[Dshield] phishing e-mails

Johannes B. Ullrich jullrich at sans.org
Sat Jan 24 04:23:33 GMT 2004


Just a quick note about 'phishing emails':

Please keep posting them to the list, or send them to me off list.
However, if you post them to the list, please remove the 'exploit'
(0x001@) and replace it with something harmless (e.g. _001_ ).

I am not afraid about people on the list clicking on it. But there are
plenty of list subscribers with brain dead AV engines, and whenever such
a post hits the list, I see about a dozen bounces from these AV
gateways.

Please:

If you run Anti Virus software on your mail server (which is a very good
thing to do), configure it NOT TO REPLY to virus e-mails. In almost all
cases, the 'From' address is spoofed anyway. Many AV engines allow
adjusting this for each signature if necessary.

Maybe one of these days I will post a 'list of shame', or just approve
the bounce ;-).

Also remember: These AV bounces will give away the type and sometimes
version of AV engine you are running. A real attacker could use this
information to craft a virus to bypass it.




-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
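
Added example (not part of the original post): a small Python filter that applies the substitution requested above before a phishing sample is forwarded to a list, so AV gateways no longer match on it. The set of encodings it matches (raw byte, %01, HTML numeric references), the function names and the sample text are assumptions constructed for illustration.

```python
import re

# Harmless replacement suggested in the post.
PLACEHOLDER = "_001_"

# The control byte 0x01 directly followed by '@', in the forms a mail body
# may carry it (assumed set): raw byte, percent-encoded, HTML numeric
# character reference in decimal or hex.
_TRIGGER = re.compile(r"(?:\x01|%01|&#0*1;|&#x0*1;)@", re.IGNORECASE)


def defang(text):
    """Return (sanitized_text, number_of_replacements)."""
    return _TRIGGER.subn(PLACEHOLDER, text)


def is_safe_to_post(text):
    """True when no trigger sequence remains in the text."""
    return _TRIGGER.search(text) is None


def defang_bytes(raw):
    """Same as defang() for a raw message body.

    latin-1 maps every byte to one code point, so the body round-trips
    unchanged apart from the replaced sequences.
    """
    clean, count = defang(raw.decode("latin-1"))
    return clean.encode("latin-1"), count


# Constructed sample body (reserved example/invalid names, not a real message).
SAMPLE = (
    "Click: http://bank.example%01@host.invalid/login\n"
    'HTML: <a href="http://bank.example&#x01;@host.invalid/">bank</a>\n'
    "Raw: http://bank.example\x01@host.invalid/\n"
    "Contact: abuse@bank.example\n"
)

if __name__ == "__main__":
    cleaned, replaced = defang(SAMPLE)
    print(f"replaced {replaced} sequence(s)")
    print(cleaned)
```

Ordinary addresses such as the contact line are left alone because the pattern requires the control byte immediately before the '@'.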