nanog mailing list archives
Re: Possibly yet another MS mail worm
From: "Rubens Kuhl Jr." <rubens () email com>
Date: Sun, 29 Feb 2004 23:32:17 -0300
I'm not aware of any mail scanner that does this without running an external anti-virus or something alike, although it is not that intensive to follow the zip headers (as they already do with the MIME headers in order to drop external attachments). Most scanners can accept an anti-virus plugin and then scan inside zip files, but that requires more processing power, more queue disk space, more RAM, more administration to update virus patterns, and so on. The cost/benefit usually pays off, but more complexity means fewer people will adopt the solution, thus making worm spreading easier.

Rubens

----- Original Message -----
From: "Michael Wiacek" <lists () iroot net>
To: "Rubens Kuhl Jr." <rubens () email com>
Cc: "Todd Vierling" <tv () duh org>; <nanog () merit edu>
Sent: Sunday, February 29, 2004 11:16 PM
Subject: Re: Possibly yet another MS mail worm
I believe the point is, your mail scanner should be able to scan something as simple as zip compressed attachments. If it can't, you may want to rethink which program you use. Most open source and commercial scanners can scan inside zip files.

mike

On Sat, 28 Feb 2004, Rubens Kuhl Jr. wrote:

It's annoying how easily these things spread even though they don't rely on a specific OS vulnerability -- hell, it's an executable *in a zipfile*, so it requires opening the zipfile and then running the program inside it. Of course everyone will run it, even though it's named dygfwefuih.exe (random characters before .exe). <grumble>

Being in a zipfile is exactly why these things work: most mail systems nowadays drop executable attachments without mercy, but a zipfile may be a compressed document. Not every mail system screens incoming messages with anti-virus. People writing these worms don't know just a bit about human behaviour, they seem to keep up with trends in mail systems administration as well.

Rubens
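
The zip-header check discussed in this thread, as an added example that is not part of the original posts: it walks the MIME parts of a message and, for any attachment carrying a zip signature, reads the member names from the zip central directory without decompressing or virus-scanning anything. The extension list, the function names and the sample message are assumptions constructed for illustration; only the file name dygfwefuih.exe comes from the thread.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Assumed drop policy; the thread names only .exe.
BLOCKED_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def zip_member_names(data):
    """Read member names from the zip central directory; nothing is decompressed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist()]

def scan_message(raw):
    """Return (attachment name, reason) pairs for attachments the policy would drop."""
    hits = []
    for part in email.message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue  # container or body part, not an attachment
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(BLOCKED_EXT):
            hits.append((name, "executable attachment"))
        elif payload[:2] == b"PK":  # zip signature, whatever the filename claims
            try:
                members = zip_member_names(payload)
            except zipfile.BadZipFile:
                hits.append((name, "malformed zip"))
                continue
            hits.extend((name, "zip contains " + m) for m in members
                        if m.lower().endswith(BLOCKED_EXT))
    return hits

def make_zip(members):
    """Build a zip in memory from a {name: bytes} dict (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, data in members.items():
            zf.writestr(member, data)
    return buf.getvalue()

def build_sample(attachment, filename="doc.zip"):
    """Wrap attachment bytes in a constructed MIME message."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(attachment, maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample(make_zip({"dygfwefuih.exe": b"MZ"}))))
```

Archives nested inside the zip are not opened here; a filter built this way would need to recurse with a depth limit or treat nested archives as their own policy case.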