At 09:59 2001-11-28 -0500, Charlie Summers wrote:
> Does it make sense, with any of these viral traps, to send a note to the
> sender telling them they are infected? I mean, if it might help, I'd be more
> than happy to spend a little bandwidth to send a note back, but _does_ it
> really do any good? Does the poor schlub really go for days not knowing s/he

In the current incarnation of this worm, the _envelope_ address appears to
be valid, but the From: address is not (it is, at least currently, the
sender address with a prefixing underscore - which of course could be used
as another check for the virus I guess). Who knows if the virus will be
changed in the near future to forge the envelope sender - but at least
currently, yes, you could send an automated reply.

That said, currently, I choose to send out notifications manually - I've
received only a handful of these so far. Yes, there are some twits out
there which don't get around to dealing with it (it's always a joy to
receive a copy of the virus in response to a notification to the twit).

As for whether it works -- well, if the person who is infected is never
notified of this by SOMEONE, they're probably not going to fix it any time
soon.

I have an automated notification mechanism called "vermicelli" which I
wrote for my webservers, which addresses CodeRed and Nimda worms (not the
emailed variety, but rather the ones hammering on the webserver). This
manages caching events (so it doesn't send a flood of notifications) and
looks up all the responsible parties for the attacking host and emails them
a notice of the event containing the calibrated time, source IP, PTR record
if found, links to further information about the worm in question, and a
request that the problem be dealt with.

While large ISPs could give a rats' about it (personal note: IMO, 9netave
is a really shoddy outfit - AND they're a spamhost to boot), the smaller
outfits seem to respond favourably - taking the machine offline and
applying the recommended patches, etc.

Without some notification, these people would continue to operate zombie
servers.

---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
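
The From:-versus-envelope check mentioned in the message above, written out as an added example (not part of the original post and not the poster's code). It assumes the delivering MTA recorded the envelope sender in a Return-Path: header; the function name and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr


def check_underscore_forgery(raw_message):
    """Return (suspect, notify_address) for one delivered message.

    suspect is True when the From: address is the envelope sender with a
    leading underscore; notify_address is the envelope sender, or None when
    there is no usable address to notify.
    """
    msg = message_from_string(raw_message)
    # Assumption: the MTA recorded the envelope sender in Return-Path:.
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    if "@" not in envelope:
        # Null sender (<>) or missing Return-Path: nothing to compare or notify.
        return (False, None)
    return (header_from == "_" + envelope, envelope)


def make_message(return_path, from_header):
    """Build a constructed sample message (not a captured one)."""
    return (
        f"Return-Path: {return_path}\n"
        f"From: {from_header}\n"
        "To: recipient@example.net\n"
        "Subject: constructed sample\n"
        "\n"
        "body\n"
    )


# Constructed samples: worm-style forgery, ordinary mail, an unrelated
# underscore address, and a bounce with the null sender.
SAMPLES = {
    "forged": make_message("<User@example.com>", '"User" <_user@example.com>'),
    "clean": make_message("<alice@example.org>", "Alice <alice@example.org>"),
    "unrelated": make_message("<bounce@example.org>", "<_news@example.org>"),
    "null_sender": make_message("<>", "MAILER-DAEMON@example.org"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_underscore_forgery(raw))
```

The comparison is case-insensitive, and the notification target is the envelope address rather than the From: address, since the message above reports only the envelope address as valid.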