Educause Security Discussion mailing list archives

Re: Sobig Traffic


From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Tue, 9 Sep 2003 14:45:06 -0500

I've asked our Messaging team for specific technical details...as was
said in another reply, I'm sure it's fairly simple procmail rules.  I
think the subject component of the RFC 822 header is fairly easy (and
quick) to check.
M.

-- 
Mark S. Bruhn, CISSP, CISM

Chief IT Security and Policy Officer
Associate Director, Center for Applied Cybersecurity Research
(http://cacr.iu.edu)

Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu




-----Original Message-----
From: Greg Graeff [mailto:ggraeff () PPC EDU] 
Sent: Tuesday, September 09, 2003 7:41 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Sobig Traffic


If you are doing this with sendmail, can you share this with the group?

Thanks.

-Greg


-----Original Message-----
From: Bruhn, Mark S. [mailto:mbruhn () INDIANA EDU]
Sent: Monday, September 08, 2003 12:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Sobig Traffic


We're filtering on these subject lines, at our mail relays.  Obviously,
some of these can easily be legitimate subjects, but we've had very few
complaints.
M.

Re: Thank you!
Thank you!
Your details
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie

--
Mark S. Bruhn, CISSP
Chief IT Security and Policy Officer
Indiana University
812-855-0326


-----Original Message-----
From: Barros, Jacob [mailto:jkbarros () GRACE EDU]
Sent: Monday, September 08, 2003 11:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Sobig Traffic


Our Exchange server is still getting hit with email messages containing
the Sobig.f virus. The viruses are being deleted but we're losing system
resources in the process.  Do any of you know if there is a way that I
can filter/block those messages before they hit the Exchange server? Can
it even be done or should we just ride out the storm?  Am I on the wrong
track in thinking that this bug is on the outside and in fact may be
resident on one of our internal machines?

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
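
The subject-line check discussed in this thread, as an added example that is not part of the original messages and is not Indiana University's actual procmail rules. It is written in Python rather than procmail; the function names, the exact-match policy and the sample messages are assumptions made for illustration, and only the subject list comes from the thread.

```python
from email import policy
from email.parser import BytesParser

# Subject lines quoted in the thread as being filtered at the mail relays.
BLOCKED_SUBJECTS = frozenset({
    "Re: Thank you!",
    "Thank you!",
    "Your details",
    "Re: Details",
    "Re: Re: My details",
    "Re: Approved",
    "Re: Your application",
    "Re: Wicked screensaver",
    "Re: That movie",
})

def subject_of(raw: bytes) -> str:
    """Return the unfolded, whitespace-normalized Subject, or '' if absent."""
    # headersonly=True: decide from the header block without parsing the body.
    msg = BytesParser(policy=policy.default).parsebytes(raw, headersonly=True)
    value = msg.get("Subject")
    return " ".join(str(value).split()) if value is not None else ""

def is_blocked(raw: bytes) -> bool:
    """Exact match only (assumed policy): a longer subject that merely starts with a listed one passes."""
    return subject_of(raw) in BLOCKED_SUBJECTS

def triage(messages):
    """Split raw messages into (delivered, rejected) lists, preserving order."""
    delivered, rejected = [], []
    for raw in messages:
        (rejected if is_blocked(raw) else delivered).append(raw)
    return delivered, rejected

# Constructed sample messages (not taken from the thread).
SAMPLES = [
    b"From: a@example.org\r\nSubject: Re: Wicked screensaver\r\n\r\nSee the attached file.\r\n",
    b"From: b@example.org\r\nSubject: Re: Your\r\n application\r\n\r\nfolded header\r\n",
    b"From: c@example.org\r\nsubject:   Thank you!  \r\n\r\nlower-case field name\r\n",
    b"From: d@example.org\r\nSubject: Re: Thank you! (lecture notes)\r\n\r\nlegitimate\r\n",
    b"From: e@example.org\r\n\r\nno subject at all\r\n",
]

if __name__ == "__main__":
    delivered, rejected = triage(SAMPLES)
    print(f"rejected {len(rejected)}, delivered {len(delivered)}")
```

The folded and lower-case header samples show why the check parses the header rather than matching raw lines, and the fourth sample shows how exact matching limits the false positives the thread mentions.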
