Message-ID: <005101c36765$4ea7bf40$0100a8c0@p3600>
From: chows at ozemail.com.au (gregh)
Subject: Re: Filtering sobig with postfix

> ----- Original Message ----- 
> From: vogt@...senet.com 
> To: madduck@...duck.net ; full-disclosure@...ts.netsys.com 
> Sent: Wednesday, August 20, 2003 11:27 PM
> Subject: AW: [Full-Disclosure] Re: Filtering sobig with postfix


> > > /see attached file for details/ REJECT
> > 
> > this incurs a factor 2-4 performance drop, and it could also elicit
> > false positives. you should definitely do more than just REJECT
> > (i.e. write out a message: s/REJECT/554 Suspected virus/).

> Agree, a message would be good.


Just wanted to mention that I have been testing a few Windows-based anti-spam progs for customers. Spamkiller has the ability to pick things out quite nicely that some others don't appear to do. I have found the Sobig emails all seem to have a header line in them with "Found to be clean" as a way to attempt to fool something or other that there is no virus attached to the email. Filtering on that header seems to keep them all out so far.

Noted the FROM header can be anyone, like other viruses have done in the past, from the infected system's email address book or possibly anywhere on the hard disk.

Greg.
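
The header filter described in this message, combined with the explicit reject text suggested in the quoted reply, sketched in Python as an added example (not code from the thread). The header name `X-Constructed-Scan`, the sample messages and the choice to skip `Subject` are assumptions made for illustration.

```python
import re
from email import message_from_string

# Phrase reported in the message above; matched case-insensitively.
MARKER = re.compile(r"found to be clean", re.IGNORECASE)
# Reply text suggested in the quoted message instead of a bare REJECT.
REJECT_REPLY = "554 Suspected virus"
# Assumption: human-written headers are skipped so that a reply quoting
# the phrase in its subject line is not rejected.
SKIPPED_HEADERS = {"subject"}


def check_headers(raw_message):
    """Return (header_name, reply) for the first header carrying the
    marker, or None. Only headers are inspected, never the body."""
    msg = message_from_string(raw_message)
    for name, value in msg.items():
        if name.lower() in SKIPPED_HEADERS:
            continue
        # Folded headers keep their line breaks; collapse all whitespace
        # so a marker split across continuation lines still matches.
        unfolded = " ".join(str(value).split())
        if MARKER.search(unfolded):
            return name, REJECT_REPLY
    return None


def build(headers, body):
    """Assemble a constructed sample message from header lines and a body."""
    return "\n".join(headers) + "\n\n" + body + "\n"


# Constructed sample messages (not captured traffic).
BASE = ["From: someone@example.org", "To: user@example.net"]
SAMPLE_MARKED = build(
    BASE + ["Subject: Re: Details", "X-Constructed-Scan: Found to be clean"],
    "Please see the attached file for details.")
SAMPLE_FOLDED = build(
    BASE + ["Subject: Re: Details", "X-Constructed-Scan: Found to", "\tbe clean"],
    "Please see the attached file for details.")
SAMPLE_BODY_ONLY = build(
    BASE + ["Subject: scanner report"],
    "The archive was found to be clean, see attached file for details.")
SAMPLE_SUBJECT = build(
    BASE + ["Subject: Re: mail found to be clean?"],
    "Has anyone else seen this header?")

if __name__ == "__main__":
    for label in ("MARKED", "FOLDED", "BODY_ONLY", "SUBJECT"):
        print(label, check_headers(globals()["SAMPLE_" + label]))
```

Legitimate mail can also carry scanner headers with this wording, so the result is best logged and reviewed before it is used to reject.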

