Re: what can be done about 'in order to have your advice...'
> Can anyone help me figure out a way to handle this recent virus? It typically tags email in body: '...in order to have your advice...' and sends random attachments .2 to 2Mb in size. We're getting a lot of these already, and I'm worried that a flood will jam us up, amounting to a DOS. At the very least, this is going to cost us a lot of bandwidth $$$. Seems to me the only way to stop it is to scan the body before the mail is accepted. Yeech. And as soon as we get variations on '...in order to have your advice...' it will be just about indistinguishable from normal email with attachments.

Seems to me that the main feature of this virus isn't the text, but the fact that the attachments that it sends always have two extensions: .xls.bat, .doc.lnk and so on. This way, it tricks Windows lusers who have the hide extensions option turned on into clicking on them. So you could write a script to look at the name of the attachments and look for the ones that follow that pattern. (Aside, of course, from checking out the patches that antivirus vendors must be putting out...)

Paulo Jan.
DDnet.
Re: what can be done about 'in order to have your advice...'
On Tue, Jul 24, 2001 at 10:58:10AM -0400, [EMAIL PROTECTED] wrote:
> Can anyone help me figure out a way to handle this recent virus? It typically tags email in body: '...in order to have your advice...' and sends random attachments .2 to 2Mb in size.

Deliver with procmail. And use these measures:
http://www.impsec.org/email-tools/procmail-security.html

You can't block it inwards, however, so the incoming SMTP load won't be helped by this. But you won't spread it.

/magnus
--
:: Magnus Bodin . http://x42.com/ ::: etlaoinsrm.hcdwyp0:'/bvg2,-14f?@58kz
Re: what can be done about 'in order to have your advice...'
On Wed, Jul 25, 2001 at 09:33:35AM +0200, Paulo Jan wrote:
> Seems to me that the main feature of this virus isn't the text, but the fact that the attachments that it sends always have two extensions: .xls.bat, .doc.lnk and so on. This way, it tricks Windows lusers who have the hide extensions option turned on into clicking on them.

You got something backwards there. The problem isn't the users. The problem is the operating system and its vendor who stubbornly refuses to distribute a system that offers even minimum security. In short: if you use Windows, you are an idiot - but you wouldn't have to be an idiot with data loss or an idiot being part of a DDoS attack (anyone seen any in the wild, really? cf. http://www.fefe.de/ddos.html) if it weren't for that marketing department turned software giant.

N.B., anyone tried MS's solution to the problem (i.e. the Office patch)? It basically renders Outlook useless. Eh. Wait. Make that even more useless. Good work.

> So you could write a script to look at the name of the attachments and look for the ones that follow that pattern.

Boring. I see no reason why virus authors, once identified, should be allowed to live:
http://dailynews.yahoo.com/h/zd/20010724/tc/death_to_virus_writers__1.html

> (Aside, of course, of checking out the patches that antivirus vendors must be putting out...)

Ah yes, our friends and saviours from the other end of the gutter. Interesting to let the last 10 or so years pass by and wonder - and I mean *really* wonder - how anyone could be so unbelievably stupid to run software that has never worked *and* pay additional money to a bunch of hippies investing their time and (limited) programming skills into ways to make money by selling hacks and workarounds for a B.A.D. OS instead of improving this OS. Ooops. Closed source. Embrace and anally rape. Pity.

Anyway, if I were a virus vendor, I'd sacrifice virgins by the dozen hoping that Microsoft never, ever hires competent programmers.

Reply-to set.
WTF has this virus crap got to do on this list? qmail-scanner lists exist, and your problem has nothing to do with Unix.
Re: what can be done about 'in order to have your advice...'
On Tue, Jul 24, 2001 at 10:58:10AM -0400, [EMAIL PROTECTED] wrote:
> Can anyone help me figure out a way to handle this recent virus? It typically tags email in body: '...in order to have your advice...' and sends random attachments .2 to 2Mb in size. We're getting a lot of these already, and I'm worried that a flood will jam us up, amounting to a DOS. At the very least, this is going to cost us a lot of bandwidth $$$. Seems to me the only way to stop it is to scan the body before the mail is accepted. Yeech. And as soon as we get variations on '...in order to have your advice...' it will be just about indistinguishable from normal email with attachments.

If it helps, I process the header with

    ^Content-Type:.*_Outlook_Express_message_boundary    virus W32/Sircam-A-Virus

Now just find a place to put that (my implementation is not site-portable). And no, it won't block real Outlook Express mails.

Jost
--
| [EMAIL PROTECTED]              Please help stamp out spam! |
| Postmaster, JAPH, resident answer machine am RZ der RUB     |
| Pluralitas non est ponenda sine necessitate                 |
|                          William of Ockham (1285-1347/49)   |
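The two checks proposed in this thread, Paulo's double-extension attachment name and Jost's `_Outlook_Express_message_boundary` header match, plus the body phrase from the original report, combined into one message classifier. This is an added example, not code from any poster; the sample messages are constructed, and the list of executable extensions beyond .bat and .lnk is an assumption.

```python
import re
import sys
from email import message_from_bytes

# Rules from the thread: fixed body phrase, double-extension attachment
# names (.doc.lnk, .xls.bat, ...), and the forged Outlook Express boundary.
# Executable suffixes other than bat/lnk are assumed, not from the thread.
BODY_PHRASE = "in order to have your advice"
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\.(bat|lnk|pif|com|exe|scr)$", re.I)
BOUNDARY_RE = re.compile(r"_Outlook_Express_message_boundary", re.I)


def suspicious_reasons(raw: bytes) -> list:
    """Return the list of rules a raw RFC 822 message matches (empty = clean)."""
    msg = message_from_bytes(raw)
    reasons = []
    if BOUNDARY_RE.search(msg.get("Content-Type", "")):
        reasons.append("outlook-express-boundary")
    for part in msg.walk():          # yields the container itself, then each part
        name = part.get_filename()
        if name and DOUBLE_EXT_RE.search(name):
            reasons.append("double-extension:" + name)
        elif not name and part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            if BODY_PHRASE in body.decode("latin-1").lower():
                reasons.append("body-phrase")
    return reasons


# Constructed sample: one message matching all three rules, one clean message.
SAMPLE = (b"From: a@example.invalid\nTo: b@example.invalid\nSubject: report\n"
          b'Content-Type: multipart/mixed; boundary="_Outlook_Express_message_boundary"\n\n'
          b"--_Outlook_Express_message_boundary\nContent-Type: text/plain\n\n"
          b"Hi! How are you?\nI send you this file in order to have your advice\n\n"
          b"--_Outlook_Express_message_boundary\n"
          b'Content-Type: application/octet-stream; name="report.doc.lnk"\n'
          b'Content-Disposition: attachment; filename="report.doc.lnk"\n'
          b"Content-Transfer-Encoding: base64\n\nAAAA\n"
          b"--_Outlook_Express_message_boundary--\n")
CLEAN = (b"From: a@example.invalid\nSubject: minutes\n"
         b'Content-Type: multipart/mixed; boundary="xyz"\n\n--xyz\n'
         b"Content-Type: text/plain\n\nMinutes attached, thanks.\n--xyz\n"
         b'Content-Type: application/msword; name="minutes.doc"\n'
         b'Content-Disposition: attachment; filename="minutes.doc"\n\nAAAA\n--xyz--\n')

if __name__ == "__main__":
    # Filter mode: read a message on stdin, exit 1 if it matches (for procmail).
    hits = suspicious_reasons(sys.stdin.buffer.read())
    print("\n".join(hits))
    sys.exit(1 if hits else 0)
```

In a procmail recipe the non-zero exit can route the message to quarantine, which, as Magnus notes, stops redistribution but not the inbound SMTP load.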
what can be done about 'in order to have your advice...'
Can anyone help me figure out a way to handle this recent virus? It typically tags email in body: '...in order to have your advice...' and sends random attachments .2 to 2Mb in size. We're getting a lot of these already, and I'm worried that a flood will jam us up, amounting to a DOS. At the very least, this is going to cost us a lot of bandwidth $$$.

Seems to me the only way to stop it is to scan the body before the mail is accepted. Yeech. And as soon as we get variations on '...in order to have your advice...' it will be just about indistinguishable from normal email with attachments.

All I can think of is setting up a colocated MX where bandwidth is cheap and filtering all mail there, then accepting only from that IP. Hmmm, is there a mailscrubber.com ASP that provides that service reliably?

cfm
--
Christopher F. Miller, Publisher                      [EMAIL PROTECTED]
MaineStreet Communications, Inc  208 Portland Road, Gray, ME 04039
1.207.657.5078                                  http://www.maine.com/
Content/site management, online commerce, internet integration, Debian linux