
How Can I Block Latest Worm-Generated SPAM? - SCO


  1. #1

    Default How Can I Block Latest Worm-Generated SPAM?

    I know I am one of very many hapless souls receiving message after message
    totaling around 150K/message purporting to be M$ patches or undeliverable
    or some such muck. When receiving similar SPAM generated by SoBig.F, it
    all (for me) came from one IP address so it was fairly easy to insert a
    statement in my .maildelivery file to eliminate it but today's has no
    discernible pattern I can see.

    Any suggestions on how to stem the flow other than closing port 25 which
    would only defer the problem? My email server is UW7.1.0 with PTF7130e
    installed. I even thought about rejecting any messages with attachments but
    am not sure how to do that with sendmail.

    The main headache it is causing me today is that it takes so much of my
    very limited bandwidth that the only thing I can do is send
    (hopefully!) and receive (definitely!) email. Everything else, including
    pings, times out with Unknown Host.

    Thank you,
    Lucky

    Lucky Leavell Phone: (800) 481-2393 (US/Canada)
    UniXpress - Your Source for SCO OR: (812) 366-4066
    1560 Zoar Church Road NE FAX: (812) 366-3618
    Corydon, IN 47112-7374 Email: com
    WWW Home Page: http://www.UniXpress.com

    Lucky Guest

  2. #2

    Default Re: How Can I Block Latest Worm-Generated SPAM?

    Lucky Leavell wrote (on Fri, Sep 19, 2003 at 06:21:32PM +0000): 

    The solution would be to tell your firewall to limit port 25 traffic, while
    speeding through port 80. You can do this (traffic shaping? TOS bits?) but I
    don't know how to do it on my system, let alone yours.

    Tell sendmail, perhaps, to limit it to one concurrent connection?

    NYZ

    --
    _________________________________________
    Nachman Yaakov Ziskind, EA, LLM com
    Attorney and Counselor-at-Law http://ziskind.us
    Economic Group Pension Services http://egps.com
    Actuaries and Employee Benefit Consultants
    Nachman Guest

  3. #3

    Default Re: How Can I Block Latest Worm-Generated SPAM?

    Lucky Leavell typed (on Fri, Sep 19, 2003 at 06:21:32PM +0000):
    | I know I am one of very many hapless souls receiving message after message
    | totaling around 150K/message purporting to be M$ patches or undeliverable
    | or some such muck. When receiving similar SPAM generated by SoBig.F, it
    | all (for me) came from one IP address so it was fairly easy to insert a
    | statement in my .maildelivery file to eliminate it but today's has no
    | discernible pattern I can see.
    |
    | Any suggestions on how to stem the flow other than closing port 25 which
    | would only defer the problem? My email server is UW7.1.0 with PTF7130e
    | installed. I even thought about rejecting any messages with attachments but
    | am not sure how to do that with sendmail.
    |
    | The main headache it is causing me today is that it takes so much of my
    | very limited bandwidth that the only thing I can do is send
    | (hopefully!) and receive (definitely!) email. Everything else, including
    | pings, times out with Unknown Host.

    I hate sendmail and run smail here. It pipes incoming mail to Chip
    Salzenberg's 'deliver'; ~part~ of my /usr/local/lib/deliver.sys reads:

    #!/bin/ksh
    # /usr/local/lib/deliver.sys
    # 1.4 JPR 18Sep03

    # deliver hands us the message header and body in the files named by
    # $HEADER and $BODY; the recipient is the first argument.
    typeset -l TO=`header -f To -f Cc -f Apparently-To -f Sender $HEADER`
    ID=`header -f Message-ID $HEADER`
    typeset -l FR=`header -f From $HEADER | sed '
        s/.*<\(.*\)>.*/\1/
        s/[("].*[)"]//
        s/ //g'`
    typeset -l CT=`header -f Content-Type $HEADER | sed 's/;.*//'`
    typeset -l CN=`header -f Control $HEADER`
    # Originating address: the bracketed host in the first Received line
    IP=`header -f Received $HEADER | sed -n '1s/.*\\[\\(.*\\)\\].*/\\1/p'`
    : ${IP:=localhost}
    USER=$1

    # Configure the email server to block or remove email that contains file
    # attachments that are commonly used to spread viruses, such as .vbs, .bat,
    # .exe, .pif and .scr files.

    for X in EXE BAT PIF SCR VBS
    do
        grep -iq "^Content-.*name=.*\.$X" $BODY &&
        echo "A .$X file mailed by $FR\nto $TO\nvia $IP\nwas dumped in the garbage." |
        mutt -s "Dumped .$X file" $USER &&
        /usr/local/bin/addfilter $IP &&
        echo DROP &&
        exit
    done

    /usr/local/bin/addfilter collects IP addresses which an overnight cron
    job adds to my local RBL list.

    --
    JP
    Jean-Pierre Guest
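    A portable sh rework of the two checks in the deliver.sys fragment above, added here as an example and not Jean-Pierre's own script: it reads a whole message from a file rather than deliver's $HEADER/$BODY split, and the extension list, function names and sample message are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Jean-Pierre's deliver.sys: a portable sh rework of its
# two checks that reads a whole RFC 822 message from a file instead of
# deliver's $HEADER/$BODY split. The extension list and sample message below
# are constructed for illustration.

WORM_EXTS="exe bat pif scr vbs"   # same list as the post

# Print the first worm-like extension named in a MIME part header
# (Content-Type name= or Content-Disposition filename=), case-insensitively.
# Caveat: a name folded onto a continuation line or RFC 2231-encoded is not
# seen; a real filter should unfold headers first.
worm_attachment_ext() {
    for ext in $WORM_EXTS; do
        grep -Eiq "^Content-(Type|Disposition):.*(file)?name=\"?[^\";]*\.$ext(\"|;|[[:space:]]|\$)" "$1" && { echo "$ext"; return 0; }
    done
    return 1
}

# Print the bracketed IP from the topmost Received: header (the one our own
# MTA wrote; lower ones can be forged by the sender), or "localhost" when
# there is none, mirroring the post's ': ${IP:=localhost}'.
received_ip() {
    ip=$(sed -n '/^Received:/{ s/.*\[\([0-9.]*\)\].*/\1/p; q; }' "$1")
    echo "${ip:-localhost}"
}

# "DROP <ext> <ip>" for a worm mailing, "DELIVER" otherwise; the DROP branch
# is where deliver.sys notifies the user and queues the IP for the local RBL.
classify_message() {
    ext=$(worm_attachment_ext "$1") || { echo DELIVER; return 0; }
    echo "DROP $ext $(received_ip "$1")"
}

SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Received: from pc ([192.0.2.10]) by mail.example.net; Fri, 19 Sep 2003 18:21:32 +0000
Received: from relay.example ([203.0.113.9]) by pc
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Q123456.exe"
Content-Disposition: attachment; filename="Q123456.exe"

MZ...
--b1--
EOF
classify_message "$SAMPLE"   # prints: DROP exe 192.0.2.10
```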

  4. #4

    Default Re: How Can I Block Latest Worm-Generated SPAM?

    On 19 Sep 2003, Jean-Pierre Radley wrote:
     
    JP;
    Your solution is certainly much more elegant than the temporary solution
    I came up with: set the maximum message size to, say, 130K which would be
    a Q&D (quick and dirty) way to reclaim my bandwidth as, if I understand
    the Sendmail Operations Guide, would prevent my system from even accepting
    the message to begin with.

    I intend to do a little server shuffle this fall:
    The SCO Linux box will become UnixWare 7.1.3 with LKP and OKP
    The current [aged] UnixWare 7.1 box will become OpenBSD 3.4
    and the new email server/backup internet gateway to
    The MultiTech RF550VPN will get replaced by a RF600VPN which can
    do virus scanning and content filtering

    Thank you,
    Lucky

    Lucky Leavell Phone: (800) 481-2393 (US/Canada)
    UniXpress - Your Source for SCO OR: (812) 366-4066
    1560 Zoar Church Road NE FAX: (812) 366-3618
    Corydon, IN 47112-7374 Email: com
    WWW Home Page: http://www.UniXpress.com

    Lucky Guest

  5. #5

    Default Re: How Can I Block Latest Worm-Generated SPAM?

    On Fri, 19 Sep 2003 18:21:32 GMT, Lucky Leavell <com>
    wrote:
     

    If you're running OSR5 and MMDF, add to your .maildelivery file:

    ### Eat the worms
    From microsoft destroy A -
    To microsoft destroy A -
    Subject microsoft destroy A -

    If you want to save the crap (and fill up your hard disk with spam):
    ### Save the worms
    From microsoft > ? /u/junk/spam
    To microsoft > ? /u/junk/spam
    Subject microsoft > ? /u/junk/spam

    If you're on one of the Microsloth mailing lists, add something like
    this *ABOVE* the spam filters:

    From newsletters.microsoft.com > ? /u/ms/newsletters
    From whatever.microsoft.com > ? /u/ms/whatever

    Some of the messages that it misses include "MS" in the Subject line.
    I'm currently playing with trapping those. For some odd reason:

    Subject " MS " > ? /u/junk/ms

    doesn't seem to work.

    --
    # Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
    # 831.336.2558 voice http://www.LearnByDestroying.com
    # santa-cruz.ca.us
    # 831.421.6491 digital_pager com AE6KS
    Jeff Guest

  6. #6

    Default Re: How Can I Block Latest Worm-Generated SPAM?

    Are you still getting those emails? I thought the worm was supposed to time
    out around Sept. 10th.

    "Lucky Leavell" <com> wrote in message
    news:UniXpress.com... 


    willjay Guest

  7. #7

    Default Re: How Can I Block Latest Worm-Generated SPAM?

    On Sat, 20 Sep 2003 00:30:32 GMT, Jeff Liebermann
    <santa-cruz.ca.us> wrote:
     
    >
    >If you're running OSR5 and MMDF, add to you .maildelivery file:
    >
    > ### Eat the worms
    > From microsoft destroy A -
    > To microsoft destroy A -
    > Subject microsoft destroy A -
    >
    >If you want to save the crap (and fill up your hard disk with spam):
    > ### Save the worms
    > From microsoft > ? /u/junk/spam
    > To microsoft > ? /u/junk/spam
    > Subject microsoft > ? /u/junk/spam
    >
    >If you're on one of the Microsloth mailing lists, add something like
    >this *ABOVE* the spam filters:
    >
    > From newsletters.microsoft.com > ? /u/ms/newsletters
    > From whatever.microsoft.com > ? /u/ms/whatever

    A bit more if you're using MMDF. The bozo who wrote this worm in
    Visual C++ wasn't into software efficiency. The 150KB/message is
    overflowing my undersized mail spool. Unlike spam and virus filters
    that work on each individual email message as it arrives, my ancient
    UUCP over TCP implementation requires that *ALL* the mail must be
    downloaded before the .maildelivery file can sort through the crud and
    remove the worms. I've tried various methods of emptying the mail
    spool without much success. No matter what I do, it overflows, LCK's
    the connection, and generates a huge backlog of incoming worms that
    must be manually vaporized.

    Being lazy, I decided that elegance and finesse were for those with
    diskspace and programming abilities. So, I used cron and a big
    hammer. I noticed that all the worms are between 130KB and 160KBytes
    big.
    cd /usr/spool/uucp/[isp-name]
    find . \( -size +130 -a -size -160 \) -exec rm {} \;
    will obliterate all files of these sizes from the UUCP spool. The same
    can probably be done with the SMTP spool in:
    /usr/spool/mmdf/lock/home/q.*
    There's probably a better way to do this, but for now, it's working
    well enough.

    Incidentally, in the past 24 hours, my mail server has digested
    210MBytes of worms with no end in sight.

    --
    # Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
    # 831.336.2558 voice http://www.LearnByDestroying.com
    # santa-cruz.ca.us
    # 831.421.6491 digital_pager com AE6KS
    Jeff Guest

  8. #8

    Default Re: How Can I Block Latest Worm-Generated SPAM?

    On Sat, 20 Sep 2003, willjay wrote:
     
    Different Worm - The one you are referring to was SoBig.F which was fairly
    easy to deal with once I noticed that all the spam I received came from
    the same [infected] IP address. I added a line in my .maildelivery to
    dispatch all messages from that IP address to the bit bucket.

    Yesterday's worm was reportedly the Swen variant of Gibe (whatever on
    earth they are!) and offers few means of identifying the messages. I
    finally settled on using the sendmail MaxMessageSize which doesn't prevent
    wasted bandwidth downloading the messages (as the Sendmail Operations
    Guide seems to imply) and does increase internet traffic by bouncing the
    rejects back to whence they came from. Things finally settled down last
    night and today to manageable volumes.

    (It should be noted that at no time were any of my systems actually
    infected by the worm as I do not allow M$ systems to touch email; I was
    merely the lucky recipient of spam generated by other, infected systems.)

    Guess I better start saving my pennies so I can upgrade my MultiTech
    RF550VPN to the RF600VPN which offers optional virus scanning and content
    filtering.

    (I wish these latest bozos would realize that when they clog us low
    bandwidth folks with their worm-generated spam, it hampers our ability to
    receive all the "normal" spam!)

    Thank you,
    Lucky

    Lucky Leavell Phone: (800) 481-2393 (US/Canada)
    UniXpress - Your Source for SCO OR: (812) 366-4066
    1560 Zoar Church Road NE FAX: (812) 366-3618
    Corydon, IN 47112-7374 Email: com
    WWW Home Page: http://www.UniXpress.com

    Lucky Guest

  9. #9

    Default Re: How Can I Block Latest Worm-Generated SPAM?


    "willjay" <com> wrote in message
    news:qA4bb.8430$bellsouth.net... 

    I'm still getting them, 1 every 4-5 minutes.. Over 3000 of them over the
    past weekend.

    Just spending more time deleting crap than I usually do..

    bkx


    Stuart Guest


  11. #11

    Default Re: How Can I Block Latest Worm-Generated SPAM?

    On Sun, 21 Sep 2003 04:14:05 GMT, Lucky Leavell
    <com> wrote:
     

    You can see the increase in spam traffic since mid July in some of the
    international backbone traffic statistics.
    http://west-boot.mfnx.net/traffic/backbone/index.html

    This is China Telecom to Palo Alto.
    http://west-boot.mfnx.net/traffic/peers/pao1-chinatelecom.html
    Note the drastic increase on the Yearly graphs. Most of the other
    international traffic shows no such increase.

    I've also noticed that my local non-Swen spam traffic has decreased
    somewhat in the last week. My guess(tm) is that some of the spammers'
    mail servers crashed as a result of the Swen worm.


    --
    Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
    (831)421-6491 pgr (831)336-2558 home
    http://www.LearnByDestroying.com AE6KS
    santa-cruz.ca.us com
    Jeff Guest

  12. #12

    Default Re: How Can I Block Latest Worm-Generated SPAM?

    ... Oh, by the way ..

    # grep -c WORM_SWEN virus.log.2003.09.{19,2*}
    virus.log.2003.09.19:194
    virus.log.2003.09.20:435
    virus.log.2003.09.21:313
    virus.log.2003.09.22:249

    Go virus scanner on Linux gateway .. ;)


    Stuart Guest

  13. #13

    Default Re: How Can I Block Latest Worm-Generated SPAM?

    I had to virus emails hitting my cellphone email. I had to call AT&T and
    ask them to disable email to my phone.
    wj

    "Stuart J. Browne" <com.au> wrote in message
    news:3f6e2f22$tpgi.com.au... 
    >
    > I'm still getting them, 1 ever 4-5 minutes.. Over 3000 of them over the
    > past weekend.
    >
    > Just spending more time deleting crap than I usually do..
    >
    > bkx
    >
    >[/ref]


    willjay Guest
