominal user fee sent to the FCC. Unlicensed systems are regulated by part 15 of the FCC regulations which read DEVICE MUST ACCEPT INTERFERENCE; this means if another service with primary allocation in those frequency bands begins to interfere with your service you are up a well known creek without propulsion. Secondly if your device/link interferes with a licensed device YOU must fix the interference at your expense or terminate the operation of the interfering device. This part of the US code has the full power and majesty of the federal government behind it and since the primary services in these bands are the Government Radiolocation Service in fedspeak better known as Military Radar to the rest of us the enforcement stick is quite large (5-10k$/Day fines and prison terms) Scott C. McGrath On Wed, 20 Aug 2003, N. Richard Solis wrote: Wireless is a good option with a few caveats:
1. At the speeds you are talking about, you need line of sight. Usually, this means getting up high to account for curvature of the earth and clearing of what is called the Fresnel zone for the particular frequency you are using.
2. You will need to use some of the higher frequency systems to get link speeds of a gig or more. There are 23ghz unlicensed systems as well as 60ghz unlicensed systems. The 60ghz systems will get you higher speeds but the link distance will be on the order of hundreds of meters.
3. Link planning will be a critical exercise. If you really NEED the high availability, you can get it by properly considering the distance you need to go, the speeds you will use, the frequencies you will transmit at, and the statistical expectations of weather and other factors that will affect the total path attenuation the system will encounter. Systems that average availability of 99.99% are commonplace and 99.999% can be achieved by using shorter path distances.
Try the guys at www.ydi.com. They will steer you right. -Richard [EMAIL PROTECTED] wrote: Looking for any advice or pointers for obtaining multiple Gig links (last mile) in the Plano, TX area. The abundance of fiber options here seems to be decidedly underwhelming. Looking for suggestions including creative options such as wireless. I need to get from Plano to any closest better place for picking up multiple Gig Internet links. Wondering too what other large companies in this area have done for large internet links...any advice appreciated. Also, I'm reading now that more ISP's are using wireless for last mile provisioning on the new unlicensed frequencies. Was wondering if anyone had experience using Dragonwave or any similar wireless products in Texas. Do sandstorms and golf ball sized hail pose significant issues? Severe thunderstorms? Would like to chat with anyone with significant wireless experience in the Dallas area. Wouldn't mind speaking with an unfluffed sales person either. :-)
Re: Email virus protection
On Wed, 20 Aug 2003, Karsten W. Rohrbach wrote:

just me([EMAIL PROTECTED])@2003.08.20 14:17:17 +:

http://www.cert.org/advisories/CA-1997-14.html
http://www.cert.org/advisories/CA-1998-10.html

Wow, the second one even mentions Mutt by name.

The more recent of those two advisories is dated August 11, 1998. What are you trying to express by citation of those pretty outdated CERT advisories? If you are trying to imply that software does not improve in a time frame of five years, go ahead and convince me. =)

It's happened before, it'll happen again. Please don't pretend that your MUA-du-jour is somehow invulnerable by design, unless you've audited every line of code yourself.

On a different angle, the apparent problem of a software product being vulnerable to an exploit is not solved by deploying a - albeit well-patched - application monoculture worldwide. Risk is lowered by using more well-designed software packages out there. Diversity is the name of the game, it's nature's solution and it seems to work quite well.

I completely agree. Which is why I discourage people from using Outlook Express as well as Mutt.

matto [EMAIL PROTECTED]darwin

Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in.
#include disclaim.h
Re: Email virus protection
just me([EMAIL PROTECTED])@2003.08.20 14:41:02 +:

Please don't pretend that your MUA-du-jour is somehow invulnerable by design, unless you've audited every line of code yourself.

I don't. Mutt and similar MUAs are prone to misconfiguration, which makes them vulnerable to some degree, but this fact alone does not expose enough surface for implementation of an internet-wide worm attack ;-)

Perhaps Outlook is a secure and performant email solution - in, say, 3 to 4 years from now, but this means a drastic change of course for the vendor. In end-user application design, finding the right mix between security and convenience (which tend to be mutually exclusive, in one way or the other) is a critical design decision. You get the point.

On a different angle, the apparent problem of a software product being vulnerable to an exploit is not solved by deploying a - albeit well-patched - application monoculture worldwide. Risk is lowered by using more well-designed software packages out there. Diversity is the name of the game, it's nature's solution and it seems to work quite well.

I completely agree. Which is why I discourage people from using Outlook Express as well as Mutt.

So the interesting question in the context of this email thread is: what do you encourage them for?

Regards,
/k

--
Horngren's Observation: Among economists, the real world is often a special case.
webmonster.de -- InterNetWorkTogether -- built on the open source platform
http://www.webmonster.de/ - ftp://ftp.webmonster.de/ - http://www.rohrbach.de/
GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
Re: Email virus protection
On Thu, 21 Aug 2003, Karsten W. Rohrbach wrote:

Mutt and similar MUAs are prone to misconfiguration, which makes them vulnerable to some degree, but this fact alone does not expose enough surface for implementation of an internet-wide worm attack ;-)

So you are saying that all MUAs are prone to vulnerabilities through misconfiguration, and the reason for Outlook's prominence is simply its larger installed base? If so, I completely agree with you.

In end-user application design, finding the right mix between security and convenience (which tend to be mutually exclusive, in one way or the other) is a critical design decision. You get the point.

Indeed. I certainly wish Outlook was shipped with more sane settings.

I completely agree. Which is why I discourage people from using Outlook Express as well as Mutt.

So the interesting question in the context of this email thread is: what do you encourage them for?

My brother has used MH for the last 20 years or so, without ill effect. However, I believe it was also vulnerable in '97 because of its inclusion of metamail functionality. I've been impressed with Ximian's Evolution, but have no false hopes for its integrity in the face of malicious content. There certainly is no universal best mail client. If I encourage anything, it's to use the client folks are most comfortable with.

Regards,
/k

matto [EMAIL PROTECTED]darwin

Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in.
#include disclaim.h
Re: Email virus protection
At 02:07 PM 8/20/2003, Karsten W. Rohrbach wrote:

There's quite a lot of usable stuff out there. Many Win32 users have switched to Mozilla which seems to solve 100% of the Outlook-specific attacks which account for... hmmm... 100% of the malicious email messages of the last 6 months.

Unfortunately, that's not true. My father has to use Windoze because several software programs for his industry (Real Estate, specifically managing rentals) only come in Windoze flavors. He stays away from M$ client software whenever possible and was using Mozilla for email (until yesterday; I'm getting him started on Eudora). His email software doesn't automatically open attachments for him. He knows better than to manually open random attachments that don't look like something businesslike, but a few weeks ago one caught him during the vulnerable period (after the virus started making the rounds, before he had updated the virus definitions) and managed to pretend to be a type of file he *does* expect in his day to day business (an application attachment). Oops.

Now he finally *really* understands why I'm adamant about frequently updating the virus definitions (I presently have his antivirus software set to check for updates every 4 hours) and having a strong firewall, and not loading unnecessary applications on his work computer.

jc
RE: To send or not to send 'virus in email' notifications?
The right answer for the original question is probably "Buy an email server package with virus scanning hooks" or "Get a virus scanner with sendmail milter hooks" rather than specific details of how to set it...

The suggestion to do virus filtering during the message transfer stage rather than the delivery stage is good. It looks like sendmail milters can be tweaked to do this, though unless they can recognize the virus from the mail headers, they have to wait until the end-of-message hook to do it, i.e. after the whole virus has been transferred but before the message acceptance codes get transferred. It's too bad that it's difficult to send a reject code and continue a teergrube at the same time.

For virus scanners that run at other stages in the delivery process, the right decision about whether to do a notification or not is virus-dependent, if your anti-virus package supports it. Sobig almost always forges sender addresses, so it shouldn't get a reply, but some other viruses don't forge the sender, and should get the reply. Limiting the responses to once a week per sender or whatever may help, but only if the same sender gets forged a lot.

Yet another reason to cryptographically sign your outgoing mail, not that I usually do so or that most people or mail clients check.

Thanks; Bill Stewart
HP Openview possibly affected by MSBlaster
http://hpat962.external.hp.com/blaster.jsp?print=1
TNTs Rebooting, was RE: Weird network problems
In a word, Yes. We've got two TNTs that have been rock-solid for over a year that have rebooted 6 times in two days. Any help at all would be most appreciated.

Thanks in Advance,
Ejay Hire

-Original Message-
From: Geo. [mailto:[EMAIL PROTECTED]]
Sent: Wed 8/20/2003 3:45 PM
To: [EMAIL PROTECTED]
Cc:
Subject: Weird network problems

Is anyone out there tracking down some weird network behavior yesterday and today? I'm not talking about ping traffic from the worm or anything like that; I'm seeing TNT MAX boxes go unpingable, ARP broadcast storms, one way traffic blocks on T1's between Cisco routers, stuff that I have not been able to explain yet. Just wondering if it's only me seeing this or if others are working on the same sorts of issues. I heard a rumor that ICG was also experiencing some strange network problems so I figured it was time to post.

Geo.
Re: Weird network problems
Is anyone out there tracking down some weird network behavior yesterday and today? I'm not talking about ping traffic from the worm or anything like that; I'm seeing TNT MAX boxes go unpingable, ARP broadcast storms, one way traffic blocks on T1's between Cisco routers, stuff that I have not been able to explain yet.

I'm seeing the exact same issues with the TNTs and am in the process of trying to track down exactly what is causing it. So far no pattern has emerged.

andy

--
PGP Key Available at http://www.tigerteam.net/andy/pgp
Re: TNTs Rebooting, was RE: Weird network problems
On Wed, 20 Aug 2003, Ejay Hire wrote:

In a word, Yes. We've got two TNTs that have been rock-solid for over a year that have rebooted 6 times in two days. Any help at all would be most appreciated.

Has anyone opened a ticket with Lucent about this? My initial feeling is some traffic pattern, possibly a side effect of the recent instability, could be causing it.

Thanks.

andy

--
PGP Key Available at http://www.tigerteam.net/andy/pgp
Re: TNTs Rebooting, was RE: Weird network problems
On Wed, 20 Aug 2003, Andy Walden wrote:

Has anyone opened a ticket with Lucent about this? My initial feeling is some traffic pattern, possibly a side effect of the recent instability, could be causing it. Thanks.

Lucent is aware of the problem and is working on a fix. One of our networks is O1 and they use massive amounts of TNTs. Excerpt from their announcement yesterday:

...an intermittent problem that has been discovered to be affecting a specific type of network card used by some of the NAS devices that populate our network. The problem is exacerbated by the blaster worm and has been replicated by Lucent, our vendor and others. In order to resolve the issue, we are working with Lucent to test and deploy an emergency updated version of software to the affected NAS devices.

Jim

--
See what ISP-Planet is saying about us! http://isp-planet.com/services/wholesalers/flexpop.html
Jim Dawson [EMAIL PROTECTED]
Flexpop/Navi.Net http://www.flexpop.net
618 NW Glisan St. Ste. 101 v. +1.503.517.8866
Portland, Or 97209 USA f. +1.503.517.8868
Re: Email virus protection
To answer the original question asked...

At 10:50 -0700 8/20/03, Christopher J. Wolff wrote:

What is the most common method for providing virus protection for your hosted email customers? Thank you in advance.

We use a layered approach, with Postini being the front line... they do an *excellent* job, and we - and our clients - love them. http://www.postini.com

We forced all the (mail) domains we host to use Postini about a year ago when our mail servers came under some serious directory harvest attacks. We allow clients to opt-out of the spam filtering if they want, but still run the mail through Postini's system anyway to stop directory harvest and virus attacks. Postini can be set to filter, but not quarantine, which looks to our opt-out clients like no filtering but still saves our mailservers from most assaults.

Second layer is some nice configuration options on our customer-facing mail servers, which run CommunigatePro from Stalker. http://www.stalker.com

CGP is as full featured as Exchange, but without the BS. Plus it has the added benefit of actually working as advertised, and can be run on virtually *any* platform. The suits like the buzzword-compliance and the fact that it is commercially supported (excellent support too, I'll add). The geeks like it because it *works*... and on any platform they choose.

The last layer is of course the hardest to control, as it is out of our hands and in the client's, but we strongly suggest that they use a mail client that doesn't auto-execute code.

Myself, I use Eudora on my PowerBook running OS X. I know that doesn't make me somehow immune to everything... just the vast majority. My nanog list mail account got joejobbed by the Netscalibur user, both as sender and receiver (supposedly from Valdis Kletnieks, and somebody at NetSol), and I've never seen what an Outlook mail client looks like. =)

I have to agree with Mr. Donelan who said here: (Microsoft) Outlook, the exploding Pinto on the information superhighway.

Regards,
--
Chuck Goolsbee
V.P. Technical Operations
digital.forest - where Internet solutions grow
Phone: +1-877-720-0483, x2001
Int'l: +1-425-483-0483
Fax: +1-425-482-6871
19515 North Creek Parkway, Suite 208
Bothell, WA 98011
http://www.forest.net
email: [EMAIL PROTECTED]
XO as a provider
Anyone have positive or negative experiences with XO as a 'tier1' provider? We are re-evaluating our backbone connections and looking for new where appropriate. Bil Herd - INS
XO as Backbone provider - try again
Sorry for the HTML post (boo, hiss)

Anyone have positive or negative experiences with XO as a 'tier1' provider? We are re-evaluating our backbone connections.

Bil Herd - INS
Re: Email virus protection
On Wed, Aug 20, 2003 at 03:46:48PM -0700, JC Dill wrote:

At 02:07 PM 8/20/2003, Karsten W. Rohrbach wrote:

There's quite a lot of usable stuff out there. Many Win32 users have switched to Mozilla which seems to solve 100% of the Outlook-specific attacks which account for... hmmm... 100% of the malicious email messages of the last 6 months.

Unfortunately, that's not true. My father has to use Windoze because several software programs for his industry (Real Estate, specifically managing rentals) only come in Windoze flavors. He stays away from M$ client software whenever possible and was using Mozilla for email (until yesterday, I'm getting him started on Eudora). His email software doesn't automatically open attachments for him.

For some (but not all) folks, you can run such software on a Windows virtual machine (I use Win4Lin) under a Unix or Linux OS. That might be an attractive and not very expensive solution for the above.

jc

--
-=[L]=-
Re: Hijacked email
On Wed, Aug 20, 2003 at 11:28:27AM -0400, Omachonu Ogali wrote:

For our Postfix viewers out there...

header_checks:
/^X-MailScanner: Found to be clean$/ REJECT You're infected, but you probably won't see this message anyway.

Of course, this will also block legitimate messages that have been scanned by whatever type of virus scanner adds that header. Wietse suggests the following body check; it will work better with Postfix 2.0:

http://sbserv.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_sobigf.shtml

This is working well for us. You could also probably look for the following three lines in a row (I'll indent a space so they don't set off people who are blocking based on the above rules):

 X-MailScanner: Found to be clean
 Importance: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2600.

We're seeing a LOT of these today, probably in the thousands per second.

--
Since when is skepticism un-American? Dissent's not treason but they talk like it's the same... (Sleater-Kinney - Combat Rock)
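As an added illustration of the two checks discussed in the post above (this is not code from the post or from Postfix, and the two sample messages are constructed), a small Python emulation of Postfix-style header checks: the single-header rule from the post also rejects a legitimately scanned message, while the three-headers-in-a-row check only fires on the forged sequence.

```python
import re
from email import message_from_string
from typing import List, Pattern, Tuple

# Added example, not the post's or Postfix's own code. It emulates the spirit
# of Postfix header_checks: each rule regex is tested against one complete
# "Name: value" header line and the first matching rule decides the action.
# The rule text is the one quoted in the post above.
SINGLE_HEADER_RULES: List[Tuple[Pattern[str], str]] = [
    (re.compile(r"^X-MailScanner: Found to be clean$"),
     "REJECT You're infected, but you probably won't see this message anyway."),
]

# The three consecutive headers the post says the worm emits, in that order.
SOBIG_F_SEQUENCE: List[Pattern[str]] = [
    re.compile(r"^X-MailScanner: Found to be clean$"),
    re.compile(r"^Importance: Normal$"),
    re.compile(r"^X-Mailer: Microsoft Outlook Express 6\.00\.2600\."),
]

# Constructed sample messages (not real captures). Header order matters for
# the sequence check, exactly as it does for a header/body check on the wire.
WORM_LIKE_SAMPLE = """\
From: colleague@example.org
To: you@example.net
Subject: Thank you!
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

Please see the attached file for details.
"""

LEGIT_SCANNED_SAMPLE = """\
From: colleague@example.org
To: you@example.net
Subject: Re: meeting notes
X-MailScanner: Found to be clean
X-Mailer: Mutt/1.4i

See you Thursday.
"""


def header_lines(raw: str) -> List[str]:
    """Return the message's headers as 'Name: value' strings in wire order."""
    msg = message_from_string(raw)
    return [f"{name}: {value}" for name, value in msg.items()]


def single_header_check(raw: str) -> str:
    """Postfix-style single-line rule table: the first matching header wins."""
    for line in header_lines(raw):
        for pattern, action in SINGLE_HEADER_RULES:
            if pattern.search(line):
                return action
    return "OK"


def sequence_check(raw: str,
                   sequence: List[Pattern[str]] = SOBIG_F_SEQUENCE) -> str:
    """Reject only when every pattern matches consecutive header lines."""
    lines = header_lines(raw)
    span = len(sequence)
    for start in range(len(lines) - span + 1):
        window = lines[start:start + span]
        if all(p.search(line) for p, line in zip(sequence, window)):
            return "REJECT forged Sobig-F header sequence"
    return "OK"


if __name__ == "__main__":
    for label, sample in (("worm-like", WORM_LIKE_SAMPLE),
                          ("legit scanned", LEGIT_SCANNED_SAMPLE)):
        print(f"{label:14} single-header: {single_header_check(sample)}")
        print(f"{label:14} sequence:      {sequence_check(sample)}")
```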
Re: Hijacked email
On Wed, Aug 20, 2003 at 06:13:58PM -0700, Will Yardley wrote:

We're seeing a LOT of these today, probably in the thousands per second.

Eep - sorry for the annoying self-followup, but that should read thousands per minute (and that during peak hours) -- it's bad, but not THAT bad.

--
Since when is skepticism un-American? Dissent's not treason but they talk like it's the same... (Sleater-Kinney - Combat Rock)
Re: XO as Backbone provider - try again
Sorry for the HTML post (boo, hiss)

Anyone have positive or negative experiences with XO as a 'tier1' provider? We are re-evaluating our backbone connections.

Consensus opinion of friends and associates: OK network, but they will take forever and a day to install anything at all. Example: a rack + handoff -in their colo- is 55 days and counting.

-alex
[brian@linuxwidows.com: Re: HP Openview possibly affected by MSBlaster]
- Forwarded message from Brian Coyle [EMAIL PROTECTED] -

On Wednesday 20 August 2003 20:03, Len Rose wrote:

http://hpat962.external.hp.com/blaster.jsp?print=1

We found blaster would tickle opcctla (listening on port 135) and trigger this Solaris rpcbind failure...

http://www.sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50922zone_32=rpcbind

The patch seems to have corrected the problem.

[can you forward to nanog? I'm not sub'd to -post. THANX! ]

--
Brian Coyle, GCIA http://www.giac.org/GCIA.php

- End forwarded message -
Re: Email virus protection
Warning, this is an off-topic rant about client software and the state of the world WRT Windows and Linux. There is zero operational content in this post.

At 06:07 PM 8/20/2003, Lou Katz wrote:

On Wed, Aug 20, 2003 at 03:46:48PM -0700, JC Dill wrote:

At 02:07 PM 8/20/2003, Karsten W. Rohrbach wrote:

There's quite a lot of usable stuff out there. Many Win32 users have switched to Mozilla which seems to solve 100% of the Outlook-specific attacks which account for... hmmm... 100% of the malicious email messages of the last 6 months.

Unfortunately, that's not true. My father has to use Windoze because several software programs for his industry (Real Estate, specifically managing rentals) only come in Windoze flavors. He stays away from M$ client software whenever possible and was using Mozilla for email (until yesterday, I'm getting him started on Eudora). His email software doesn't automatically open attachments for him.

For some (but not all) folks, you can run such software on a Windows virtual machine (I use Win4Lin) under a Unix or Linux OS. That might be an attractive and not very expensive solution for the above.

He needs to be able to automatically and easily move data between all his programs. It's not at all unusual for him to scan a document with PaperPort, then export it to Acrobat, then attach it to email and send. Then he needs to automatically accept a fax and transfer it into PaperPort, so incoming faxes come in with WinFaxPro. Then he needs to transfer data from an email into Homeworks, or Promas. Then he needs to type up a document in WordPerfect (grabbing the address data from his Palm software), send attached to an email, also attaching a document just received via fax or just scanned. Typically he has 6 or more programs all open at once. We just upgraded the RAM so that his computer could handle all this in native Windows2k. He (which means me, when he has problems) has enough trouble getting everything working nice/nice under Windows.

It would be impossible to get it all working seamlessly with some of these applications in Windows inside Linux and others inside Linux itself. If we aren't running at least 1/2 of his applications under Linux itself, I don't see much purpose in running Linux at all. Is there a Linux program that does what WinFaxPro does (booting at startup, automatically answering incoming faxes, saving in a format that can be exported to Acrobat or PaperPort, automatically forwarding a copy of the fax via email)? Is there a Linux program that does what PaperPort does (scanning and filing all paperwork, then saving the file thru Acrobat or Photoshop, transferring to email or fax or OCR and into WP)? I'm quite sure that there aren't any Linux programs like Homeworks or ListTrak or Promas (all Real Estate speciality programs required for his business). So at most, he can use Linux with the Palm software (maybe), a browser (he's already using Mozilla under Win2K, so this isn't a big gain), an email client (he's using Eudora now, and I don't believe they have a Linux version), and Star Office (maybe, if it doesn't crash) for a WordPerfect solution. Except that he really needs to migrate *off* WP and onto Word because he needs to send and receive docs in the format everyone else uses (Word, unfortunately).

In many cases he'd have to pay to buy new Linux versions of software he has already purchased for Windows (like Acrobat, Word, Norton Antivirus or the equivalent, with update license) even though some equivalent applications can be had for free (Gimp for Photoshop). Then there's the learning curve; I'm sure that Gimp doesn't work *exactly* like Photoshop, he will have to learn to do things differently. And this assumes all his RE software will run in a Win4Lin environment. Can you say "the vendor doesn't support that", boys and girls? :-( Yeah, I thought you could.

A support tech drove from San Jose to Monterey yesterday to install a ListTrak because they have problems installing it on Win2K systems with SP4. There's NFW they would support any of these programs if they were installed under Win4Lin or if we had problems with them running under Win4Lin but they run fine in Windows2k itself.

Oh, and he needs to be able to print from all programs to the HP 3330, which is directly connected to the desktop computer and accessed by the laptop as a Windows network printer. Due to program driver weirdness (particularly with Promas) he has two different instances of this printer installed with two different drivers; he uses one version for some programs, the other version for the others.

Then there's the hardware. His desktop box is an el cheapo Compaq Presario desktop computer with 2 different CD drives (one reads, one reads and writes) with an internal zip drive and internal floppy. It also has a modem (months ago I replaced the crappy win-modem with a real one so that WinFaxPro would work)
RE: To send or not to send 'virus in email' notifications?
For virus scanners that run at other stages in the delivery process, the right decision about whether to do a notification or not is virus-dependent, if your anti-virus package supports it. Sobig almost always forges sender addresses, so it shouldn't get a reply, but some other viruses don't forge the sender, and should get the reply. Limiting the responses to once a week per sender or whatever may help, but only if the same sender gets forged a lot.

One of my pet peeves is anti-virus programs that detect a virus by name, so they should know that it always spoofs the sender address, still sending messages referring to "the message you sent". I wonder if people receive those, scan for viruses, and then when they don't find one, do one of the following:

1) Take their computer to a computer store and pay for needless 'repairs', or
2) Reinstall/reformat rather than take chances.

At a very minimum, guys, adjust your messages to say "an email that appears to have been sent by you" or similar language to indicate that you don't know for sure who sent the message.

DS
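The notification policy the two posts above describe (virus-dependent, rate-limited per apparent sender, and worded to say the mail only appears to come from that address), as an added Python example that is not code from either post; the set of sender-forging viruses, the one-week window and the "unknown virus means no notice" choice are constructed assumptions.

```python
from typing import Dict, Optional, Set, Tuple

# Added example, not from either post. Viruses known to forge the sender
# address: a notice to the apparent sender would reach an innocent third
# party. Sobig-F is the one named on this page; the set is an assumption.
SENDER_FORGING_VIRUSES: Set[str] = {"W32/Sobig-F"}

ONE_WEEK = 7 * 24 * 3600  # "once a week per sender", as suggested above


class NotificationPolicy:
    """Decide whether an infected message should trigger a notice to its sender.

    Rules, following the discussion above:
      * scanner named the virus and it is known to forge senders: no notice;
      * scanner could not name the virus: no notice (conservative assumption,
        since we cannot tell whether the sender is real);
      * otherwise notify, but at most once per apparent sender per window.
    """

    def __init__(self, forging: Set[str] = SENDER_FORGING_VIRUSES,
                 window_seconds: int = ONE_WEEK) -> None:
        self.forging = forging
        self.window = window_seconds
        # apparent sender -> time of the last notice we sent it
        self.last_notice: Dict[str, float] = {}

    def decide(self, virus_name: Optional[str], sender: str,
               now: float) -> Tuple[bool, str]:
        """Return (should_notify, reason) for one detection at time `now`."""
        if virus_name is None:
            return False, "virus not identified; sender may be forged"
        if virus_name in self.forging:
            return False, f"{virus_name} forges sender addresses; no notice"
        last = self.last_notice.get(sender)
        if last is not None and now - last < self.window:
            return False, f"already notified {sender} within the window"
        self.last_notice[sender] = now
        return True, "notify"

    @staticmethod
    def notice_text(virus_name: str, sender: str) -> str:
        # Wording as suggested above: say "appears to have been sent by",
        # never assert that the recipient actually sent the infected message.
        return (f"A message that appears to have been sent by {sender} was "
                f"blocked because it contained {virus_name}. If you did not "
                f"send it, the sender address was probably forged and no "
                f"action is needed.")
```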
www.ebay.com down?
Have not been able to search for items on www.ebay.com since 8:55pm PDT 8/20/2003. Do you see the same thing?

richg
Re: www.ebay.com down?
Hello Richard,

Thursday, August 21, 2003, 1:05:15 AM, you wrote:

RG Have not been able to search for items on www.ebay.com since
RG 8:55pm PDT 8/20/2003.
RG Do you see the same thing?

It is slow, but I can get to it on my Adelphia -- MFN connection at home.

allan

--
Allan Liska
[EMAIL PROTECTED]
http://www.allan.org
http://www.hosthideout.com
Re: www.ebay.com down?
We were unable to process your request

We are sorry, but we were unable to process your request. Please check the eBay Announcement Board for updates on recent and upcoming changes, major system issues, and other important eBay news.

however I was unable to reach the announcement board

Mehmet Akcin

- Original Message -
From: Allan Liska [EMAIL PROTECTED]
To: Richard Gross [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 1:06 AM
Subject: Re: www.ebay.com down?

Hello Richard,

Thursday, August 21, 2003, 1:05:15 AM, you wrote:

RG Have not been able to search for items on www.ebay.com since
RG 8:55pm PDT 8/20/2003.
RG Do you see the same thing?

It is slow, but I can get to it on my Adelphia -- MFN connection at home.

allan

--
Allan Liska
[EMAIL PROTECTED]
http://www.allan.org
http://www.hosthideout.com
Re: www.ebay.com down?
At 10:12 PM 8/20/2003, Mehmet Akcin wrote:

We were unable to process your request

We are sorry, but we were unable to process your request. Please check the eBay Announcement Board for updates on recent and upcoming changes, major system issues, and other important eBay news.

however I was unable to reach the announcement board

There are already dozens of similar posts to alt.online.marketing.ebay from users in many different areas. It looks like eBay is severely screwed up all around, and unreachable on many different servers (in the US and UK, on both current and closed auction servers, on the message board servers, half.com, etc.). PayPal seems to still be working.

jc