[Dshield] vulnerability windows

Alan Frayer afrayer at frayernet.com
Fri Feb 6 21:01:36 GMT 2004

On Fri, 2004-02-06 at 13:26, Jonathan C. Webster wrote:

> Alan Frayer wrote:
> > We were forced to notify recipients when a
> > virus was intercepted heading their way, 
> Hello,
> Is a related issue of FAKE notifications of sending mydoom.a relevant?
> In the past weeks I have received two such, claiming I sent Mydoom.A loaded
> emails to an address in .tw and one in .au. I did neither. The commonality
> in these was the Message-Id. (BTW I run Linux on both boxes in my tiny
> network.)
> Message-Id: <20040129080338.1227660029 at services.ibab.ac.in>
> and
> Message-Id: <20040206061034.CA8966007C at services.ibab.ac.in>
> So is ibab.ac.in likely the source of the fake notices, or are they stopping
> email with spoofed addresses that really did carry Mydoom.A?

The big difference here is that we made no effort to notify the sender
of the virus outside our network that he was infected, since we knew
spoofing could happen. No, we made two notifications:

1) The recipient, when on our network (using our mail server), was
notified when we saw the virus incoming. The virus was stripped, but we
had to tell the recipient, on the possibility the attachment (without a
virus) was expected but never delivered.

2) The sender, when on our network, was stopped and notified when we
detected unusual port 25 activity from his connection. If/when the
sender gave us a logical reason for the activity (such as an in-house
SMTP server), we reopened the connection, but made note for future
reference. In most cases, the sender was more than cooperative, and glad
we were watching out for him.

Alas, such exceptional customer service did little in the face of rising
operating costs and dropping client connection rates. We went bankrupt
(they still owe me money).


Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com 
Member: Independent Consultants Association (ICA)
Consultants - FREE Directory Listing - http://www.ica-assn.org 
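
Added example, not part of the original message: one way an ISP could implement the check in point 2, flagging customer connections that open port 25 sessions to many distinct outside hosts in a short window while skipping customers already noted as running an in-house SMTP server. The address ranges, threshold, window and flow records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# All values below are assumptions for illustration (documentation address ranges).
CUSTOMER_NET = ip_network("192.0.2.0/24")   # customer address pool
ISP_MAIL_SERVER = "198.51.100.25"           # the ISP's own relay; normal client traffic
KNOWN_SMTP_SERVERS = {"192.0.2.10"}         # customers who explained an in-house server
WINDOW = timedelta(minutes=5)               # sliding window
MAX_DISTINCT_DESTS = 5                      # distinct port-25 peers tolerated per window

# Constructed flow records: (timestamp, source, destination, destination port).
T0 = datetime(2004, 2, 6, 13, 0, 0)
SAMPLE_FLOWS = (
    # mass-mailer pattern: 8 different mail hosts in 70 seconds
    [(T0 + timedelta(seconds=10 * i), "192.0.2.77", f"203.0.113.{i + 1}", 25)
     for i in range(8)]
    # same volume from a customer with a noted in-house SMTP server
    + [(T0 + timedelta(seconds=15 * i), "192.0.2.10", f"203.0.113.{i + 50}", 25)
       for i in range(8)]
    # ordinary customer: mail via the ISP relay plus unrelated web traffic
    + [(T0 + timedelta(seconds=60 * i), "192.0.2.50", ISP_MAIL_SERVER, 25)
       for i in range(3)]
    + [(T0, "192.0.2.50", "203.0.113.200", 80)]
)

def flag_smtp_senders(flows):
    """Return {source: peak distinct port-25 destinations} for sources over the threshold."""
    recent = defaultdict(list)   # source -> [(timestamp, destination)] inside WINDOW
    flagged = {}
    for ts, src, dst, port in sorted(flows):
        if port != 25 or ip_address(src) not in CUSTOMER_NET:
            continue             # only outbound SMTP from customer connections
        if src in KNOWN_SMTP_SERVERS or dst == ISP_MAIL_SERVER:
            continue             # noted exception, or normal use of the ISP relay
        recent[src] = [(t, d) for t, d in recent[src] if ts - t <= WINDOW]
        recent[src].append((ts, dst))
        distinct = len({d for _, d in recent[src]})
        if distinct > MAX_DISTINCT_DESTS:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    for src, count in flag_smtp_senders(SAMPLE_FLOWS).items():
        print(f"{src}: {count} distinct SMTP destinations within {WINDOW}")
```

Counting distinct destinations rather than raw connections keeps a customer who sends many messages through a single relay from being flagged.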
