Maker Pro

Worm and Virus attack

Winfield Hill
Dusty Rhodes wrote...
I haven't looked at the worm, but I'd guess it also uses address books
to spread itself. You may have been in the address book of a clueless
luser, making you a target.

Yes, from what I've read it uses address book info. I got a peak of
750 in a single 5-minute period Friday morning, dropping to 1200/day
and now down to about 820 per day, a real pain to deal with.

Apparently I'm in the address books of quite a few folks who failed
to download updates to their Microsoft operating system. BTW, Dusty,
was that loser or user you were referring to? Or a combination?

Thanks,
- Win
 
Jim Thompson
Dusty Rhodes wrote...

Yes, from what I've read it uses address book info. I got a peak of
750 in a single 5-minute period Friday morning, dropping to 1200/day
and now down to about 820 per day, a real pain to deal with.

Apparently I'm in the address books of quite a few folks who failed
to download updates to their Microsoft operating system. BTW, Dusty,
was that loser or user you were referring to? Or a combination?

Thanks,
- Win

I guess my feelings should be hurt... I've received not a single
one... but my server does some pre-filtering.

...Jim Thompson
 
Winfield Hill
Jim Thompson wrote...
I guess my feelings should be hurt... I've received not
a single one... but my server does some pre-filtering.

You should have gotten a few, before your ISP learned all
the new email worm's details. Another interesting tidbit,
my domain provider uses the highly-acclaimed spam assassin,
which sadly fails to get more than about 1% of the offending
email, possibly due to its semi-random naming scheme, which
has prevented me from coming up with viable filters.

BTW, propagating this stuff from email address books has
an interesting implication: "hiding" your email address
by making changes, such as you've done, should not be much
help. That's because the folks who store your address in
their address books will have repaired the modifications.

Thanks,
- Win
 
Dusty Rhodes
Winfield said:
Dusty Rhodes wrote...

Yes, from what I've read it uses address book info. I got a peak of
750 in a single 5-minute period Friday morning, dropping to 1200/day
and now down to about 820 per day, a real pain to deal with.

Apparently I'm in the address books of quite a few folks who failed
to download updates to their Microsoft operating system. BTW, Dusty,
was that loser or user you were referring to? Or a combination?

No one in particular. But it's very BOFHish to consider those who don't
bother to keep their systems patched or secured to be clueless lusers.

Cheers,

Dusty
 
Jim Thompson
Jim Thompson wrote...

You should have gotten a few, before your ISP learned all
the new email worm's details. Another interesting tidbit,
my domain provider uses the highly-acclaimed spam assassin,
which sadly fails to get more than about 1% of the offending
email, possibly due to its semi-random naming scheme, which
has prevented me from coming up with viable filters.

BTW, propagating this stuff from email address books has
an interesting implication: "hiding" your email address
by making changes, such as you've done, should not be much
help. That's because the folks who store your address in
their address books will have repaired the modifications.

Thanks,
- Win

Never got a single one. Indeed quite strange, but I'll not complain.

(My *web forwarding* ISP uses SpamCop *and* SPEWS lists plus "filters"
which they won't divulge to me.)

...Jim Thompson
 
Tony Williams
Winfield Hill said:
BTW, propagating this stuff from email address books has
an interesting implication: "hiding" your email address
by making changes, such as you've done, should not be much
help. That's because the folks who store your address in
their address books will have repaired the modifications.

Apparently the addresses are being actively harvested from news
spools, using the From: (and Reply To:?) lines in the headers of
posts. The fastest I've seen reported so far is about 40 minutes,
from a usenet post with a brand new address to the receipt of a
Swen email. This is possibly why Jim_T has not been affected.

It has been reported that Swen also discards addresses
with the ASCII strings 'delete' or 'nospam' in them.

So how do you like my new address?
 
Daniel Haude
On 24 Sep 2003 16:27:32 -0700,
in Msg. said:
Apparently I'm in the address books of quite a few folks who failed
to download updates to their Microsoft operating system.

Like in mine. But that's a Pine addressbook on a Unix system.
It ain't my fault! ;-)

--Daniel
 
Doug McLaren

Winfield Hill
[email protected] wrote...
quoting Winfield

Indeed, I'm well over 10000 so far, sheesh!
the worm gathers addresses from USEnet posts, so if you don't
use your work email address to post...

That's not what I read at Symantec, but I've had it, as of
now my email address will require hand-editing to function.

Thanks,
- Win
 
Winfield Hill
Winfield Hill wrote...
... I've had it, as of now my email address will
require hand-editing to function.

OK, one more try...

Thanks,
- Win
 
Winfield Hill
Winfield Hill wrote...
Winfield Hill wrote...
OK, two more tries...

Whew, three attempts should do it!

Thanks,
- Win

whill_at_picovolt-dot-com
 
Winfield Hill
Winfield Hill wrote...
Winfield Hill wrote...
Whew, three attempts should do it!

Double-check, sorry folks...

Thanks,
- Win

whill_at_picovolt-dot-com
 
Winfield Hill
Joe Legris wrote...

Newsguy has a mailbox service with 25MB of space (about
6 hours of the full-scale email bombs I've experienced),
but I haven't learned how to use it. As far as I can see
sending mail to [email protected] doesn't work.
When I create a posting whill_a@t_picovolt-dot-com is the
new From: address I see, but [email protected]
is the address you get, go figure.

In future y'all will have to edit my address above. :>(

Thanks,
- Win

whill_at_picovolt-dot-com
 
Michael A. Terrell
Winfield said:
Jim Thompson wrote...

You should have gotten a few, before your ISP learned all
the new email worm's details. Another interesting tidbit,
my domain provider uses the highly-acclaimed spam assassin,
which sadly fails to get more than about 1% of the offending
email, possibly due to its semi-random naming scheme, which
has prevented me from coming up with viable filters.

BTW, propagating this stuff from email address books has
an interesting implication: "hiding" your email address
by making changes, such as you've done, should not be much
help. That's because the folks who store your address in
their address books will have repaired the modifications.

Thanks,
- Win

Win, I have never used an address book on a computer. I have a folder
of text files with names and addresses that I copy and paste into the
e-mail program.

Take a look at this page: http://home.earthlink.net/~mike.terrell/
and you will see that you can't find the e-mail address in the page
source. I only use that e-mail address for the website. The actual
address is stored in a small JavaScript on the web server. If you look
at other pages on the site and click on an e-mail button you will see
that each page generates a customized subject line to let me identify
the page an e-mail was sent from.
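
Added example, not part of the original post and not the site's actual script: one way a page can keep an address out of its HTML source and attach a per-page subject line, as the post above describes. The fragment layout, the `data-mail-button` attribute and the example.com address are assumptions.

```javascript
// Added example: assemble a mailto: link at click time so the address never
// appears as one literal string in the HTML source. All names are hypothetical.

// Address kept as fragments (constructed sample; example.com is a placeholder).
const ADDRESS_PARTS = { user: ["web", "master"], host: ["example", "com"] };

// Reject anything that could smuggle extra headers or a second recipient
// into the mailto: URL.
function cleanPart(s) {
  if (!/^[A-Za-z0-9._-]+$/.test(s)) throw new Error("bad address fragment: " + s);
  return s;
}

function buildAddress(parts) {
  const user = parts.user.map(cleanPart).join("");
  const host = parts.host.map(cleanPart).join(".");
  return user + String.fromCharCode(64) + host; // 64 is "@"
}

// Subject identifies the page the mail was sent from. CR/LF are collapsed and
// the value is percent-encoded so a page title cannot add mail headers.
function buildMailto(parts, pageTitle) {
  const subject = "Website: " + String(pageTitle).replace(/[\r\n]+/g, " ").trim();
  return "mailto:" + buildAddress(parts) + "?subject=" + encodeURIComponent(subject);
}

// Browser wiring: no href exists until the visitor clicks the button.
if (typeof document !== "undefined") {
  document.querySelectorAll("[data-mail-button]").forEach((el) => {
    el.addEventListener("click", (ev) => {
      ev.preventDefault();
      window.location.href = buildMailto(ADDRESS_PARTS, document.title);
    });
  });
}
```

This only hides the address from tools that read static page source; it does nothing once the address sits in a correspondent's address book or in the From: line of a news post, the two sources discussed earlier in the thread.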
 
Not for the current worm. I received yesterday ca. 100 virus eMails, today
300, hoping the big providers will install sending filters, if the costs
are getting too high for them. But I don't want to think about what could be
possible, if a worm attacks sendmail and uses all the eMail addresses of
it.
Any comments about this program: http://tmda.net ?
I don't have time at the moment to install it on my server, but it looks
like a good solution to all spam and virus problems.

I have been using spam bouncer for a long time, and until a few days ago,
I only got 3-5 spams a week. Now I get about 10 a week, and installed
spam assassin to catch those spam bouncer did not. I am back down to 3-5 a
week.

http://spambouncer.org
 
Russell Shaw
Active8 said:
[snip]
Windows defaults to least-secure settings when installed. Why?

Apple/UNIX/Linux/VMS/Solaris security lapses are measured in bugs per
year, and often clock in at zero. Windows bugs run several per week.

John

not to mention - at least as far as Linux is concerned - the kernel team
(or whatever the article one of the Linux mags called it) responds
quickly to reported vulnerabilities. one guy reported that he sent
himself a malformed packet that screwed things up and they had the patch
ready within 24 hrs. it was an "In the Trenches Article."

MS, on the other hand likes to deny vulnerabilities. it's pretty
negligent, AFAIC.

mike

A large monoculture of identical os/apps with the same holes is
the cause of an increasing population of virus writers and anti-virus
vendors that all feed on each other and make networks vulnerable
to cascading failure: http://dc.internet.com/news/article.php/3084381
 