
Re: Son of Swen?



On Fri, Sep 26, 2003 at 12:54:42PM -0400, Derrick 'dman' Hudson wrote:
> On Thu, Sep 25, 2003 at 11:39:08PM -0700, Ross Boylan wrote:
> 
> | I just received a MS upgrade worm that appears to have a complete
> | executable that's 0.1k.  So the whole message is quite brief.
> 
> Are you sure there was really an executable in that message?  I've
> received quite a few similar messages, except there is absolutely no
> content in the .exe mime part.
There was an .exe file that mutt said was 0.1k.  I didn't try to
actually run it.  I figured it probably connects to the net and
bootstraps the whole virus.

> 
> BTW, a rule like this in your mail system's mime header checks is
> quite effective against certain forms of trash :
>     /^Content-Type: .*x-(?:wav|midi);.*\.exe\b/ DISCARD LookOut! exploit
>     /^Content-Type: .*x-wav;.*\.txt\b/          DISCARD LookOut! exploit
> (this particular syntax is a pcre map in postfix (>= 2.0) mime_header_checks)

Thanks.  I'm still getting the hang of how far mailfilter can look
down in the message.  I also wish it had a more sophisticated control
syntax with if's, and's, or's...

> 
> -D
> 
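The two Postfix mime_header_checks rules quoted above, run against constructed sample messages. This is an added example, not code from the thread or from Postfix: a small Python emulation of what the pcre map does, i.e. join each folded header into one logical line and match the patterns case-insensitively (the pcre_table default). It simplifies in one respect, flagged in the code: it checks every header of every MIME part, while Postfix's mime_header_checks only looks at MIME headers. The sample messages, addresses and attachment names are all made up for the example.

```python
import email
import re

# The two pcre map entries quoted in the thread. Python's re accepts them
# unchanged; re.I reproduces the Postfix pcre_table default of
# case-insensitive matching.
RULES = [
    (re.compile(r'^Content-Type: .*x-(?:wav|midi);.*\.exe\b', re.I),
     'DISCARD LookOut! exploit'),
    (re.compile(r'^Content-Type: .*x-wav;.*\.txt\b', re.I),
     'DISCARD LookOut! exploit'),
]


def logical_header_lines(raw_message):
    """Yield "Name: value" lines for every header of every MIME part.

    Folded headers (continuation lines starting with whitespace) are
    joined into one logical line first, as Postfix does before matching.
    Simplification (assumption): all headers of all parts are checked,
    whereas Postfix's mime_header_checks only looks at MIME headers.
    """
    msg = email.message_from_bytes(raw_message)  # compat32 policy keeps folding
    for part in msg.walk():
        for name, value in part.items():
            unfolded = re.sub(r'\r?\n[ \t]+', ' ', value)
            yield f'{name}: {unfolded}'


def check(raw_message):
    """Return (action, matching header line) for the first rule hit, else (None, None)."""
    for line in logical_header_lines(raw_message):
        for pattern, action in RULES:
            if pattern.search(line):
                return action, line
    return None, None


def single_part(content_type):
    """Build a constructed one-part test message with the given Content-Type."""
    return (
        'From: sender@example.com\n'
        'To: victim@example.com\n'
        'Subject: test\n'
        'MIME-Version: 1.0\n'
        f'Content-Type: {content_type}\n'
        '\n'
        'body\n'
    ).encode()


# Constructed sample in the shape the thread describes: a tiny "update" mail
# whose .exe attachment is declared as audio/x-wav, with the Content-Type
# header folded across two lines so the unfolding step matters.
SAMPLE_EXPLOIT = (
    b'From: sender@example.com\n'
    b'To: victim@example.com\n'
    b'Subject: Microsoft security update\n'
    b'MIME-Version: 1.0\n'
    b'Content-Type: multipart/mixed; boundary="xyz"\n'
    b'\n'
    b'--xyz\n'
    b'Content-Type: text/plain; charset=us-ascii\n'
    b'\n'
    b'Install the attached patch.\n'
    b'--xyz\n'
    b'Content-Type: audio/x-wav;\n'
    b'\tname="patch.exe"\n'
    b'Content-Transfer-Encoding: base64\n'
    b'Content-Disposition: attachment; filename="patch.exe"\n'
    b'\n'
    b'TVqQAAMAAAAEAAAA\n'
    b'--xyz--\n'
)

if __name__ == '__main__':
    for label, raw in [
        ('folded x-wav/.exe', SAMPLE_EXPLOIT),
        ('x-midi/.exe', single_part('audio/x-midi; name=update.exe')),
        ('x-wav/.txt', single_part('audio/x-wav; name="readme.txt"')),
        ('octet-stream/.exe', single_part('application/octet-stream; name="patch.exe"')),
        ('real wav', single_part('audio/x-wav; name="ring.wav"')),
    ]:
        print(f'{label:20} -> {check(raw)[0]}')
```

Two things worth noticing when running it: the rules only catch the mismatch between an audio MIME type and an .exe or .txt filename, so an .exe sent with an honest application/octet-stream type passes untouched and needs its own rule if you want it blocked; and DISCARD tells the sender the message was delivered while silently dropping it, so if you would rather the sender learn the mail bounced, REJECT is the action to use instead.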