[Dshield] headers of MS patch

Stephane Grobety security at admin.fulgan.com
Mon Sep 22 15:01:03 GMT 2003


DW> Is it possible that the propagation is via totally spoofed IP numbers?  I did
DW> not think this would be possible.

Well, spoofing a TCP connection isn't impossible, but it's rather hard
to do and far more so without an operator controlling the
program (unless you happen to be on the same subnet as the machine you
want to fool).

Now, there are other ways around this: you can use all kinds of relays
that do NOT include the real sender's IP address to send your nasty
stuff: SOCKS proxies, formmail scripts, even badly configured FTP
servers. It is, however, usually not very useful for virii and worms
as it would require them to have access to a list of "usable" proxies,
something that should change pretty often. It also makes its spreading
less effective as an open proxy has quite a lot of chance to be
rapidly listed on RBLs and therefore have a large number of mail
servers simply refuse to accept mail coming from it.

DW> The end result is that my mail server is receiving around 100 of these per hour,
DW> from three general geographic areas, but never the same IP number. (it, de and
DW> au)   The destination is to a single address in one of the domains I serve as a
DW> gateway for.

Well, it could be that this address is known to a number of people and
therefore often referenced by infected machines.

DW>  So far Amavis+AntiVir has been catching them and generates a lot
DW> of email to the postmaster account.

Drop the notification or simply refuse (without notification) any
Email that contains an EXE attachment.

DW> I wanted to try to see if I could create
DW> some rules in the Linux Firewall to drop these connections, but am a bit
DW> overwhelmed by the sheer quantity.

I don't think it is worth the trouble: you're likely to end up in the
situation where every infection attempt is made by a different host.
Filtering on the transport/session level is therefore pointless.
Filtering on the application level (SMTP) makes much more sense.

Good luck,
Stephane
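Filtering at the application (SMTP) layer, as the reply recommends, means inspecting the MIME parts of each message for executable attachments rather than blocking source hosts. The following is an added Python example, not code from the original post: the blocked-extension list, the MZ-header check, the constructed sample messages and all function names are assumptions made for this illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions rejected outright (assumed list, chosen for this example).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat"}
# DOS/PE executables begin with the "MZ" magic bytes.
MZ_MAGIC = b"MZ"


def executable_attachments(raw: bytes) -> list:
    """Return (filename, reason) for every part that looks like an executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip()
        ext = "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            found.append((name, "blocked extension"))
        elif payload.startswith(MZ_MAGIC):
            # A renamed executable is caught by its content, not its name.
            found.append((name or "<unnamed>", "MZ executable header"))
    return found


def smtp_verdict(raw: bytes) -> str:
    """Decision applied at SMTP time: reject, with no bounce to a forged sender."""
    return "550 rejected" if executable_attachments(raw) else "250 accepted"


def build_sample(filename: str, body: bytes) -> bytes:
    """Constructed sample message with one attachment (example data only)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "postmaster@example.test"
    m["Subject"] = "Re: your document"
    m.set_content("See attached.")
    m.add_attachment(body, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    fake_pe = b"MZ\x90\x00" + b"\x00" * 28  # constructed, not a real binary
    for label, raw in (("worm", build_sample("document.exe", fake_pe)),
                       ("renamed", build_sample("document.txt", fake_pe)),
                       ("clean", build_sample("notes.txt", b"just text\n"))):
        print(label, smtp_verdict(raw), executable_attachments(raw))
```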
