RE: Klez.H attack

  • From: Matt Dillingham <mdilling@xxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>, aorlowski@xxxxxxxxxxx
  • Date: Tue, 21 May 2002 14:08:48 -0400

aorlowski@xxxxxxxxxxx wrote:
> 
> Well said, Matt. I love Antigen; however, has your campus received hundreds of
> hits lately? Our college has. I am not really worried about it because Antigen
> cleans all of these out, but it seems to me that these hits are not a good
> sign. We are also filtering exe, scr, etc. All seems to work well.
> 
> Allen Orlowski
> MCP, A+, Network +
> aorlowski@xxxxxxxxxxx <mailto:aorlowski@xxxxxxxxxxx>

Allen-

Yeah, we have been seeing a ton of these being filtered/purged.  I would say 
lately that Klez.X (usually coupled with an HTML/MimeExploit.IFRAME alert) has 
been making up about 95%+ of our virus traffic.  I suspect that the reason that 
this virus is so persistent and seems to spread so well is the 
spoofed SENDER field.  It is very difficult to track down where the virus 
originated from.

If I could not scan everyone's mailbox, I would be pretty nervous.

Does anyone know a practical way to actually track the real sender down?  With 
Antigen, it can automatically send alerts to any infected external or internal 
senders, once detected.  The alerts are a completely automated, customizable 
email message.  Unfortunately, I have had to disable this feature right now 
because it is useless with Klez.  Since the SENDER field is forged, Antigen 
will send the Klez alerts to the randomly selected person in the SENDER field, 
which is just a random address from the infected person's address book.

Anyone have any ideas about how to track down and alert these people?

-matt

PS> Allen- Just curious... what college do you work for?
-- 
__________________________________________________________________
 Matt Dillingham                        Systems Administrator II
           University of Michigan, Bioinformatics


> 
> -----Original Message-----
> From: Matt Dillingham [mailto:mdilling@xxxxxxxxx]
> Sent: Tuesday, May 21, 2002 12:04 PM
> To: [ExchangeList]
> Subject: [exchangelist] RE: Klez.H attack
> 
> Denise Dorrance wrote:
> >
> > What exactly is Antigen?  Is it a virus software or an Anti-spam
> software??
> >
> 
> Denise-
> 
> Antigen is an antivirus engine that can scan all writes to the Exchange
> information store (mailboxes, etc.) in real-time, can scan inside the store
> (as a scheduled task, on demand, etc.), and can scan and intercept messages
> being sent across the SMTP virt-server (incoming and outgoing) in real-time.
> 
> Since we have installed it and cleaned the information store for the first
> time, we have not had ANY viruses actually infect anyone's mailbox.
> Everything has been stopped as incoming SMTP traffic.
> 
> I don't know if there is any other solution out there that will work as well
> or better than Antigen... because once I tried this, I stopped looking.  I
> highly recommend it.
> 
> -matt
> 
> PS> However, it does not intercept spam... unless it has a virus- heh heh.
> 
> PS> Also, I forgot to mention, Antigen also has file filtering capability
> (block all .exe & .scr, etc.), but we are not using it.  I do know some
> people that are, and I have heard that it works fine.
> --
> __________________________________________________________________
>  Matt Dillingham                        Systems Administrator II
>            University of Michigan, Bioinformatics
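The tracking question raised in this thread is normally answered from the Received: trail, which is written by the relays a message passed through, rather than from the From: line, which the worm fills in from its victim's address book. The following is an added example, not code from the thread, from Antigen or from Exchange: it walks the Received: headers of a constructed Klez-style message from the newest hop downward, trusts only lines written by relays the site itself operates (the TRUSTED_RELAYS set is an assumption), and reports the first hop that came from outside those relays. That hop's IP, or the abuse contact for it, is where an automated alert would have to go; the From: domain is compared with that hop's reverse DNS to show the mismatch the post describes. Every hostname, IP and header in the sample is made up.

```python
import email
import email.utils
import re

# Constructed sample message (not from the thread): a Klez-style mail whose
# From: is a forged address book entry. Hostnames and IPs are made up.
SAMPLE = b"""Received: from mail.example.edu (mail.example.edu [192.0.2.10])
\tby exchange.example.edu with ESMTP id ABC123; Tue, 21 May 2002 13:55:02 -0400
Received: from Lpzx (dsl-203-0-113-77.isp.example.net [203.0.113.77])
\tby mail.example.edu with SMTP id XYZ789; Tue, 21 May 2002 13:54:58 -0400
From: Forged Contact <contact@college.example.edu>
To: mdilling@example.edu
Subject: A WinXP patch
MIME-Version: 1.0
Content-Type: text/plain

(constructed body)
"""

# Relays we operate; only Received: lines written by these are trusted (assumption).
TRUSTED_RELAYS = {"exchange.example.edu", "mail.example.edu"}

# "from <helo> (<rdns> [<ip>]) ... by <host>"; the parenthesised part is optional
# because some relays record only the HELO name.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s*"
    r"(?:\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(header):
    """Split one Received: header into helo, rdns, ip and by (None if absent)."""
    unfolded = " ".join(header.split())  # join folded continuation lines
    m = RECEIVED_RE.match(unfolded)
    if not m:
        return {"helo": None, "rdns": None, "ip": None, "by": None}
    return {k: (v.lower() if v else None) for k, v in m.groupdict().items()}


def originating_hop(raw, trusted=TRUSTED_RELAYS):
    """Return the first hop that handed the message to one of our relays.

    Received: headers are prepended, so index 0 is the newest. Walk downward
    while the line was written by a relay we control; the first 'from' host
    that is not one of ours is the real delivering host. Lines written by
    outside hosts are never consulted, since a sender can forge them.
    """
    msg = email.message_from_bytes(raw)
    for hop in (parse_received(h) for h in msg.get_all("Received") or []):
        if hop["by"] not in trusted:
            return None  # trail left our relays without an outside hop: unknown
        if hop["rdns"] not in trusted and hop["helo"] not in trusted:
            return hop
    return None


def from_domain(raw):
    """Domain of the From: address (the field Klez forges)."""
    msg = email.message_from_bytes(raw)
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower() or None


def alert_from_address_is_safe(raw, trusted=TRUSTED_RELAYS):
    """True only if the first outside hop's reverse DNS sits under the From:
    domain, i.e. the From: address could plausibly be the infected sender."""
    hop, dom = originating_hop(raw, trusted), from_domain(raw)
    if hop is None or dom is None or hop["rdns"] is None:
        return False
    return hop["rdns"] == dom or hop["rdns"].endswith("." + dom)


if __name__ == "__main__":
    print("forged From: domain  :", from_domain(SAMPLE))
    print("first outside hop    :", originating_hop(SAMPLE))
    print("alert From: address? :", alert_from_address_is_safe(SAMPLE))
```

Two caveats apply. The walk stops at the first line not written by one of the site's own relays because anything below that can be fabricated by whoever connected. And the first outside hop may be the infected PC itself (a worm with its own SMTP engine connects directly) or that user's ISP relay, so the result identifies a connection to notify, not a person; the alert goes to that IP's operator, not to the From: address.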
