CRIME Re: Microsoft patch now virus

From: Craig.Schiller@private
Date: Thu Oct 16 2003 - 09:17:47 PDT


    This e-mail spoofs the sender so it only looks like it comes from
    security.microsoft.com.  The real originator from the last copy I received
    was a Verizon DSL user using an account in Everett, Washington.   The
    publicly visible address was 4.47.73.9 but the individual's actual address
    may be NATted.  You can check your PC by running ipconfig (Win2K and above)
    from the DOS line or winipcfg (Win 9x) and looking at the gateway address.
    Your PC may be assigned a private address like 192.168.1.x but the DSL
    modem/router translates that address into its publicly visible address.  If
    your gateway address begins with 4.47.x.x then your PC may be the actual
    source of the Microsoft Patch now emails that have been hitting the CRIME
    mailing list.  I say this on the possibility that the infected machine is
    one of our regular responders.
    
    Craig A Schiller, CISSP
    Global Information Security Officer
    RadiSys Corporation
    craig.schiller@private
    503.615.1646
    
    
    
    From:     Crispin Cowan <crispin@immunix.com>
    Sent by:  owner-crime@privatex.edu
    Date:     10/12/2003 10:01 PM
    To:       carter@private
    cc:       crime@private
    Subject:  Re: CRIME ADMININSTRATOR:
    
    
    
    
    Carter Ames wrote:
    
    >Is there ANY possible way to block messages from
    >security.microsoft.com "download this patch" from
    >posting to the list?  Now that I posted my frustration
    >about it, the amount doubled.  I asked again, the
    >amount doubled again.  Is the amount of these emails
    >going to be doubled again because I'm suggesting a
    >change?
    >
    For the lists that we administer @ immunix.com, what we did was set the
    SpamAssassin score for "attached .exe" to be 5.0, which is the default
    threshold for scoring an item as spam.
    
    Crispin
    
    --
    Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
    Chief Scientist, Immunix       http://immunix.com
                http://www.immunix.com/shop/
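
Added example, not part of the original messages and not SpamAssassin's own rule code: a small list-side filter that gives a message the 5.0 "attached .exe" score described above and compares it with the 5.0 threshold. The function names, the sample messages and the extra MZ-header check (which catches a renamed executable and goes beyond what the post describes) are assumptions made for this illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

SPAM_THRESHOLD = 5.0         # default threshold cited in the post
EXE_ATTACHMENT_SCORE = 5.0   # score the post assigns to "attached .exe"
EXE_SUFFIXES = (".exe",)     # the post names only .exe


def has_executable_attachment(msg):
    """Return True if any MIME part looks like a Windows executable."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Name check: also catches double extensions such as "readme.txt.exe".
        name = (part.get_filename() or "").strip().lower()
        if name.endswith(EXE_SUFFIXES):
            return True
        # Content check (assumption, not in the post): DOS/PE files start
        # with "MZ". Text parts are skipped so a body that merely begins
        # with those letters is not flagged.
        if part.get_content_maintype() != "text":
            payload = part.get_payload(decode=True) or b""
            if payload[:2] == b"MZ":
                return True
    return False


def score_message(raw):
    """Return (score, held) for a raw RFC 822 message given as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    score = EXE_ATTACHMENT_SCORE if has_executable_attachment(msg) else 0.0
    return score, score >= SPAM_THRESHOLD


def build_sample(filename, payload):
    """Build a constructed test message; addresses are placeholders."""
    m = EmailMessage()
    m["From"] = "security@example.invalid"
    m["To"] = "list@example.invalid"
    m["Subject"] = "constructed test message"
    m.set_content("Please see the attachment.")
    if filename:
        m.add_attachment(payload, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fname, data in [("patch.exe", b"MZ\x90\x00"), ("notes.txt", b"hello")]:
        print(fname, score_message(build_sample(fname, data)))
```

Because the single rule's score equals the threshold, one matching attachment is enough to hold the message, which is the effect the reply describes.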
    


