Re: Regarding recent spam on the list
From: "Brandon S. Allbery KF8NH" <[EMAIL PROTECTED]>
> On Tue, 2003-08-19 at 18:03, Bill Moran wrote:
> > Just curious if anyone knows the origin of all these auto-responses, etc.
> >
> > I'm seeing a lot of these on every list I'm subscribed to (not all of them
> > FreeBSD related) so I was wondering if some Windows trojan is running rampant
> > and using these list addresses as return addys?
>
> It's W32/[EMAIL PROTECTED] It's spreading *fast*
>

The first day it appeared, I received 8000+ virus and virus warning
messages in my inbox. The only way I could stop it from filling my inbox
was to change my e-mail address, and place a permanent failure code in
the access table for the old address.

But our mail server was still getting a Denial of Service, since it
would max out the connections to both our primary and secondary mail
servers.

Today I believe I have solved the problem. I wrote a couple of scripts
that retrieve the IP address from the maillog for all servers/virus
infected systems that are using the old email address. Then I set up
IPFW to deny access to port 25 for these IP addresses.

So far IPFW is denying access to our mail servers for 30,000 Class C's
(/24).

Scot

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
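The maillog-to-IPFW approach described in the message above, as an added example that is not the poster's own scripts. The sendmail-style log layout, the retired address `old@example.org`, the allow list, the `min_hits` threshold, and the table and rule numbers are all assumptions; the output uses ipfw lookup tables, so tens of thousands of /24s cost one rule rather than one rule each.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in a sendmail-style reject layout (an assumption; adapt
# REJECT_RE to your own maillog). All addresses are documentation ranges.
SAMPLE_LOG = """\
Aug 20 10:15:01 mx1 sendmail[4101]: h7KEF1a1: ruleset=check_rcpt, arg1=<old@example.org>, relay=pc1.example.net [192.0.2.15], reject=550 5.7.1 <old@example.org>... Address retired
Aug 20 10:15:02 mx1 sendmail[4102]: h7KEF2a2: ruleset=check_rcpt, arg1=<old@example.org>, relay=[192.0.2.77], reject=550 5.7.1 <old@example.org>... Address retired
Aug 20 10:15:03 mx1 sendmail[4103]: h7KEF3a3: ruleset=check_rcpt, arg1=<old@example.org>, relay=av.example.com [198.51.100.7], reject=550 5.7.1 <old@example.org>... Address retired
Aug 20 10:15:04 mx1 sendmail[4104]: h7KEF4a4: ruleset=check_rcpt, arg1=<old@example.org>, relay=mx2.example.org [203.0.113.5], reject=550 5.7.1 <old@example.org>... Address retired
Aug 20 10:15:05 mx1 sendmail[4105]: h7KEF5a5: ruleset=check_rcpt, arg1=<typo@example.org>, relay=[198.51.100.200], reject=550 5.1.1 <typo@example.org>... User unknown
Aug 20 10:15:06 mx1 sendmail[4106]: h7KEF6a6: from=<list@example.net>, size=2101, nrcpts=1, relay=lists.example.net [203.0.113.9]
"""

# The greedy [^,]* makes the match land on the last bracketed address in the
# relay field, which is the one the MTA wrote, not text from a reverse-DNS name.
REJECT_RE = re.compile(r"arg1=<([^>]+)>, relay=[^,]*\[([0-9.]+)\], reject=5\d\d ")


def offending_networks(log_text, retired_rcpt, allow=(), min_hits=1):
    """Return sorted /24 networks rejected while sending to retired_rcpt."""
    allowed = [ipaddress.ip_network(a) for a in allow]
    hits = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or m.group(1).lower() != retired_rcpt.lower():
            continue
        try:
            net = ipaddress.ip_network(m.group(2) + "/24", strict=False)
        except ValueError:
            continue  # malformed address: never hand it to the firewall
        # Never block our own relays (e.g. a secondary MX forwarding to us).
        if not any(net.overlaps(a) for a in allowed):
            hits[net] += 1
    return sorted(n for n, count in hits.items() if count >= min_hits)


def ipfw_commands(networks, table=1, rule=1000):
    """Render table entries plus a single deny rule for inbound SMTP."""
    cmds = [f"ipfw table {table} add {net}" for net in networks]
    cmds.append(f"ipfw add {rule} deny tcp from 'table({table})' to me 25")
    return cmds


if __name__ == "__main__":
    nets = offending_networks(SAMPLE_LOG, "old@example.org",
                              allow=["203.0.113.0/24"])
    print("\n".join(ipfw_commands(nets)))
```

Review the generated commands before running them: a /24 entry also covers every other sender in that range, so raising `min_hits` trades coverage for fewer blocked bystanders.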
Re: Regarding recent spam on the list
Bill Moran wrote:
> Just curious if anyone knows the origin of all these auto-responses, etc.
>
> I'm seeing a lot of these on every list I'm subscribed to (not all of them
> FreeBSD related) so I was wondering if some Windows trojan is running rampant
> and using these list addresses as return addys?
>
> Anyone know?

Yes. There are a number of machines in the texas.gov domain that are
infected with the SoBIG worm because the morons running them are too
dumb to install Windows patches from 6 months ago, and to split their
inbound and outbound mail servers and filter out outbound mail from
forged "from" addresses with an IP address that happens to be in their
netblock, but with a source domain that is not one of the domains under
their immediate control.

One of these machines is 204.65.42.107, which is in the netblock
subdelegated to access.texas.gov. There are about 4 others, but that
one in particular has someone who is subscribed to the FreeBSD mailing
lists.

Be warned that if you post to these mailing lists at all, the user on
that machine subscribed to the list will end up having *your* email
address used to forge outbound email to other people by the worm.

Most people who build out email infrastructure have no idea of what
they are doing.

On the plus side, whoever is running that frigging machine is liable
under California law for a fine of $10,000 and up to 3 years in jail,
since forging a "from" address belonging to someone else is now a
felony in California.

-- Terry
Re: Regarding recent spam on the list
Boy am I glad I use a *real* OS for my mail...

--Devon

Brandon S. Allbery KF8NH wrote:
> On Tue, 2003-08-19 at 18:03, Bill Moran wrote:
> > Just curious if anyone knows the origin of all these auto-responses, etc.
> >
> > I'm seeing a lot of these on every list I'm subscribed to (not all of them
> > FreeBSD related) so I was wondering if some Windows trojan is running rampant
> > and using these list addresses as return addys?
>
> It's W32/[EMAIL PROTECTED] It's spreading *fast*
Re: Regarding recent spam on the list
Brandon S. Allbery KF8NH wrote:
> On Tue, 2003-08-19 at 18:03, Bill Moran wrote:
> > Just curious if anyone knows the origin of all these auto-responses, etc.
> >
> > I'm seeing a lot of these on every list I'm subscribed to (not all of them
> > FreeBSD related) so I was wondering if some Windows trojan is running rampant
> > and using these list addresses as return addys?
>
> It's W32/[EMAIL PROTECTED] It's spreading *fast*

Stupid Windows.

Thanks for the info ... I probably should have just known ...

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
Re: Regarding recent spam on the list
On Tue, 2003-08-19 at 18:03, Bill Moran wrote:
> Just curious if anyone knows the origin of all these auto-responses, etc.
>
> I'm seeing a lot of these on every list I'm subscribed to (not all of them
> FreeBSD related) so I was wondering if some Windows trojan is running rampant
> and using these list addresses as return addys?

It's W32/[EMAIL PROTECTED] It's spreading *fast*

--
brandon s. allbery   [linux,solaris,freebsd,perl]   [EMAIL PROTECTED]
system administrator   [WAY too many hats]   [EMAIL PROTECTED]
electrical and computer engineering, carnegie mellon univ.   KF8NH
URGENT! E-xpedient nuked APK subdomains; kf8nh.apk.net is DEAD. Sorry.