RE: handling Sircam and the like from the e-mail service operator 's perspective...
-----Original Message----- From: woods@weird.com [mailto:woods@weird.com] Sent: Friday, August 03, 2001 9:32 AM
I'm beginning to find that some of my clients who operate e-mail services are facing some very real ongoing operational issues with the likes of the Sircam worm/Trojan. At the moment the clients with the most pressing problem is a small cable-modem and dial-up operator.
So far I've been advising all of my clients to treat these kinds of worms as valid e-mail and to simply help their end users, where possible, to eliminate it and deal with its impacts. I.e. if we're going to accept any e-mail from a given SMTP client to a given recipient then we accept it and deliver it without regard to its content.
That last part is the problem. Why not filter on SirCam, at the mail host? We had to do the LoveBug and it worked well. The issues were almost identical, except that LoveBug was smaller.
We're working under the general assumption that a large segment of these users would undoubtably become very angry if we simply filtered out all attachments, or even just those with filename extensions that losing software might try to "execute" (though in general that means anything that might include "macros" with the data too!), however I don't see any other manageable way to stop this kind of attack (other than eliminating or fixing all of the broken software that can be exploited in this way!).
Run virus scanners on all inbound mail. Yes, I know that burns CPU cycles like mad. It does a pretty good job of thrashing DASD as well.
We're also working under the general assumption that a large segment of these users would become very angry if we dropped the maximum message size to a limit that at least Sircam and its ilk couldn't quickly overflow our average mailbox quotas. We've done this temporarily overnight and over weekends before we upgraded system capacities, and that did cause a lot of extra load on the support lines, but it stopped transmission of at least Sircam in its tracks (being it's always >135KB).
My clients will generally be able to manage the expectations of their users better if they can point to other larger service providers who've taken equally, or more, draconian measures.... :-)
Since you have a working signature, for SirCam, why not use it in production?
participants (1)
-
Roeland Meyer