ietf

Re: FW: Virus alert

2003-08-30 14:48:51
On Sat, 30 Aug 2003, Dean Anderson wrote:

How beautiful to be immune behind an open-source kernel;)  The rest of the
world worries.  I eat a sandwich.

Scott




On Fri, 29 Aug 2003, David Frascone wrote:

With the current virii usually forging the from field with random
addresses from its victim's address book, I turned off my virus
scanner's warning to the senders . . I only send a polite note to the
intended recipient.

Don't do that. That is quite likely what the Virus writer wants you to do:
Stop notifying people about infections.  The worst that happens is that
people get notifications, and update their anti-virus, which finds
nothing.  The best that happens is that the headers included in such a
notification reveal the IP address of an infected zombie.

Also, in the current cases, I don't think the addresses are taken from
address books.  I'm getting responses to addresses that haven't been used
for email and addresses that haven't been used in years. Certainly, these
aren't in anyone's address book.  In one case, the address is on a
little-used web site (but even spammers rarely spam it), and in another, it's
in a reasonably public area, but not used.

The Virus writer obviously went to some trouble to pick valid addresses.
It stands to reason that they expect that someone is getting mail to these
addresses.  It also stands to reason that the abuser expects those persons
to get Virus notifications.

Most probably, virus notifications tend to frustrate the purposes of
the Virus operator, since the infected will not stay infected. It seems
possible that the virus operators are trying to manipulate people to stop
sending or responding to virus notifications.

In past cases, the forged from address was the target of the abuse: the
abuser hoped to have people block mail with the common from address, thus
getting some measure of revenge on that person.  Most people have
filtering on From: addresses for this reason.

The best thing to do in response to such an attack is to do things that
frustrate the purposes of the abuser, catch the abuser, or nothing at all.
Never succumb to what might be a desired manipulation--that only
encourages more abuse.


              --Dean





sleekfreak pirate broadcast
world tour 2002-3
live from the pirate hideout
http://sleekfreak.ath.cx:81/



