Security Incidents mailing list archives

Re: [Fwd: RE: Sexy fun making rounds again]


From: Justin Shore <macdaddy () NEO PITTSTATE EDU>
Date: Thu, 15 Feb 2001 15:17:55 -0600

Yes.  I received a bounce from someone on this list from vistech.ie.
They are apparently using MailScan on their border MX host and it's
rejecting all messages that contain the string "Hahaha".  See for
yourself:

On 2/15/01 1:01 PM postmaster () vistech ie said...

The following email you sent was not delivered to the
intended recipients as it had restricted contents in it!
The restricted content present was "Hahaha".

Action taken: The email was Deleted.

=============================================================
The Mail came from    : macdaddy () NEO PITTSTATE EDU
The Mail recipient    : t_crispie () vistech ie
Subject of the Mail   : Re: [Fwd: RE: Sexy fun making rounds again]
Message-ID            : <3A8C1C96.C319C5EF () apache org>
=============================================================

Use  MailScan on your  EMail  Servers  and  eScan on your
Windows-based PCs and Servers for maximum protection from
Internet-borne viruses.


That is completely nuts.  I frequently send and receive messages that
have such a string in use.  It also doesn't match the Hybris virus if it
doesn't check the actual headers (at least the 1st generation of it).
The reply-to address was Hahaha () sexyfun net.  That string appeared
nowhere in the body or subject line of the message.  The subject line was
something about Snow White and some dwarfs.  That filter boggles my mind.
What do they think that would accomplish?  Do they think it couldn't
bounce legit mail too?

Justin





On 2/15/01 2:40 PM J. J. Horner said...

Is anyone else's IDS going nuts over messages like these?

My IDS keeps telling me I have an outgoing Mail worm and this time, it
flagged this
message.

Thanks,
JJ

* Justin Shore (macdaddy () NEO PITTSTATE EDU) [010215 13:34]:
A very basic fix for this one form of Hybris is this:

LOCAL_RULESETS
HSubject: $>Check_Subject
# crude check for the Hybris virus, keyed on its fixed subject line

D{MPat}Snowhite and the Seven Dwarfs - The REAL story!
D{MMsg}  ***REJECTED***  This message is infected with the W95.Hybris.gen virus.

SCheck_Subject
# the LHS pattern and the RHS action of each R line must be separated by a TAB
R${MPat} $*	$#error $: 553 ${MMsg}
RRe: ${MPat} $*	$#error $: 553 ${MMsg}

Works on sendmail 8.9x boxes.  Haven't tried it on newer ones.  No matter
how many times that virus has mutated over the weeks since its release,
I still reject a couple hundred messages that match this filter.

HTH
  Justin


On 2/15/01 10:18 AM Eric Kimminau said...

You have to love 2 week response time...

-------- Original Message --------
Subject: RE: Sexy fun making rounds again
Date: Tue, 13 Feb 2001 04:56:01 -0400
From: "Security" <security () internet codetel net do>
To: <eric () kimminau org>
CC: "Security" <security () internet codetel net do>

Good afternoon,

We appreciate the gesture of reporting this incident. We will conduct
an investigation and will deal with it in the terms stated, for those
cases, by our Internet Acceptable Use Policy
(http://www.codetel.net.do/politicas/politicas.htm).

For any comment or question, please do not hesitate to contact us.

Thanks for your cooperation,

Regards,

InfoSec
security () internet codetel net do
CODETEL/Verizon
http://www.codetel.net.do

-----Original Message-----
From: eric () dns kimminau org [mailto:eric () dns kimminau org]On Behalf Of
Eric Kimminau
Sent: Tuesday, January 30, 2001 2:10 PM
To: incidents () securityfocus com; abuse () codetel net do;
JULISSA.VARGAS () codetel net do; JSALCEDO () codetel net do
Subject: Sexy fun making rounds again



It looks like the "do" domain is now host to someone spreading "sexy
fun". I just received this:

Received: from codetel.net.do (mail2.codetel.net.do [196.3.81.52])
       by (me) with ESMTP id TAA85757
       for (me); Mon, 29 Jan 2001 19:21:43 -0500 (EST)
Received: from host2 ([206.105.235.211]) by codetel.net.do  with
Microsoft SMTPSVC(5.5.1877.447.44); Mon, 29 Jan 2001 19:56:29 -0400
From: Hahaha <hahaha () sexyfun net>
Subject: Snowhite and the Seven Dwarfs - The REAL story!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEWHUFKDYNKPIFO5YBWTU3"
Bcc:
Message-ID: <081072956231d11M30MAIL2 () codetel net do>
Date: 29 Jan 2001 19:56:29 -0400
Parts/attachments:
  1 Shown    5 lines
Text
  2         25 KB
Application
----------------------------------------

Today, Snowhite was turning 18. The 7 Dwarfs always where very
educated and polite with Snowhite. When they go out work at mornign,
they promissed a  *huge* surprise. Snowhite was anxious. Suddlently,
the door open, and the Seven Dwarfs enter...

 [Part 2, Application/OCTET-STREAM (Name: "joke.exe")  34KB]
 [Cannot display this part. Press "V" then "S" to save in a file]

--
.--------1---------2---------3---------4---------5---------6---------7.
                  Eric Kimminau eric () kimminau org
                "I speak my mind and no one else's."
 "I am a bomb technician. If you see me running, try to keep up..."



--
Justin Shore                    Pittsburg State University
Network & Systems Manager       Kelce 157Q
Office of Information Systems   Pittsburg, KS 66762
Voice: (620) 235-4606           Fax: (620) 235-4545
http://www.pittstate.edu/ois/

Warning:  This message has been quadruple Rot13'ed for your protection.

--
J. J. Horner
jjhorner () bellsouth net

Apache, Perl, mod_perl, Web security, Linux





--
Justin Shore                    Pittsburg State University
Network & Systems Manager       Kelce 157Q
Office of Information Systems   Pittsburg, KS 66762
Voice: (620) 235-4606           Fax: (620) 235-4545
http://www.pittstate.edu/ois/

Warning:  This message has been quadruple Rot13'ed for your protection.
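As an added example (not from any post in this thread), the Python below models the two filters the thread argues about: the subject rule from the sendmail ruleset quoted above (exact subject, or "Re: " followed by it, anything allowed after) and a MailScan-style literal string match on the body, plus a header check for the sender domain that a body grep never sees. The worm sample is constructed from the headers quoted in the thread; the addresses in the other samples and the attachment bytes are placeholders, not the real joke.exe.

```python
"""Three mail filters from the thread, side by side (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Exact subject string the sendmail rule keys on (${MPat} in the ruleset).
HYBRIS_SUBJECT = "Snowhite and the Seven Dwarfs - The REAL story!"
# Sender domain carried in the From: header of the sample in the thread.
HYBRIS_SENDER_DOMAIN = "sexyfun.net"


def subject_matches(subject):
    """Python equivalent of the two R lines: the exact subject, or
    'Re: ' followed by it, with anything allowed afterwards ($*)."""
    s = str(subject or "").strip()
    if s.startswith("Re: "):
        s = s[4:]
    return s.startswith(HYBRIS_SUBJECT)


def sender_matches(msg):
    """Look where the 'Hahaha' string actually lives: From:/Reply-To:.
    A filter that only scans the body never sees these headers."""
    for hdr in ("From", "Reply-To"):
        val = msg.get(hdr)
        if val and HYBRIS_SENDER_DOMAIN in str(val).lower():
            return True
    return False


def body_grep(msg, needle="Hahaha"):
    """What the MailScan bounce describes: a literal string match over the
    text parts, blind to whether the text is worm content or a discussion
    of the worm."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            if needle in part.get_content():
                return True
    return False


def classify(raw):
    """Run all three checks over one RFC 822 message given as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {
        "subject_rule": subject_matches(msg.get("Subject")),
        "sender_rule": sender_matches(msg),
        "body_grep": body_grep(msg),
    }


def build_worm_sample():
    """Constructed sample modelled on the headers quoted in the thread.
    The attachment bytes are a placeholder, not an executable."""
    msg = EmailMessage()
    msg["From"] = "Hahaha <hahaha@sexyfun.net>"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = HYBRIS_SUBJECT
    msg.set_content("Today, Snowhite was turning 18.")
    msg.add_attachment(b"PLACEHOLDER-NOT-AN-EXECUTABLE",
                       maintype="application", subtype="octet-stream",
                       filename="joke.exe")
    return msg.as_string()


# Constructed: a list reply that quotes the string "Hahaha" in its body.
LEGIT_REPORT = """\
From: Justin <macdaddy@example.edu>
To: t_crispie@example.ie
Subject: Re: [Fwd: RE: Sexy fun making rounds again]
Content-Type: text/plain; charset="us-ascii"

They are apparently using MailScan on their border MX host and it's
rejecting all messages that contain the string "Hahaha".
"""

# Constructed: a human reply to a worm message, keeping its subject line.
LEGIT_REPLY_TO_WORM = """\
From: Colleague <someone@example.edu>
To: recipient@example.org
Subject: Re: Snowhite and the Seven Dwarfs - The REAL story!
Content-Type: text/plain; charset="us-ascii"

Don't open that attachment, it is the Hybris worm.
"""

if __name__ == "__main__":
    for name, raw in (("worm", build_worm_sample()),
                      ("legit report", LEGIT_REPORT),
                      ("reply to worm", LEGIT_REPLY_TO_WORM)):
        print(name, classify(raw))
```

Run stand-alone, the body grep fires on the list reply (the false positive described in the bounce) and stays silent on the worm itself, because "Hahaha" only occurs in the From: header; the header check catches the worm. The subject rule catches the worm and, as the "Re:" line in the ruleset intends, a human reply that keeps the worm's subject, which is the trade-off that ruleset accepts.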
