[ On Wednesday, July 25, 2001 at 10:49:05 (-0600), Peter Krawczyk wrote: ]
> Subject: Tracking SirCam
>
> This may help those of you who want to filter on headers and not on
> message body.

From an SMTP point of view the headers are part of the body. The savings over filtering just the headers, vs. filtering up to at least the second MIME part in this case, is virtually nonexistent on any kind of modern hardware.

(BTW, I seriously doubt any of the so-called experts who have been commenting on the relative impact of this worm compared to others before it -- so far it's by and far the worst I've ever seen, either in my own inbox, or in the way it's affected mail servers, particularly at ISPs. I personally know of at least several hundred or so infected machines, and yet one of the comments I read on CNet suggested only 7,100 total had been reported so far. Obviously not many of the infected hosts are being reported yet.

I think its impact has partly to do with the average size of the attached file (>150KB it seems), and partly to do with the social engineering aspect. It seems very successful at getting people to open it, and once going it often sends multiple random files over and over again.)

--
Greg A. Woods

+1 416 218-0098 VE3TCP <gwoodsat_private> <woodsat_private>
Planix, Inc. <woodsat_private>; Secrets of the Weird <woodsat_private>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 15:12:16 PDT