[Dshield] headers of MS patch

Doug White doug at clickdoug.com
Mon Sep 22 14:00:13 GMT 2003


This is a question for those that have already become familiar with these worm
e-mails.

Is it possible that the propagation is via totally spoofed IP numbers?  I did
not think this would be possible.

The end result is that my mail server is receiving around 100 of these per hour,
from three general geographic areas (it, de and au), but never the same IP number.
The destination is a single address in one of the domains I serve as a
gateway for.  So far Amavis+AntiVir has been catching them and generates a lot
of email to the postmaster account.  I wanted to try to see if I could create
some rules in the Linux firewall to drop these connections, but am a bit
overwhelmed by the sheer quantity.

I did note that some of the infected emails have made it past the virus scanner;
however, the attachment on those is only either a zero-byte or a 2-byte size.
These are not a problem, as the fragmented attachment is of no danger.

I have advised all clients to disable the instant view as well as to disable
iframe execution in their mail client, which seems to be preventing the ones
that are crafted as a bounce, but contain an iframe command to infect the unwary
user.


======================================
Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
Featuring Win2003 Enterprise, RedHat Linux, CFMX 6.1 and all databases.
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
Suggested corporate Anti-virus policy: http://www.dshield.org/antivirus.pdf
======================================
If you are not satisfied with my service, my job isn't done!
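As an added example (not part of the original post or of any tool it mentions), here is one way to turn the flood of scanner notifications described above into a manageable firewall rule set. Because an SMTP delivery needs a completed TCP session, the address the MTA logs for the client is the real connecting host, so it can be aggregated even when no single IP repeats. The script parses constructed Amavis-style log lines (the exact format is assumed, not taken from any real amavisd log), skips trusted networks, collapses rejected senders into /24 networks, and drafts iptables DROP rules for the busiest ones. Every log line, address and the TRUSTED list are constructed for the example.

```python
"""Aggregate virus-scanner rejections by source network and draft firewall rules.

Assumed log shape (constructed for this example, not taken from the post):
one Amavis-style line per scanned message containing the verdict and the
client IP in square brackets.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines; addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Sep 22 13:01:03 gw amavis[2001]: (02001-01) Blocked INFECTED (W32/Swen@mm) [203.0.113.10] -> <user@example.org>
Sep 22 13:02:11 gw amavis[2001]: (02001-02) Blocked INFECTED (W32/Swen@mm) [203.0.113.77] -> <user@example.org>
Sep 22 13:02:40 gw amavis[2001]: (02001-03) Passed CLEAN [198.51.100.5] -> <user@example.org>
Sep 22 13:03:15 gw amavis[2001]: (02001-04) Blocked INFECTED (W32/Swen@mm) [203.0.113.200] -> <user@example.org>
Sep 22 13:04:02 gw amavis[2001]: (02001-05) Blocked INFECTED (W32/Swen@mm) [192.0.2.33] -> <user@example.org>
Sep 22 13:05:19 gw amavis[2001]: (02001-06) Blocked INFECTED (W32/Swen@mm) [10.0.0.4] -> <user@example.org>
"""

# Matches only lines the scanner rejected, capturing the client IP.
LINE_RE = re.compile(r"Blocked INFECTED \([^)]*\) \[(?P<ip>[0-9.]+)\]")

# Networks that must never be blocked (own relays / LAN); assumed values.
TRUSTED = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def blocked_sources(log_text):
    """Return the client IPs whose message the scanner rejected."""
    ips = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ips.append(ip_address(m.group("ip")))
    return ips


def is_trusted(ip):
    """True if the address falls inside a network we must not block."""
    return any(ip in net for net in TRUSTED)


def count_by_prefix(ips, prefixlen=24):
    """Collapse individual senders into /prefixlen networks, skipping trusted ones."""
    counts = Counter()
    for ip in ips:
        if is_trusted(ip):
            continue
        counts[ip_network(f"{ip}/{prefixlen}", strict=False)] += 1
    return counts


def choose_blocks(counts, threshold):
    """Networks with at least `threshold` rejected messages, busiest first."""
    return [net for net, n in counts.most_common() if n >= threshold]


def iptables_rules(networks, port=25, chain="INPUT"):
    """Draft iptables commands as strings; nothing is executed here."""
    return [f"iptables -A {chain} -p tcp --dport {port} -s {net} -j DROP"
            for net in networks]


if __name__ == "__main__":
    counts = count_by_prefix(blocked_sources(SAMPLE_LOG))
    for rule in iptables_rules(choose_blocks(counts, threshold=3)):
        print(rule)
```

Aggregating by /24 matches the pattern in the post (same few regions, never the same host), but a network-level DROP also silences legitimate mail from that range, so the threshold should be set high and the rules expired after the outbreak rather than left in place. Rejecting at the MTA instead of the packet filter keeps the scanner out of the loop while still returning a proper SMTP error to genuine senders.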