Re: [sniffer] New virus...
If you are running your mail server only for yourself feel free to ban .exe's and .zip's. If you are providing mail services to others I STRONGLY suggest you consult an attorney that specializes in Internet related matters. There have been a couple of recent cases where ISP's have been held responsible for non-delivery of messages.

I asked two for an opinion on the matter and was told that we should not block or hold any messages unless we believe them to be a specific threat to our systems. After the smoke cleared we came to the conclusion that it's OK to block known viruses and threats, but they had to be "known". We no longer hold or delete any known SPAM. We let the users or domain admins determine via rules what they want to block.

I also checked with our errors and omissions insurance provider and was told that we would not be covered for non-delivery issues if it was a "deliberate act" on our part to block them.

This has become a hot issue that few want to discuss. It's nearly impossible to find an attorney well versed in the field. As more become aware of the issue I suspect it will become a popular point to litigate (has your ISP caused you damage by failing to deliver important information?, etc.).

The bottom line is that if you block items like all .exe's or all .zip's you are taking the responsibility for non-delivery. In the two cases I found one had a disclaimer, and the other a written TOS. It didn't help either in court. Just be very careful.

-Joe

- Original Message -
From: "John T (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Thursday, October 06, 2005 2:01 AM
Subject: RE: [sniffer] New virus...

No need to block zips, with Declude just add "BANZIPEXTS ON" to your virus.cfg file since the payload is an exe within the zip and since we are all already banning executable files, correct?

John T
eServices For You

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, October 05, 2005 8:41 PM
To: sniffer@sortmonster.com
Subject: [sniffer] New virus...
Importance: High

Hello sniffer,

Hello folks... watch out for a new virus email with an attachment named "pword _ change . zip" - extra spaces added to skip filters ;-)

We're adding some SNF rules to catch it. No word about it on virus lists or scanner services yet (that I can see).

You may want to temporarily block .zip files - or at least this particular zip file until the new rules can be pushed out and the virus scanners catch up.

Thanks,
_M

Pete McNeil (Madscientist)
President, MicroNeil Research Corporation
Chief SortMonster (www.sortmonster.com)
Chief Scientist (www.armresearch.com)

This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html

Re: [sniffer] New virus...
That's only in Virus Pro, right? I don't think BANZIPEXTS is available in Standard or Lite.

Darin.

- Original Message -
From: "John T (Lists)" <[EMAIL PROTECTED]>
To:
Sent: Thursday, October 06, 2005 3:01 AM
Subject: RE: [sniffer] New virus...

No need to block zips, with Declude just add "BANZIPEXTS ON" to your virus.cfg file since the payload is an exe within the zip and since we are all already banning executable files, correct?

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Pete McNeil
> Sent: Wednesday, October 05, 2005 8:41 PM
> To: sniffer@sortmonster.com
> Subject: [sniffer] New virus...
> Importance: High
>
> Hello sniffer,
>
> Hello folks... watch out for a new virus email with an attachment
> named "pword _ change . zip" - extra spaces added to skip filters
> ;-)
>
> We're adding some SNF rules to catch it. No word about it on virus
> lists or scanner services yet (that I can see).
>
> You may want to temporarily block .zip files - or at least this
> particular zip file until the new rules can be pushed out and the
> virus scanners catch up.
>
> Thanks,
> _M
>
> Pete McNeil (Madscientist)
> President, MicroNeil Research Corporation
> Chief SortMonster (www.sortmonster.com)
> Chief Scientist (www.armresearch.com)

RE: [sniffer] New virus...
I suppose it depends on just how deep the sniffer signature goes...

Previous viruses including Sober.* have come in waves, with variants that skirt all but the most intrusive antivirus blocking schemes.

I submitted a sample to the Norman Sandbox, which turned up different information than the McAfee, Trend Micro et al. writeups. I googled the CLSIDs that turned up and didn't come up with much, but a fascinating thing was that they also hit on a previous Norman Sandbox entry that Google happened to have in its cache from Sep-25-2005. Maybe the bad guys are testing their software there before release? Hmmm...

So anyhow... If sniffer is *so* amazing that it could identify the CLSID within an executable within a zip file within a MIME segment of a message file, well, that would certainly be amazing, now wouldn't it? I figure the CLSID is unlikely to change as quick as the distribution method and packaging.

Andrew 8)

P.S. We'll see how well the shiny new Common Malware Enumeration scheme pans out. So far, the vendors' names for the malware are quite different.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> Sent: Thursday, October 06, 2005 12:02 AM
> To: sniffer@SortMonster.com
> Subject: RE: [sniffer] New virus...
>
> No need to block zips, with Declude just add "BANZIPEXTS ON" to your
> virus.cfg file since the payload is an exe within the zip and
> since we are all already banning executable files, correct?
>
> John T
> eServices For You
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of Pete McNeil
> > Sent: Wednesday, October 05, 2005 8:41 PM
> > To: sniffer@sortmonster.com
> > Subject: [sniffer] New virus...
> > Importance: High
> >
> > Hello sniffer,
> >
> > Hello folks... watch out for a new virus email with an attachment
> > named "pword _ change . zip" - extra spaces added to skip filters
> > ;-)
> >
> > We're adding some SNF rules to catch it. No word about it on virus
> > lists or scanner services yet (that I can see).
> >
> > You may want to temporarily block .zip files - or at least this
> > particular zip file until the new rules can be pushed out and the
> > virus scanners catch up.
> >
> > Thanks,
> > _M
> >
> > Pete McNeil (Madscientist)
> > President, MicroNeil Research Corporation
> > Chief SortMonster (www.sortmonster.com)
> > Chief Scientist (www.armresearch.com)

RE: [sniffer] New virus...
No need to block zips, with Declude just add "BANZIPEXTS ON" to your virus.cfg file since the payload is an exe within the zip and since we are all already banning executable files, correct?

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Pete McNeil
> Sent: Wednesday, October 05, 2005 8:41 PM
> To: sniffer@sortmonster.com
> Subject: [sniffer] New virus...
> Importance: High
>
> Hello sniffer,
>
> Hello folks... watch out for a new virus email with an attachment
> named "pword _ change . zip" - extra spaces added to skip filters
> ;-)
>
> We're adding some SNF rules to catch it. No word about it on virus
> lists or scanner services yet (that I can see).
>
> You may want to temporarily block .zip files - or at least this
> particular zip file until the new rules can be pushed out and the
> virus scanners catch up.
>
> Thanks,
> _M
>
> Pete McNeil (Madscientist)
> President, MicroNeil Research Corporation
> Chief SortMonster (www.sortmonster.com)
> Chief Scientist (www.armresearch.com)
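
The two checks discussed in this thread, whitespace-padded attachment names and a banned executable inside a zip, sketched as an added example; this is not Declude's or Message Sniffer's code, and the ban list, function names and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BANNED_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}  # assumed list, not Declude's

def normalize(name):
    """Drop all whitespace and lowercase: 'pword _ change . zip' -> 'pword_change.zip'."""
    return "".join(name.split()).lower()

def extension(name):
    """Last extension of the normalized name, ignoring trailing dots."""
    name = normalize(name).rstrip(".")
    return name[name.rfind("."):] if "." in name else ""

def banned_members(zip_bytes):
    """Names of zip members whose normalized extension is banned."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if extension(n) in BANNED_EXTS]
    except zipfile.BadZipFile:
        return ["<unreadable zip>"]  # fail closed on archives that cannot be inspected

def scan_message(raw):
    """Map each attachment that should be held to the reasons for holding it."""
    findings = {}
    for part in message_from_bytes(raw, policy=policy.default).walk():
        fname = part.get_filename()
        if not fname:
            continue
        ext = extension(fname)
        payload = part.get_payload(decode=True) or b""
        if ext in BANNED_EXTS:
            findings[fname] = ["banned extension " + ext]
        elif ext == ".zip" or payload[:4] == b"PK\x03\x04":
            hits = banned_members(payload)
            if hits:
                findings[fname] = ["zip contains " + h for h in hits]
    return findings

def build_sample(zip_name, member_name):
    """Constructed sample: a message with a zip attachment holding one dummy file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"harmless placeholder bytes")
    msg = EmailMessage()
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

Because only zips that actually contain a banned member are flagged, ordinary zip attachments still get delivered, which is the narrower blocking the thread argues for.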