Security Incidents mailing list archives

Re: [Fwd: RE: Sexy fun making rounds again]


From: "J. J. Horner" <jhorner () 2JNETWORKS COM>
Date: Thu, 15 Feb 2001 15:40:10 -0500

Is anyone else's IDS going nuts over messages like these?

My IDS keeps telling me I have an outgoing Mail worm and this time, it flagged this
message.

Thanks,
JJ

* Justin Shore (macdaddy () NEO PITTSTATE EDU) [010215 13:34]:
A very basic fix for this one form of Hybris is this:

LOCAL_RULESETS
HSubject: $>Check_Subject
# crude check for Melissa virus
# (the LHS and RHS of each R line below must be separated by tabs, not spaces)

D{MPat}Snowhite and the Seven Dwarfs - The REAL story!
D{MMsg}  ***REJECTED***  This message is infected with the W95.Hybris.gen virus.

SCheck_Subject
R${MPat} $*	$#error $: 553 ${MMsg}
RRe: ${MPat} $*	$#error $: 553 ${MMsg}

Works on sendmail 8.9x boxes.  Haven't tried it on newer ones.  No matter
how many times that virus has mutated over the weeks since its release,
I still reject a couple hundred messages that match this filter.

HTH
  Justin


On 2/15/01 10:18 AM Eric Kimminau said...

You have to love 2 week response time...

-------- Original Message --------
Subject: RE: Sexy fun making rounds again
Date: Tue, 13 Feb 2001 04:56:01 -0400
From: "Security" <security () internet codetel net do>
To: <eric () kimminau org>
CC: "Security" <security () internet codetel net do>

Good afternoon,

We appreciate the gesture of reporting this incident. We will conduct
an investigation and will deal with it in the terms stated, for those
cases, by our Internet Acceptable Use Policy
(http://www.codetel.net.do/politicas/politicas.htm).

Any comment or question, please do not hesitate to contact us.

Thanks for your cooperation,

Regards,

InfoSec
security () internet codetel net do
CODETEL/Verizon
http://www.codetel.net.do

-----Original Message-----
From: eric () dns kimminau org [mailto:eric () dns kimminau org]On Behalf Of
Eric Kimminau
Sent: Tuesday, January 30, 2001 2:10 PM
To: incidents () securityfocus com; abuse () codetel net do;
JULISSA.VARGAS () codetel net do; JSALCEDO () codetel net do
Subject: Sexy fun making rounds again



It looks like the "do" domain is now host to someone spreading "sexy
fun". I just received this:

Received: from codetel.net.do (mail2.codetel.net.do [196.3.81.52])
       by (me) with ESMTP id TAA85757
       for (me); Mon, 29 Jan 2001 19:21:43 -0500 (EST)
Received: from host2 ([206.105.235.211]) by codetel.net.do  with
Microsoft SMTPSVC(5.5.1877.447.44); Mon, 29 Jan 2001 19:56:29 -0400
From: Hahaha <hahaha () sexyfun net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEWHUFKDYNKPIFO5YBWTU3"
Bcc:
Message-ID: <081072956231d11M30MAIL2 () codetel net do>
Date: 29 Jan 2001 19:56:29 -0400
Parts/attachments:
  1 Shown    5 lines  Text
  2         25 KB     Application
----------------------------------------

Today, Snowhite was turning 18. The 7 Dwarfs always where very
educated and polite with Snowhite. When they go out work at mornign,
they promissed a  *huge* surprise. Snowhite was anxious. Suddlently,
the door open, and the Seven Dwarfs enter...

 [Part 2, Application/OCTET-STREAM (Name: "joke.exe")  34KB]
 [Cannot display this part. Press "V" then "S" to save in a file]

--
.--------1---------2---------3---------4---------5---------6---------7.
                  Eric Kimminau eric () kimminau org
                "I speak my mind and no one else's."
 "I am a bomb technician. If you see me running, try to keep up..."



--
Justin Shore                    Pittsburg State University
Network & Systems Manager       Kelce 157Q
Office of Information Systems   Pittsburg, KS 66762
Voice: (620) 235-4606           Fax: (620) 235-4545
http://www.pittstate.edu/ois/

Warning:  This message has been quadruple Rot13'ed for your protection.

-- 
J. J. Horner
jjhorner () bellsouth net

Apache, Perl, mod_perl, Web security, Linux
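
An added example, not part of the original thread or any poster's code: it compares a Subject-header match like the sendmail ruleset quoted above with a whole-message string match (assumed here as one way an IDS could alert on a reply that merely quotes the worm) and an attachment-name check. The function names and the three sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Subject text from the D{MPat} line of the ruleset quoted in the thread.
MPAT = "Snowhite and the Seven Dwarfs - The REAL story!"
# Approximates the two R lines: the pattern at the start of the Subject
# value, optionally preceded by "Re: ", followed by anything.
SUBJECT_RE = re.compile(r"^(Re: )?" + re.escape(MPAT))

def header_rule(raw):
    """Match on the Subject header only, as the sendmail ruleset does."""
    subject = message_from_string(raw).get("Subject", "")
    return bool(SUBJECT_RE.match(subject.strip()))

def content_rule(raw):
    """Assumed IDS-style signature: the same string anywhere in the message."""
    return MPAT in raw

def exe_attachment_rule(raw):
    """Flag any MIME part whose filename ends in .exe, whatever the subject."""
    parts = message_from_string(raw).walk()
    return any((p.get_filename() or "").lower().endswith(".exe") for p in parts)

def build(subject, body, attachment=None):
    """Build a constructed sample message (no real payload is included)."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

# Constructed samples: the worm mail, a list reply quoting it, a renamed variant.
WORM = build(MPAT, "Today, Snowhite was turning 18.", "joke.exe")
DISCUSSION = build("Re: [Fwd: RE: Sexy fun making rounds again]",
                   "> Subject: " + MPAT + "\nIs anyone else's IDS going nuts?")
VARIANT = build("A changed subject line", "Today, Snowhite was turning 18.", "joke.exe")

def evaluate():
    """Return {sample: (header_rule, content_rule, exe_attachment_rule)}."""
    samples = {"worm": WORM, "discussion": DISCUSSION, "variant": VARIANT}
    return {k: (header_rule(v), content_rule(v), exe_attachment_rule(v))
            for k, v in samples.items()}

if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(name, verdicts)
```

The header-only match leaves the quoting reply alone but misses a copy whose subject has changed, while the whole-message match fires on the reply; the attachment-name check covers the renamed copy without touching the discussion.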
