Re: Virus Flood to LSM list

From: Steve Beattie (steveat_private)
Date: Tue Sep 02 2003 - 23:20:16 PDT


    On Tue, Sep 02, 2003 at 09:39:33PM -0700, Crispin Cowan wrote:
    > John S. Wolter wrote:
    > 
    > >I've been receiving a flood of EMail with a virus removed and addressed 
    > >to the list.   Do you think the list is under deliberate attack?
    > 
    > I doubt that. I'm receiving zillions of Sobig.F virus posts from all 
    > sorts of addresses, not just LSM. There is a major storm going on.
    
    Yes, I don't believe the list is under any more attack than the rest of
    the internet.
    
    > >  Is there anything the list managers can do to eliminate the problem 
    > >EMails?  If this continues I will be forced to unsubscribe, too bad. 
    > 
    > Not without pissing off a whole lot of other people who would 
    > unsubscribe if we started putting ham-handed filters on the list. I 
    > thought of filtering for the obvious subject lines that Sobig sends, but 
    > the subject lines are too short and generic, so such a filter has a 
    > significant chance of trapping legitimate posts.
    
    However, spamassassin is able to correctly identify such posts as
    containing microsoft executables, but the list server's default score
    for such was too low to make the spamassassin threshold, which is what
    we use to moderate on. I have a request into the server's admin to up
    the score, and until that is in place, I've put in a filtering regexp
    that looks for the spamassassin notation marking it as an executable.
    It appears to be working, as it's trapped two copies of SoBig while I
    was composing this email.
    
    My apologies to the list for not realizing that this was happening
    earlier; I had a locally modified spamassassin configuration that was
    trapping the messages sent to me from the list.
    
    Thanks for your patience, and again, my apologies to the list.
    
    -- 
    Steve Beattie                               Don't trust programmers?
    <steveat_private>                         Complete StackGuard distro at
    http://NxNW.org/~steve/                            immunix.org
            http://www.sardonix.org -- Audit code, earn respect.
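The interim filter described in the message above holds a post when SpamAssassin's header shows the executable test fired, even though the total score stays under the moderation threshold. A sketch of that check follows as an added example; it is not the list's actual configuration or the author's regexp. The rule name `MICROSOFT_EXECUTABLE`, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumed rule name; the post does not say which SpamAssassin test marks executables.
HOLD_RULES = {"MICROSOFT_EXECUTABLE"}
SCORE_RE = re.compile(r"\b(?:hits|score)=(-?\d+(?:\.\d+)?)\s+required=(\d+(?:\.\d+)?)")

def spam_status(raw_message):
    """Return (score, required, fired_tests) over all X-Spam-Status headers."""
    msg = message_from_string(raw_message)
    score, required, tests = None, None, set()
    for value in msg.get_all("X-Spam-Status", []):
        unfolded = " ".join(value.split())       # undo header folding
        m = SCORE_RE.search(unfolded)
        if m:
            s = float(m.group(1))
            score = s if score is None else max(score, s)  # keep the worst score
            required = float(m.group(2))
        _, found, rest = unfolded.partition("tests=")
        if not found:
            continue
        for token in rest.split(" "):
            if "=" in token:                     # next key=value field, e.g. version=
                break
            tests.update(t for t in token.split(",") if t)
    return score, required, tests

def moderation_decision(raw_message):
    """Hold on the normal score threshold, or on a named rule regardless of score."""
    score, required, tests = spam_status(raw_message)
    if score is not None and required is not None and score >= required:
        return "hold: score"
    hits = sorted(tests & HOLD_RULES)
    if hits:
        return "hold: rule " + ",".join(hits)
    return "pass"

# Constructed sample messages (not real list traffic).
SOBIG_LIKE = (
    "From: someone@example.org\nSubject: Re: Details\n"
    "X-Spam-Status: No, hits=2.1 required=5.0\n"
    "\ttests=MICROSOFT_EXECUTABLE,\n\tNO_REAL_NAME version=2.55\n"
    "\nSee the attached file for details\n"
)
LEGIT = (
    "From: dev@example.org\nSubject: Re: Details\n"
    "X-Spam-Status: No, hits=0.3 required=5.0 tests=NO_REAL_NAME version=2.55\n"
    "\nPatch attached inline below.\n"
)

if __name__ == "__main__":
    print(moderation_decision(SOBIG_LIKE), "|", moderation_decision(LEGIT))
```

Both samples carry the same short, generic subject line; only the rule list separates them, which is why matching on the SpamAssassin notation avoids the false positives a subject-line filter would cause.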
    
    
    

    _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module


