Re: lots of sobig virus emails.

From: Rich Puhek (rpuhekat_private)
Date: Thu Aug 21 2003 - 08:16:24 PDT


    Kee Hinckley wrote:
    > At 9:44 AM -0700 8/19/03, wirepair wrote:
    > 
    >> heh anyone else seeing this or am i being targeted. Getting a lot of 
    >> bounce backs saying i'm sending off virii which is impossible because 
    >> i'm not infected. It also looks like i'm getting a ton from 'security 
    >> peoples' email
    > 
    > 
    > Join the club.  My account and lots of other accounts at somewhere.com 
    > are getting inundated.  I'm getting far more "you sent a virus" 
    > warnings than the viruses themselves.  Which is completely irresponsible 
    > on the part of the anti-virus vendors.  They know this virus forges the 
    > from address, they shouldn't be sending mail to the from address.  Never 
    > mind the ones that send mail to postmaster of the domain as well as the 
    > "user".  The fact that most of these "helpful" messages read far more 
    > like an advertisement for the anti-virus software than anything truly 
    > helpful, makes me wonder whether the companies aren't deliberately 
    > avoiding fixing this misfeature.
    
    What I found in my config (Amavis+(clamav&&trophie&&sophie)) was that the 
    virus signature files weren't up to date (auto-update once every 24 
    hours didn't quite do it this time). As a result, only the unsafe 
    attachment rules got triggered until I manually updated my virus signatures.
    
    In my Amavis config (mostly default), the sender of a banned filename is 
    notified, resulting in the embarrassing participation in a worm Joe Job. 
    Once Amavis saw the emails as containing a virus/worm, it stopped 
    notifying the sender.
    
    --Rich
    
    _________________________________________________________
    
    Rich Puhek
    ETN Systems Inc.
    2125 1st Ave East
    Hibbing MN 55746
    
    tel:   218.262.1130
    email: rpuhekat_private
    _________________________________________________________
    
    
    



    This archive was generated by hypermail 2b30 : Sat Aug 23 2003 - 13:51:40 PDT