Re: [Clamav-users] Ethics Question
At 08:19 PM 6/10/2004, Bit Fuzzy wrote:
> At this point we are looking at 2 options.
> 1) Block offending IP's as they occur.
> -- Effective, but could be aggravating to potential customers

For about a month, we've been adding virus-generating IPs to a local blacklist with a 4-day expiration. It's a compromise, since it's possible for the IP to get reassigned during that time, but it has helped cut down our server load, and we've had two customers discover they were infected when they couldn't send email.

Then there was the one that tried to forward a virus message to an outside consultant asking "Should we be concerned about this?" I forget whether it had come in through another channel or just before freshclam picked up the signature, but they ended up on our blacklist because of the forward.

So there are risks to anything.

Kelson Vibber
SpeedGate Communications
www.speed.net

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

Re: [Clamav-users] Ethics Question
> I think the only way I could think of is reporting the IP to some DNSBLs.
> That way you can stop receiving their mails and you leave the cleansing
> problem to their ISP.

And just hope that the next person to dial in to the ISP who gets that IP address from DHCP is the same person...

-Nigel

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk

Re: [Clamav-users] Ethics Question
On Thu, 10 Jun 2004, Nigel Horne wrote:
> And just hope that the next person to dial in to the ISP who gets that IP
> address from DHCP is the same person...

If it's done immediately, then the chance of alerting the wrong machine is pretty small, isn't it?

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] Ethics Question
On Wed, 9 Jun 2004, Tris Forster wrote:
> With a ridiculous number of Somefools arriving at our server daily I was
> trying to think of a proactive way to deal with them. One possible
> solution I came up with was sending winpopups to the offending IP
> informing them that they are infected (there's a pretty good chance
> they'll get through as the infected machine is most likely not
> firewalled).
>
> While the aim of doing this may be completely honourable, sending
> winpopups to a non-firewalled machine stinks of spamming and thus I am in
> two minds about putting it into practice

We recently had our mailserver being repeatedly hit with virus traffic, which logs showed was coming mostly from a single IP. I contacted their ISP, and they really didn't care. So I sent a few popups to them, spaced several hours apart (so as not to be a nuisance) and the machine stopped its virus traffic in about 2 days.

Automating this would be nice, but I didn't ever bother. Hard to imagine it breaking anything, though. And as long as it's sent in response to an attack (they punched you first!) and doesn't advertise anything, I don't think anyone could complain.

Damian Menscher
--
-=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-

Re: [Clamav-users] Ethics Question
Damian Menscher wrote:
> On Wed, 9 Jun 2004, Tris Forster wrote:
> > With a ridiculous number of Somefools arriving at our server daily I was
> > trying to think of a proactive way to deal with them. One possible
> > solution I came up with was sending winpopups to the offending IP
> > informing them that they are infected (there's a pretty good chance
> > they'll get through as the infected machine is most likely not
> > firewalled).
> >
> > While the aim of doing this may be completely honourable, sending
> > winpopups to a non-firewalled machine stinks of spamming and thus I am in
> > two minds about putting it into practice
>
> We recently had our mailserver being repeatedly hit with virus traffic,
> which logs showed was coming mostly from a single IP. I contacted their
> ISP, and they really didn't care. So I sent a few popups to them, spaced
> several hours apart (so as not to be a nuisance) and the machine stopped
> its virus traffic in about 2 days.
>
> Automating this would be nice, but I didn't ever bother. Hard to imagine
> it breaking anything, though. And as long as it's sent in response to an
> attack (they punched you first!) and doesn't advertise anything, I don't
> think anyone could complain.
>
> Damian Menscher

There's really no good way to handle this.

We've been sending emails for 2 solid months to Road Runner giving everything but the kitchen sink, and they have yet to do anything. (You'd think they'd at least contact their user(s) and inform them that their systems are infected.)

While we have thought about creating a pop up on the offending machine, we opted not to due to potential legal issues. (It is considered a hack and thus could be illegal.)

At this point we are looking at 2 options.

1) Block offending IP's as they occur.
   -- Effective, but could be aggravating to potential customers

2) Warn the ISP in question that if something isn't done soon, you're going to post their non-action along with email transcripts to the news media, who have taken the position in the past that ISP's should be taking measures to keep the Internet (users) safe.
   -- Could be effective as well as ineffective. :(

There's no easy way around this issue, so I guess what I'm trying to say is, if a solution works for you, go for it.

RE: [Clamav-users] Ethics Question
I'd say so. You aren't talking about doing this after the fact, but as the message is received and detected as viral - right? They'd have to have hung up immediately and even then, it's unlikely the modem handshake would be complete yet on the next call ;-)

> On Thu, 10 Jun 2004, Nigel Horne wrote:
> > And just hope that the next person to dial in to the ISP who gets that IP
> > address from DHCP is the same person...
>
> If it's done immediately, then the chance of alerting the wrong machine is
> pretty small, isn't it?
>
> Jeffrey Moskot
> System Administrator
> [EMAIL PROTECTED]

RE: [Clamav-users] Ethics Question
Tris Forster
Sent: Wednesday, June 09, 2004 1:02 PM
> While the aim of doing this may be completely honourable, sending
> winpopups to a non-firewalled machine stinks of spamming and thus I am in
> two minds about putting it into practice

You are right. That could be even worse than the virus, because you are sending it on purpose while the infected computer is just a victim.

> Any thoughts or experiences with similar situations would be appreciated..

I think the only way I could think of is reporting the IP to some DNSBLs. That way you can stop receiving their mails and you leave the cleansing problem to their ISP.

-Samuel

RE: [Clamav-users] Ethics Question
On Wed, 2004-06-09 at 20:10, Samuel Benzaquen wrote:
> I think the only way I could think of is reporting the IP to some DNSBLs.
> That way you can stop receiving their mails and you leave the cleansing
> problem to their ISP.

Or simply block the IP with sendmail's access database (or the equivalent for your choice of MTA)

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

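Added example (not part of the thread and not any poster's code): a sketch of the local blacklist with a 4-day expiration described earlier in the thread, rendered as sendmail access-map lines as suggested in the message above. The class name, the never-list network, the choice to restart the timer on a repeat detection, and the sample events are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

TTL = timedelta(days=4)  # the 4-day expiration mentioned in the thread
# Assumption: networks that must never be listed (own relays, internal hosts).
NEVER_LIST = [ipaddress.ip_network("10.0.0.0/8")]

class ExpiringBlocklist:
    def __init__(self, ttl=TTL, never_list=NEVER_LIST):
        self.ttl = ttl
        self.never_list = never_list
        self._expires = {}  # normalised IP string -> datetime the entry lapses

    def record_detection(self, ip, seen_at):
        """List an IP that just delivered a virus; a repeat hit restarts the TTL."""
        addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
        if any(addr in net for net in self.never_list):
            return False
        self._expires[str(addr)] = seen_at + self.ttl
        return True

    def purge(self, now):
        """Drop lapsed entries so a reassigned dynamic IP is not blocked forever."""
        lapsed = sorted(ip for ip, exp in self._expires.items() if exp <= now)
        for ip in lapsed:
            del self._expires[ip]
        return lapsed

    def is_blocked(self, ip, now):
        exp = self._expires.get(str(ipaddress.ip_address(ip)))
        return exp is not None and exp > now

    def access_entries(self, now):
        """Render live entries as sendmail access-map lines (Connect:<ip> REJECT)."""
        self.purge(now)
        return [f"Connect:{ip}\tREJECT" for ip in sorted(self._expires)]

# Constructed sample: (time a message was flagged as viral, connecting client IP).
SAMPLE_EVENTS = [
    (datetime(2004, 6, 1, 9, 0), "192.0.2.10"),
    (datetime(2004, 6, 3, 9, 0), "198.51.100.7"),
    (datetime(2004, 6, 4, 12, 0), "192.0.2.10"),  # repeat offender: TTL restarts
    (datetime(2004, 6, 4, 13, 0), "10.1.2.3"),    # internal relay: never listed
]

def build_demo():
    bl = ExpiringBlocklist()
    for seen_at, ip in SAMPLE_EVENTS:
        bl.record_detection(ip, seen_at)
    return bl

if __name__ == "__main__":
    print("\n".join(build_demo().access_entries(datetime(2004, 6, 7, 10, 0))))
```

The generated lines belong in the access map source, which sendmail only honours after the map is rebuilt with makemap.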
RE: [Clamav-users] Ethics Question
[EMAIL PROTECTED] wrote:
> On Wed, 2004-06-09 at 20:10, Samuel Benzaquen wrote:
> > I think the only way I could think of is reporting the IP to some DNSBLs.
> > That way you can stop receiving their mails and you leave the cleansing
> > problem to their ISP.
>
> Or simply block the IP with sendmail's access database (or the equivalent
> for your choice of MTA)

Considering how many (if not most) of these IPs are on client machines that send mail directly, and not through their ISP's mail host, you can probably drop the entire block of dynamic addresses in your firewall. That's what I've had to do with some optonline blocks, as the ISP seems uninterested in stopping the abuse.

-Don

RE: [Clamav-users] Ethics Question
What's the harm? You aren't selling them anything... Spam is something done for commercial gain by definition, isn't it? They are hurting you - wasting your bandwidth etc... and as many of my customers could prove - they can go for MONTHS not knowing they are infected.

Your message could say something like:

    Notice from SMTP server @ YOUR_IP:
    We have detected incoming mail from you containing virus X.
    We are sending this notification as a public service. Please contact
    your computer support person or visit one of the many PC Antivirus
    providers. Many have free solutions to your problem.

my 2 cents.

m/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Samuel Benzaquen
Sent: Wednesday, June 09, 2004 12:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [Clamav-users] Ethics Question

> Tris Forster
> Sent: Wednesday, June 09, 2004 1:02 PM
> > While the aim of doing this may be completely honourable, sending
> > winpopups to a non-firewalled machine stinks of spamming and thus I am in
> > two minds about putting it into practice
>
> You are right. That could be even worse than the virus, because you are
> sending it on purpose while the infected computer is just a victim.
>
> > Any thoughts or experiences with similar situations would be appreciated..
>
> I think the only way I could think of is reporting the IP to some DNSBLs.
> That way you can stop receiving their mails and you leave the cleansing
> problem to their ISP.
>
> -Samuel

RE: [Clamav-users] Ethics Question
On Wed, 9 Jun 2004, Mitch (WebCob) wrote:
> We are sending this notification as a public service. Please contact your
> computer support person or visit one of the many PC Antivirus providers.
> Many have free solutions to your problem.

That does sound reasonable to me. I wonder if there isn't a technical reason why this might be a Bad Idea, though.

For example, it used to be courteous to send an e-mail to a sender to let them know their computer was infected, but now trying to do things like that is a nuisance because it's highly unlikely that you're actually going to be contacting the original sender.

Popping up a message on the machine with the proper IP number of the source of the infection sounds useful at best and harmless at worst...but is it really harmless? Could these popups interrupt running processes on poorly configured servers and such?

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

Re: [Clamav-users] Ethics Question
On Wednesday, June 09, 2004 6:50 PM [EDT], jef moskot [EMAIL PROTECTED] wrote:
> Popping up a message on the machine with the proper IP number of the
> source of the infection sounds useful at best and harmless at worst...but
> is it really harmless? Could these popups interrupt running processes on
> poorly configured servers and such?

No, under Windows NT/2k/XP/2k3 it's a system service called Messenger that handles incoming messages. All it does is pop up a rather intrusive but harmless dialog box that doesn't block other activity from continuing. In Win9x/ME you have to be running Winpopup or one of its variants to get the message.

It's worth a shot. I will note that people are welcome to contact me offlist to discuss possibly sending the AHBL data on infected hosts, since I can get them added quick.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The Abusive Hosts Blocking List
http://www.ahbl.org

RE: [Clamav-users] Ethics Question
If they are in fact unprotected by a firewall, it's likely they are receiving popups from all kinds of people... we can only hope they read yours.

Personally I'd be interested in the script you end up using - I'm assuming you'd call smbclient to generate the popup - an interesting experiment...

m/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of jef moskot
Sent: Wednesday, June 09, 2004 3:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [Clamav-users] Ethics Question

> On Wed, 9 Jun 2004, Mitch (WebCob) wrote:
> > We are sending this notification as a public service. Please contact your
> > computer support person or visit one of the many PC Antivirus providers.
> > Many have free solutions to your problem.
>
> That does sound reasonable to me. I wonder if there isn't a technical
> reason why this might be a Bad Idea, though.
>
> For example, it used to be courteous to send an e-mail to a sender to let
> them know their computer was infected, but now trying to do things like
> that is a nuisance because it's highly unlikely that you're actually going
> to be contacting the original sender.
>
> Popping up a message on the machine with the proper IP number of the
> source of the infection sounds useful at best and harmless at worst...but
> is it really harmless? Could these popups interrupt running processes on
> poorly configured servers and such?
>
> Jeffrey Moskot
> System Administrator
> [EMAIL PROTECTED]