Re: Taking Precautions...
From: del (del_at_test.com)
Date: 09/24/03
- Next message: helper: "Re: Jupiter Jones"
- Previous message: Bill Sanderson: "Re: Jupiter Jones"
- In reply to: Phil Weldon: "Re: Taking Precautions..."
- Next in thread: Phil Weldon: "Re: Taking Precautions..."
- Reply: Phil Weldon: "Re: Taking Precautions..."
Date: Tue, 23 Sep 2003 15:10:55 -0700
Wow Phil - incredible effort on your part to stem the flow!
I too was getting bombarded - my fix...
I POP3 to my ISP for mail. At the ISP I implemented spam blocking: I spent half a day tagging all incoming and blocked senders while blocking selected domains.
I also set up filters that now total six to block certain keywords in the subject.
I'm now averaging 3 to 4 per hour getting through, and that number will lessen as I add filters and block senders.
Primitive but effective...
>-----Original Message-----
>Blocking addresses will reduce the spate of messages by an infinitesimal amount. The addresses are not the source of the e-mail but are either generated by Worm.Automat.AHB or harvested from address books on infected machines or systems. They constantly change. You can easily classify about one third of the messages. At present ALL the HTML bogus Microsoft e-mails have the string 'Run attached file' in the body (the single quotes are not part of the string). The bogus 'Undeliverable e-mail' type messages can be significantly reduced by normal spam blocking rules. These e-mails are permutating and mutating in the headers and the bodies. A 100% reliable indication for classification is the presence of the infected attachment (only the name and extension changes; the worm is not polymorphic).
>Unfortunately if you scan incoming e-mail for infection (as you should), antivirus programs like Norton AntiVirus don't quite have the right option. You can set it to silently delete e-mail infections, but you don't have the option to delete the entire e-mail message. For the HTML bogus Microsoft type Norton deletes the infectious attachment and replaces it with a text file that explains what has been done; for the MIME bogus 'Undeliverable e-mail' type Norton just deletes the attachment. Ordinarily this would be fine; it'd be a good thing if you were just getting one or two of these messages per day. But more and more that is not the case. Ideally the infected e-mail would just disappear without you ever seeing it (you'd still have to constantly empty your mailbox to keep it under the limit (usually 10 MBytes), but that problem can only be solved by your ISP). Evidently Symantec just didn't consider the possibility of such a massive worm attack. Adding this option would be trivial. Perhaps one of the other antivirus programs has this option.
>
>I am getting 1500 of these e-mails per day. Here's how I handle the flood -
>
>I have broadband internet access and I keep a machine running 24/7 to empty my mail box every five minutes.
>
>I use Outlook to read e-mail and I have installed Inboxer for Outlook, a plug-in Bayesian analyzer. After Inboxer analyzed a database of ~1500 Worm.Automat.AHB generated e-mails I'd received (the spam) and 265 legitimate e-mails I'd received recently (the ham) [the analysis took about five minutes], it has correctly categorized the next 4000 e-mails I received with no false positives and no false negatives. The e-mail messages Inboxer considers to be generated most like the 'known bad' messages it shunts to a folder other than Inbox. I need never see these messages. I could just empty the folder regularly, but I want to track this worm. At present I don't use Inboxer to identify traditional spam - there is no need. In the last four days my usual spam quota has fallen by 80%.
>
>I send a nasty e-mail to all the administrators of mail servers which are sending me inappropriate 'reception of infected e-mail' notices.
>
>I complain to my ISP, make suggestions as to what they should be doing, and send them this URL http://xtra.co.nz/products/0,,8969,00.html for a New Zealand ISP that is doing filtering at the POP3 server.
>
>I use Intelligent Updater to manually update my Norton AntiVirus definitions every day.
>
>I use Windows Update and Office Update regularly.
>
>I have a DHCP server between my local area network and my internet connection (it is not a Windows box, but instead an embedded system by Microsoft in a switcher/wireless base station with WEP (wired equivalent privacy)).
>
>I speculate what the weather on the internet will be by next week.
>
>I wonder if this worm is part of John Poindexter's Raptor project gone rogue, or if it is one of the missing weapons of mass destruction.
>
>Good luck.
>
>Phil Weldon, pweldon@mindspring.com
>
>"del" <del@test.com> wrote in message
>news:002d01c38113$d5ce1380$a101280a@phx.gbl...
>> I too have been inundated with virus laden email messages.
>>
>> In order to slow the flow I've implemented a 'spamdetector' and it's catching some of them. I'm also adding the addresses to a blocking list including some of the domains.
>>
>> Anything else that I can implement to stem the flow?
>>
>> Thanks...
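The quoted reply gives two per-message indicators for this worm mail: the body string 'Run attached file' in the bogus "Microsoft" HTML messages, and the presence of the infected attachment, which is renamed between copies but is not polymorphic. It also notes that the desktop scanner could only strip the attachment, not drop the whole message. The script below is an added example, not code from this thread, from Inboxer or from Norton: it triages a raw RFC 822 message as a whole (discard, quarantine or keep) using the standard-library `email` parser. The marker string comes from the post; the executable-extension list, the stand-in bytes used as the "worm body", the hash deny-set built from them, and all sample messages are constructed here for illustration and are assumptions, not data from the page.

```python
import hashlib
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Indicator quoted in the thread: every bogus "Microsoft" HTML mail carried this string.
BODY_MARKER = re.compile(r"run attached file", re.IGNORECASE)

# Assumed here, not stated in the thread: extensions such a worm arrives under.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".bat", ".com")

# Constructed stand-in for the worm executable (a few bytes, not real malware).
# The thread's point: the file is renamed between copies but its bytes do not
# change, so a hash of the decoded attachment is a reliable per-message indicator.
WORM_BYTES = b"MZ\x90\x00constructed stand-in for the non-polymorphic worm body"
KNOWN_BAD = {hashlib.sha256(WORM_BYTES).hexdigest()}


def attachments(msg):
    """Yield (filename, decoded bytes) for each leaf part that is an attachment."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        inline_text = (part.get_content_maintype() == "text"
                       and part.get_content_disposition() != "attachment")
        if inline_text:
            continue
        yield name, part.get_payload(decode=True) or b""


def body_text(msg):
    """Decoded text of every inline text/* part (plain and HTML alternatives)."""
    chunks = []
    for part in msg.walk():
        if (part.get_content_maintype() == "text"
                and part.get_content_disposition() != "attachment"):
            chunks.append(part.get_content())
    return "\n".join(chunks)


def classify(raw, known_bad=KNOWN_BAD):
    """Triage one raw RFC 822 message as a whole: 'discard', 'quarantine' or 'keep'."""
    msg = message_from_string(raw, policy=policy.default)
    if BODY_MARKER.search(body_text(msg)):
        return "discard"
    suspicious = False
    for name, data in attachments(msg):
        if hashlib.sha256(data).hexdigest() in known_bad:
            return "discard"          # same bytes under a new name
        if name.lower().endswith(EXECUTABLE_EXT):
            suspicious = True         # unknown executable: hold for a human
    return "quarantine" if suspicious else "keep"


def build_sample(html, attachment=None, attachment_bytes=b""):
    """Construct a message shaped like the bogus update mail (sample data made here)."""
    m = EmailMessage()
    m["From"] = "MS Internet Security Section <security@example.invalid>"
    m["To"] = "victim@example.invalid"
    m["Subject"] = "Latest Internet Security Pack"
    m.set_content("See the HTML version of this message.")
    m.add_alternative(html, subtype="html")
    if attachment is not None:
        m.add_attachment(attachment_bytes, maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


# Constructed samples: marker in body; same worm bytes renamed with no marker;
# an unknown executable; a harmless reply with no attachment.
SAMPLES = {
    "bogus_update": build_sample("<p>Install now. Run attached file.</p>",
                                 "q123456.exe", WORM_BYTES),
    "renamed_copy": build_sample("<p>Security patch enclosed.</p>",
                                 "patch.pif", WORM_BYTES),
    "unknown_exe": build_sample("<p>Here is the installer you asked for.</p>",
                                "setup.exe", b"other bytes"),
    "plain_reply": build_sample("<p>Thanks, see you Tuesday.</p>"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13s} -> {classify(raw)}")
```

The decision is taken on the whole message, so a hit on either indicator drops the message rather than leaving a stub with the attachment removed. The "renamed_copy" sample is the case the post describes: no marker string, a different file name, but the same attachment bytes, so the hash check still catches it; with an empty deny-set it only falls back to quarantine on the extension.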