-----Original Message-----
From: Arjen Runsink [mailto:arjen@zeilers.net]
Sent: 02 March 2004 09:14
To: suse-security@suse.com
Subject: [suse-security] FSCKING VIRII
Hi.
Can't you block the IP's that send the virii?
What, like 195.135.221.131? ;-)
Realistically, unless you know all PCs that may have been infected.... no.
Tom.
Moin folks. On Tue, 2 Mar 2004, Tom Knight wrote:
Can't you block the IP's that send the virii?
What, like 195.135.221.131?
Realistically, unless you know all PCs that may have been infected.... no.
Realistically you can block, reject, drop or whatever every mail that contains a (known) virus. Tho' there's a need for a virusscanner on the mailserver which I guess is missing here.
Arjen, why should they block them? You are afraid cause you use Outlook? ;^)
Cheers, Michael
-- It's a book about a Spanish guy called Manual, you should read it. -- Dilbert
Hi Michael! Quoting Michael 'buk' Scherer <mscherer@gis-systemhaus.de>:
Arjen, why should they block them? You are afraid cause you use Outlook? ;^)
Haha, the list server @ suse removes all attachments so the messages do not contain the actual messages. But it is the same annoyance as clueless unsubscribe messages ;)
And yes, I run amavis @ home to protect my gf's computer.
BB, Arjen
Arjen,
Sadly I don't think that would achieve anything. Typically infected computers only send out their payload once, so the security team would be wasting their valuable time shutting a stable door when the horse was well and truly bolted. And then they would have to spend more time dealing with the inevitable request to reopen it (even if they refuse the request it still takes time).
Bob
On Tue, 2 Mar 2004, Arjen Runsink wrote:
Hi.
Can't you block the IP's that send the virii?
BB, Arjen
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
============================================================== Bob Vickers R.Vickers@cs.rhul.ac.uk Dept of Computer Science, Royal Holloway, University of London WWW: http://www.cs.rhul.ac.uk/home/bobv Phone: +44 1784 443691
Hi Bob, Quoting Bob Vickers <bobv@cs.rhul.ac.uk>:
Sadly I don't think that would achieve anything. Typically infected computers only send out their payload once, so the security team
I beg to differ. I have experienced that I got virii from the same IP several times per day. And then also 2 copies of it at the same time. This had nothing to do with machines in a masked network. All were single machines.
the inevitable request to reopen it (even if they refuse the request it still takes time).
Wait till the next one that keeps on hammering. Btw the last time I received numerous copies of the same virus from the same IP happened to be the computer of a university employee ;)
BB, Arjen
Why not just stop using M$ Outbreak and Exchange? Outbreak is the only client that is propagating these virii ...
On Tue, 2004-03-02 at 11:50, Bob Vickers wrote:
Arjen,
Sadly I don't think that would achieve anything. Typically infected computers only send out their payload once, so the security team would be wasting their valuable time shutting a stable door when the horse was well and truly bolted. And then they would have to spend more time dealing with the inevitable request to reopen it (even if they refuse the request it still takes time).
Bob
On Tue, 2 Mar 2004, Arjen Runsink wrote:
Hi.
Can't you block the IP's that send the virii?
BB, Arjen
============================================================== Bob Vickers R.Vickers@cs.rhul.ac.uk Dept of Computer Science, Royal Holloway, University of London WWW: http://www.cs.rhul.ac.uk/home/bobv Phone: +44 1784 443691 -- -- Raymond Leach <raymondl@knowledgefactory.co.za> Network Support Specialist http://www.knowledgefactory.co.za "lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import" Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28 --
Hi, Quoting Ray Leach <raymondl@knowledgefactory.co.za>:
Why not just stop using M$ Outbreak and Exchange? Outbreak is the only client that is propagating these virii ...
The mailing list software filters out the headers of a sending server so you can't see my mailserver software. But you can see my MUA.
User-Agent: Internet Messaging Program (IMP) 4.0-cvs
And btw, Exchange is not (yet) a virus/worm feast like Outlook. Never seen one written for it.
