[unisog] should one pull the plug in worm outbreak?

Paul L Schmehl pauls at utdallas.edu
Thu Dec 6 02:32:14 GMT 2001


Join AVIEN.  You'll know about these *before* they hit your network, and 
you'll no longer have to make this decision.  (I'm dead serious.)

http://www.avien.org/

It's the best $99/yr (US) you will ever spend.  And I mean that.  You'll 
have sendmail blocks in place before you see the first copy.

--On Thursday, December 06, 2001 12:58 PM +1300 Russell Fulton 
<r.fulton at auckland.ac.nz> wrote:

>
> On Wed, 05 Dec 2001 08:21:39 -0800 Greg Francis <francis at gonzaga.edu>
> wrote:
>
>>
>> We currently have around 1200 workstations on the main network so our hit
>> isn't nearly as bad as what it would be for a large university.
>>
>
> We are going through the same process with thousands of machines, we
> have been at it for months, one faculty at a time.
>
> The problem is that Antivirus software (unless it is heuristic based)
> can not help with these fast spreading worms.  We got our first
> infection at least 2 hours before NAV made the updates available. Since
> this one had a simple subject line we were able to block it using
> Sendmail configs, but not fast enough to stop it hitting several large
> internal lists :(
>
> I'll ask another question.  Should one pull the plug on your
> mailservers until you can control the spread (either by ad hoc filtering
> or AV products) or should one try and ride the storm?
>
> In the past we have opted to ride the storm on the basis that without
> email fighting the problem is actually much more difficult in a
> distributed environment like ours.  There are contrary views being
> expressed here and I would like to hear of others' experiences.
>
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand
>



Paul L. Schmehl, pauls at utdallas.edu
http://www.utdallas.edu/~pauls/
Supervisor, Support Services
The University of Texas at Dallas
AVIEN Founding Member


