Connect with us

Worm and Virus attack

Discussion in 'Electronic Design' started by Aubrey McIntosh, Sep 19, 2003.

Scroll to continue with content
  1. Active8

    Active8 Guest

    good point, but i wasn't aware that bouncing did that. figure that with
    mailwasher, you're viewing the message on the server which requires a
    download, but it's still on the server. a bounce message should be just
    that, a bounce message, no?

    i just bounced 15 as a test. that would be 1.59MB or 12.72Mb at 14.4kbps
    dial-up upload speed or 883 sec.

    it took 30 sec. :)

    from the help:

    Clicking the Bounce box on a message or selecting E-mail/Mark for
    Bouncing from the menu sends a faked “address not found” message to the
    address that the message originated from. This reduces the possibility
    of more spam e-mail coming from this address. Checking the Bounce box
    will automatically check the Delete checkbox.

    Some messages may meet the virus or spam-like material selection
    criteria that is configured into MailWasher and these will automatically
    be set to Bounce and Delete. However you may unset these checkboxes if
    you wish to receive the mail.

    end of topic

    so the mail is viewed but not downloaded and the only thing sent is a
    bounce message.
    i know of no filter rule ( i'm using pegasus mail, but checked out the
    bat. i think bat would be a good client and pegasus a good list server)
    that would handle this random crap.

    i'm up to 90 now. about 4 per hour.

    BTW, mailwasher can blacklist mail from certain users, so any repeat
    from the same random sender will be blaclisted. it has filters. the 2
    filters that come with it (unchecked by default) are for mail sent to
    "undisclosed recipient" and mail not specifically to you (me).

    mike
     
  2. Active8 wrote...
    MailWasher, ok, thanks for the tip. I'll check it out.

    Thanks,
    - Win
     
  3. Serves you right for being so famous/popular. I only got the one.

    evin Aylward

    http://www.anasoft.co.uk
    SuperSpice, a very affordable Mixed-Mode
    Windows Simulator with Schematic Capture,
    Waveform Display, FFT's and Filter Design.
     
  4. Nico Coesel

    Nico Coesel Guest

    Oops. I forgot the smiley :)
    Seriously, ISPs should block all e-mail composed by Outlook. There is
    no other alternative.
     
  5. Bruce Tomlin

    Bruce Tomlin Guest

    I used to use Eudora a long time ago, until they came up with the adware
    version. The problem wasn't the adware, the problem was that they
    completely rewrote the UI code for the Mac version, presumably with
    oodles of C++, and window redraw was too slow. They would visibly
    flicker during redraw.

    Anyhow, the trick I found was to locate the cache directory for the ads,
    delete it, and create an empty file of the same name. The ad window was
    still there, but it couldn't download any ads, so the window was empty.
     
  6. Jim Thompson

    Jim Thompson Guest

    Cox West crashed early this morning at 3:44AM MST and didn't come back
    until about 9:15AM MST.

    (I stopped using my Cox username and created a new mail account with a
    really obscure, hard to guess, name :)

    ...Jim Thompson
     
  7. John Larkin

    John Larkin Guest


    Except that Windows is crap through and through.

    Any decent operating system separates I and D-spaces, and Windows
    doesn't. So buffer overrun exploits are easy. Buffer overruns are a
    chronic defect in Windows, and apparently always will be.

    Microsoft's QC is abysmal; they actually make money selling crappy
    operating systems and applications that encourage everybody to keep
    upgrading.

    Microsoft seems to have the attitude that, when in doubt, execute it.
    In Redmond nobody seems able to tell the difference between data and
    code. So you can have viruses in Word documents, spreadsheets,
    unopened email and, of course, any executable. Hell, I ran RSTS/E in
    1980 on a PDP-11 and hosted my company plus four competing high
    schools full of creative brats; they tried mightily, but it was
    impossible to crash, even programming in assembly, and it ran for
    months between power failures. This because it had a clean, simple
    kernal that simply did not allow user applications to exceed defined
    priviliges; Windows has no such control.

    Windows defaults to least-secure settings when installed. Why?

    Apple/UNIX/Linux/VMS/Solaris security lapses are measured in bugs per
    year, and often clock in at zero. Windows bugs run several per week.

    John
     
  8. Certainly worms have been around since the beginning of computers
    (even before email). However OE makes the propagation totally
    transparent. YOY does anyone make attachment auto-execute even a
    possibility, much less the default?

    Essentialy worms/viruses are allowed to propagate like wildfire
    because we have such a mono culture. A little diversity wouldn't
    hurt, along with a certain software manufacturer that cares
    something about security.
    The problem with this particular worm is that it's effectively a
    DoS attack on the entire Internet. I don't *have* to be infected
    to have wasted many hours cleaning up.
    I won't get a virus if I never power the computer on either.
    ....hardly a good choice.
    Which is what I've spent most of today doing. It's a PITA
    though. I finally figured out that they aren't using the "To:"
    or "CC:" for the address, so I've filtered on these. It's still
    a PITA because my ISP doesn't do complex filtering, so I had to
    do an "OR" by shuffling the email off to another account if it
    was addressed to me.
     