BB, Arjen
On Tue, 2004-03-02 at 13:41, Arjen Runsink wrote:
Hi,
Quoting Ray Leach <raymondl@knowledgefactory.co.za>:
Why not just stop using M$ Outbreak and Exchange? Outbreak is the only client that is propagating these virii ...
The mailing list software filters out the headers of a sending server so you can't see my mailserver software. But you can see my MUA.
User-Agent: Internet Messaging Program (IMP) 4.0-cvs
And btw, Exchange is not (yet) a virus/worm feast like Outlook. Never seen one written for it.
How about this one: http://securityresponse.symantec.com/avcenter/venc/data/trojan.aprilfool.htm...
BB, Arjen -- -- Raymond Leach <raymondl@knowledgefactory.co.za> Network Support Specialist http://www.knowledgefactory.co.za "lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import" Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28 --
-----Original Message----- From: Ray Leach [mailto:raymondl@knowledgefactory.co.za] Sent: 02 March 2004 11:19 To: SuSE Security Subject: Re: [suse-security] FSCKING VIRII
Why not just stop using M$ Outbreak and Exchange? Outbreak is the only client that is propagating these virii ...
Point 1: Arjen isn't using Outlook, check the headers ;-)
Point 2: Outlook isn't the only MUA that propagates these worms. Bagle (for example) uses its own SMTP engine and relies on a (stupid) user opening an attachment. The only reliance is use of Windows and lack of virus awareness.
Point 3: In the "real world" people have to battle an awful lot to dump Outlook and Exchange (think corporate investment), and until that's done they may still have to support these programs.
On the other hand... Something is stripping the viral attachment from these messages, why can't it just dump the entire message?
HTH, Tom.
On Tue, 2004-03-02 at 13:45, Tom Knight wrote:
-----Original Message----- From: Ray Leach [mailto:raymondl@knowledgefactory.co.za] Sent: 02 March 2004 11:19 To: SuSE Security Subject: Re: [suse-security] FSCKING VIRII
Why not just stop using M$ Outbreak and Exchange? Outbreak is the only client that is propagating these virii ...
This was a generalisation ....
Point 1: Arjen isn't using Outlook, check the headers ;-)
Point 2: Outlook isn't the only MUA that propagates these worms. Bagle (for example) uses its own SMTP engine and relies on a (stupid) user opening an attachment. The only reliance is use of Windows and lack of virus awareness.
Yes, let's start a virus training school ....
Point 3: In the "real world" people have to battle an awful lot to dump Outlook and Exchange (think corporate investment), and until that's done they may still have to support these programs.
So, if they start planning their migration to the 'new and better' MTA and MUA to coincide with the extinction of their precious 'corporate investment', then they have nothing to lose (except maybe a whole lot of virii). Does it actually make (business) sense to keep a product that is falling behind all the time and to continually 'have' to spend more money on supporting products and resources to 'protect the corporate investment'? That's like flushing your money down the toilet in hopes that one day it will all come back out at you ...
On the other hand... Something is stripping the viral attachment from these messages, why can't it just dump the entire message?
Agreed, but then we would have to agree on what attachments (if any) to allow to the list, or was it which ones to dump ...?
HTH,
Tom. -- -- Raymond Leach <raymondl@knowledgefactory.co.za> Network Support Specialist http://www.knowledgefactory.co.za "lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import" Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28 --
Heja, me again. :) On Tue, 2 Mar 2004, Tom Knight wrote:
Point 1: Arjen isn't using Outlook, check the headers ;-)
Ha, I bet he fakes his headers. ;^)
[...]
On the other hand... Something is stripping the viral attachment from these messages, why can't it just dump the entire message?
Cause sometimes people post useful stuff _with_ an attachment to the list. Those messages would be erased too.
To throw my last $0.02, I'm not really annoyed of that virii-mails, so what? I press D and the thing is gone and it really isn't that much compared to the spam I get each day.
Cheers, Michael
-- It's a book about a Spanish guy called Manual, you should read it. -- Dilbert
Too much time already wasted on the subject ;)
participants (6)
- Arjen Runsink
- Bob Vickers
- Dan Am
- Michael 'buk' Scherer
- Ray Leach
- Tom Knight