Author: Alan J. Flavell
Date:
To: Exim users list
Subject: Re: [Exim] Mydoom and virus signature updates
On Mon, 26 Jul 2004, Peter Bowyer wrote:
> My consumer-grade McAfee just updated in the past few minutes - it now
> catches a sample of this one. The clamav on my mail relays doesn't yet,
> though.
Well, checking my mail logs, the first one had me confused at first,
into believing that it really -had- done a double-flip around ICL
before they finally sent a misguided bounce to the victim's address.
Of course I could see it had to be an undetected virus, but I was
still initially fooled by the cover story. This was around 14:20 UTC.
Within half an hour it was clear what was going on (a good job I
happened to be on the receiving end of the first one, and not
otherwise occupied - sheer chance), and I had arranged to freeze all
.zip attachments for inspection until the issue became clear.
I tried a manual update from sophos instead of waiting for the next
scheduled update, and it seems I had got an IDE (mydoom-o) by
15:55 UTC. Although this caught some of them, it still let others
through. However, since the timestamp on the present IDE is 16:31 UTC,
I would have to assume (sorry, no Round Tuits available to check
further details) that this is a revised version, downloaded by the
scheduled update cycle.
It just goes to show what I've been saying for years now - an
anti-virus product is a valuable back-stop, but it cannot be one's
only line of defence.
Unfortunately, the Great Bringer of Security Holes has contrived to
make .zip files effectively unusable now. Just what we needed...
And the whole thing is exacerbated by a great forest of autospamming
software out there, which takes any kind of incoming virus attack and
turns it into a pestilential assault on third parties whose only
offence was to have their addresses faked. Thanks to TimJ's
collection, we've been keeping most of those at bay until now...
Except that this time it's faking postmaster, which in the past we've
allowed to bypass most of our usual defences. So all these stupid
virus bounces are landing on our postmaster account, damn it. I see
that there's also a sizeable number of non-delivery reports being
offered to our MAILER-DAEMON, for some reason. (Why ever do we need to
accept any kind of inbound to MAILER-DAEMON - couldn't we just reject
those? I had never needed to think about the problem before.)
Anyway, now I'm forced to build a special blacklist of MTAs which
abused the postmaster address. Several big-name computer companies
have found their way in there today. Sheesh.
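Added example, not part of Alan's message: an Exim 4 RCPT-time ACL fragment that does the two things discussed above, refusing all inbound mail to MAILER-DAEMON and refusing bounces (empty envelope sender) addressed to postmaster from hosts on a locally maintained blacklist, while still letting ordinary mail to postmaster bypass the remaining checks. The file name /etc/exim/postmaster_abusers and the named domain list +local_domains are assumptions; adapt them to your configuration.

```exim
# Added example (not from the original message). Assumes
# /etc/exim/postmaster_abusers holds one host list item per line
# (IP addresses, CIDR blocks or host names of MTAs that have been
# sending misdirected virus bounces to postmaster), and that
# +local_domains is the usual named domain list of domains you accept
# mail for.

acl_check_rcpt:

  # Nothing legitimate is ever addressed to MAILER-DAEMON: it is only the
  # envelope sender of our own bounces. Reject at RCPT time so the message
  # body is never accepted and no backscatter of our own is generated.
  deny  local_parts = \N^(?i)mailer-daemon$\N
        message     = MAILER-DAEMON does not accept mail

  # A bounce has an empty envelope sender. Refuse bounces to postmaster
  # that arrive from a blacklisted host. Only bounces are refused: RFC 2821
  # requires postmaster to keep accepting ordinary mail from anyone.
  deny  condition   = ${if eq{$sender_address}{}}
        local_parts = \N^(?i)postmaster$\N
        hosts       = /etc/exim/postmaster_abusers
        message     = Misdirected virus bounce from $sender_host_address refused

  # Everything else for postmaster at our own domains is accepted here,
  # ahead of the usual sender verification, RBL and relay checks. The
  # domains restriction stops the exemption from turning the host into
  # an open relay for postmaster@elsewhere.
  accept local_parts = \N^(?i)postmaster$\N
         domains     = +local_domains

  # ... the remaining recipient checks (relay control, verify = recipient,
  # DNS blacklists, etc.) follow here as in your existing configuration.
```

The regexes are wrapped in \N...\N so that Exim's string expansion leaves the $ anchor alone, and (?i) makes the match caseless since the local part is matched as the client sent it. The first deny in a list of conditions is evaluated in order, so the cheap empty-sender test runs before the file lookup.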