  9. Guest

    Guest Guest

    with a little insight and effort the PC-version can be 'quieted' also
    (hint: use a free software firewall like Sygate)
    ....Eudora did loose a bunch of entries from my addressbook recently...
    but I doubt that that was 'in revenge' for nor letting it "call home"
    (though I can't be sure, of course... :(


    p.s. why was this cross-posted to sci.electronics.design anyways?
    I'll take that out (of my FollowUp-To-header)
     
  10. Guest

    Guest Guest

    you must have received an (increasing) number of bounces also,
    without the worm (ISPs are installing filters and dropping the
    attachments), plus bounces of "Can't be delivered, no such address.

    simple: one uses a decent mail-agent and ISP (the latter is hard to
    figure out beforehand); one doesn't download but the headers (IMAP)
    or only complete messages shorter than X k (Eudora) with X set to
    between 10k and 70k (would work for most)

    sweN --> News if you stop posting to USEnet the rate should
    go down within a day or two...
    :)

    sometimes I can't help but wonder is such worms are written by
    people who are disgusted with deficiencies in current computing
    platforms: talking to MicroSloth (and sendmail, for that matter)
    authors for several decades about lurking problems didn't get
    anything addressed, telling ISP's about DOS-attack problems,
    mail-floods (both message size and number of messages), forging,
    snooping, etc... didn't get any of them to take any steps.

    I just checked, and it's somewhere between funny and pathetic to
    see how many users here have hundreds of megabytes waiting for
    them in the mail-queue... I wonder how many ISPs are learning
    the hard way about this problem (waiting to happen again) and
    how many lusers will get their courage up to bitch at their ISP
    to get their shit together and PREPARE for this kind of event
    to happen again and again and again... and to be ready to react
    quickly and effectively, without poor lusers getting overwhelmed
    and losing the email that they actually want to receive.

    this particular attack is targetting the USEnet community as
    a whole (those who don't post there should see little... and
    may wonder what the hoopla is all about) and the theory is that
    its some spammer(s) who are trying to retaliate and inconvenience
    (keep otherwise busy) those netizens who are trying to fight the
    email spam problem... could be, but maybe not.

    ...next time it will be another subset of the online community
    (users of some software, website, or communication protocol) who
    will be victimized, thrown for a loop, and more and more people
    will get turned off to the whole online experience and technology.

    Vandals and Anarchists clearly have a new playground, as do all the
    snakeoil salesmen and con artists of the world... (not mentioning
    criminal and political organizations, and business mainsleaze...
    it's going to be a long next couple of years, I fear)
     
  11. Here's Qualcomm's statement on the Aureate issue:

    http://www.eudora.com/techsupport/kb/2220hq.html


    Best regards,
    Spehro Pefhany
     
  12. YD

    YD Guest

    Got an addie? J/K :)

    Seems the thing scours the news spool and other sources besides OE's
    address book. My techie.com account used to get 2 or 3 'MS updates' a
    day, this latest variant has it overrun, some 200 or 300 a day since
    Wednesday.

    - YD.
     
  13. YD

    YD Guest

    Filter by subject line and sender, they don't vary all that much. I
    know it's a bit of added hassle but you need to do it only once.

    Netscape for mail, Opera for browsing (mail on trial), Forté Agent for
    news, Zone Alarm firewall, occasional peeks in the registry settings,
    close watch on unexpected activities. Seems to be keeping me safe
    enough.

    - YD.
     
  14. Jim Thompson

    Jim Thompson Guest

    That's why I stopped using a valid E-mail address on the news groups,
    plus my SIG refers you to the website... where the E-mail address is
    an *image* thus not harvestable.

    ...Jim Thompson
     
  15. Colin Bloch

    Colin Bloch Guest

    Sendmail is an MTA & whatever security issues its had in the past
    have had nothing to do with the spread of worms.
    No its not.
    No they shouldn't.

    It spreads through Kazaa, Email, mapped drives, IRC and yes, will
    randomly post to newsgroups on your configured news server (or
    just pick one if you don't have one configured.) However there
    is no "targeting" nor any group at risk more than any other.

    http://securityresponse.symantec.com/avcenter/venc/data/

    CAB
     
  16. Frank Buss

    Frank Buss Guest

    Not for the current worm. I received yesterday ca. 100 virus eMails, today
    300, hoping the big providers will install sending filters, if the costs
    are getting to high for them. But I don't want to think about what could be
    possible, if a worm attacks sendmail and uses all the eMail addresses of
    it.

    Any comments about this program: http://tmda.net ?

    I don't have time at the moment to install it on my server, but it looks
    like a good solution to all spam and virus problems.
     
  17. Jim Thompson

    Jim Thompson Guest

    On the face of it, Challenge/Response sounds marvelous. Then you
    realize it will sink the Internet with the traffic density going up
    astronomically.

    I think blacklisting ala SpamCop/SPEWS will ultimately settle the
    problem.

    ...Jim Thompson
     
  18. Frank Buss

    Frank Buss Guest

    Why? It sends only one mail for an incoming virus mail or spam. If the
    destination address is invalid and a response mail is received, I hope the
    program can recognize it, otherwise...
    Currently I've installed SpamPal, but all theses programs are not perfect.
    The challenge/response concept looks perfect; at least until the spammers
    integrate it in their programs, but then you can enhance the challenge:
    I've read about a challenge, where the user must click on a point on an
    image and the position is described by text or a text, which is difficult
    for OCR programs to recognize, must be typed in a web form.
     
  19. The problem with this worm is that it is a DoS attack on lots of mailservers
    I have had about 2000 of these in the last 2 days - I wonder if it is those
    who are using NGs - a lot of the frequent posters on this NG are affected.
    I have talked to my ISP - the worm avoids most of their filter settings. It
    appears to disguise its source address. This will be one of the biggest
    attacks yet I think. It doesnt matter which E mail clent you use as the worm
    clogs up your mailbox at the ISP level.

    Richard



    http://www.speff.com
     
  20. Swen's size is within 147000 to 161000 bytes.
    Are you able to reject on size range?
     
Ask a Question
Want to reply to this thread or ask your own question?
You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.
Electronics Point Logo
Continue to site
Quote of the day

-