[Dshield] new Netsky.b virus - quick analysis (incl. hexdump)

Tony Earnshaw tonye at billy.demon.nl
Thu Feb 19 20:49:09 GMT 2004

Wed, 18.02.2004 at 19:58, Erik van Straten wrote:

> We may as well prohibit all email attachments.
> We desperately need *smart* and *fast* solutions for SMTP problems.
> I've not seen a single useful solution that cannot be bypassed, and
> at the same time will not render legitimate use of SMTP problematic,
> if not totally impossible (the ultimate solution may not exist).

My daughter recently sent me an .mp3, fantastic. Then a couple more. She
enclosed them as mime base64-encoded e-mail attachments, 5MB swells up
to 7MB. She'd got it from a Kazaa-like site, somewhere. She uses Windows
XP on ADSL (in another country far to the North of here) and understands
*nothing*, in spite of what I tell her, apart from that she must never
click on attachments and that her Windows crashes now and again and has
to be reinstalled to work again. I am a dyed-in-the-wool Windows/Unix
sysadmin, run Linux and do not have her problems. Well, if she won't
listen and doesn't care, what the hell?

The thing is, between her ISP (12-18 hundred kilometers of fiber away)
and mine there are routers. Border routers, at least, are perfectly
capable of recognizing patterns in IP data packets and are, in fact,
already trained to do so. And they do already filter on IP packet data, for
the national security agencies (Erik will know about this; my source for
this is a data admin friend at KPN, a main Dutch telecom).

Surely it's not beyond the bounds of human intelligence (though probably
above mine) to configure routers that are already trained to filter, to
recognize aggressive content? Even dynamically? If I as a Unix mailadmin
can configure my own Linux 2.6.2 kernel and associated firewall and SMTP
content filter to recognize aggressive content? *I* receive neither spam
nor viruses (don't accept any misplaced bounces any more, either, Erik ;)
Not because I'm especially clever, but purely through trial and error -
they're there OK, but I don't let most of them in, or those I have to,
go right down the sink. And there's no commercial stuff involved
whatsoever, it's all Open Source.
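An added example, not part of Tony's post or of any project's code: the kind of attachment check an SMTP content filter can make with nothing but the Python standard library. It parses a MIME message, decodes each base64 attachment and flags executables by extension and, because a renamed .exe still begins with the MZ header, by content; it also looks inside zip archives, reading only the first two bytes of each member so a decompression bomb is never fully expanded. The blocklist, the addresses and the sample messages are constructed for this example and are assumptions, not anything from the thread.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will run on a double-click. Assumed blocklist for the example,
# not a list from the post; extend it to taste.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
PE_MAGIC = b"MZ"  # every DOS/Windows PE executable starts with these two bytes


def is_executable(filename, data):
    """Flag a payload as executable by its final extension or by its magic bytes."""
    name = (filename or "").lower()
    # Only the last suffix counts, so "song.mp3.exe" is still caught.
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return True
    # Content check: a PE renamed to .mp3 still carries the MZ header.
    return data[:2] == PE_MAGIC


def scan_zip(data):
    """Return the names of executable members in a zip archive, or [] if not a zip."""
    if data[:4] != b"PK\x03\x04":  # local file header signature; cheap pre-check
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            findings = []
            for info in zf.infolist():
                # Read just two bytes per member: enough for the magic check and
                # it never inflates a whole (possibly huge) member.
                with zf.open(info) as member:
                    head = member.read(2)
                if is_executable(info.filename, head):
                    findings.append(info.filename)
            return findings
    except (zipfile.BadZipFile, ValueError, OSError):
        return []  # malformed archive: nothing we can say about its members


def scan_message(raw):
    """Parse a raw RFC 822 message and return a list of reasons to reject it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename and part.get_content_disposition() != "attachment":
            continue  # ordinary body text
        data = part.get_payload(decode=True) or b""  # undoes the base64 transfer encoding
        if is_executable(filename, data):
            reasons.append(f"executable attachment: {filename}")
        for inner in scan_zip(data):
            reasons.append(f"executable inside zip {filename}: {inner}")
    return reasons


def build_sample(filename, data, maintype="application", subtype="octet-stream"):
    """Construct a message with one base64 attachment (constructed sample, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "daughter@example.net"
    msg["To"] = "mailadmin@example.org"
    msg["Subject"] = "song"
    msg.set_content("here is the file")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def build_zip(member_name, member_data):
    """Construct an in-memory zip with a single member (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_data)
    return buf.getvalue()


if __name__ == "__main__":
    # A genuine mp3 passes; a PE renamed to .mp3 and a zipped .exe are both rejected.
    print(scan_message(build_sample("song.mp3", b"ID3\x04\x00" + bytes(64), "audio", "mpeg")))
    print(scan_message(build_sample("song.mp3", b"MZ\x90\x00" + bytes(64), "audio", "mpeg")))
    print(scan_message(build_sample("songs.zip", build_zip("setup.exe", b"MZ" + bytes(32)), "application", "zip")))
```

The filter deliberately never trusts the Content-Type header or the extension alone; the two-byte content check is what stops a renamed binary, and reading only the member headers of a zip keeps the filter fast enough to run inline on an SMTP stream.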
