Re: [[suse-security] E-mail account disabling warning.]
What is the name of this worm? I am seeing it show up everywhere yet have not seen a name attached to it. The level of customization is amazing. If this wasn't a Linux list I would have thought this was a legit email the way it was worded. The broken grammar points to someone who does not speak English as a first language.
Dan
staff@suse.com wrote: 26753.
Dear user, the management of Suse.com mailing system wants to let you know that,
We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.
For details see the attach.
In order to read the attach you have to use the following password:
Sincerely, The Suse.com team http://www.suse.com
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
Here's a link to the critter.
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.j@mm.html
Dave Watkins
-----Original Message-----
From: Dan Smith [mailto:dansmith@dragonsoasis.com]
Sent: Wednesday, March 03, 2004 4:03 PM
To: staff@suse.com; suse-security@suse.com
Subject: [suse-security] Re: [[suse-security] E-mail account disabling warning.]
What is the name of this worm? I am seeing it show up everywhere yet have not seen a name attached to it. The level of customization is amazing. If this wasn't a Linux list I would have thought this was a legit email the way it was worded. The broken grammar points to someone who does not speak English as a first language.
Dan
staff@suse.com wrote: 26753.
On Wed, 3 Mar 2004, Abacus Infomail wrote:
Here's a link to the critter.
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.j@mm.html
Dave Watkins
The virus trolls invest the majority of their lives finding ways to be disruptive idiots. This virus just appends an official title to the domain it's being sent to and inserts that string in the "From" header. Personally, I think these shithead virus-writing trolls deserve long, brutal prison sentences.
We should implement a policy requiring posts to be signed with a preregistered key.
--
-linux_lad public key john@linuxlad.org
On Wed, 03 Mar 2004, -linux_lad wrote:
We should implement a policy requiring posts to be signed with a preregistered key.
I think this was discussed recently. IMHO this would generally be a bad thing:
(1) malicious person or malware could pre-register a key as easily as they can send mail to the list
(2) honest person with useful info for list members often will not have access to the signing key (or even to openpgp software) at the machine they send mail from.
dproc
Quoting dproc <dproc@dol.net>:
(1) malicious person or malware could pre-register a key as easily as they can send mail to the list
This is absurd. None of these attacks are directed at the list specifically. They're just massmailing worms. Adding the key to the listserver would have to be done manually, and is just not something the massmailing script kiddies are interested in.
We're not trying to prevent someone from specifically attacking the list, but just trying to avoid the collateral damage and windows fallout from mass mailing exploits.
(2) honest person with useful info for list members often will not have access to the signing key (or even to openpgp software) at the machine they send mail from.
This is more likely and a valid concern. Whether to move to such a system really depends on just how annoying these massmailings get. Much like e-mail blacklists, there is a certain point when they simply must be implemented, no matter how much we'd rather not.
Perhaps something simpler is in order. We could require everyone to put a "#" at the end of the Subject string? Spammers and mass mailing worms won't know to put it in, and does not require any special software on posters machines. Replies to the list wouldn't even need to add it, as it would already be there from the previous post.
On Fri, Mar 05, 2004 at 10:59:08AM -0500, suse@rio.vg wrote:
This is more likely and a valid concern. Whether to move to such a system really depends on just how annoying these massmailings get. Much like e-mail
Well, in fact the _most_ annoying thing are not the massmailings itself, but the repeated discussion that starts _everytime_ when _one_ such thing touches the list. Sometimes I feel like on Groundhog Day...
Robert
--
Robert Schiele Tel.: +49-621-181-2517
Dipl.-Wirtsch.informatiker mailto:rschiele@uni-mannheim.de
Hi,
On 3/5/2004 5:05 PM, Robert Schiele wrote:
Well, in fact the _most_ annoying thing are not the massmailings itself, but the repeated discussion that starts _everytime_ when _one_ such thing touches the list. Sometimes I feel like on Groundhog Day...
FULL ACK!!! And in addition to that, I would state that those discussion cause more than quadruple the traffic the worms do.
Regards, Stefan
Quoting Stefan Gofferje <suse-security@gofferje.homelinux.org>:
On 3/5/2004 5:05 PM, Robert Schiele wrote:
Well, in fact the _most_ annoying thing are not the massmailings itself, but the repeated discussion that starts _everytime_ when _one_ such thing touches the list. Sometimes I feel like on Groundhog Day...
FULL ACK!!! And in addition to that, I would state that those discussion cause more than quadruple the traffic the worms do.
Perhaps that is because nothing is ever done. Virus/Spam gets post, people whine, nothing happens, people stop. Rinse/Repeat.
As far as I am aware, this is a security list. Security of the list would, I believe, be covered as a valid discussion. I don't care much about the vagaries of SuSE's iptables wrapper, but it is discussed ceaselessly on the list. I recognize that as valid. Why is our own discussion any less valid? I am, at least, talking about something constructive. Whining about other people's posts is hypocritical at the very least.
I rather like the idea of simply requiring a specific string somewhere in the message to prevent spam. Would it be such a burden to end a subject line with "#"? Does anyone know if there is a technical problem in checking for such a subject before sending out to the list?
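The Subject-marker check asked about above, as an added example (not part of any post in this thread and not the list server's own code): a Python filter that decodes and unfolds the Subject header before testing for the trailing "#". The sample messages are constructed, and the "hold for moderator" outcome is an assumption about how a list would treat unmarked posts.

```python
from email import message_from_string
from email.header import decode_header, make_header

REQUIRED_SUFFIX = "#"  # marker proposed in the thread; any agreed string works


def subject_of(raw: str) -> str:
    """Return the Subject of a raw message, decoded and unfolded."""
    value = message_from_string(raw).get("Subject", "")
    # Decode RFC 2047 encoded-words, then collapse header folding and
    # trailing whitespace so the comparison sees the text the poster typed.
    decoded = str(make_header(decode_header(value)))
    return " ".join(decoded.split())


def accept_for_list(raw: str) -> bool:
    """True when the Subject ends with the agreed marker."""
    return subject_of(raw).endswith(REQUIRED_SUFFIX)


# Constructed sample messages (not real list traffic).
SAMPLES = {
    "worm_style": "From: staff@suse.com\n"
                  "Subject: E-mail account disabling warning.\n\nbody\n",
    "marked_post": "From: a@example.org\n"
                   "Subject: iptables wrapper question #\n\nbody\n",
    "reply_keeps_marker": "From: b@example.org\n"
                          "Subject: Re: [suse-security] iptables wrapper question #\n\nbody\n",
    "folded_header": "From: c@example.org\n"
                     "Subject: a rather long subject line that the mail client\n"
                     " folded onto a second line # \n\nbody\n",
    "encoded_word": "From: d@example.org\n"
                    "Subject: =?utf-8?q?Beagle_sample_#?=\n\nbody\n",
    "no_subject": "From: e@example.org\n\nbody\n",
}


def classify(samples=SAMPLES):
    """Map each sample name to the filter's decision."""
    return {name: accept_for_list(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, ok in classify().items():
        print(f"{name:20} {'deliver' if ok else 'hold for moderator'}")
```

Passing this check shows only that the sender followed the convention; it says nothing about who the sender is, which is the gap the signed-post proposal is aimed at.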
Well, in fact the _most_ annoying thing are not the massmailings itself, but the repeated discussion that starts _everytime_ when _one_ such thing touches the list. Sometimes I feel like on Groundhog Day...
FULL ACK!!! And in addition to that, I would state that those discussion cause more than quadruple the traffic the worms do.
Perhaps that is because nothing is ever done. Virus/Spam gets post, people whine, nothing happens, people stop. Rinse/Repeat.
As far as I am aware, this is a security list. Security of the list would, I believe, be covered as a valid discussion. I don't care much about the vagaries of SuSE's iptables wrapper, but it is discussed ceaselessly on the list. I recognize that as valid. Why is our own discussion any less valid? I am, at least, talking about something constructive. Whining about other people's posts is hypocritical at the very least.
I rather like the idea of simply requiring a specific string somewhere in
There is no lack in security from such post, because the mailserver cuts them off (or my mailserver filters them out). The problem is it consumes me time to delete the posts and filter them from the more important ones. If there are more spam-mails, than real mails on the list I lose interest, because I want to read security related stuff and no /dev/tele-tubby texts (no I not 68 and need aging pills ... or anything other).
the message to prevent spam. Would it be such a burden to end a subject line with "#"? Does anyone know if there is a technical problem in checking for such a subject before sending out to the list?
Any "FULL ACK!!!" or "That makes more traffic" posts don't _REALLY_ help solving that issue. At our local admingroup's mailinglist we had similar problems with posts not belonging to the list. Now we got this under control.
If this list makes a key-exchange-party and only mails were allowed with the right signature, there would be no spam here at all. If then somebody is on the list spamming, he/she/it can easily be unsubscribed (small amount of work).
Example with pgp signature:
-----BEGIN PGP SIGNATURE-----
YOUR KEY [...]
-----END PGP SIGNATURE-----
The next point is, the content of the list is presented on webpages, which webspiders can easily grep. It's no problem getting this information with e.g. google - there is much knowledge behind the posts - , but if malicious third party fetch the E-Mail addresses of the users and do their unprofessional business. So if we use a signed list this signatures should not be posted there.
It is better, if we can find a zero spam solution and can come back to more important threads.
Philippe
On Fri, 5 Mar 2004, suse@rio.vg wrote:
Quoting dproc <dproc@dol.net>:
(1) malicious person or malware could pre-register a key as easily as they can send mail to the list
This is absurd. None of these attacks are directed at the list specifically. They're just massmailing worms. Adding the key to the listserver would have to be done manually, and is just not something the massmailing script kiddies are interested in.
We're not trying to prevent someone from specifically attacking the list, but just trying to avoid the collateral damage and windows fallout from mass mailing exploits.
(2) honest person with useful info for list members often will not have access to the signing key (or even to openpgp software) at the machine they send mail from.
This is more likely and a valid concern. Whether to move to such a system really depends on just how annoying these massmailings get. Much like e-mail blacklists, there is a certain point when they simply must be implemented, no matter how much we'd rather not.
Perhaps something simpler is in order. We could require everyone to put a "#" at the end of the Subject string? Spammers and mass mailing worms won't know to put it in, and does not require any special software on posters machines. Replies to the list wouldn't even need to add it, as it would already be there from the previous post.
I'm glad at least one person agrees with me. The list only has to verify that the post is signed with the key that users register. It's a simple procedure and would not require a lot of effort. I don't know what the mechanism for this list, but it would only take a couple of scripts to accomplish. New users could be advised at signup time that they are required to sign posts, and they could supply their public key of choice simply by pasting it in an email. The key does not need to be signed by others to work, its only purpose is to filter out automated posts.
One or two people have suggested that worm writers would simply modify their worms to send keys to the system. This suggests that those writers don't fully understand what's going on here. The worm simply grabs all the email addresses it can find and sends itself to them. If the naysayers are truly concerned about the worm being capable of using the victim's key or generating their own key, they can implement a mechanism that requires human interaction, like many BBS and free mail systems do to foil automated signups.
-linux_lad public key john@linuxlad.org
participants (8)
- -linux_lad
- Abacus Infomail
- Dan Smith
- dproc
- Philippe Vogel
- Robert Schiele
- Stefan Gofferje
- suse@rio.vg