
Hello, What is the most common method for providing virus protection for your hosted email customers? Thank you in advance. Regards, Christopher J. Wolff, VP CIO Broadband Laboratories, Inc. http://www.bblabs.com

| -----Original Message-----
| From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
| Christopher J. Wolff
| Sent: Wednesday, August 20, 2003 1:51 PM
| To: nanog@merit.edu
| Subject: Email virus protection
|
| Hello,
|
| What is the most common method for providing virus protection for your
| hosted email customers? Thank you in advance.

We filter the normal "bad attachment stuff" right off the bat:

ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]

and as we see fit, we add system wide filters for specific viruses, trojans, etc. Customers are notified when additional filters are added/removed.

Todd

Christopher J. Wolff wrote:
Hello,
What is the most common method for providing virus protection for your hosted email customers? Thank you in advance.
The best method for protection of your network (by limiting exposure of your users to viruses) is to strip executable files. We replace the files with a small text file mentioning the filename and a brief description of why we stripped it and who to contact if they need the file. I recommend executable stripping before virus scanning in all cases. Virus scanning is still vulnerable to startup viruses (Sobig-F could have infected numerous users before the dat files update). -Jack
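The two approaches above, Todd's extension blocklist and Jack's replace-the-attachment-with-a-notice, as one added example written for this page (not code from either poster). It applies Todd's extension list, written as a single anchored regex, to the final extension of each MIME attachment and swaps any hit for a text part naming the removed file. The contact address, the notice wording, the `.removed.txt` suffix and the sample message are assumptions made for the example.

```python
import re
from email import message_from_bytes
from email.policy import default

# Extension blocklist as posted by Todd, turned into one anchored,
# case-insensitive regex applied to the attachment's final extension only.
BLOCKED_EXT = re.compile(
    r"^(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk"
    r"|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])$",
    re.IGNORECASE,
)

# Assumed contact address for the replacement notice (not from the thread).
CONTACT = "postmaster@example.net"


def is_blocked_name(filename):
    """True if the attachment filename ends in a blocked extension.
    Only the last dot-separated component counts, so 'report.txt.exe'
    is blocked and 'setup.exe.txt' is not."""
    if not filename or "." not in filename:
        return False
    ext = filename.rsplit(".", 1)[1].strip()
    return BLOCKED_EXT.match(ext) is not None


def strip_executables(raw):
    """Parse a raw RFC 5322 message and replace every blocked attachment
    with a small text/plain part naming the removed file.
    Returns (message, names_of_stripped_attachments)."""
    msg = message_from_bytes(raw, policy=default)
    stripped = []
    # Materialise the walk first: parts are mutated as we go.
    for part in list(msg.walk()):
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not is_blocked_name(name):
            continue
        stripped.append(name)
        notice = (
            f"The attachment '{name}' was removed by the mail filter because its "
            f"file type is on the executable blocklist.\n"
            f"If you need this file, contact {CONTACT}.\n"
        )
        # Drop the old payload and all Content-* headers, then install the
        # notice as a text attachment whose own extension is not blocked.
        part.clear_content()
        part.set_content(notice, filename=f"{name}.removed.txt")
    return msg, stripped


def attachment_names(msg):
    """Filenames of all attachments in a parsed message, in order."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


# Constructed sample message: one blocked .pif attachment, one plain text one.
SAMPLE = b"""\
From: someone@example.org
To: user@example.net
Subject: Re: Wicked screensaver
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached file for details.
--b1
Content-Type: application/octet-stream; name="your_details.pif"
Content-Disposition: attachment; filename="your_details.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just text
--b1--
"""

if __name__ == "__main__":
    cleaned, removed = strip_executables(SAMPLE)
    print("stripped:", removed)
    print("remaining:", attachment_names(cleaned))
```

Matching only the final extension is deliberate: the filter exists to stop what a double-click would execute, and the blocklist is cheap enough to run in front of a signature scanner, which is Jack's ordering.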

Yo Jack! On Wed, 20 Aug 2003, Jack Bates wrote:
The best method for protection of your network (by limiting exposure of your users to viruses) is to strip executable files. We replace the files with a small text file mentioning the filename and a brief description of why we stripped it and who to contact if they need the file.
I love guys like you. All my customers once had (still have) admins that filtered and cleaned their email for them. Also added firewalls for their protection. Now they are my customers because they do not want your protections. What you are doing is certainly proper in some cases. I would hope BofA learned that lesson after the last worm attack that killed their ATM network. That also means a lot of bank employees need to also have an ISP account from me to do things they can not do with their email on the job. RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701 gem@rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

Gary E. Miller wrote:
I love guys like you. All my customers once had (still have) admins that filtered and cleaned their email for them. Also added firewalls for their protection. Now they are my customers because they do not want your protections.
I never understood ISPs that can apply a filter but not make an exception. All my filters, network and service level, have exclusions. The filters are designed to protect the network from the users. Less than 0.1% of my users do not want such protections, and those users are cleared of them. In the last 3 days, I have received over 50 thank-you emails from customers concerning Sobig-F stripping. One user said that they wanted off filtering because they updated their anti-virus definitions once a week and that they were expecting an email from someone, but I'd stripped the attachment. It turns out that the user hadn't updated since Sobig-F released 2 days ago and since the from address was something he was looking for, he would have run the executable I'd stripped. I informed him that the file was viral, and he informed me that he'd like to keep the filtering. This is normal of most requests. I will agree with you that there are many networks that deploy filtering and do not work with the customer concerning the filtering. To do so is poor business practice in my opinion. The problem isn't the filtering. It is the lack of contact with the customer. -Jack

Hey - they aren't supposed to be using their work e-mail for stuff other than work - especially in a banking environment. I would be unhappy if my bank did not exclude executables from outside e-mail. Again, IT'S YOUR EMPLOYER'S NETWORK, NOT YOURS.

----- Original Message -----
From: "Gary E. Miller" <gem@rellim.com>
To: "Jack Bates" <jbates@brightok.net>
Cc: <nanog@merit.edu>
Sent: Wednesday, August 20, 2003 14:29
Subject: Re: Email virus protection
Yo Jack!
On Wed, 20 Aug 2003, Jack Bates wrote:
The best method for protection of your network (by limiting exposure of your users to viruses) is to strip executable files. We replace the files with a small text file mentioning the filename and a brief description of why we stripped it and who to contact if they need the file.
I love guys like you. All my customers once had (still have) admins that filtered and cleaned their email for them. Also added firewalls for their protection. Now they are my customers because they do not want your protections.
What you are doing is certainly proper in some cases. I would hope BofA learned that lesson after the last worm attack that killed their ATM network. That also means a lot of bank employees need to also have an ISP account from me to do things they can not do with their email on the job.

John Palmer wrote:
Hey - they aren't supposed to be using their work e-mail for stuff other than work - especially in a banking environment.
I would be unhappy if my bank did not exclude executables from outside e-mail.
That's what the net admin was telling me when I mentioned one of his branch bank offices had Sobig-F. Apparently they all run A/V and I think he said his mail server does as well. Unfortunately, they still allow executables in. I won't be using that bank. -Jack

Jack Bates(jbates@brightok.net)@2003.08.20 15:49:01 +0000:
That's what the net admin was telling me when I mentioned one of his branch bank offices had Sobig-F. Apparently they all run A/V and I think he said his mail server does as well. Unfortunately, they still allow executables in.
The problem is the false sense of security while using anti-virus products. To have a working signature, somebody has to be hit first and submit the virus to the AV vendor. This requires a certain time, which leads - in case of the latest worm occurrences which appear to be pretty aggressive - to a certain amount of infections that happen before there are signatures available. And then, the update still has to be downloaded to the AV scanning software, which extends the time window of being unprotected against a certain worm or virus variant. So, the virus and worm authors are always one step ahead. This is by design of the AV concept. Better put the wasted cash and time into the design of better systems, which brings the software developers this critical one step in the lead. Due to what obscure reason does a mail user agent have to execute interpreted code and do unasked things to mail attachments, nowadays? Regards, /k --
Those who do not understand Unix are condemned to reinvent it, poorly. --Henry Spencer webmonster.de -- InterNetWorkTogether -- built on the open source platform http://www.webmonster.de/ - ftp://ftp.webmonster.de/ - http://www.rohrbach.de/ GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6 Please do not remove my address from To: and Cc: fields in mailing lists. 10x

Christopher J. Wolff(chris@bblabs.com)@2003.08.20 10:50:55 +0000:
What is the most common method for providing virus protection for your hosted email customers? Thank you in advance.
Making them switch to a software product that does not auto-execute arbitrary chunks of code that come in via some network connection. Ok, you got me, it is not the most common method "out there", but the most common method for my customers ;-) There's quite a lot of usable stuff out there. Many Win32 users have switched to Mozilla which seems to solve 100% of the Outlook-specific attacks which account for... hmmm... 100% of the malicious email messages of the last 6 months. Some switched to Mac. Many UNIX users are on mutt or similar MUAs which do not bear the potential for execution of arbitrary code. Sure, this does not apply for Exchange-driven installations that require Outlook, but there are also alternatives available. Deployment cost causes a certain lack of motivation to get rid of Exchange, but if you calculate a potential impact of Microsoft worms and viruses (virii?) in terms of damage to the company's data and infrastructure and also credibility, it's worth it, quite often. A bit more on the philosophical side of things, the international press and media - and many people reading or watching those media - mix up the terms "internet threat", "Microsoft-specific threat" and "Outlook-specific threat" which leads to a totally twisted perspective of the current events. Fact is, that there's a broad base of installed and Microsoft-driven PCs which are vulnerable. Customers often realize this after you explain it to them step-by-step and they seem very happy with their new knowledge about what actually caused the vulnerability of their company and information infrastructure. Some of them - call them brave - take immediate action and implement fallback or alternative solutions. Regards, /k --

On Wed, 20 Aug 2003, Karsten W. Rohrbach wrote: Some switched to Mac. Many UNIX users are on mutt or similar MUAs which do not bear the potential for execution of arbitrary code. http://www.cert.org/advisories/CA-1997-14.html http://www.cert.org/advisories/CA-1998-10.html Wow, the second one even mentions Mutt by name. --mghali@snark.net------------------------------------------<darwin>< Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in. #include <disclaim.h>

just me(matt@snark.net)@2003.08.20 14:17:17 +0000:
http://www.cert.org/advisories/CA-1997-14.html http://www.cert.org/advisories/CA-1998-10.html
Wow, the second one even mentions Mutt by name.
The more recent of those two advisories is dated August 11, 1998. What are you trying to express, by citation of those pretty outdated CERT advisories? If you are trying to imply that software does not improve in a time frame of five years, go ahead and convince me. =) On a different angle, the apparent problem of a software product being vulnerable to an exploit is not solved by deploying a - albeit well-patched - application monoculture worldwide. Risk is lowered by using more well-designed software packages out there. Diversity is the name of the game, it's nature's solution and it seems to work quite well. Regards, /k --

On Wed, 20 Aug 2003, Karsten W. Rohrbach wrote: just me(matt@snark.net)@2003.08.20 14:17:17 +0000:
http://www.cert.org/advisories/CA-1997-14.html http://www.cert.org/advisories/CA-1998-10.html
Wow, the second one even mentions Mutt by name.
The more recent of those two advisories is dated August 11, 1998. What are you trying to express, by citation of those pretty outdated CERT advisories? If you are trying to imply that software does not improve in a time frame of five years, go ahead and convince me. =)

It's happened before, it'll happen again. Please don't pretend that your MUA-de-jour is somehow invulnerable by design, unless you've audited every line of code yourself.

On a different angle, the apparent problem of a software product being vulnerable to an exploit is not solved by deploying a - albeit well-patched - application monoculture worldwide. Risk is lowered by using more well-designed software packages out there. Diversity is the name of the game, it's nature's solution and it seems to work quite well.

I completely agree. Which is why I discourage people from using Outlook Express as well as Mutt.

matto

just me(matt@snark.net)@2003.08.20 14:41:02 +0000:
Please don't pretend that your MUA-de-jour is somehow invulnerable by design, unless you've audited every line of code yourself.
I don't. Mutt and similar MUAs are prone to misconfiguration, which makes them vulnerable to some degree, but this fact alone does not expose enough surface for implementation of an internet-wide worm attack ;-) Perhaps, Outlook is a secure and performant email solution - in, say, 3 to 4 years from now, but this means a drastic change of course for the vendor. In end-user application design, finding the right mix between security and convenience (which tend to be mutually exclusive, in one way or the other) is a critical design decision. You get the point.
On a different angle, the apparent problem of a software product being vulnerable to an exploit is not solved by deploying a - albeit well-patched - application monoculture worldwide. Risk is lowered by using more well-designed software packages out there. Diversity is the name of the game, it's nature's solution and it seems to work quite well.
I completely agree. Which is why I discourage people from using Outlook Express as well as Mutt.
So the interesting question in context of this email thread is: what do you encourage them for? Regards, /k --

On Thu, 21 Aug 2003, Karsten W. Rohrbach wrote:
Mutt and similar MUAs are prone to misconfiguration, which makes them vulnerable to some degree, but this fact alone does not expose enough surface for implementation of an internet-wide worm attack ;-)
So you are saying that all MUA's are prone to vulnerabilities through misconfiguration, and the reason for Outlook's prominence is simply its larger installed base? If so, I completely agree with you.
In end-user application design, finding the right mix between security and convenience (which tend to be mutually exclusive, in one way or the other) is a critical design decision. You get the point.
Indeed. I certainly wish Outlook was shipped with more sane settings.
I completely agree. Which is why I discourage people from using Outlook Express as well as Mutt.
So the interesting question in context of this email thread is: what do you encourage them for?
My brother has used MH for the last 20 years or so, without ill effect. However, I believe it was also vulnerable in '97 because of its inclusion of metamail functionality. I've been impressed with Ximian's Evolution, but have no false hopes for its integrity in the face of malicious content. There certainly is no universal best mail client. If I encourage anything, it's to use the client folks are most comfortable with.
matto

At 02:07 PM 8/20/2003, Karsten W. Rohrbach wrote:
There's quite a lot of usable stuff out there. Many Win32 users have switched to Mozilla which seems to solve 100% of the Outlook-specific attacks which account for... hmmm... 100% of the malicious email messages of the last 6 months.
Unfortunately, that's not true. My father has to use Windoze because several software programs for his industry (Real Estate, specifically managing rentals) only come in Windoze flavors. He stays away from M$ client software whenever possible and was using Mozilla for email (until yesterday, I'm getting him started on Eudora). His email software doesn't automatically open attachments for him. He knows better than to manually open random attachments that don't look like something business like, but a few weeks ago one caught him during the vulnerable period (after the virus started making the rounds, before he had updated the virus definitions) and managed to pretend to be a type of file he *does* expect in his day to day business (an "application" attachment). Oops. Now he finally *really* understands why I'm adamant about frequently updating the virus definitions (I presently have his antivirus software set to check for updates every 4 hours) and having a strong firewall, and not loading unnecessary applications on his work computer. jc

On Wed, Aug 20, 2003 at 03:46:48PM -0700, JC Dill wrote:
At 02:07 PM 8/20/2003, Karsten W. Rohrbach wrote:
There's quite a lot of usable stuff out there. Many Win32 users have switched to Mozilla which seems to solve 100% of the Outlook-specific attacks which account for... hmmm... 100% of the malicious email messages of the last 6 months.
Unfortunately, that's not true. My father has to use Windoze because several software programs for his industry (Real Estate, specifically managing rentals) only come in Windoze flavors. He stays away from M$ client software whenever possible and was using Mozilla for email (until yesterday, I'm getting him started on Eudora). His email software doesn't automatically open attachments for him.
For some (but not all folks), you can run such software on a Windows virtual machine (I use Win4Lin) under a Unix or Linux OS. That might be an attractive and not very expensive solution for the above.
jc
-- -=[L]=-

Warning, this is an off-topic rant about client software and the state of the world WRT Windows and Linux. There is zero operational content in this post. At 06:07 PM 8/20/2003, Lou Katz wrote:
On Wed, Aug 20, 2003 at 03:46:48PM -0700, JC Dill wrote:
At 02:07 PM 8/20/2003, Karsten W. Rohrbach wrote:
There's quite a lot of usable stuff out there. Many Win32 users have switched to Mozilla which seems to solve 100% of the Outlook-specific attacks which account for... hmmm... 100% of the malicious email messages of the last 6 months.
Unfortunately, that's not true. My father has to use Windoze because several software programs for his industry (Real Estate, specifically managing rentals) only come in Windoze flavors. He stays away from M$ client software whenever possible and was using Mozilla for email (until yesterday, I'm getting him started on Eudora). His email software doesn't automatically open attachments for him.
For some (but not all folks), you can run such software on a Windows virtual machine (I use Win4Lin) under a Unix or Linux OS. That might be an attractive and not very expensive solution for the above.
He needs to be able to automatically and easily move data between all his programs. It's not at all unusual for him to scan a document with PaperPort, then export it to Acrobat, then attach it to email and send. Then he needs to automatically accept a fax and transfer it into PaperPort, so incoming faxes come in with WinFaxPro. Then he needs to transfer data from an email into Homeworks, or Promas. Then he needs to type up a document in WordPerfect (grabbing the address data from his Palm software), send attached to an email, also attaching a document just received via fax or just scanned. Typically he has 6 or more programs all open at once. We just upgraded the RAM so that his computer could handle all this in native Windows2k. He (which means me, when he has problems) has enough trouble getting everything working nice/nice under Windows. It would be impossible to get it all working seamlessly with some of these applications in Windows inside Linux and others inside Linux itself. If we aren't running at least 1/2 of his applications under Linux itself, I don't see much purpose in running Linux at all. Is there a Linux program that does what WinFaxPro does (booting at startup, automatically answering incoming faxes, saving in a format that can be exported to Acrobat or PaperPort, automatically forwarding a copy of the fax via email)? Is there a Linux program that does what PaperPort does (scanning and filing all paperwork, then saving the file thru Acrobat or Photoshop, transferring to email or fax or OCR and into WP)? I'm quite sure that there aren't any Linux programs like Homeworks or ListTrak or Promas (all Real Estate speciality programs required for his business). So at most, he can use Linux with the Palm software (maybe), a browser (he's already using Mozilla under Win2K, so this isn't a big gain) an email client (he's using Eudora now, and I don't believe they have a Linux version), and Star Office (maybe, if it doesn't crash) for a WordPerfect solution. 
Except that he really needs to migrate *off* WP and onto Word because he needs to send and receive docs in the format everyone else uses (Word, unfortunately). In many cases he'd have to pay to buy new Linux versions of software he has already purchased for Windows (like Acrobat, Word, Norton Antivirus or the equivalent, with update license) even though some equivalent applications can be had for free (Gimp for Photoshop). Then there's the learning curve, I'm sure that Gimp doesn't work *exactly* like Photoshop, he will have to learn to do things differently. And this assumes all his RE software will run in a Win4Lin environment. Can you say "the vendor doesn't support that" boys and girls? :-( Yeah, I thought you could. A support tech drove from San Jose to Monterey yesterday to install a ListTrak because they have problems installing it on Win2K systems with SP4. There's NFW they would support any of these programs if they were installed under Win4Lin or if we had problems with them running under Win4Lin but they run fine in Windows2k itself. Oh, and he needs to be able to print from all programs to the HP 3330, which is directly connected to the desktop computer and accessed by the laptop as a Windows network printer. Due to program driver weirdness (particularly with Promas) he has two different instances of this printer installed with two different drivers, he uses one version for some programs, the other version for the others. Then there's the hardware. His desktop box is an el cheapo Compaq Presario desktop computer with 2 different CD drives (one reads, one reads and writes) with an internal zip drive and internal floppy. It also has a modem (months ago I replaced the crappy win-modem with a real one so that WinFaxPro would work) and NIC, has a palm cradle via a serial connection, the HP3300 via USB, a mouse via USB, monitor, keyboard, and speakers.
And it needs to all work simply and easily for his non-technical bookkeeper who comes in only 1 day a week to input the bills and payments. She scans documents into PaperPort, enters data into Promas, makes deposits, cuts checks, and then backs up all the day's data onto the Zip drive. For some people, the applications needed simply dictate that they use Windoze. My dad has been using WordPerfect since the DR-DOS days (and before that it was Electric Pencil), so he's not a M$ fan by any stretch of the imagination. He can no longer use his favorite scanner (which works Win2k to use the latest versions of all his RE programs. He's pissed at M$ for their crappy software and at the vendors for the forced upgrades, but he can't do without it because the alternatives are much more expensive and less likely to work well together, if they actually work at all. And he needs this to work every day. So he's stuck between a rock and a hard place, and we just try to secure his Windows system the best we can. jc

To answer the original question asked... At 10:50 -0700 8/20/03, Christopher J. Wolff wrote:
What is the most common method for providing virus protection for your hosted email customers? Thank you in advance.
We use a layered approach, with Postini being the front line ...they do an *excellent* job, and we - and our clients - love them. <http://www.postini.com> We forced all the (mail) domains we host to use Postini about a year ago when our mail servers came under some serious directory harvest attacks. We allow clients to opt-out of the spam filtering if they want, but still run the mail through Postini's system anyway to stop directory harvest and virus attacks. Postini can be set to filter, but not quarantine, which looks to our opt-out clients like no filtering but still saves our mailservers from most assaults. Second layer is some nice configuration options on our customer-facing mail servers, which run CommunigatePro from Stalker. <http://www.stalker.com> CGP is as full featured as Exchange, but without the BS. Plus it has the added benefit of actually working as advertised, and can be run on virtually *any* platform. The suits like the buzzword-compliance and the fact that it is commercially supported (excellent support too I'll add.) The geeks like it because it *works*... and on any platform they choose. The last layer is of course the hardest to control, as it is out of our hands and in the client's, but we strongly suggest that they use a mail client that doesn't auto-execute code. Myself, I use Eudora on my PowerBook running OS X. I know that doesn't make me somehow immune to everything... just the vast majority. My nanog list mail account got joejobbed by the "Netscalibur" user, both as sender and receiver (supposedly from Valdis Kletnieks, and somebody at NetSol.) and I've never seen what an Outlook mail client looks like. =) I have to agree with Mr. Donelan who said here: "(Microsoft) Outlook, the exploding Pinto on the information superhighway." Regards,

-- Chuck Goolsbee, V.P. Technical Operations
_________________________________________________________________
digital.forest Phone: +1-877-720-0483, x2001 where Internet solutions grow Int'l: +1-425-483-0483 19515 North Creek Parkway Fax: +1-425-482-6871 Suite 208 http://www.forest.net Bothell, WA 98011 email: cg@forest.net

On Wed, 20 Aug 2003 17:49:07 PDT, chuck goolsbee <chucklist@forest.net> said:
majority. My nanog list mail account got joejobbed by the "Netscalibur" user, both as sender and receiver (supposedly from Valdis Kletnieks, and somebody at NetSol.) and I've never seen what an Outlook mail client looks like. =)
Erm.. wasn't me.. though so far I've had 1,787 of the suckers show up in my personal mailbox. Fortunately, they were defanged by our Mirapoints, so they were only 2K rather than 80K each ;) Meanwhile, I've had 52 "You sent us a virus" bounces. I'm pretty sure this Linux laptop didn't do it. ;) My favorite so far? Had to be the site whose spamfilter said this:

======================= Original headers follow =======================
Received: from localhost [127.0.0.1] by secure.*****.com with SpamAssassin (2.60-cvs 1.195-2003-06-30-exp); Wed, 20 Aug 2003 10:36:51 -0600
From: <Valdis.Kletnieks@vt.edu>
To: <ntp@*****.com>
Subject: XXXSPAMXXX Re: Wicked screensaver
Date: Wed, 20 Aug 2003 9:54:21 --0700
X-Spam-Level: *****
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_3F43A3A3.11294FF5"

Yep.. point the gun *straight* up, pull the trigger, wait, and then wonder what that little thing coming straight at you is... ;)

On Wed, 20 Aug 2003, Christopher J. Wolff wrote:
Hello,
What is the most common method for providing virus protection for your hosted email customers? Thank you in advance.
None, we only protect those customers who additionally pay for our antivirus services. These services comprise systems which decode the mime, unzip, untar, unarc (etc) and then run any files through commercial virus checker engines which are updated automatically daily or manually in the case of a new emerging threat that can't wait. We don't filter by file type.. people do send exe's legitimately! Steve

Jack Bates wrote:
Stephen J. Wilcox wrote:
We dont filter by file type.. people do send exe's legitimately!
You can zip the exe, or you can rename the exe, or you can ask not to have exe's filtered at all.
Sometimes solutions can be simple.
Unless your AV software has a clue, like most do, and unzips archives and see what's inside. And thank goodness they do or else the Mimail (with its message.zip attachment) could have been worse. -- Crist J. Clark crist.clark@globalstar.com

Crist Clark wrote:
Unless your AV software has a clue, like most do, and unzips archives and see what's inside.
which is ideal for virus scanning, but not for blanket-blocking of email. A zipped archive containing an executable cannot (unless something has changed that I don't know about) be automatically opened by any mail client - the user must make a deliberate attempt to open the archive then execute the attachment (although the actual extraction can be performed automatically by many decompression utilities if you double-click an executable or document inside its browser)
there is of course no allowing for the stupidity of users - but if you have a stupid enough user you could induce him to bypass any protection anyhow.
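Crist's point that a scanner has to look inside archives (Mimail's message.zip being the case in the thread), as an added example written for this page and not code from any poster. It walks a zip attachment in memory, recurses into nested zips by content rather than by name, and reports executable entries, with bounds on nesting depth, entry count and declared size so a hostile archive cannot tie up the scanner. The extension set, the limit values and the sample archives are assumptions constructed for the example.

```python
import io
import zipfile

# Short executable list for the demonstration; a fuller extension list such
# as the one posted earlier in the thread would drop in here unchanged.
EXEC_EXT = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta"}

# Safety limits (assumed values): a hostile archive can nest indefinitely or
# declare gigabytes of content in a few kilobytes, so bound the walk.
MAX_DEPTH = 3
MAX_ENTRIES = 1000
MAX_DECLARED_BYTES = 50 * 1024 * 1024

ZIP_MAGIC = b"PK\x03\x04"


def _ext(path):
    base = path.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def find_executables(data, depth=0, prefix=""):
    """Return the paths of executable entries found in zip bytes, descending
    into nested zip files. Nested entries are reported as outer::inner.
    Raises ValueError if the archive exceeds the safety limits."""
    if depth > MAX_DEPTH:
        raise ValueError(f"archive nested deeper than {MAX_DEPTH} at {prefix!r}")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a zip after all; the plain-file filter handles it
    hits = []
    with zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        if len(infos) > MAX_ENTRIES:
            raise ValueError(f"more than {MAX_ENTRIES} entries at {prefix!r}")
        if sum(i.file_size for i in infos) > MAX_DECLARED_BYTES:
            raise ValueError(f"declared size over limit at {prefix!r}")
        for info in infos:
            path = prefix + info.filename
            if _ext(info.filename) in EXEC_EXT:
                hits.append(path)
                continue
            # Recurse on content, not only on name: an entry called
            # 'photo.jpg' that starts with the zip magic is still an archive.
            with zf.open(info) as fh:
                head = fh.read(len(ZIP_MAGIC))
            if head == ZIP_MAGIC or _ext(info.filename) == "zip":
                hits.extend(find_executables(zf.read(info), depth + 1, path + "::"))
    return hits


def scan_archive(data):
    """Verdict form of find_executables: (executables, rejection_reason)."""
    try:
        return find_executables(data), None
    except ValueError as exc:
        return [], str(exc)


def build_zip(entries):
    """Helper for the constructed samples: dict of name -> bytes to zip bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a text file, an image, a nested archive hiding a
# screensaver, and a .pif at the top level.
SAMPLE_ZIP = build_zip({
    "readme.txt": b"open the attached file",
    "photos/holiday.jpg": b"\xff\xd8\xff" + b"\x00" * 16,
    "message.zip": build_zip({"message.scr": b"MZ" + b"\x00" * 32}),
    "your_document.pif": b"MZ" + b"\x00" * 32,
})


def nested_zip(levels):
    """Constructed sample: a .exe wrapped in `levels` zips."""
    data = build_zip({"payload.exe": b"MZ" + b"\x00" * 8})
    for i in range(levels):
        data = build_zip({f"level{i}.zip": data})
    return data


if __name__ == "__main__":
    print(find_executables(SAMPLE_ZIP))
```

A limit violation is reported as a rejection rather than silently ignored: an archive the scanner refuses to open is exactly the one to hold, since its contents are unknown.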

No one loves me and I don't get much email from the folks who tolerate me. I just got back from having lunch with some guys who tolerate me and I found scads of messages from all over -the funniest among the bunch for our Nanog readers: <user>@cisco.com <user>@tacnet.com <user>@wcom.com <user>@sprint.com Looks like my internetwork equipment vendor and my two favorite peers have their Windoze stuff in a complete state of 'higgledy piggledy' - a technical term from Bloom County cartoons, for those not old enough to remember. I hate to rub it in, but I've got fifty days of uptime on everything I'm responsible for and the only reason it isn't a hundred and fifty is due to me taking them down for an OS upgrade. root 1 0.0 0.1 552 0 ?? ILs 3Jul03 0:01.56 /sbin/init -- Windows is a question presented to each of us. Some find their answer here ==> http://freebsd.org

Even they don't like you dude ... the sources are forged ... :) -Steve * neal rauhauser said:
No one loves me and I don't get much email from the folks who tolerate me. I just got back from having lunch with some guys who tolerate me and I found scads of messages from all over -the funniest among the bunch for our Nanog readers:
<user>@cisco.com <user>@tacnet.com <user>@wcom.com <user>@sprint.com
Looks like my internetwork equipment vendor and my two favorite peers have their Windoze stuff in a complete state of 'higgledy piggledy' - a technical term from Bloom County cartoons, for those not old enough to remember.
I hate to rub it in, but I've got fifty days of uptime on everything I'm responsible for and the only reason it isn't a hundred and fifty is due to me taking them down for an OS upgrade.
root 1 0.0 0.1 552 0 ?? ILs 3Jul03 0:01.56 /sbin/init --

On Thu, 21 Aug 2003, neal rauhauser wrote:
> No one loves me and I don't get much email from the folks who tolerate me. I just got back from having lunch with some guys who tolerate me and I found scads of messages from all over - the funniest among the bunch for our Nanog readers:
> <user>@cisco.com <user>@tacnet.com <user>@wcom.com <user>@sprint.com
it (sobig) forges the source email address using the same set of files that it looks in to find email addresses to send to... So all you can insure is that the user sending it to you is on some mailing list you're on or your email address is in their browser cache someplace... you have to look at the source ip address for the first hop to identify the culprit...
joelja
> Looks like my internetwork equipment vendor and my two favorite peers have their Windoze stuff in a complete state of 'higgledy piggledy' - a technical term from Bloom County cartoons, for those not old enough to remember.
> I hate to rub it in, but I've got fifty days of uptime on everything I'm responsible for and the only reason it isn't a hundred and fifty is due to me taking them down for an OS upgrade.
> root 1 0.0 0.1 552 0 ?? ILs 3Jul03 0:01.56 /sbin/init --
> Windows is a question presented to each of us. Some find their answer here ==> http://freebsd.org
--
--------------------------------------------------------------------------
Joel Jaeggli  Unix Consulting  joelja@darkwing.uoregon.edu
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2

On Thu, 21 Aug 2003 10:10:12 CDT, neal rauhauser <neal@lists.rauhauser.net> said:
> No one loves me and I don't get much email from the folks who tolerate me. I just got back from having lunch with some guys who tolerate me and I found scads of messages from all over - the funniest among the bunch for our Nanog readers:
> <user>@cisco.com <user>@tacnet.com <user>@wcom.com <user>@sprint.com
> Looks like my internetwork equipment vendor and my two favorite peers have their Windoze stuff in a complete state of 'higgledy piggledy' - a
No, it looks like some poor schmuck who happened to have those e-mail addresses somewhere on the disk has their windows system in trouble.
W32/SoBig-F is known to forge the From: field. Which explains why I've gotten at least 103 "you sent us a virus" postings regarding my Linux laptop.. ;)
Which of course just goes to show that people can be "behind the knowledge curve" no matter *what* operating system they happen to be using.

I prefer to think of it as having evolved to a higher plane of existence :-)
Valdis.Kletnieks@vt.edu wrote:
> On Thu, 21 Aug 2003 10:10:12 CDT, neal rauhauser <neal@lists.rauhauser.net> said:
> > No one loves me and I don't get much email from the folks who tolerate me. I just got back from having lunch with some guys who tolerate me and I found scads of messages from all over - the funniest among the bunch for our Nanog readers:
> > <user>@cisco.com <user>@tacnet.com <user>@wcom.com <user>@sprint.com
> > Looks like my internetwork equipment vendor and my two favorite peers have their Windoze stuff in a complete state of 'higgledy piggledy' - a
> No, it looks like some poor schmuck who happened to have those e-mail addresses somewhere on the disk has their windows system in trouble.
> W32/SoBig-F is known to forge the From: field. Which explains why I've gotten at least 103 "you sent us a virus" postings regarding my Linux laptop.. ;)
> Which of course just goes to show that people can be "behind the knowledge curve" no matter *what* operating system they happen to be using.

Probably not. The virus grabs a From address at random from the infected person's email inbox. So it's more likely someone who has got mail FROM those people rather than those people. See http://vil.nai.com/vil/content/v_100561.htm To quote, "The "From:" address may be spoofed with an address extracted from the victim machine."
---Mike
At 10:10 AM 21/08/2003 -0500, neal rauhauser wrote:
> <user>@cisco.com <user>@tacnet.com <user>@wcom.com <user>@sprint.com
> Looks like my internetwork equipment vendor and my two favorite peers have their Windoze stuff in a complete state of 'higgledy piggledy' - a

At 08:10 AM 8/21/2003, neal rauhauser wrote:
> No one loves me and I don't get much email from the folks who tolerate me. I just got back from having lunch with some guys who tolerate me and I found scads of messages from all over - the funniest among the bunch for our Nanog readers:
> <user>@cisco.com <user>@tacnet.com <user>@wcom.com <user>@sprint.com
> Looks like my internetwork equipment vendor and my two favorite peers have their Windoze stuff in a complete state of 'higgledy piggledy' - a technical term from Bloom County cartoons, for those not old enough to remember.
Today's problem virus forges the "from" field. So all those emails "from" <user>@cisco/tacnet/wcom/sprint were sent from an infected computer (or computers) that had those email addresses in it. Probably from a computer on a competitor's network. You need to look at the received headers to find out where the emails are *really* coming from.
jc
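The Received-header check that joelja and JC Dill describe, as an added Python example that is not from the thread: the MTA host names, the trusted-host set and the sample message are constructed for illustration, and only Received: lines stamped by your own hosts are treated as trustworthy.

```python
import email
import re
from email import policy

# Hosts we operate (assumption for this example). Only Received: lines that
# one of these hosts wrote are trustworthy; anything below them in the header
# stack was supplied by the sender and can be forged just like the From: line.
OUR_MTAS = {"mail.example.net", "mx2.example.net"}

BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def originating_ip(raw, our_mtas=OUR_MTAS):
    """Return the IP that handed the message to the first of our MTAs.
    Each hop prepends its own Received: line, so the list is newest-first;
    walk it from the bottom (oldest) upward and stop at the first line one
    of our own hosts wrote. Returns None if none of our hosts appears."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for hop in reversed(msg.get_all("Received", [])):
        by = BY_RE.search(hop)
        if by and by.group(1).lower() in our_mtas:
            ip = IP_RE.search(hop)
            return ip.group(1) if ip else None
    return None

# Constructed sample in the style of a worm-generated message: the From: is a
# harvested address, the bottom Received: line was forged by the sender, and
# the line above it, written by mx2.example.net, records the real connecting
# host (the dial-up/DSL machine that is actually infected).
SAMPLE = b"""Received: from mx2.example.net (mx2.example.net [192.0.2.20])
\tby mail.example.net with ESMTP id abc123; Thu, 21 Aug 2003 10:10:12 -0500
Received: from ABCDEF (dsl-77.example-isp.net [198.51.100.77])
\tby mx2.example.net with SMTP id xyz789; Thu, 21 Aug 2003 10:10:01 -0500
Received: from mail.example.com (mail.example.com [203.0.113.5])
\tby ABCDEF with SMTP id fake; Thu, 21 Aug 2003 10:09:00 -0500
From: someone@example.com
To: neal@lists.rauhauser.net
Subject: Re: Details

See the attached file for details
"""

if __name__ == "__main__":
    print("claimed From:", email.message_from_bytes(SAMPLE)["From"])
    print("real source :", originating_ip(SAMPLE))  # 198.51.100.77
```

The forged bottom Received: line and the From: both point at example.com, but the address to look up at whois (as Susan suggests later in the thread) is the one our own MX recorded.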

Email for me is becoming more of a pain in the ass than it's worth..
On Thu, Aug 21, 2003 at 10:10:12AM -0500, neal rauhauser wrote:
> No one loves me and I don't get much email from the folks who tolerate me. I just got back from having lunch with some guys who tolerate me and I found scads of messages from all over - the funniest among the bunch for our Nanog readers:
> <user>@cisco.com <user>@tacnet.com <user>@wcom.com <user>@sprint.com
> Looks like my internetwork equipment vendor and my two favorite peers have their Windoze stuff in a complete state of 'higgledy piggledy' - a technical term from Bloom County cartoons, for those not old enough to remember.
> I hate to rub it in, but I've got fifty days of uptime on everything I'm responsible for and the only reason it isn't a hundred and fifty is due to me taking them down for an OS upgrade.
> root 1 0.0 0.1 552 0 ?? ILs 3Jul03 0:01.56 /sbin/init --
> Windows is a question presented to each of us. Some find their answer here ==> http://freebsd.org

neal rauhauser wrote:
> No one loves me and I don't get much email from the folks who tolerate me. I just got back from having lunch with some guys who tolerate me and I found scads of messages from all over - the funniest among the bunch for our Nanog readers:
> <user>@cisco.com <user>@tacnet.com <user>@wcom.com <user>@sprint.com
> Looks like my internetwork equipment vendor and my two favorite peers have their Windoze stuff in a complete state of 'higgledy piggledy' - a technical term from Bloom County cartoons, for those not old enough to remember.
--snip--
Aww, Neal, you know that I still love you and send you email from time to time;)

In some cases you can determine the infected machine from the IP in the header. Of course, if that IP is dynamically assigned it's a little harder. If the volume of email from one source IP gets too high, a friendly call to their company or ISP might get results--a lookup of the IP at whois.arin.net should give you the contact info you need.

This virus has been a royal pain for me. My personal, work, postmaster and webmaster accounts have finally dropped off receiving it, but if anyone wants the more than several thousand I received Tues. and Wed., they're welcome to it.

Anyway, just a note on the consequences here. Each time one of these silly things hits that forges sender addresses, the number of possible future infectees who have your email address increases. Let's say that your brother was infected by Klez. His computer sent out a bunch of emails as other people--some of them as you. One of those folks gets infected. Their computer sends out a bunch of emails as other people--some of them as you. Now you've got people that are friends and co-workers of other friends that were infected. Each time that circle gets larger and the number of folks who potentially have your email address somewhere on their system widens. THIS SUCKS! The postmaster account is by far the worst one as far as receiving. If anyone ever finds out where to send the bill and the firing squad, I'll be at the front of the line;)
--
-Susan
--
Susan Zeigler | Technical Services
szeigler@spindustry.com | Spindustry Systems
515.225.0920 | "You cannot strengthen the weak by weakening the strong." -- Abraham Lincoln

Dave Howe wrote:
> Crist Clark wrote:
> > Unless your AV software has a clue, like most do, and unzips archives and sees what's inside.
> which is ideal for virus scanning, but not for blanket-blocking of email. A zipped archive containing an executable cannot (unless something has changed that I don't know about) be automatically opened by any mail client - the user must make a deliberate attempt to open the archive then execute the attachment (although the actual extraction can be performed automatically by many decompression utilities if you double-click an executable or document inside its browser)
Automatic opening by Outlook and Outlook Express (I'm not aware of any other MUAs that have actually had worms in the wild that do this) has actually only been used by a few worms. As I mentioned in the original mail, this is how Mimail from a week or two ago spread. An *.htm (not even "executable," whatever that means on Windows anymore) was inside of a zip.
> there is of course no allowing for the stupidity of users - but if you have a stupid enough user you could induce him to bypass any protection anyhow.
AFAIK, the present scourge of the net, Sobig.F, requires the reader to "click on it." It's not one of those that takes advantage of Outlook or IE bugs to auto-execute. Most moron^H^H^H^H^Husers do so out of curiosity. We've been telling them not to do this for several years. They still do it. Face it, they are never going to stop doing it.

I don't want the users to be able to "click-through" to execute the file, whether it is one or two steps. It's too easy for the curious. My goal is to have the ones who _really_ want to get a "forbidden" extension through the system need to actually *gasp* use the keyboard to rename the file! That means they have to save the mangled name to a file, rename it back, and then "run" it. Ju-ust that little bit of effort is enough to stop several nines of the curious.

I remember wa-ay back in the Melissa days, before AV email gateways were widely used, implementing MIMEdefang which did these simple things. That was, and still is, enough to stop an awful lot of this junk. Similarly, if someone wants to zip some things up, mangle the zip extension, and then send it on through, it's OK with me. That's enough to stop the curious.
--
Crist J. Clark crist.clark@globalstar.com
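The extension mangling plus look-inside-the-zip check discussed in this exchange, as an added Python example that is neither MIMEdefang's code nor anything posted in the thread: the extension deny-list, the appended `.txt` suffix, and the sample message with a `.pif` attachment and a zip hiding an `.exe` are all constructed for illustration.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Example deny-list (constructed for this example, not a recommended policy).
FORBIDDEN = re.compile(r"\.(exe|pif|scr|bat|cmd|com|cpl|hta|lnk|vbs|js)$", re.I)

def is_forbidden(name):
    return bool(name) and FORBIDDEN.search(name) is not None

def forbidden_in_zip(data):
    """Names inside a zip with a forbidden extension; [] if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if is_forbidden(n)]
    except zipfile.BadZipFile:
        return []

def mangle_attachments(msg, suffix=".txt"):
    """Rename risky attachments in place so a click cannot run them; the user
    must save and rename the file. Returns (old, new, reasons) per part."""
    actions = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = []
        if is_forbidden(name):
            reasons.append("forbidden extension")
        elif name.lower().endswith(".zip"):
            inner = forbidden_in_zip(part.get_payload(decode=True))
            if inner:
                reasons.append("zip contains " + ", ".join(inner))
        if reasons:
            new_name = name + suffix
            part.replace_header("Content-Disposition", f'attachment; filename="{new_name}"')
            actions.append((name, new_name, reasons))
    return actions

def build_sample():
    # Constructed message: a .pif attachment plus a zip hiding an .exe.
    msg = EmailMessage()
    msg["Subject"] = "Re: Details"
    msg.set_content("See the attached file for details")
    msg.add_attachment(b"MZ\x90\x00stub", maintype="application",
                       subtype="octet-stream", filename="details.pif")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ\x90\x00stub")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg
```

Running `mangle_attachments(build_sample())` renames both parts to `details.pif.txt` and `invoice.zip.txt`; a real deployment would also insert the explanatory text part Jack Bates describes earlier in the thread.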