Test mail

Post by Anton Altaparmako » Tue, 31 Jul 2001 11:00:05




> Hi, just verifying email, enjoy the attached file.

Would it be possible to have lkml setup to filter out this kind of crap?!?

It had no valid email addresses as From: nor To:...

And if anyone running Windows without an anti virus checker for email
didn't notice, the zipped attachment had a virus in it...

Cheers,

Anton

--
   "Nothing succeeds like success." - Alexandre Dumas
--

Linux NTFS Maintainer / WWW: http://linux-ntfs.sf.net/
ICQ: 8561279 / WWW: http://www-stu.christs.cam.ac.uk/~aia21/

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in

More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

 
 
 

Post by Rik van Rie » Tue, 31 Jul 2001 13:10:06




> >Hi, just verifying email, enjoy the attached file.

> Would it be possible to have lkml setup to filter out this kind of crap?!?

IIRC lkml already has pretty strict filters.

However, you cannot have your filters prepared for
any random thing. Eventually something will get
through.

It seems that this month's something just got through.

such is life,

Rik
--
Virtual memory is like a game you can't win;
However, without VM there's truly nothing to lose...

http://www.surriel.com/             http://distro.conectiva.com/



Post by Paul G. Alle » Tue, 31 Jul 2001 15:20:04


My solution to 99.9% of the trojan/virus problems:

I don't run Windows, and I don't enable Java/Javascript for mail, news,
and web sites (unless I trust the site, I MUST view it, and it requires
Java/Javascript).

PGA

--
Paul G. Allen
UNIX Admin II/Network Security
Akamai Technologies, Inc.
www.akamai.com

Post by Paul G. Alle » Tue, 31 Jul 2001 15:40:08


Well, the e-mail looks like it may be a variation on SirCam or Code Red
(I could be wrong). It appears to have its own mailer attached (from
what I saw in the header - I have not opened the attached .zip) and it
came from:

cx852567-a.ocnsd1.sdca.home.com

Oceanside, California, USA (about 30 miles North of me).

If this is someone on this list (I'm not about to search all the headers
of all the mail in my mailbox to find who it is) - and I believe it very
well may be - then it's time to re-install Windows.

(Oh, and I wouldn't use MS Outlook anymore, and be careful with Netscape
mail as well.)

PGA

--
Paul G. Allen
UNIX Admin II/Network Security
Akamai Technologies, Inc.
www.akamai.com

Post by Riley William » Tue, 31 Jul 2001 16:40:07


Hi Rik.



 >>>Hi, just verifying email, enjoy the attached file.

 >> Would it be possible to have lkml setup to filter out this kind of
 >> crap?!?

 > IIRC lkml already has pretty strict filters.
 >
 > However, you cannot have your filters prepared for
 > any random thing. Eventually something will get
 > through.
 >
 > It seems that this month's something just got through.

Surely it should be simple to check that each piece of mail has a from
address in it, and either kill any that doesn't, or at least plug in
the envelope from address in its place?

Best wishes from Riley.


Post by Paul G. Alle » Tue, 31 Jul 2001 17:50:07



> Hi Paul,

> I forwarded the message to a Trend Micro based smtp Viruswall
> which reported it as the TROJ_MUSIC.B virus.  Trend reports
> it as being a non-destructive, low-risk virus that plays a
> tune (taps?) when activated.

> Even a low-risk virus can be a pain to exorcise, I hope that
> no one here was infected.

Music anyone? ;-)

--
Paul G. Allen
UNIX Admin II/Network Security
Akamai Technologies, Inc.
www.akamai.com

Post by Chris Crowthe » Tue, 31 Jul 2001 18:50:06



> Well, the e-mail looks like it may be a variation on SirCam or Code Red
> (I could be wrong). It appears to have its own mailer attached (from
> what I saw in the header - I have not opened the attached .zip) and it
> came from:

It got caught by my AMaViS scan - apparently it's Worm.Music.

Erm, apologise to everyone if it sent the alert to the list - it
sends a warning to the message sender as well... I think I might need to do
some modification to how it picks the person to warn.

--
Chris "_Shad0w_" Crowther

http://www.shad0w.org.uk/


Post by Alan Co » Tue, 31 Jul 2001 21:20:07


> > ELM, Pine and Mutt have all at various times had holes that could have been
> > used to write an exact Unix equivalent of the windows virus.
> > <img src="file:/dev/mouse"> hangs some web browser email 4 years after the
> > bug was reported and so on...

> This all goes back to opening things blindly, and also ties in the issue of
> HTML aware email clients.

Most exploits are header parsing flaws, HTML email is irrelevant to this
discussion.

> Mail clients should simply be dealing with plain text. As soon as things like
> HTML support are introduced into the client, you have the same sort of
> problems that you do with easily exploitable web browsers.

No. Most of them are header parsing flaws, they worked with plain text
email just fine. In fact HTML parsing vulnerabilities (other than privacy
violations) are pretty rare.

Alan

Post by Paul Mund » Tue, 31 Jul 2001 21:30:10



> > > ELM, Pine and Mutt have all at various times had holes that could have been
> > > used to write an exact Unix equivalent of the windows virus.
> > > <img src="file:/dev/mouse"> hangs some web browser email 4 years after the
> > > bug was reported and so on...

> > This all goes back to opening things blindly, and also ties in the issue of
> > HTML aware email clients.

> Most exploits are header parsing flaws, HTML email is irrelevant to this
> discussion.

Parsing an <img> tag certainly seems to make HTML email relevant...

> > Mail clients should simply be dealing with plain text. As soon as things like
> > HTML support are introduced into the client, you have the same sort of
> > problems that you do with easily exploitable web browsers.

> No. Most of them are header parsing flaws, they worked with plain text
> email just fine. In fact HTML parsing vulnerabilities (other than privacy
> violations) are pretty rare.

There are far fewer header parsing exploits floating around than there are
users executing things of an unknown origin and unknowingly sending copies of
said thing to everyone in their address book.

While header parsing exploits are indeed an issue, they hardly make up the
bulk of these sort of exploits.

Things like Elm, Pine, and Mutt can be as exploitable as anything else as far
as header parsing issues are concerned. They still account for far less
of the problems than things like Outlook do.

Regards,

--


Post by Alan Co » Tue, 31 Jul 2001 22:00:10


> Things like Elm, Pine, and Mutt can be as exploitable as anything else as far
> as header parsing issues are concerned. They still account for far less
> of the problems than things like Outlook do.

Only because the relative %age of the userbase is tiny.

There have actually been some very serious pine based attacks using header
parsing bugs to steal password files.

Post by Jakob Østergaar » Wed, 01 Aug 2001 02:30:12



> Would it not be simple and effective to filter out mail produced by
> Outlook?

http://unthought.net/msworms.html

> It sounds to me the equivalent of RBL & co.
> RBL filter out mail from open relay used to spam us.
> NoOutlook filter out mail from poor software/OS used to propagate viruses.

Any agent could be vulnerable.

Discrimination is hardly a viable solution.

> I guess that 100% of incoming viruses in lkml come from an Outlook mailer.
> And for the last two ones I'm sure.

Life sucks get a helmet.

--
................................................................

:.........................: putrid forms of man                :
:   Jakob Østergaard      : See him rise and claim the earth,  :
:        OZ9ABN           : his downfall is at hand.           :
:.........................:............{Konkhra}...............:

Post by Jim Potte » Wed, 01 Aug 2001 03:00:12


One problem with the idea of banning "MS virus express" is that most of the
lemmings stuck with MS's windows are also stuck with the MS's mail app.  If they
had the wherewithal (personal, political, whatever) to switch to a different
mail app, they'd probably know how & be able to switch the whole thing to a
better environment.

> >> Would it not be simple and effective to filter out mail produced by
> >> Outlook?
> >> It sounds to me the equivalent of RBL & co.
> >> RBL filter out mail from open relay used to spam us.
> >> NoOutlook filter out mail from poor software/OS used to propagate viruses.

> >> I guess that 100% of incoming viruses in lkml come from an Outlook mailer.
> >> And for the last two ones I'm sure.

> >> Christophe

> > Um, that's just a little (LITTLE?!?) draconian/elitist. How about
> > putting in a handler that renames EXEs attachments and EXEs in
> > compressed files to something a little less executable?

> > Don't get me wrong. I'm no fan of Outlook or OE, but you
> > can't just step on people who use them.

> This is a lot less draconian/elitist than banning ISPs. People
> seldom have a choice between multiple ISPs that offer affordable
> high-speed connections. Consider yourself lucky if both DSL and
> cable modem service are available and affordable in your area.

> Banning Outlook isn't so bad. Assuming you are stuck with Windows,
> you still have many choices. Netscape/Mozilla and Eudora would be
> the obvious choices. I think you can get pine. Emacs has been
> ported to Windows, so you have the rmail/gnus stuff. Surely you
> can tolerate at least one of these many choices.

--
Sincerely,

Jim Potter
45th Parallel Processing


Post by Torrey Hoffma » Wed, 01 Aug 2001 03:40:06


I hate to jump in and extend this mostly off-topic thread, but I would be
a little annoyed if Outlook was banned from LKML.  I've got two machines
on my desk here at work - one is Win2K, and is used almost exclusively for
Outlook and Word.  It's very difficult to give those up when the rest of
the company uses them extensively.  The automatic meeting scheduling and
other MS Exchange features of Outlook are not available in other clients,
and why should I switch when Outlook works fine?  

Of course the other computer runs Linux, and is where all my real work
gets done.  It's convenient to have both environments.

Why not just filter all non-text attachments instead?  Patches, log files,
output of lspci, and the like should all be inlined anyway.  It's easy
to configure Outlook to send plain text emails, like this one - I've sent
kernel patches from Outlook before, and no one has complained.

Torrey

- - - - -


> Ignacio Vazquez-Ab writes:

> >> Would it not be simple and effective to filter out mail produced by
> >> Outlook?

[...]

> > Don't get me wrong. I'm no fan of Outlook or OE, but you
> > can't just step on people who use them.

[...]

> Banning Outlook isn't so bad. Assuming you are stuck with Windows,
> you still have many choices. Netscape/Mozilla and Eudora would be
> the obvious choices.

[...]
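
The two list-side checks proposed in this thread (Riley's test for a usable From: address with the envelope sender as fallback, and Torrey's rule of refusing non-text attachments), sketched as an added example that is not part of any post or of the actual lkml filter setup. The function names, the `usable` heuristic, the choice to accept only text/plain parts and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def usable(addr):
    """Very small sanity check (assumed heuristic): local@domain.tld, no spaces."""
    local, _, domain = addr.rpartition("@")
    return bool(local) and "." in domain and " " not in addr

def sender_address(msg, envelope_from):
    """Header From: if usable, else the SMTP envelope sender, else None."""
    header = parseaddr(msg.get("From", ""))[1]
    if usable(header):
        return header, "header"
    envelope = parseaddr(envelope_from or "")[1]
    return (envelope, "envelope") if usable(envelope) else (None, "missing")

def non_text_parts(msg):
    """Content types of all leaf MIME parts that are not text/plain."""
    return [p.get_content_type() for p in msg.walk()
            if not p.is_multipart() and p.get_content_type() != "text/plain"]

def list_policy(raw, envelope_from):
    """Decide what a list server would do with one raw message."""
    msg = message_from_string(raw)
    addr, source = sender_address(msg, envelope_from)
    if addr is None:
        return "reject: no usable sender"
    bad = non_text_parts(msg)
    if bad:
        return "reject: non-text part " + bad[0]
    return "accept" if source == "header" else "accept: From set to " + addr

# Constructed sample modelled on the message described in the thread:
# no valid From:/To: address and a zipped attachment.
WORM = "\n".join([
    "From: unknown", "To: unknown", "Subject: Test mail", "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"', "",
    "--b1", "Content-Type: text/plain", "",
    "Hi, just verifying email, enjoy the attached file.",
    "--b1", 'Content-Type: application/zip; name="file.zip"',
    "Content-Transfer-Encoding: base64", "", "UEsDBA==", "--b1--", ""])
# Constructed sample: an inlined plain-text patch with a valid From: header.
PATCH = "From: Dev <dev@example.org>\nSubject: [PATCH] fix\n\n--- a/x\n+++ b/x\n"

if __name__ == "__main__":
    for raw, env in [(WORM, ""), (WORM, "user@example.net"), (PATCH, "")]:
        print(list_policy(raw, env))
```

The From: test only establishes that an address is present and well-formed; both it and the envelope sender are supplied by the sending host.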

Post by Colon » Wed, 01 Aug 2001 04:30:10




>> The problem is that in plenty of large companies not only are you stuck with
>> Windows, but you're also stuck with either Outlook or Notes because of
>> corporate decisions (i.e., Exchange or Domino). Trust me; been there, done
>> that.

>Hmm... linux developers at large corporations are stuck with [only]
>windows?  How do they get anything done?  Just because you're stuck with
>outlook for scheduling or whatever doesn't mean you can't send to mailing
>lists from another mailer, another OS, or another country.

I've dealt with "you've gotta run" before.  I had the required
hardware & software running over in the corner, with shared disk space
or remote access from the linux box on the desktop.  It wasn't easy,
but I simply stuck to my insistence that I _needed_ this (only one
example required) and that I was meeting the company's requirements.
Nowadays, that situation is on my checklist to determine if I want to
work there.

The really funny thing about the initial email is the amount of
interest in the followups and their meanderings.

--
Windows 2001: "I'm sorry Dave ...  I'm afraid I can't do that."