Yes, the amount of auto-response mails from AV products and virus mails from infected PCs to our service mail account is flooding that mailbox and choking our mail servers so much that we're even considering changing that email address!

Toh Hong Kuan
Network Engineer

-----Original Message-----
From: Bruce Martins [mailto:BMartinsat_private]
Sent: Thursday, August 21, 2003 7:55 PM
To: Valdis.Kletnieksat_private; wirepair
Cc: incidentsat_private
Subject: RE: lots of sobig virus emails.

I think the most annoying thing to come out of this is the way people have their AV software configured on their mail servers to send a message back to the spoofed sender who is not even the real culprit, and then to get even more e-mail from users that claim you are sending them viruses, that includes some people subscribed to the security focus mailing lists.

Is there really any point anymore to have the AV software automatically reply to the sender with every virus it detects, considering the software uses the forged From field? Now those messages bog down the mail servers everywhere.

Bruce Martins
Systems Administrator
EXTEND>>MEDIA
190 Liberty Street
Toronto, Ontario
Canada M6K 3L5
_______________________
e: bmartinsat_private
t: (416) 535-4222 ext. 2307
f: (416) 535-1201
http://www.extend.com

-----Original Message-----
From: Valdis.Kletnieksat_private [mailto:Valdis.Kletnieksat_private]
Sent: Wednesday, August 20, 2003 12:30 AM
To: wirepair
Cc: incidentsat_private

On Tue, 19 Aug 2003 09:44:15 PDT, wirepair <wirepairat_private> said:

> because i'm not infected. It also looks like i'm getting a ton from 'security peoples' email addresses.
> sans/securityfocus.com/other people. Maybe someone released the virus using a list of people from security lists?

Nothing that devious... :)

*YOU* are getting a ton from "security people" because the people you are getting copies from have security people's addresses in their mail folders.

Some poor Microsoft-using drudge gets infected, it trolls the folders, spams using what addresses it finds - and due to "locality of reference", you'll get mostly security-related addresses because that's the crowd you hang with.

Remember, if you get a Sobig-F claiming to be from somebody, all that *really* means is that the *real* problem user has both you and that somebody in their mail folders someplace...

Meanwhile, over on the dachshund-breeders list, everybody is wondering why the virus was released with a bunch of dachshund owners as the list, and the canoe-builders list is getting hammered by addresses from outdoor-activity lists, and so on....
This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 08:25:45 PDT