
Re: MS BS



Thomas Horsten wrote:
On Mon, 22 Sep 2003, Ted Roby wrote:
My secalert account for these lists is being drenched with 40 to 70 of
these fake Microsoft Update emails per day.

Mine too, I needed to move all my e-mails to a new account (this)
'cause I couldn't handle the flood  }:-O
And as I use webmail, my former account didn't have any blocking feature; it only dumps to a folder, quickly filling my inbox capacity. (REALLY QUICK, in a matter of 1/2 hour my inbox was already full).
Media must be too occupied (accounting new m$ $pon$oring)
to cover this worm flood.

My filters on my client dump them to a Junk folder, but I would prefer
it if my Exim filter would do the job at the server level instead. I am
running Nigel Metheringham's system_filter.exim.
The single part MIME filter doesn't seem to catch it though. What are
others on this list using or doing to blatantly block this stuff? There
is no valid .exe I could receive, ever.

I got my mailbox and others on my server filled with these, over the
weekend it was as high as 20MB/day in one mailbox with these worms. I'm
surprised the press coverage hasn't been higher, since this must be the
most spreading MS-worm to date. But I guess people are getting fed up with
reading about these..
Since HD space is an issue on my server I needed to block these at the
SMTP level, to that end I found a qmail patch from Russell Nelson that
works wonders. It does block any executable base64, which may be a bit
over the top, but people will just have to learn to zip such files if they
want to send them through my server.
The patch for qmail can be found here:
http://www.qmail.org/qmail-smtpd-viruscan-1.1.patch
"This patch changes qmail-smtpd so that it parses incoming emails.  It
looks at the first line of MIME attachments to see if they're Windows
executables which are base64-encoded.  This catches nearly all current
Microsoft viruses."
I don't know the status of any similar patches for other MTAs, but I
guess they are out there. Anyway, if you are truly security conscious you
should consider switching to qmail in any case.

Regards, Thomas

--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org



-
Linux, 'cause reboot is only to install hardware.
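
An added illustration, not part of the original message and not code from the qmail patch: the check the quoted patch description outlines, inspecting the first body line of each base64 MIME part for an encoded Windows executable ("MZ") header. The function names, the simplified boundary handling and the sample message are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive test: do the first len bytes of s start with p? */
static int prefix_ci(const char *s, size_t len, const char *p)
{
    for (; *p; p++, s++, len--)
        if (!len || tolower((unsigned char)*s) != tolower((unsigned char)*p)) return 0;
    return 1;
}

/* Returns 1 if a base64 part's first body line encodes an "MZ" header: bytes
   0x4D 0x5A always become "TV" + one of o/p/q/r. Any "--" line counts as a boundary. */
int has_b64_executable(const char *msg)
{
    enum { HEADERS, FIRST_LINE, BODY } state = HEADERS;
    int base64 = 0;
    while (*msg) {
        size_t len = strcspn(msg, "\n");
        const char *next = msg + len + (msg[len] == '\n');
        if (len && msg[len - 1] == '\r') len--;            /* accept CRLF */
        if (len >= 2 && msg[0] == '-' && msg[1] == '-') {
            state = HEADERS; base64 = 0;                   /* new MIME part */
        } else if (state == HEADERS) {
            if (len == 0) state = FIRST_LINE;              /* headers ended */
            else if (prefix_ci(msg, len, "Content-Transfer-Encoding:")) {
                size_t i = 26;                             /* length of the header name */
                while (i < len && isspace((unsigned char)msg[i])) i++;
                base64 = prefix_ci(msg + i, len - i, "base64");
            }
        } else if (state == FIRST_LINE && len > 0) {
            if (base64 && len >= 3 && !strncmp(msg, "TV", 2) && strchr("opqr", msg[2])) return 1;
            state = BODY;
        }
        msg = next;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: a text part, then a base64 part starting with MZ. */
    const char *sample = "Content-Type: multipart/mixed; boundary=b1\r\n\r\n"
        "--b1\r\nContent-Type: text/plain\r\n\r\nTVs are fine in text.\r\n"
        "--b1\r\nContent-Transfer-Encoding: BASE64\r\n\r\nTVqQAAMAAAAEAAAA//8AALgA\r\n--b1--\r\n";
    printf("executable attachment: %d\n", has_b64_executable(sample));
    return 0;
}
```

A zipped attachment starts with "PK" rather than "MZ", so it passes this check, which matches the advice in the message to zip executables before sending them.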






