* ATTACK TO MY SYSTEM
@ 2003-09-23  9:12 german aracil boned
  2003-09-23 10:01 ` Mike Galbraith
  0 siblings, 1 reply; 19+ messages in thread
From: german aracil boned @ 2003-09-23  9:12 UTC (permalink / raw)
  To: linux-kernel


Please

I have an important attack on my system!
I received many mails from many nets! with virus attachments.
I don't have a virus in my Unix system. But people send mails with my mail
address. Please see the mail's header. It's not from my system's IP.

I have now closed my system to more than 700 nets!! and I'm still
continuously receiving mails :(:(:(

See the attachment for the nets closed from my system.

Please help. I don't send any virus!



-- 
"Wealth consists much more in enjoyment than in possession."
                  Aristóteles (384 BC-322 BC)


-- 
La riqueza consiste mucho más en el disfrute que en la posesión".
                 Aristóteles (384 a.C.-322 a.C.)

[-- Attachment #2: listip.txt --]
[-- Type: text/plain, Size: 8862 bytes --]



* Re: ATTACK TO MY SYSTEM
  2003-09-23  9:12 ATTACK TO MY SYSTEM german aracil boned
@ 2003-09-23 10:01 ` Mike Galbraith
  2003-09-23 12:01   ` Jan Evert van Grootheest
                     ` (2 more replies)
  0 siblings, 3 replies; 19+ messages in thread
From: Mike Galbraith @ 2003-09-23 10:01 UTC (permalink / raw)
  To: german aracil boned; +Cc: linux-kernel

At 11:12 AM 9/23/2003 +0200, german aracil boned wrote:

>Please
>
>I have an important attack on my system!
>I received many mails from many nets! with virus attachments.
>I don't have a virus in my Unix system. But people send mails with my mail
>address. Please see the mail's header. It's not from my system's IP.
>
>I have now closed my system to more than 700 nets!! and I'm still
>continuously receiving mails :(:(:(

You aren't alone, I'm getting the same crap in my lkml account.  I'm using 
a pop previewer with filter to nuke it.  I don't know what else you can do 
about it other than to nuke the account, or hope that the ignorant twit 
who's doing this manages to irritate one of the network gods.

         -Mike



* Re: ATTACK TO MY SYSTEM
  2003-09-23 10:01 ` Mike Galbraith
@ 2003-09-23 12:01   ` Jan Evert van Grootheest
  2003-09-23 12:17     ` [OFFTOPIC] " Russell King
  2003-09-23 12:50   ` Breno
  2003-09-23 13:40   ` J.A. Magallon
  2 siblings, 1 reply; 19+ messages in thread
From: Jan Evert van Grootheest @ 2003-09-23 12:01 UTC (permalink / raw)
  To: Mike Galbraith; +Cc: german aracil boned, linux-kernel

Me too.
And I won't be able to kill off this account.
I thought another virus had popped up! Many of them have their
attachments removed by the virus scanner.

-- Jan Evert

Mike Galbraith wrote:

> At 11:12 AM 9/23/2003 +0200, german aracil boned wrote:
> 
>> Please
>>
>> I have an important attack on my system!
>> I received many mails from many nets! with virus attachments.
>> I don't have a virus in my Unix system. But people send mails with my mail
>> address. Please see the mail's header. It's not from my system's IP.
>>
>> I have now closed my system to more than 700 nets!! and I'm still
>> continuously receiving mails :(:(:(
> 
> 
> You aren't alone, I'm getting the same crap in my lkml account.  I'm 
> using a pop previewer with filter to nuke it.  I don't know what else 
> you can do about it other than to nuke the account, or hope that the 
> ignorant twit who's doing this manages to irritate one of the network gods.
> 
>         -Mike
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> 



* [OFFTOPIC] Re: ATTACK TO MY SYSTEM
  2003-09-23 12:01   ` Jan Evert van Grootheest
@ 2003-09-23 12:17     ` Russell King
  2003-09-23 12:38       ` Jörn Engel
  2003-09-23 12:55       ` [OFFTOPIC] Re: ATTACK TO MY SYSTEM Maciej Soltysiak
  0 siblings, 2 replies; 19+ messages in thread
From: Russell King @ 2003-09-23 12:17 UTC (permalink / raw)
  To: Jan Evert van Grootheest
  Cc: Mike Galbraith, german aracil boned, linux-kernel

On Tue, Sep 23, 2003 at 02:01:24PM +0200, Jan Evert van Grootheest wrote:
> Me too.
> And I won't be able to kill off this account.
> I thought another virus had popped up! Many of them have their
> attachments removed by the virus scanner.

The collateral effects caused by email-based virus scanner software
creating bounces to faked email addresses are getting to be more of a
problem to control than the viruses themselves.

I've recently been getting mails from sites "helpfully" informing me
that someone tried to send me a virus - they're not helpful at all.

I suggest that anyone receiving such things complain to the originating
site - if the virus is known to use faked sender addresses, it is
irresponsible for any site to generate a bounce.

When there are enough complaints to mail server admins, hopefully the
philosophy will change.

Any further discussion of this topic should be done off list.

-- 
Russell King (rmk@arm.linux.org.uk)	http://www.arm.linux.org.uk/personal/
      Linux kernel    2.6 ARM Linux   - http://www.arm.linux.org.uk/
      maintainer of:  2.6 PCMCIA      - http://pcmcia.arm.linux.org.uk/
                      2.6 Serial core


* Re: [OFFTOPIC] Re: ATTACK TO MY SYSTEM
  2003-09-23 12:17     ` [OFFTOPIC] " Russell King
@ 2003-09-23 12:38       ` Jörn Engel
  2003-09-23 13:43         ` iptables kernel german aracil boned
  2003-09-23 12:55       ` [OFFTOPIC] Re: ATTACK TO MY SYSTEM Maciej Soltysiak
  1 sibling, 1 reply; 19+ messages in thread
From: Jörn Engel @ 2003-09-23 12:38 UTC (permalink / raw)
  To: Jan Evert van Grootheest, Mike Galbraith, german aracil boned,
	linux-kernel

On Tue, 23 September 2003 13:17:15 +0100, Russell King wrote:
> 
> Any further discussion of this topic should be done off list.

Right, but since those 200+ mails really hurt, here is one little piece
of advice from my .procmailrc:

        # Spam: the D flag makes the match case-sensitive, so only a header
        # name written as SUBJECT: (all caps) matches, never a normal Subject:
        :0 D
        * ^SUBJECT:
        $MAILDIR/autospam

Kills 100% of those virus spams, with 0% false positives so far.

Problem solved, EOT.

Jörn

-- 
Mundie uses a textbook tactic of manipulation: start with some
reasonable talk, and lead the audience to an unreasonable conclusion.
-- Bruce Perens


* Re: ATTACK TO MY SYSTEM
  2003-09-23 10:01 ` Mike Galbraith
  2003-09-23 12:01   ` Jan Evert van Grootheest
@ 2003-09-23 12:50   ` Breno
  2003-09-23 13:40   ` J.A. Magallon
  2 siblings, 0 replies; 19+ messages in thread
From: Breno @ 2003-09-23 12:50 UTC (permalink / raw)
  To: german aracil boned, Mike Galbraith; +Cc: linux-kernel

I am receiving too :(

----- Original Message -----
From: "Mike Galbraith" <efault@gmx.de>
To: "german aracil boned" <german@tecnoxarxa.com>
Cc: <linux-kernel@vger.kernel.org>
Sent: Tuesday, September 23, 2003 7:01 AM
Subject: Re: ATTACK TO MY SYSTEM


> At 11:12 AM 9/23/2003 +0200, german aracil boned wrote:
>
> >Please
> >
> >I have an important attack on my system!
> >I received many mails from many nets! with virus attachments.
> >I don't have a virus in my Unix system. But people send mails with my mail
> >address. Please see the mail's header. It's not from my system's IP.
> >
> >I have now closed my system to more than 700 nets!! and I'm still
> >continuously receiving mails :(:(:(
>
> You aren't alone, I'm getting the same crap in my lkml account.  I'm using
> a pop previewer with filter to nuke it.  I don't know what else you can do
> about it other than to nuke the account, or hope that the ignorant twit
> who's doing this manages to irritate one of the network gods.
>
>          -Mike
>



* Re: [OFFTOPIC] Re: ATTACK TO MY SYSTEM
  2003-09-23 12:17     ` [OFFTOPIC] " Russell King
  2003-09-23 12:38       ` Jörn Engel
@ 2003-09-23 12:55       ` Maciej Soltysiak
  2003-09-23 13:41         ` jw schultz
  2003-09-23 16:36         ` Gerhard Mack
  1 sibling, 2 replies; 19+ messages in thread
From: Maciej Soltysiak @ 2003-09-23 12:55 UTC (permalink / raw)
  To: Russell King
  Cc: Jan Evert van Grootheest, Mike Galbraith, german aracil boned,
	linux-kernel

> When there are enough complaints to mail server admins, hopefully the
> philosophy will change.
It is changing. I have been talking to antivirus software people (nod32)
and I suggested that their virus signatures could have information on whether
the virus spoofs the sender address or not, and then simply not send
replies for infected mail. I got a response that they are working on it,
and that other antivirus software developers like the dudes from Symantec,
Sophos, McAfee, etc. are working on it also.

So we should have a slightly better solution to that when the software
gets better.

Also note the disinformative effect of the virus on plain users.
We will have all of these problems until the protocols get seriously
improved. We urgently need a reliable and secure protocol replacing or
extending SMTP, which would aid in tracking down the culprits.
TCP/IP ideas like ICMP traceback messages (it's still an IETF draft)
and other ideas will hopefully help us cut down on spoofing, flooding,
etc., as detection improves. Anyway, these are my wishes for the
Internet community. The protocols we are using today (SMTP, IP) are
inadequate due to their lack of defensive value.

I also heard that there is work in progress concerning SMTP
replacement/improvement by enhancements.

Regards,
Maciej


* Re: ATTACK TO MY SYSTEM
  2003-09-23 10:01 ` Mike Galbraith
  2003-09-23 12:01   ` Jan Evert van Grootheest
  2003-09-23 12:50   ` Breno
@ 2003-09-23 13:40   ` J.A. Magallon
  2003-09-23 14:43     ` [OT] " Steven Cole
  2 siblings, 1 reply; 19+ messages in thread
From: J.A. Magallon @ 2003-09-23 13:40 UTC (permalink / raw)
  To: Mike Galbraith; +Cc: linux-kernel


On 09.23, Mike Galbraith wrote:
> At 11:12 AM 9/23/2003 +0200, german aracil boned wrote:
> 
> >Please
> >
> >I have an important attack on my system!
> >I received many mails from many nets! with virus attachments.
> >I don't have a virus in my Unix system. But people send mails with my mail
> >address. Please see the mail's header. It's not from my system's IP.
> >
> >I have now closed my system to more than 700 nets!! and I'm still
> >continuously receiving mails :(:(:(
> 
> You aren't alone, I'm getting the same crap in my lkml account.  I'm using 
> a pop previewer with filter to nuke it.  I don't know what else you can do 
> about it other than to nuke the account, or hope that the ignorant twit 
> who's doing this manages to irritate one of the network gods.
> 

Me too.
Some pointer to that pop previewer ?
Filter based on attachments ?

-- 
J.A. Magallon <jamagallon()able!es>     \                 Software is like sex:
werewolf!able!es                         \           It's better when it's free
Mandrake Linux release 9.2 (Cooker) for i586
Linux 2.4.23-pre5-jam1 (gcc 3.3.1 (Mandrake Linux 9.2 3.3.1-2mdk))


* Re: [OFFTOPIC] Re: ATTACK TO MY SYSTEM
  2003-09-23 12:55       ` [OFFTOPIC] Re: ATTACK TO MY SYSTEM Maciej Soltysiak
@ 2003-09-23 13:41         ` jw schultz
  2003-09-23 16:36         ` Gerhard Mack
  1 sibling, 0 replies; 19+ messages in thread
From: jw schultz @ 2003-09-23 13:41 UTC (permalink / raw)
  To: linux-kernel

On Tue, Sep 23, 2003 at 02:55:57PM +0200, Maciej Soltysiak wrote:
> > When there are enough complaints to mail server admins, hopefully the
> > philosophy will change.
> It is changing. I have been talking to antivirus software people (nod32)
> and I suggested that their virus signatures could have information on whether
> the virus spoofs the sender address or not, and then simply not send
> replies for infected mail. I got a response that they are working on it,
> and that other antivirus software developers like the dudes from Symantec,
> Sophos, McAfee, etc. are working on it also.
> 
> So we should have a slightly better solution to that when the software
> gets better.

What they should do is send the alerts to MS. ;-))))

No, because if the company whose mascot is a big blue bug
that reproduces by spreading worms were to actually fix the
problem the market for anti-virus software would shrink
faster than SCO's sales revenue.


-- 
________________________________________________________________
	J.W. Schultz            Pegasystems Technologies
	email address:		jw@pegasys.ws

		Remember Cernan and Schmitt


* iptables kernel
  2003-09-23 12:38       ` Jörn Engel
@ 2003-09-23 13:43         ` german aracil boned
  0 siblings, 0 replies; 19+ messages in thread
From: german aracil boned @ 2003-09-23 13:43 UTC (permalink / raw)
  To: linux-kernel


I have problems with iptables and the openmosix system. The kernel halts
when I set DENY by default on INPUT. This machine boots from the net
and has its root on another computer.

What is the solution? (and the problem :( )

My kernel is 2.4.20 with the openmosix patch
(same problem without the openmosix patch)

Can this kernel work with a DENY policy if it boots from the net first?

thanks

Jörn Engel wrote:
> Kills 100% of those virus spams, with 0% false positives so far.
> 
> Problem solved, EOT.

I built an automatic system. It reads mails from any folder of my
client, updates a list of bad IPs (spammers) and updates the firewall
with the new IPs. Now the attack on my system is very small. I have more
than 1000 senders checked ;)

Thanks to all !


-- 
"Wealth consists much more in enjoyment than in possession."
                 Aristóteles (384 BC-322 BC)



* [OT] Re: ATTACK TO MY SYSTEM
  2003-09-23 13:40   ` J.A. Magallon
@ 2003-09-23 14:43     ` Steven Cole
  2003-09-23 15:50       ` Wakko Warner
  0 siblings, 1 reply; 19+ messages in thread
From: Steven Cole @ 2003-09-23 14:43 UTC (permalink / raw)
  To: J.A. Magallon; +Cc: Mike Galbraith, linux-kernel

First, apologies to all since this is technically offtopic, but there
does seem to be enough interest in this subject that I'll provide a
short answer here.

On Tue, 2003-09-23 at 07:40, J.A. Magallon wrote:
> On 09.23, Mike Galbraith wrote:
> > At 11:12 AM 9/23/2003 +0200, german aracil boned wrote:
> > 
> > >Please
> > >
> > >I have an important attack on my system!
> > >I received many mails from many nets! with virus attachments.
> > >I don't have a virus in my Unix system. But people send mails with my mail
> > >address. Please see the mail's header. It's not from my system's IP.
> > >
> > >I have now closed my system to more than 700 nets!! and I'm still
> > >continuously receiving mails :(:(:(
> > 
> > You aren't alone, I'm getting the same crap in my lkml account.  I'm using 
> > a pop previewer with filter to nuke it.  I don't know what else you can do 
> > about it other than to nuke the account, or hope that the ignorant twit 
> > who's doing this manages to irritate one of the network gods.
> > 
> 
> Me too.
> Some pointer to that pop previewer ?
> Filter based on attachments ?

The problem with the W32.Swen.A@mm worm/virus became severe enough that
my home account on 56k dialup was almost unusable.  I've been getting
hundreds of these large emails per day for the past several days, and
the problem seems to be getting worse, not better.

At my home account, I've switched from Evolution to Kmail for my MUA. 
Under receiving options, you can select 'Filter messages if they are
greater than' some value you put in.  I've selected 40K, and this
results in a few false positives, but Kmail allows you to then select
each message individually to be received, stay on the pop server, or get
trashed. This is clearly suboptimal, but better than getting all that
junk.  It would be nice if 'getting trashed' was selectable as the
default, but that's a Kmail development issue.

Others have posted more elegant solutions using procmail.  Perhaps some
email gurus can put together a FAQ and post its URL. Thanks in advance
if you do.

Steven



* Re: [OT] Re: ATTACK TO MY SYSTEM
  2003-09-23 14:43     ` [OT] " Steven Cole
@ 2003-09-23 15:50       ` Wakko Warner
  2003-09-23 19:24         ` Wade
  2003-09-23 20:06         ` Willy Tarreau
  0 siblings, 2 replies; 19+ messages in thread
From: Wakko Warner @ 2003-09-23 15:50 UTC (permalink / raw)
  To: Steven Cole; +Cc: J.A. Magallon, Mike Galbraith, linux-kernel

> First, apologies to all since this is technically offtopic, but there
> does seem to be enough interest in this subject that I'll provide a
> short answer here.

Hate to keep it going, but...

> The problem with the W32.Swen.A@mm worm/virus became severe enough that
> my home account on 56k dialup was almost unusable.  I've been getting
> hundreds of these large emails per day for the past several days, and
> the problem seems to be getting worse, not better.

I'm running my own mail server and it's hard not to accept it.  I have
basically done checks on the From and To headers.  If it appears to be a virus,
I lock out the SMTP sender.  It's not permanent.  When the virus stops, I
unblock everyone.

-- 
 Lab tests show that use of micro$oft causes cancer in lab animals


* Re: [OFFTOPIC] Re: ATTACK TO MY SYSTEM
  2003-09-23 12:55       ` [OFFTOPIC] Re: ATTACK TO MY SYSTEM Maciej Soltysiak
  2003-09-23 13:41         ` jw schultz
@ 2003-09-23 16:36         ` Gerhard Mack
  2003-09-23 16:44           ` Maciej Soltysiak
  1 sibling, 1 reply; 19+ messages in thread
From: Gerhard Mack @ 2003-09-23 16:36 UTC (permalink / raw)
  To: Maciej Soltysiak
  Cc: Russell King, Jan Evert van Grootheest, Mike Galbraith,
	german aracil boned, linux-kernel

Worse than this is the fact that some idiot wrote spam software that tells
each RECIPIENT that someone tried to send them spam.  I saw a cc list that
included half of linux-kernel.

	Gerhard

On Tue, 23 Sep 2003, Maciej Soltysiak wrote:

> Date: Tue, 23 Sep 2003 14:55:57 +0200 (CEST)
> From: Maciej Soltysiak <solt@dns.toxicfilms.tv>
> To: Russell King <rmk@arm.linux.org.uk>
> Cc: Jan Evert van Grootheest <j.grootheest@euronext.nl>,
>      Mike Galbraith <efault@gmx.de>,
>      german aracil boned <german@tecnoxarxa.com>,
>      linux-kernel@vger.kernel.org
> Subject: Re: [OFFTOPIC] Re: ATTACK TO MY SYSTEM
>
> > When there are enough complaints to mail server admins, hopefully the
> > philosophy will change.
> It is changing. I have been talking to antivirus software people (nod32)
> and I suggested that their virus signatures could have information on whether
> the virus spoofs the sender address or not, and then simply not send
> replies for infected mail. I got a response that they are working on it,
> and that other antivirus software developers like the dudes from Symantec,
> Sophos, McAfee, etc. are working on it also.
>
> So we should have a slightly better solution to that when the software
> gets better.
>
> Also note the disinformative effect of the virus on plain users.
> We will have all of these problems until the protocols get seriously
> improved. We urgently need a reliable and secure protocol replacing or
> extending SMTP, which would aid in tracking down the culprits.
> TCP/IP ideas like ICMP traceback messages (it's still an IETF draft)
> and other ideas will hopefully help us cut down on spoofing, flooding,
> etc., as detection improves. Anyway, these are my wishes for the
> Internet community. The protocols we are using today (SMTP, IP) are
> inadequate due to their lack of defensive value.
>
> I also heard that there is work in progress concerning SMTP
> replacement/improvement by enhancements.
>
> Regards,
> Maciej
>

--
Gerhard Mack

gmack@innerfire.net

<>< As a computer I find your faith in technology amusing.



* [OFFTOPIC] Re: ATTACK TO MY SYSTEM
  2003-09-23 16:36         ` Gerhard Mack
@ 2003-09-23 16:44           ` Maciej Soltysiak
  0 siblings, 0 replies; 19+ messages in thread
From: Maciej Soltysiak @ 2003-09-23 16:44 UTC (permalink / raw)
  To: Gerhard Mack
  Cc: Russell King, Jan Evert van Grootheest, Mike Galbraith,
	german aracil boned, linux-kernel

On Tue, 23 Sep 2003, Gerhard Mack wrote:

> Worse than this is the fact that some idiot wrote spam software that tells
> each RECIPIENT that someone tried to send them spam.  I saw a cc list that
> included half of linux-kernel.
Maybe my wishes are coming true...

Do a search on AMTP (Authenticated Mail Transfer Protocol) at
http://www.ietf.org

It is still a draft, but maybe will become a standard some day.
I'm off to reading this paper. It has been released in August 2003.

Regards,
Maciej


* Re: [OT] Re: ATTACK TO MY SYSTEM
  2003-09-23 15:50       ` Wakko Warner
@ 2003-09-23 19:24         ` Wade
  2003-09-23 20:06         ` Willy Tarreau
  1 sibling, 0 replies; 19+ messages in thread
From: Wade @ 2003-09-23 19:24 UTC (permalink / raw)
  To: Wakko Warner; +Cc: Linux Kernel Mailing List

Wakko Warner wrote:
>>First, apologies to all since this is technically offtopic, but there
>>does seem to be enough interest in this subject that I'll provide a
>>short answer here.
> 
> 
> Hate to keep it going, but...
> 
> 
>>The problem with the W32.Swen.A@mm worm/virus  became severe enough that
>>my home account on 56k dialup was almost unusable.  I've been getting
>>hundreds of these large emails per day for the past several days, and
>>the problem seems to be getting worse, not better.
> 
> 
> I'm running my own mail server and it's hard not to accept it.  I have
> basically done checks on the From and To headers.  If it appears to be a virus,
> I lock out the SMTP sender.  It's not permanent.  When the virus stops, I
> unblock everyone.
> 

Why not block mail with attachments which end in .pif or .exe? Who needs 
that?



* Re: [OT] Re: ATTACK TO MY SYSTEM
  2003-09-23 15:50       ` Wakko Warner
  2003-09-23 19:24         ` Wade
@ 2003-09-23 20:06         ` Willy Tarreau
  1 sibling, 0 replies; 19+ messages in thread
From: Willy Tarreau @ 2003-09-23 20:06 UTC (permalink / raw)
  To: Wakko Warner; +Cc: Steven Cole, J.A. Magallon, Mike Galbraith, linux-kernel

On Tue, Sep 23, 2003 at 11:50:39AM -0400, Wakko Warner wrote:
 
> I'm running my own mailserver and it's hard not to accept it.  I have
> basically done checks in the from and to headers.  If it appears as a virus,
> I lock out the smtp sender.  It's not permanent.  When the virus stops, I
> unblock everyone.

I've noticed that they *ALL* have their From:, To:, and Subject: written in
uppercase. So it's really easy to filter them out depending on the tools used.
If a mail header either matches ^FROM:, ^TO: or ^SUBJECT: then it has a high
chance of being a spam/virus. I checked all my recent mails and a few months
back in LKML and did not find anything except spam/viruses which match this.
At least, we should be lucky that these virus writers don't fully respect
protocols...

HTH,
Willy


^ permalink raw reply	[flat|nested] 19+ messages in thread

* Re: [OT] Re: ATTACK TO MY SYSTEM
  2003-09-24  8:46 ` Willy Tarreau
@ 2003-09-24  8:59   ` Jörn Engel
  0 siblings, 0 replies; 19+ messages in thread
From: Jörn Engel @ 2003-09-24  8:59 UTC (permalink / raw)
  To: Willy Tarreau; +Cc: John Bradford, linux-kernel

On Wed, 24 September 2003 10:46:16 +0200, Willy Tarreau wrote:
> On Wed, Sep 24, 2003 at 08:40:35AM +0100, John Bradford wrote:
>  
> > RFC 822, section 3.4.7, makes clear that case is _not_ significant for
> > these field names.  RFC 2822 doesn't change this.
> 
> Sorry John about the mis-information. Of course case is not significant,
> otherwise we would simply not receive these mails. I should have said
> "common usage" and not "protocols", since I really thought the former
> even though I wrote the latter.
> 
> > Just because no commonly used E-Mail application seems to generate
> > uppercase field names, how do you know something like a password
> > auto-responder script won't?
> 
> I don't know. It's only an empirical choice based on observations. Many of us
> are more concerned by hundreds of mails a day than risking to get a rare
> false-positive. But I agree, I should have been clearer.
> 
> I have nearly the same .procmailrc as the one Joern Engel proposed :
> 
>   :0 D
>   * ^FROM:
>   spam/swen
> 
> And I too agree that I have 0% false positive so far. But just like any filter,
> use at your own risk...

All right, let's do this on-list *once* before the already off-topic
thread spreads too far.

o Filtering by all-uppercase subject, etc. is effective for swen.
o This filter has produced 0% false positives *so far*.
o This filter, just like any filter, can produce false positives.
o Anyone using filters without checking for false positives is at his
  or her own mercy.  Tough luck, deal with it.

EOT.

Jörn

-- 
A defeated army first battles and then seeks victory.
-- Sun Tzu

^ permalink raw reply	[flat|nested] 19+ messages in thread
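
The uppercase-field-name filter from Willy Tarreau's message and Jörn Engel's summary above, as an added example in Python that is not part of the thread. It reproduces the case-sensitive procmail match on the raw header block, shows why the check has to run on the raw text rather than on a parsed message (RFC 822 section 3.4.7 makes field names case-insensitive, so the parser discards the distinction), and constructs the kind of false positive John Bradford raises, an auto-responder that happens to write its field names in capitals. All sample messages are constructed for the example and use the reserved .invalid domain.

```python
import re
from email import message_from_string

# The three field names the thread reports Swen writing in all caps.
# re.MULTILINE makes ^ match at each line start; the pattern is deliberately
# case-sensitive, the Python counterpart of procmail's ':0 D' flag.
SWEN_HEADER_RE = re.compile(r"^(FROM|TO|SUBJECT):", re.MULTILINE)


def raw_header_block(raw_message: str) -> str:
    """Return the header section of a message: everything before the first blank line."""
    head, _sep, _body = raw_message.replace("\r\n", "\n").partition("\n\n")
    return head


def looks_like_swen(raw_message: str) -> bool:
    """Case-sensitive match on the raw header text, like '* ^FROM:' under the D flag.

    Only the header block is scanned, so an all-caps 'TO:' inside the body
    cannot trigger the rule.
    """
    return SWEN_HEADER_RE.search(raw_header_block(raw_message)) is not None


def deliver(raw_message: str) -> str:
    """Mimic the procmail recipe: matching mail goes to spam/swen, the rest to the inbox."""
    return "spam/swen" if looks_like_swen(raw_message) else "inbox"


def parsed_from(raw_message: str) -> str:
    """Look the sender up through the email parser.

    RFC 822 section 3.4.7 makes field names case-insensitive and the stdlib
    parser honours that: msg['from'] returns the value whether the wire line
    said 'From:' or 'FROM:'. The case information is gone at this point, which
    is why looks_like_swen() works on the raw text instead.
    """
    return message_from_string(raw_message)["from"]


# Constructed samples, not captured mail.
SWEN_LIKE = (
    "FROM: support@example.invalid\n"
    "TO: victim@example.invalid\n"
    "SUBJECT: Latest Internet Security Pack\n"
    "\n"
    "Install the attached update.\n"
)

# Ordinary list mail. The Subject *value* is all caps, but the field names
# are not, so the rule does not fire.
NORMAL = (
    "From: Joern Engel <joern@example.invalid>\n"
    "To: linux-kernel@vger.kernel.org\n"
    "Subject: Re: [OT] Re: ATTACK TO MY SYSTEM\n"
    "\n"
    "All right, let's do this on-list once.\n"
)

# John Bradford's hypothetical: a home-grown password auto-responder that
# emits uppercase field names. Legitimate mail, but the rule still fires.
AUTORESPONDER = (
    "FROM: password-robot@example.invalid\n"
    "TO: user@example.invalid\n"
    "SUBJECT: Your new password\n"
    "\n"
    "Your temporary password has been reset.\n"
)

if __name__ == "__main__":
    samples = [("swen-like", SWEN_LIKE), ("normal", NORMAL), ("autoresponder", AUTORESPONDER)]
    for label, sample in samples:
        print(f"{label:14s} -> {deliver(sample):9s} (parsed From: {parsed_from(sample)})")
```

Running it sorts the first and third samples into spam/swen and the second into the inbox, which is the whole argument of the thread in miniature: the rule is cheap and, on the list's own traffic, accurate, but the auto-responder case shows it is an empirical heuristic about what common mailers emit, not something the protocol guarantees.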

* Re: [OT] Re: ATTACK TO MY SYSTEM
  2003-09-24  7:40 John Bradford
@ 2003-09-24  8:46 ` Willy Tarreau
  2003-09-24  8:59   ` Jörn Engel
  0 siblings, 1 reply; 19+ messages in thread
From: Willy Tarreau @ 2003-09-24  8:46 UTC (permalink / raw)
  To: John Bradford; +Cc: linux-kernel

On Wed, Sep 24, 2003 at 08:40:35AM +0100, John Bradford wrote:
 
> RFC 822, section 3.4.7, makes clear that case is _not_ significant for
> these field names.  RFC 2822 doesn't change this.

Sorry John about the mis-information. Of course case is not significant,
otherwise we would simply not receive these mails. I should have said
"common usage" and not "protocols", since I really thought the former
even though I wrote the latter.

> Just because no commonly used E-Mail application seems to generate
> uppercase field names, how do you know something like a password
> auto-responder script won't?

I don't know. It's only an empirical choice based on observations. Many of us
are more concerned by hundreds of mails a day than risking to get a rare
false-positive. But I agree, I should have been clearer.

I have nearly the same .procmailrc as the one Joern Engel proposed :

  # The D flag makes the condition case-sensitive, so only an all-caps
  # FROM: field name matches; an ordinary "From:" line passes through.
  :0 D
  * ^FROM:
  spam/swen

And I too agree that I have 0% false positive so far. But just like any filter,
use at your own risk...

Willy


^ permalink raw reply	[flat|nested] 19+ messages in thread

* Re: [OT] Re: ATTACK TO MY SYSTEM
@ 2003-09-24  7:40 John Bradford
  2003-09-24  8:46 ` Willy Tarreau
  0 siblings, 1 reply; 19+ messages in thread
From: John Bradford @ 2003-09-24  7:40 UTC (permalink / raw)
  To: wakko, willy; +Cc: efault, elenstev, jamagallon, linux-kernel

> > I'm running my own mailserver and it's hard not to accept it.  I have
> > basically done checks in the from and to headers.  If it appears as a virus,
> > I lock out the smtp sender.  It's not permanent.  When the virus stops, I
> > unblock everyone.
>
> I've noticed that they *ALL* have their From:, To:, and Subject: written in
> uppercase. So it's really easy to filter them out depending on the tools used.
> If a mail header either matches ^FROM:, ^TO: or ^SUBJECT: then it has a high
> chance of being a spam/virus. I checked all my recent mails and a few months
> back in LKML and did not find anything except spam/viruses which match this.
> At least, we should be lucky that these virus writers don't fully respect
> protocols...

What protocols are you referring to?

RFC 822, section 3.4.7, makes clear that case is _not_ significant for
these field names.  RFC 2822 doesn't change this.

Just because no commonly used E-Mail application seems to generate
uppercase field names, how do you know something like a password
auto-responder script won't?

That may not be a concern for you, but please don't spread
mis-information to others.

John.

^ permalink raw reply	[flat|nested] 19+ messages in thread

end of thread, other threads:[~2003-09-24  9:00 UTC | newest]

Thread overview: 19+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2003-09-23  9:12 ATTACK TO MY SYSTEM german aracil boned
2003-09-23 10:01 ` Mike Galbraith
2003-09-23 12:01   ` Jan Evert van Grootheest
2003-09-23 12:17     ` [OFFTOPIC] " Russell King
2003-09-23 12:38       ` Jörn Engel
2003-09-23 13:43         ` iptables kernel german aracil boned
2003-09-23 12:55       ` [OFFTOPIC] Re: ATTACK TO MY SYSTEM Maciej Soltysiak
2003-09-23 13:41         ` jw schultz
2003-09-23 16:36         ` Gerhard Mack
2003-09-23 16:44           ` Maciej Soltysiak
2003-09-23 12:50   ` Breno
2003-09-23 13:40   ` J.A. Magallon
2003-09-23 14:43     ` [OT] " Steven Cole
2003-09-23 15:50       ` Wakko Warner
2003-09-23 19:24         ` Wade
2003-09-23 20:06         ` Willy Tarreau
2003-09-24  7:40 John Bradford
2003-09-24  8:46 ` Willy Tarreau
2003-09-24  8:59   ` Jörn Engel
