Re: [Exim] Nimda Worm

Author: John W Baxter
Date:  
To: exim-users
Subject: Re: [Exim] Nimda Worm
At 9:24 +0100 9/20/2001, Phil Chambers wrote:
>The filter published at www.exim.org will reject the Nimda worm because of the
>.exe file extension. I don't use that but put in a simple filter to divert
>anything with readme.exe in the body to postmaster. That trapped 8 copies
>in 24 hours and am surprised there were so few. On the basis of those 8 I
>revised my filter again and am now using:


I, too, have been surprised at the infrequency of the email form of the
attack. One of the early descriptions indicated that a newly-infected
computer does its email thing *once* only (unlike e.g. SirCam), which
probably is intended to reduce the chance of warnings coming back to the
user, or something.

Also, it appears to gather its addresses from the mail In box and from
cached web pages...our users on average do not have their email addresses
in web pages (I do, but not widely interesting ones), and therefore not in
the pages in the browser cache.

  --John
-- 
John Baxter   jwblist@???      Port Ludlow, WA, USA