RE: CRIME WORM_Sobig.A blocked but dealing with the residual address...

From: Kuo, Jimmy (Jimmy_Kuo@private)
Date: Tue Jan 21 2003 - 17:45:01 PST


    From http://vil.nai.com/vil/content/v_99950.htm
    
    Outgoing messages are formatted as follows:
    
    From: big@private 
    
    Subject: One of the following: 
    Re: Movies 
    Re: Sample 
    Re: Document 
    Re: Here is that sample 
    
    Attachment: 65,536 bytes with one of the following filenames: 
    Movie_0074.mpeg.pif 
    Document003.pif 
    Untitled1.pif 
    Sample.pif 
    
    -----Original Message-----
    From: Andrew Plato [mailto:aplato@private]
    Sent: Monday, January 20, 2003 3:36 PM
    To: Brent Irwin; crime@private
    Subject: RE: CRIME WORM_Sobig.A blocked but dealing with the residual
    address...
    
    
    Well, if the from address was consistently big@private you could filter
    it out via a mail proxy or anti-spam system. However, since the address
    may change that probably isn't possible. Basically you would need some
    kind of reactive and dynamic filtering product that sits before your
    mail server. Trend Micro has a virus wall product that can drop emails
    that contain known intrusions. Other in-line prevention systems like
    Attack Mitigator from Top Layer would have that capability as well. 
    
    ___________________________________
    Andrew Plato, CISSP
    President / Principal Consultant
    Anitian Corporation
     
    503-644-5656 Office
    503-644-8574 Fax
    503-201-0821 Mobile
    www.anitian.com 
    ___________________________________
    
    -----Original Message-----
    From: Brent Irwin [mailto:birwin@private] 
    Sent: Monday, January 20, 2003 8:15 AM
    To: crime@private
    Subject: CRIME WORM_Sobig.A blocked but dealing with the residual
    address...
    
    
    My servers have been consistently visited by our new best friend
    "WORM_Sobig.A." Fortunately, our Filtering software has been able to
    block it. We are able to strip the attached file and all the contents
    but we are still receiving email from various IP hosts claiming to be
    "big@private". Any idea how I can filter this? 
    I am unable to filter the address since the IP addresses are most likely
    forged and the sender addresses are constantly changing. 
    Thanks for your help,
    Brent Irwin
    Infrastructure Manager
    Desktop Support and Engineering
    Desktop Infrastructure and Services
    
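The thread boils down to two points: a filter keyed on the forged "big@private" sender is fragile, while the attachment characteristics from the NAI write-up (a .pif of exactly 65,536 bytes with one of four names) are stable. The script below, an added example that is not part of the original posts or any product mentioned, turns those indicators into a layered content filter using only the Python standard library. Sample messages are constructed inline; the `example.invalid` addresses are placeholders, and because the archive redacts the sender's domain the sender check matches only the local part `big`, which is an assumption.

```python
"""Layered Sobig.A mail filter built from the indicators quoted in the thread.

Header indicators (From, Subject) are weak because the worm forges and
changes them; attachment indicators (name, .pif extension, 65,536-byte size)
decide the verdict. Added example code, not from the original thread.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the NAI description quoted above.
SOBIG_SENDER_LOCALPART = "big"          # domain is redacted on the page (assumption)
SOBIG_SUBJECTS = {"Re: Movies", "Re: Sample", "Re: Document", "Re: Here is that sample"}
SOBIG_ATTACHMENT_NAMES = {"Movie_0074.mpeg.pif", "Document003.pif",
                          "Untitled1.pif", "Sample.pif"}
SOBIG_ATTACHMENT_SIZE = 65536


def classify(raw: bytes) -> dict:
    """Parse one RFC 822 message and return the matched indicators plus a verdict.

    verdict: "block"   - attachment name or .pif extension matched
             "suspect" - only header-level or size evidence (log / quarantine)
             "pass"    - nothing matched
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    # Weak evidence: the sender is forged and varies between hosts.
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.split("@")[0].lower() == SOBIG_SENDER_LOCALPART:
        hits.append("from:big@")

    if str(msg.get("Subject", "")).strip() in SOBIG_SUBJECTS:
        hits.append("subject")

    # Strong evidence: the payload itself.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name in SOBIG_ATTACHMENT_NAMES:
            hits.append(f"attachment-name:{name}")
        if name.lower().endswith(".pif"):
            hits.append("attachment-ext:.pif")
        if len(data) == SOBIG_ATTACHMENT_SIZE:
            hits.append("attachment-size:65536")

    if any(h.startswith(("attachment-name", "attachment-ext")) for h in hits):
        verdict = "block"
    elif hits:
        verdict = "suspect"
    else:
        verdict = "pass"
    return {"verdict": verdict, "hits": hits}


def build_message(sender, subject, attachment_name=None, size=0) -> bytes:
    """Construct a sample message (test data, not a captured worm sample)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "crime@example.invalid"
    msg["Subject"] = subject
    msg.set_content("see attached")
    if attachment_name:
        msg.add_attachment(bytes(size), maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples covering the cases the thread raises.
SAMPLES = {
    "worm": build_message("big@private", "Re: Movies", "Movie_0074.mpeg.pif", 65536),
    # Same payload, different (non-"big") sender: a From-only filter misses this.
    "worm-changed-sender": build_message("someone@example.invalid", "Re: Document",
                                         "Document003.pif", 65536),
    # Legitimate reply that happens to reuse a worm subject line.
    "benign-same-subject": build_message("colleague@example.invalid", "Re: Movies",
                                         "notes.txt", 120),
    "clean": build_message("colleague@example.invalid", "Lunch?"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = classify(raw)
        print(f"{label:22} {result['verdict']:8} {result['hits']}")
```

Run as a script it prints one line per sample; `worm` and `worm-changed-sender` both come back `block` on the attachment evidence, while `benign-same-subject` is only `suspect`, which is the point Andrew makes: header matches alone are not safe to drop on.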



    This archive was generated by hypermail 2b30 : Tue Jan 21 2003 - 18:04:40 PST