Discussion:
(9) bounced SOBIG.Fs so far
n***@novirus.com
2003-08-19 19:45:02 UTC
I haven't had any host trying to send me the worm directly, but I've gotten 9
bounces from MXs so far today. (None have actually detected the worm yet.)
There's probably nothing I can do about worms forging my email address, right?
I doubt it, but I'm just checking.

Some MXs return the whole large attachment to me, so it takes a while to
download all of them. Otherwise, I wouldn't mind much.

Oops, correction: a 10th one just came in, bounced from star.net.uk, and
their AV did identify SOBIG.F
--
Ken
Mal Franks
2003-08-20 08:18:01 UTC
On Tue, 19 Aug 2003 19:45:02 GMT Thorin sat down and started singing
about gold. Gandalf entered. Gandalf said "Hurry up". After being
threatened with a cloven skull from one well placed blow,
Post by n***@novirus.com
I haven't had any host trying to send me the worm directly, but I've gotten 9
bounces from MXs so far today. (None have actually detected the worm yet.)
There's probably nothing I can do about worms forging my email address, right?
I doubt it, but I'm just checking.
Some MXs return the whole large attachment to me, so it takes a while to
download all of them. Otherwise, I wouldn't mind much.
Oops, correction: at 10th one just came in, bounced from star.net.uk, and
their AV did identify SOBIG.F
We received 5 of them this morning - only one recognised it (DrWeb a/v
detected it as Reteras aka SOBIG)

Wonder why those a/v programs which are able to identify which worm/virus
it is are not also taught to not send warnings "back" to the From:
address when it is known that this worm/virus spoofs the sender?

I noticed that the recipients of this worm are in the same or related
industries to our company. This is not surprising especially as I seem to
spend my time sending e-mail based wrist slappings to employees of
certain investment/insurance companies for putting every recipients
address in the To: field of their mailing lists!
--
Mal Franks
] ***@eitherofdomainsbelow.org
[ www.speccies.org : a comp.sys.sinclair site
] www.guildsofcamelot.org.uk : set-up your DAoC guild's private forum
Ted Davis
2003-08-21 20:53:25 UTC
On Thu, 21 Aug 2003 08:25:37 -0400, "Joe Blizzard"
This is becoming as bad as the viruses themselves - in fact I have to
make far more office calls to faculty to reassure them that they do
*not* have the virus some bounce message told them they did.
The questions are what is the best way to get the word out to the
people who need to take action to stop this, and who are those people.
I'm one of those people (I administer a corporate mail server) and I already
have the word. My mail scanner is configured to *not* send out notifications
when a virus is detected, for exactly the reasons discussed here. I think
maybe the default setup on some av apps is to send notices and a lot of
people load the app and either don't bother to configure anything or don't
know how.
They are driving me crazy today - I've put so many sledgehammer filters
in the server that they are interfering with things like sending
attachments to mailing lists (yeah, I know it's wrong, but try telling
that to a college professor). I'm currently stopping about two worms
a minute on the only address on that server that gets mail from the
outside, and many many bounce messages. It looks like about 800
copies of Sobig.f and Sobig bounce messages were sent to me today.

It's comforting to know that at least some people have turned the
brain dead auto responder off.
T.E.D. (***@gearbox.maem.umr.edu)
SPAM filter: Messages to this address *must* contain "T.E.D."
somewhere in the body or they will be automatically rejected.
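One defender-side check for the flood of bounces described above, as an added example that is not code from the thread: a returned DSN is classified as backscatter by inspecting the original message the remote MX quoted back, using the Received trail that MX wrote (the host that really connected) rather than the forged From. The domain, hostname and sample messages are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumptions (not from the thread): the domain whose address is being forged
# and the hostname of its only legitimate outbound mail server.
OUR_DOMAINS = {"novirus.com"}
OUR_HOSTS = {"mail.novirus.com"}


def quoted_original(bounce):
    """Return the original message a DSN embeds as message/rfc822, else None."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0]
    return None


def classify_bounce(raw):
    """'genuine' if the bounced mail really left our MTA, 'backscatter' if a
    worm forged our address, 'unknown' if the bounce quotes no original."""
    orig = quoted_original(email.message_from_string(raw, policy=policy.default))
    if orig is None:
        return "unknown"
    # The Received trail was written by the remote MX: it records the host that
    # actually connected, which for Sobig is the infected PC, not our server.
    received = [str(r).lower() for r in orig.get_all("Received", [])]
    if received:
        ours = any(f"from {h}" in r for r in received for h in OUR_HOSTS)
    else:  # no trail returned: fall back to the weaker (forgeable) Message-ID
        msgid = str(orig.get("Message-ID", "")).strip("<> ").rsplit("@", 1)[-1]
        ours = msgid.lower() in OUR_DOMAINS
    return "genuine" if ours else "backscatter"


def make_bounce(orig_msgid, connecting_host):
    """Build a constructed DSN that returns the whole original message."""
    orig = EmailMessage()
    orig["Received"] = f"from {connecting_host} by mx.example.net; 19 Aug 2003 19:40:00 GMT"
    orig["From"], orig["To"] = "ken@novirus.com", "someone@example.net"
    orig["Message-ID"], orig["Subject"] = orig_msgid, "Re: Details"
    orig.set_content("See the attached file for details")
    dsn = EmailMessage()
    dsn["From"], dsn["To"] = "MAILER-DAEMON@example.net", "ken@novirus.com"
    dsn["Subject"] = "Undeliverable: Re: Details"
    dsn.set_content("Your message could not be delivered.")
    dsn.add_attachment(orig)  # embedded as a message/rfc822 part
    return dsn.as_string()


if __name__ == "__main__":
    print(classify_bounce(make_bounce("<20030819.1@novirus.com>", "mail.novirus.com")))
    print(classify_bounce(make_bounce("<0a0a@infectedpc>", "infectedpc [198.51.100.7]")))
```

Bounces classified as backscatter can be filed away instead of downloaded and read; AV notifications that quote no original land in "unknown" and need a separate rule.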
n***@novirus.com
2003-08-23 04:25:35 UTC
Post by n***@novirus.com
There's probably nothing I can do about worms forging my email address, right?
Practicing email address hygiene helps...
- use throwaway alias when a working email address is demanded
so people can't find me in a month or a year?
- filter throwaway alias to Trash, or clear from server
- use BCC: when sending to more than one recipient
- turn off the "harvest addresses to address book" feature
- don't allow Outbreak to be scripted, keep it empty
how about just: don't use Outlook
- don't post addresses in public forums
and lose a client that might pay me $10k a month? HA!!! Okay, the high paying
days are over, but they might come back...

Quote: "It could happen" (J. Tenuta)
--
Ken
cquirke
2003-08-23 10:17:03 UTC
Post by n***@novirus.com
Practicing email address hygiene helps...
- use throwaway alias when a working email address is demanded
so people can't find me in a month or a year?
Exactly. Hint: Not everyone who demands your email address is someone
you'd want to give it to (registration forms etc.)
Post by n***@novirus.com
- filter throwaway alias to Trash, or clear from server
- use BCC: when sending to more than one recipient
- turn off the "harvest addresses to address book" feature
- don't allow Outbreak to be scripted, keep it empty
how about just: don't use Outlook
That's a given. But just because you don't use Outbreak doesn't mean
other entities don't use Outbreak; it's scriptable.
Post by n***@novirus.com
- don't post addresses in public forums
and lose a client that might pay me $10k a month? HA!!! Okay, the high paying
days are over, but they might come back...
What part of "public forums" did you miss? The typical approach is to
mung the address (e.g. ***@isp.com becomes
***@nospam.com or spam.me at isp dot com). That way, humans
can find you but bots can POAGF.
--------------- ----- ---- --- -- - - -
Error Messages Are Your Friends
--------------- ----- ---- --- -- - - -
n***@novirus.com
2003-08-24 00:10:35 UTC
Post by cquirke
Post by n***@novirus.com
so people can't find me in a month or a year?
Exactly. Hint: Not everyone who demands your email address are ppl
you'd want to give it to (registration forms etc.)
oh, take a hike with your condescending "advice". you really think you're
possessing some superior knowledge? You don't even address the topic of the
thread
Post by cquirke
What part of "public forums" did you miss? The typical approach is to
this arrogant, hypocritical crap from someone using <***@iafrica.com>

Having done anti-spamming for years, I (and most people alive) know what
munging is

into the twit file you go. *plonk*. I don't have time for your foolish kind.
Go put your little Napoleon hat on and play somewhere else
--
Ken