Re: [Exim] use of _ in HELO... again

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Wakko Warner
Datum:  
To: Adrian Phillips
CC: exim-users
Betreff: Re: [Exim] use of _ in HELO... again
> Wakko> Sobig was a good one for us. 250 emails in the past 3 days
>     Wakko> contained sobig.  All caught by the virus scanner.  I said
>     Wakko> I could stop them by checking their HELO strings.  Answer
>     Wakko> "Don't bother".

>
> What happens when a new SPAM "originates" near you; that happened to
> us with SOBIG-F - we got hit by the virus at least an hour before any
> of our virus systems (Norman and Trend Micro) had a pattern file that
> could catch it; in fact it took Trend Micro several hours to release a
> version that could, although they did have a pre-release pattern file
> available which I had to hand install.


Actually, we use mcafee virus scan for linux. But still, the sobig virus
was caught before I could get the update because of the .pif and .scr
extension.

> Fortunately none of our clients were infected because very few
> individuals received the message and the few that did were either
> clever enough not to click on them or running some Unix variant.


Oddly, one of our users got the virus, but the virus scan on the pc caught
it.

> The question for your management then is how much damage are they
> willing to take on the chance that this scenario happens to them
> noting that if only one machine in the company becomes infected there
> is a good chance that your whole company (or the Windows part of it)
> could be infected very quickly because of the way this particulour
> virus works.


Can't answer that one. I know that the nimda virus infected us. The funny
part was, the firewall was infected first (windows based piece of garbage)

> Catching viruses by other means than relying on a mechanism that is
> always going to trail the release of new viruses seems a no-brainer to
> me (of course many people seem to have managers with no brains so ...).


I already disallow the use of many extensions that can be executed. The
scanner also attempts to verify that an attachment that has a content type
of audio/* or image/* is checked to see if it really is. I have caught
legit files, but the end result is it does block come virii that get past the
executable block.

At this point, the payload of sending the virus was successful (bandwidth
wasting). What I was going to do was check the helo string to keep the
payload down. This is what they said not to bother with because it'll stop
sept 10th anyway.

--
Lab tests show that use of micro$oft causes cancer in lab animals