Email virus protection

None, we only protect those customers who additionally pay for our antivirus
services.

These services comprise systems which decode the MIME, unzip, untar, unarc
(etc.) and then run any files through commercial virus checker engines which are
updated automatically daily, or manually in the case of a new emerging threat
that can't wait.

We don't filter by file type.. people do send exe's legitimately!

Steve

Stephen J. Wilcox wrote:

We don't filter by file type.. people do send exe's legitimately!

You can zip the exe, or you can rename the exe, or you can ask not to have exe's filtered at all.

Sometimes solutions can be simple.

-Jack

Just like what some viruses do you mean?

Steve

Stephen J. Wilcox wrote:

Just like what some viruses do you mean?

A zipped virus or a renamed virus to say exd or dat is less likely to get an infection hold than .pif, .bat, or .exe

-Jack

Jack Bates wrote:

Stephen J. Wilcox wrote:

> We don't filter by file type.. people do send exe's legitimately!
>

You can zip the exe, or you can rename the exe, or you can ask not to
have exe's filtered at all.

Sometimes solutions can be simple.

Unless your AV software has a clue, like most do, and unzips archives and
sees what's inside.

And thank goodness they do or else the Mimail (with its message.zip
attachment) could have been worse.

Crist Clark wrote:

Unless your AV software has a clue, like most do, and unzips archives
and sees what's inside.

which is ideal for virus scanning, but not for blanket-blocking of email.
A zipped archive containing an executable cannot (unless something has
changed that I don't know about) be automatically opened by any mail
client - the user must make a deliberate attempt to open the archive, then
execute the attachment (although the actual extraction can be performed
automatically by many decompression utilities if you double-click an
executable or document inside its browser).
There is of course no allowing for the stupidity of users - but if you
have a stupid enough user you could induce him to bypass any protection
anyhow.

No one loves me and I don't get much email from the folks who tolerate
me. I just got back from having lunch with some guys who tolerate me and
I found scads of messages from all over -the funniest among the bunch
for our Nanog readers:

<user>@cisco.com
<user>@tacnet.com
<user>@wcom.com
<user>@sprint.com

  Looks like my internetwork equipment vendor and my two favorite peers
have their Windoze stuff in a complete state of 'higgledy piggledy' - a
technical term from Bloom County cartoons, for those not old enough to
remember.

  I hate to rub it in, but I've got fifty days of uptime on everything
I'm responsible for and the only reason it isn't a hundred and fifty is
due to me taking them down for an OS upgrade.
root 1 0.0 0.1 552 0 ?? ILs 3Jul03 0:01.56
/sbin/init --

  Windows is a question presented to each of us. Some find their answer
here ==> http://freebsd.org

Even they don't like you dude ... the sources are forged ... :slight_smile:

-Steve

* neal rauhauser said:

  No one loves me and I don't get much email from the folks who tolerate
me. I just got back from having lunch with some guys who tolerate me and
I found scads of messages from all over -the funniest among the bunch
for our Nanog readers:

<user>@cisco.com
<user>@tacnet.com
<user>@wcom.com
<user>@sprint.com

it (Sobig) forges the source email address using the same set of files
that it looks in to find email addresses to send to... So all you can
ensure is that the user sending it to you is on some mailing list you're
on or your email address is in their browser cache someplace... you have
to look at the source IP address for the first hop to identify the
culprit...

joelja

No, it looks like some poor schmuck who happened to have those e-mail
addresses somewhere on the disk has their windows system in trouble.

W32/SoBig-F is known to forge the From: field. Which explains why I've gotten
at least 103 "you sent us a virus" postings regarding my Linux laptop.. :wink:

Which of course just goes to show that people can be "behind the knowledge curve"
no matter *what* operating system they happen to be using.

I prefer to think of it as having evolved to a higher plane of
existence :slight_smile:

Probably not. The virus grabs a From address at random from the infected person's email inbox. So it's more likely someone who has got mail FROM those people rather than those people. See
http://vil.nai.com/vil/content/v_100561.htm

To quote,
"The "From:" address may be spoofed with an address extracted from the victim machine."

---Mike

Today's problem virus forges the "from" field. So all those emails "from" <user>@cisco/tacnet/wcom/sprint were sent from an infected computer (or computers) that had those email addresses in it. Probably from a computer on a competitor's network. You need to look at the received headers to find out where the emails are *really* coming from.

jc
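The Received: header walk that joelja and jc recommend, written out as an added Python example (it is not code from any poster); the host names, IPs and the list of "our" servers are constructed for illustration:

```python
import email
import re

# Constructed sample. Received: headers are prepended as the message travels,
# so the top line is the newest hop and the bottom line the earliest one.
# The From: line claims cisco.com, exactly the forgery the thread is about.
SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mailstore.example.net with ESMTP id abc123; Thu, 21 Aug 2003 14:03:11 -0400
Received: from cpe-203-0-113-77.isp.example (unknown [203.0.113.77])
\tby mx1.example.net with SMTP id def456; Thu, 21 Aug 2003 14:03:09 -0400
Received: from mail.cisco.example (mail.cisco.example [198.51.100.5])
\tby cpe-203-0-113-77.isp.example; Thu, 21 Aug 2003 14:03:00 -0400
From: user@cisco.com
To: ops@example.net
Subject: Re: Details

See the attached file for details.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^()]*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r"\s+by\s+(?P<by>[^\s;]+)"
)


def parse_received(raw):
    """Return (helo, ip, by) per Received: header, newest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        # unfold the header (continuation lines) before matching
        match = RECEIVED_RE.search(" ".join(value.split()))
        if match:
            hops.append((match.group("helo"), match.group("ip"), match.group("by")))
    return hops


def first_external_hop(raw, trusted_hosts):
    """IP that handed the message to the last server we operate.

    Walk from the newest hop down while the receiving ('by') host is ours.
    Lines below that boundary were written by the sender and can be forged
    just like From:, so they are evidence of nothing."""
    boundary_ip = None
    for _helo, ip, by in parse_received(raw):
        if by not in trusted_hosts:
            break
        boundary_ip = ip
    return boundary_ip
```

Here the message claims to come via a cisco mail host, but the last hop our own server saw is the 203.0.113.77 dial-up address, which is the machine worth reporting to its ISP.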

Email for me is becoming more of a pain in the ass than it's worth..

neal rauhauser wrote:

  No one loves me and I don't get much email from the folks who tolerate
me. I just got back from having lunch with some guys who tolerate me and
I found scads of messages from all over -the funniest among the bunch
for our Nanog readers:

<user>@cisco.com
<user>@tacnet.com
<user>@wcom.com
<user>@sprint.com

  Looks like my internetwork equipment vendor and my two favorite peers
have their Windoze stuff in a complete state of 'higgledy piggledy' - a
technical term from Bloom County cartoons, for those not old enough to
remember.

--snip--

Aww, Neal, you know that I still love you and send you email from time
to time;)

In some cases you can determine the infected machine from the IP in the
header. Of course, if that IP is dynamically assigned it's a little
harder. If the volume of email from one source IP gets too high, a
friendly call to their company or ISP might get results--a lookup of the
IP at whois.arin.net should give you the contact info you need.

This virus has been a royal pain for me. My personal, work, postmaster
and webmaster accounts have finally dropped off receiving it, but if
anyone wants the more than several thousand I received Tues. and Wed.,
they're welcome to it.

Anyway, just a note on the consequences here. Each time one of these
silly things hit that forge sender addresses, the number of possible
future infectees who have your email address increases. Let's say that
your brother was infected by Klez. His computer sent out a bunch of
emails as other people--some of them as you. One of those folks gets
infected. Their computer sends out a bunch of emails as other
people--some of them as you. Now you've got people that are friends and
co-workers of other friends that were infected. Each time that circle
gets larger and the number of folks who potentially have your email
address somewhere on their system widens. THIS SUCKS!

The postmaster account is by far the worst one as far as receiving.

If anyone ever finds out where to send the bill and the firing squad,
I'll be at the front of the line;)

Dave Howe wrote:

Crist Clark wrote:
> Unless your AV software has a clue, like most do, and unzips archives
> and sees what's inside.
which is ideal for virus scanning, but not for blanket-blocking of email.
A zipped archive containing an executable cannot (unless something has
changed that I don't know about) be automatically opened by any mail
client - the user must make a deliberate attempt to open the archive, then
execute the attachment (although the actual extraction can be performed
automatically by many decompression utilities if you double-click an
executable or document inside its browser).

Automatic opening by Outlook and Outlook Express (I'm not aware of any
other MUAs that have actually had worms in the wild that do this) has
actually only been used by a few worms.

As I mentioned in the original mail, this is how Mimail from a week or
two ago spread. An *.htm (not even "executable," whatever that means
on Windows anymore) was inside of a zip.

There is of course no allowing for the stupidity of users - but if you
have a stupid enough user you could induce him to bypass any protection
anyhow.

AFAIK, the present scourge of the net, Sobig.F, requires the reader to
"click on it." It's not one of those that takes advantage of Outlook or
IE bugs to auto-execute. Most moron^H^H^H^H^Husers do so out of curiosity.
We've been telling them not to do this for several years. They still do
it. Face it, they are never going to stop doing it.

I don't want the users to be able to "click-through" to execute the file,
whether it is one or two steps. It's too easy for the curious. My goal is
to have the ones who _really_ want to get a "forbidden" extension through
the system need to actually *gasp* use the keyboard to rename the file!
That means they have to save the mangled name to a file, rename it back,
and then "run" it. Ju-ust that little bit of effort is enough to stop
several nines of the curious. I remember wa-ay back in the Melissa days,
before AV email gateways were widely used, implementing MIMEdefang which
did these simple things. That was, and still is, enough to stop an awful
lot of this junk.

Similarly, if someone wants to zip some things up, mangle the zip extension,
and then send it on through, it's OK with me. That's enough to stop
the curious.
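One way to implement the extension mangling described above, with the unzip-and-look step from the first post folded in, as an added Python example (not MIMEdefang's or any poster's code); the `.DEFANGED` suffix, the blocked-extension list and the sample message are assumptions made for illustration:

```python
import io
import zipfile
from email.message import EmailMessage

# Extensions the gateway refuses to hand to a mail client unchanged (assumed list).
BLOCKED = (".exe", ".pif", ".bat", ".scr", ".com", ".vbs")
SUFFIX = ".DEFANGED"  # assumed mangling suffix, not any product's convention


def is_blocked(name):
    return name.lower().endswith(BLOCKED)


def archive_has_blocked(data):
    """True if a zip attachment holds a member with a blocked extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(is_blocked(n) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def defang(msg):
    """Mangle attachment names so the user must save and rename before running.

    Plain executables and zips containing one are both mangled; the part's
    content is left intact for the AV scanner. Returns {old name: new name}."""
    renamed = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        payload = part.get_payload(decode=True)
        if is_blocked(name) or (name.lower().endswith(".zip")
                                and archive_has_blocked(payload)):
            new = name + SUFFIX
            part.replace_header("Content-Disposition",
                                f'attachment; filename="{new}"')
            renamed[name] = new
    return renamed


def build_sample():
    """Constructed message: a zip holding a .pif, plus a harmless text note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details.pif", b"placeholder bytes, not a program")
    msg = EmailMessage()
    msg["From"] = "someone@example.org"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg
```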