RE: Klez.H attack
- From: Meral KESKINER <MeralK@xxxxxxxxxxxx>
- To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
- Date: Thu, 23 May 2002 12:34:27 +0300
You can use Content Filtering and add the all subject lines below.
And also you can find Sybari's recommandations at
http://www.sybari.com/alerts/filter.asp for file filtering.
Undeliverable mail--"[Random word]"
Returned mail--"[Random word]"
a [Random word] [Random word] game
a [Random word] [Random word] tool
a [Random word] [Random word] website
a [Random word] [Random word] patch
[Random word] removal tools
how are you
let's be friends
darling
so cool a flash,enjoy it
your password
honey
some questions
please try again
welcome to my hometown
the Garden of Eden
introduction on ADSL
meeting notice
questionnaire
congratulations
sos!
japanese girl VS playboy
look,my beautiful girl friend
eager to see you
spice girls' vocal concert
japanese lass' sexy pictures
Regards,
-----Original Message-----
From: Matthew Payne [mailto:mattp@xxxxxxxxxxxxxx]
Sent: 23 Mayis 2002 Persembe 12:25
To: [ExchangeList]
Subject: [exchangelist] RE: Klez.H attack
http://www.MSExchange.org/ - Re-Vamped!
Hmmm Having read all of your antigen comment s I've decided to change from
Trend ScanMail. What filers should I sensibly apply to antigen?
-----Original Message-----
From: Matt Dillingham [mailto:mdilling@xxxxxxxxx]
Sent: 21 May 2002 19:09
To: [ExchangeList]
Subject: [exchangelist] RE: Klez.H attack
http://www.MSExchange.org/
aorlowski@xxxxxxxxxxx wrote:
>
> Well Said Matt. I love Antigen, however has your campus received
> hundreds of hits lately. Our college has. I am not real worried about
> because of antigen cleans all of these out, but it seems to me that
> these hits are not a good sign. We are also filtering exe,scr,etc..
> all seems to work well.
>
> Allen Orlowski
> MCP, A+, Network +
> aorlowski@xxxxxxxxxxx <mailto:aorlowski@xxxxxxxxxxx>
Allen-
Yeah, we have been seeing a ton of these being filtered/purged. I would say
lately, that Klez.X (usually coupled with a HTML/MimeExploit.IFRAME alert)
has been making up about 95%+ of our virus traffic. I suspect that the
reason that this virus is so persistent and is seeming to spread so well is
because of the spoofed SENDER field. it is very difficult to track down
where the virus originated from.
if i could not scan everyone's mailbox, i would be pretty nervous.
Does anyone know a practical way to actually track the real sender down?
with antigen, it can automatically send alerts to any infected external or
internal senders, once detected. the alerts are a completely automated,
customizable email message. unfortunately, i have had to disabled this
feature right now because it is useless with klez. since the SENDER field
is forged, antigen will send the klez alerts to the randomly selected person
in the SENDER field, which is just a random address from the infected
person's addressbook.
anyone have any ideas about how to track down and alert these people?
-matt
PS> Allen- Just curious... what college do you work for?
--
__________________________________________________________________
Matt Dillingham Systems Administrator II
University of Michigan, Bioinformatics
>
> -----Original Message-----
> From: Matt Dillingham [mailto:mdilling@xxxxxxxxx]
> Sent: Tuesday, May 21, 2002 12:04 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: Klez.H attack
>
> Denise Dorrance wrote:
> >
> > What exactly is Antigen? Is it a virus software or an Anti-spam
> software??
> >
>
> Denise-
>
> Antigen is an antivirus engine that can scan all writes to the
> exchange information store (mailboxes, ect) in real-time, can scan
> inside the store (as a scheduled task, on demand, ect), and can scan
> and intercept messages being sent across the SMTP virt-server
> (incoming and outgoing) in real-time.
>
> since we have installed it and cleaned the information store for the
> first time, we have not had ANY viruses actually infect anyone's
> mailbox. everything has been stopped as incoming SMTP traffic.
>
> i dont know if there is any other solution out there that will work as
> well or better than antigen... because once i tried this, i stopped
> looking. i highly recommend it.
>
> -matt
>
> PS> however, it does not intercept spam... unless it has a virus- heh
> PS> heh.
>
> PS> also, i forgot to mention, antigen also has file filtering
> PS> capability
> (block all .exe & .scr, ect), but we are not using it. i do know some
> people that are, and i have heard that it works fine.
> -- __________________________________________________________________
> Matt Dillingham Systems Administrator II
> University of Michigan, Bioinformatics
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as:
mattp@xxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as:
meralk@xxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')
Other related posts:
