RE: virus from "tshinder"

  • From: "John Tolmachoff" <jtolmachoff@xxxxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 18 Apr 2002 09:58:03 -0700

Here is my approach:

When I identify a large number of incoming bad from an IP or a limited
range of IPs, I send the following notice to the host domain:

We are receiving a large amount of (viruses/spam/hacks/scans) (in e-mail
to our users and clients/servers) from an IP address on your network of
xxx.xxx.xxx.xxx.
Please investigate and correct this problem ASAP!
Otherwise, we will be forced to blacklist that IP address for due cause.
Evidence is available upon reasonable request.

I send it once. If I do not receive a decent response within 24 hours, I
block the IP.

John Tolmachoff 
IT Manager, Network Engineer
211 E. Imperial Hwy., Suite 106
Fullerton, CA  92835
714-578-7999, ext. 104
jtolmachoff@xxxxxxxxxxxxxxxx
www.reliancesoft.com
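
The notify-once, wait-24-hours, then-block routine described above, sketched as an added example that is not part of the original post or anyone's production tooling. THRESHOLD, the AbuseTracker class and its method names are assumptions made for illustration, and the sample addresses are constructed from documentation ranges.

```python
from collections import Counter
from datetime import datetime, timedelta

THRESHOLD = 5                 # assumption: the post only says "a large number"
GRACE = timedelta(hours=24)   # from the post: 24 hours to respond
NOTICE = ("We are receiving a large amount of {kind} from an IP address on "
          "your network of {ip}. Please investigate and correct this problem ASAP!")

class AbuseTracker:
    def __init__(self):
        self.counts = Counter()   # bad events seen per source IP
        self.notified = {}        # ip -> time the single notice was sent
        self.responded = set()    # IPs whose host gave a decent response
        self.blocked = set()

    def record(self, ip, kind, when):
        """Count one bad event; return notice text only when the threshold is first hit."""
        if ip in self.blocked:
            return None
        self.counts[ip] += 1
        if self.counts[ip] >= THRESHOLD and ip not in self.notified:
            self.notified[ip] = when   # the notice is sent once, never repeated
            return NOTICE.format(kind=kind, ip=ip)
        return None

    def response_received(self, ip):
        self.responded.add(ip)

    def sweep(self, now):
        """Block notified IPs that are past the grace period with no response."""
        due = sorted(ip for ip, sent in self.notified.items()
                     if ip not in self.responded and ip not in self.blocked
                     and now - sent >= GRACE)
        self.blocked.update(due)
        return due

def demo():
    t0 = datetime(2002, 4, 18, 9, 0)   # constructed events; documentation-range IPs
    events = ([("192.0.2.10", "viruses")] * 6 + [("198.51.100.7", "scans")] * 5
              + [("203.0.113.5", "spam")] * 2)
    tracker, notices = AbuseTracker(), []
    for i, (ip, kind) in enumerate(events):
        text = tracker.record(ip, kind, t0 + timedelta(minutes=i))
        if text:
            notices.append(text)
    tracker.response_received("198.51.100.7")   # this host answered in time
    early = tracker.sweep(t0 + timedelta(hours=12))
    late = tracker.sweep(t0 + timedelta(hours=25))
    return notices, early, late, tracker
```

Whether a reply counts as "decent" stays a human call; response_received() only records that decision.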
 


-----Original Message-----
From: Dan Bartley [mailto:dan@xxxxxxxxxxxxxxx] 
Sent: Thursday, April 18, 2002 9:33 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: virus from "tshinder"

http://www.ISAserver.org


I blocked several ISPs in Korea due to repeated scans and other hack
attempts. Despite repeated complaints to the providers, and seemingly
cooperative responses, the same source IPs kept popping up. I've not
lost anything important as a result. There seems to be very little
legitimate activity coming from that part of the globe, in my realm
anyway.

Dan Bartley, MCSE+Internet
dan@xxxxxxxxxxxxxxx


-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, April 18, 2002 12:21
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: virus from "tshinder"


Hi John,

Thanks for the info. Which reminds me, there's been a lot of talk in the
press about blocking the Pacific rim net blocks because of viruses and
spam. I haven't implemented this at any of our locations yet, but I'm
wondering if anyone here has done this in their own company?

Thanks!

Tom
www.isaserver.org/shinder


-----Original Message-----
From: John Tolmachoff [mailto:jtolmachoff@xxxxxxxxxxxxxxxx] 
Sent: Thursday, April 18, 2002 11:12 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: virus from "tshinder"


And Tom is such a great guy.

Who would do a thing like that?

Of course, we could look at the headers and file a complaint.

Ah, 202.157.155.35 is in Singapore.

75% of the virus notices that I receive are from infected e-mail from
that part of the world.

John Tolmachoff 
IT Manager, Network Engineer
211 E. Imperial Hwy., Suite 106
Fullerton, CA  92835
714-578-7999, ext. 104
jtolmachoff@xxxxxxxxxxxxxxxx
www.reliancesoft.com
 


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Thursday, April 18, 2002 9:02 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] virus from "tshinder"


Hi folks,

    If you get a mail from "tshinder" with a heading of "this configuration
can get" on it, drop it like the hot potato it is.
    Don't open it, don't preview it, nada.

    It's a HTML MIME.exploit/IFrame virus and WAS NOT sent by Tom.  The one
I received came from:

    cebitasia@xxxxxxxxxxxx

--
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!




------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jtolmachoff@xxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')




