Thread: The ..... worm
<OT about the worm>
Jeessh, a lot of people have my email address.

I have received about 500 copies of the worm in the last 24 hours. My mail spool at work was sooooo full I couldn't get out or relay or anything. The weird part is that it's my work address, and I'm subscribed to almost all my lists through the address above or my previous home address. YEARS ago I was using the work address for lists, but not for a LOOOOOOOOOOOONG time.
</OT about the worm>

Running mozilla on linux and having my mail processed by postini, _http://www.postini.com_, I haven't had any problems other than lots of quarantined mail at postini. Having the mail quarantined off site saves bandwidth as well.

I work at an ISP and we use postini for all email that ends up on our mail servers. We used to run Spam Assassin for all our mail, but since we moved to postini our bandwidth savings have been great. I still have Spam Assassin running for my account but postini is so good that I only get about 1% of the UE {unsolicited email} that makes it through and Spam Assassin usually catches about half of the ones that make it through.

In a week I usually get about one UE to my inbox, 5 into my Spam Assassin mail box and about 500 quarantined at postini. Now that I have my white lists set up at postini I only get one or two legitimate messages captured per week. I normally get around 5000-10,000 messages a week, so the time savings of having all UE quarantined off site where I can delete them without downloading them save a lot of time and bandwidth.

I don't work for, or get kickbacks for, Postini. They are worthwhile looking into especially for medium to large organizations, because they keep their virus checkers and UE algorithms up to date and most large to medium sized organizations can recoup their postini costs with their savings in bandwidth, and lost productivity of staff having to download and pick out the UE from the real mail, possibly getting infected by a virus while doing so.

NOTE: I use UE so that Hormel {http://www.spam.com/} doesn't get upset with me ;-)

Guy

PS Keep your worm to yourself :-D

Dennis Gearon wrote:

> <OT about the worm>
> Jeessh, a lot of people have my email address.
>
> I have received about 500 copies of the worm in the last 24 hours. My
> mail spool at work was sooooo full I couldn't get out or relay or
> anything. The weird part is that it's my work address, and I'm
> subscribed to almost all my lists through the address above or my
> previous home address. YEARS ago I was using the work address for
> lists, but not for a LOOOOOOOOOOOONG time.
> </OT about the worm>
>

On 22/08/2003 22:18 Dennis Gearon wrote:
> <OT about the worm>
> Jeessh, a lot of people have my email address.
>
> I have received about 500 copies of the worm in the last 24 hours. My
> mail spool at work was sooooo full I couldn't get out or relay or
> anything. The weird part is that it's my work address, and I'm
> subscribed to almost all my lists through the address above or my
> previous home address. YEARS ago I was using the work address for lists,
> but not for a LOOOOOOOOOOOONG time.
> </OT about the worm>

Assuming you mean Sobig-9...

From what I've read, the US seems to have suffered the major hit with this email virus although it must be spreading to the UK today as it's now officially news over here. I had about 5 or 6 copies sent on Tuesday but nothing since. I used to be paranoid but now I know everybody hates me :)

OTOH, the Blaster worm seems to be doing a positive social service as I've noticed a massive drop in Code Red "get default.ida.." requests to the web server on my DSL line.

--
Paul Thomas
+------------------------------+---------------------------------------------+
| Thomas Micro Systems Limited | Software Solutions for the Smaller Business |
| Computer Consultants         | http://www.thomas-micro-systems-ltd.co.uk   |
+------------------------------+---------------------------------------------+

Thing is, in my case it wasn't due to that many people, most were mainly from one guy at rr.com

Common header:

Received: from LANCE (cs6711150-130.satx.rr.com [67.11.150.130])

And he was the source of 260 in one day, total so far = 609!

Really not sure why that happened - shouldn't the worm be sending to many and not blast just one address? Is it blasting 500 copies to each person on all the lists - but how's that going to make it spread faster?

At 02:18 PM 8/22/2003 -0700, Dennis Gearon wrote:
><OT about the worm>
>Jeessh, a lot of people have my email address.
>
>I have received about 500 copies of the worm in the last 24 hours. My mail
>spool at work was sooooo full I couldn't get out or relay or anything. The
>weird part is that it's my work address, and I'm subscribed to almost all
>my lists through the address above or my previous home address. YEARS ago
>I was using the work address for lists, but not for a LOOOOOOOOOOOONG time.
></OT about the worm>

Lincoln Yeoh <lyeoh@pop.jaring.my> writes:

> Thing is, in my case it wasn't due to that many people, most were
> mainly from one guy at rr.com
>
> Common header:
>
> Received: from LANCE (cs6711150-130.satx.rr.com [67.11.150.130])
                 ^^^^^

You should filter on this string (which MUST contain a dot according to RFC 2821). You can do this by rejecting HELO/EHLO commands which lack a ".". Be sure to activate this filter only for mail received from the Internet; your local Windows clients might generate it, too.

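The dot check suggested in the reply above, applied to `Received:` lines, as an added example that is not part of the original post. It assumes the `from HELO (rdns [ip])` header shape quoted in the thread; `LOCAL_NETS`, the function names and every sample line other than the `LANCE` one are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: these ranges stand in for "your local Windows clients".
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Matches the "Received: from HELO (rdns [ip])" shape quoted in the thread.
# Other MTAs format this header differently; adjust the pattern for yours.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)"
)


def parse_received(line):
    """Return (helo, ip) from a Received header line, or None if it does not match."""
    m = RECEIVED_RE.match(line.strip())
    return (m.group("helo"), m.group("ip")) if m else None


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def helo_verdict(helo, ip):
    """Apply the dot check to Internet mail only; local clients are exempt."""
    if is_local(ip):
        return "accept"
    if helo.startswith("[") and helo.endswith("]"):
        return "accept"  # address literal, which RFC 2821 permits in HELO/EHLO
    # A trailing dot alone does not make a name qualified.
    return "accept" if "." in helo.strip(".") else "reject"


def rejected_by_source(header_lines):
    """Count, per client IP, how many messages the dot check would have refused."""
    counts = Counter()
    for line in header_lines:
        parsed = parse_received(line)
        if parsed and helo_verdict(*parsed) == "reject":
            counts[parsed[1]] += 1
    return counts


# First line is the header quoted in the thread; the rest are constructed.
SAMPLE_HEADERS = [
    "Received: from LANCE (cs6711150-130.satx.rr.com [67.11.150.130])",
    "Received: from LANCE (cs6711150-130.satx.rr.com [67.11.150.130])",
    "Received: from mail.example.org (mail.example.org [192.0.2.10])",
    "Received: from FRONTDESK (frontdesk.lan.example [192.168.1.23])",
    "Received: from [198.51.100.7] (unknown [198.51.100.7])",
]

if __name__ == "__main__":
    for ip, n in rejected_by_source(SAMPLE_HEADERS).items():
        print(f"{ip}: {n} message(s) would be rejected at HELO")
```
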
On Fri, 22 Aug 2003 14:18:19 -0700 Dennis Gearon <gearond@fireserve.net> wrote:

I don't have it, but I did get a spam from gearond@oit.edu or was that real?

Why does this list even use real addresses? Why not have From and To the same? i.e. pgsql-general@postgresql.org

Is it a social issue or technical? I'd be surprised if it was the latter.

> <OT about the worm>
> Jeessh, a lot of people have my email address.
>
> I have received about 500 copies of the worm in the last 24 hours. My
> mail spool at work was sooooo full I couldn't get out or relay or
> anything. The weird part is that it's my work address, and I'm
> subscribed to almost all my lists through the address above or my
> previous home address. YEARS ago I was using the work address for lists,
> but not for a LOOOOOOOOOOOONG time.
> </OT about the worm>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 8: explain analyze is your friend
>

On Wed, Aug 27, 2003 at 15:49:26 -0700, expect <expect@ihubbell.com> wrote:
>
> Why does this list even use real addresses? Why not have From and To the same?
> i.e. pgsql-general@postgresql.org
>
> Is it a social issue or technical? I'd be surprised if it was the latter.

As you have been told previously, not everyone who posts to these lists are on the lists and their address is needed to get replies.

On Wed, 27 Aug 2003 22:35:17 -0500 Bruno Wolff III <bruno@wolff.to> wrote:

> On Wed, Aug 27, 2003 at 15:49:26 -0700,
> expect <expect@ihubbell.com> wrote:
> >
> > Why does this list even use real addresses? Why not have From and To the same?
> > i.e. pgsql-general@postgresql.org
> >
> > Is it a social issue or technical? I'd be surprised if it was the latter.
>
> As you have been told previously, not everyone who posts to these lists
> are on the lists and their address is needed to get replies.

Really? I don't remember anyone pointing that out. Anyway it's a social issue then...it's unfortunate. Since signing on to the list my inbox is looking a lot worse than I've ever seen it.

Other lists I subscribe to do not suffer from the spam plague in the way this list does. I wish I'd known that before signing on rather than after. <shrug>

expect <expect@ihubbell.com> writes:
> Other lists I subscribe to do not suffer from the spam plague in the way this
> list does. I wish I'd known that before signing on rather than after.

[ raised eyebrow ] I subscribe to many mailing lists. On most of the other lists I have to apply spam filtering to what arrives, but the PG lists are very nearly spam-free (thanks to Marc's hard work). I dunno what you are complaining about.

regards, tom lane

On Thu, Aug 28, 2003 at 12:17:21AM -0400, Tom Lane wrote:
> expect <expect@ihubbell.com> writes:
> > Other lists I subscribe to do not suffer from the spam plague in the way this
> > list does. I wish I'd known that before signing on rather than after.
>
> [ raised eyebrow ] I subscribe to many mailing lists. On most of the
> other lists I have to apply spam filtering to what arrives, but the PG
> lists are very nearly spam-free (thanks to Marc's hard work). I dunno
> what you are complaining about.

It is a valid complaint. The fact was that the archives (at least on archives.postgresql.org) kept the email addresses verbatim, right in front of the eyes of any spammer's web crawler.

Fortunately, Cristoph Dalitz's repeated complaints have finally caused Marc to reconfigure MHonArc so it won't publish the addresses.

You are right in that there is very little spam coming from the lists themselves...

--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
We take risks not to escape from life, but to prevent life escaping from us.

Tom Lane wrote:

>expect <expect@ihubbell.com> writes:
>
>>Other lists I subscribe to do not suffer from the spam plague in the way this
>>list does. I wish I'd known that before signing on rather than after.
>
>[ raised eyebrow ] I subscribe to many mailing lists. On most of the
>other lists I have to apply spam filtering to what arrives, but the PG
>lists are very nearly spam-free (thanks to Marc's hard work). I dunno
>what you are complaining about.
>
> regards, tom lane
>
>---------------------------(end of broadcast)---------------------------
>TIP 8: explain analyze is your friend

I get no spam or worms from the email I use on this list.

On Thu, 28 Aug 2003, Alvaro Herrera wrote:

> Fortunately, Cristoph Dalitz's repeated complaints have finally caused
> Marc to reconfigure MHonArc so it won't publish the addresses.

Actually, someone finally providing me with a means to 'mangle' the addresses caused me to reconfigure it ... Christoph could complain until his face turned blue, but if I didn't have a means to do it, it would never have been done *shrug*

> Date: Thu, 28 Aug 2003 01:40:28 -0400
> From: Alvaro Herrera <alvherre@dcc.uchile.cl>
> To: Tom Lane <tgl@sss.pgh.pa.us>
> Cc: expect <expect@ihubbell.com>, pgsql-general@postgresql.org
> Subject: Re: The ..... worm
> Message-ID: <20030828054028.GE7382@dcc.uchile.cl>
>
> On Thu, Aug 28, 2003 at 12:17:21AM -0400, Tom Lane wrote:
> > expect <expect@ihubbell.com> writes:
> > > Other lists I subscribe to do not suffer from the spam plague in the
> > > way this list does. I wish I'd known that before signing on rather
> > > than after.
> >
> > [ raised eyebrow ] I subscribe to many mailing lists. On most of the
> > other lists I have to apply spam filtering to what arrives, but the PG
> > lists are very nearly spam-free (thanks to Marc's hard work). I dunno
> > what you are complaining about.
>
> It is a valid complaint. The fact was that the archives (at least on
> archives.postgresql.org) kept the email addresses verbatim, right in front of the eyes
> of any spammer's web crawler.
>
> Fortunately, Cristoph Dalitz's repeated complaints have finally caused Marc to
> reconfigure MHonArc so it won't publish the addresses.

Hi everyone,

While we are still on this topic, can I put in another request? What I didn't realise when I joined the postgresql mailing lists is that emails to the mailing lists are sent to usenet comp.databases.postgresql.* WITHOUT obfuscation/removal of email addresses. While I am happy for my email address to be visible to private members of a mailing list, I wasn't aware until after I had posted to the list and the spam started trickling in that the email address was available publicly on usenet :(.

Mark, would it cause anyone any great problems if posts gated onto the newsgroups had their email addresses removed, and would this be possible? I can't see that it would cause anybody any problems since casual readers could then still read/post to the group, and anyone involved with any of the postgresql lists long enough for this to be a problem would probably end up subscribing via email anyway. Anyone else have any feelings on this? I know it's too late for most of us but it might help some newbies...

Cheers,

Mark.

--
Mark Cave-Ayland
Webbased Ltd.
Tamar Science Park
Derriford
Plymouth
PL6 8BX
England

Tel: +44 (0)1752 764445
Fax: +44 (0)1752 764446

This email and any attachments are confidential to the intended recipient and may also be privileged. If you are not the intended recipient please delete it from your system and notify the sender. You should not copy it or use it for any purpose nor disclose or distribute its contents to any other person.

> Mark, would it cause anyone any great problems if posts gated onto the
> newsgroups had their email addresses removed, and would this be
> possible? I can't see that it would cause anybody any problems since
> casual readers could then still read/post to the group, and anyone
> involved with any of the postgresql lists long enough for this to be a
> problem would probably end up subscribing via email anyway. Anyone else
> have any feelings on this? I know it's too late for most of us but it
> might help some newbies...

I am not sure this is really going to help, because the e-mail addresses are also harvested from the web-based archives. Still, doesn't such a renowned ML tool as Majordomo have a feature that can hide e-mail addresses (like automatically write them as someone AT any DOT com) in the web archives?

Cheers.

---------------
Francois

Home page: http://www.monpetitcoin.com/

"Would Descartes have programmed in Pascal?" - Umberto Eco

On Wed, Sep 10, 2003 at 14:12:43 +0200, Francois Suter <dba@paragraf.ch> wrote:
>
> I am not sure this is really going to help, because the e-mail
> addresses are also harvested from the web-based archives. Still, doesn't
> such a renowned ML tool as Majordomo have a feature that can hide
> e-mail addresses (like automatically write them as someone AT any DOT
> com) in the web archives?

That isn't a real solution. Any standard way of munging addresses in a reversible way will result in spammers writing a tool to extract the addresses. So if you don't want spammers to get addresses off the web archives, then you don't want addresses there.

Francois Suter wrote:

>> Mark, would it cause anyone any great problems if posts gated onto the
>> newsgroups had their email addresses removed, and would this be
>> possible? I can't see that it would cause anybody any problems since
>> casual readers could then still read/post to the group, and anyone
>> involved with any of the postgresql lists long enough for this to be a
>> problem would probably end up subscribing via email anyway. Anyone else
>> have any feelings on this? I know it's too late for most of us but it
>> might help some newbies...
>
>
> I am not sure this is really going to help, because the e-mail
> addresses are also harvested from the web-based archives. Still,
> doesn't such a renowned ML tool as Majordomo have a feature that can
> hide e-mail addresses (like automatically write them as someone AT any
> DOT com) in the web archives?
>
> Cheers.
>
> ---------------
> Francois
>
> Home page: http://www.monpetitcoin.com/
>
> "Would Descartes have programmed in Pascal?" - Umberto Eco
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 2: you can get off all lists at once with the unregister command
> (send "unregister YourEmailAddressHere" to majordomo@postgresql.org)
>
>

Unfortunately harvesting

(.*) at (.*)( dot (.*)){1,3}

is not difficult either. I would not be surprised if harvesting tools don't already support most obfuscation techniques.

The only way to quell spam is by having laws put in place that will make such activities illegal, and to force ISP's to enforce a minimum standard for their acceptable use policy.

I work for an ISP and we have dumped a number of customers for spam related activities. Even though there is nothing legally wrong with what they were doing, it is against our acceptable use policy. Unsolicited email cost us money, usually more than what the service costs the perpetrator.

In Canada there are general rules that CAIP {Canadian Association of Internet Providers} expect members to follow. On the other hand starting in January 2004 the new privacy laws come into effect in Canada and in some ways may protect unsolicited email perpetrators by making customers log activities private. Although in raw form, ISP are expected to keep archives of logs in case a warrant is issued. It makes enforcement of AUP's difficult, but internet access is not a right and we are not obliged to renew access to anyone once the service they paid for expires.

If more ISP's banned such activities, there would not be such a problem. But I know from experience that once you have tracked down a spammer or hacker, it can be next to impossible to get many ISP's to stop the perpetrator. Most of the time law enforcement are just as disinterested, unless the action is media worthy.

Good luck

--
Guy Fraser
Network Administrator
The Internet Centre
780-450-6787 , 1-888-450-6787

There is a fine line between genius and lunacy, fear not, walk the line with pride. Not all things will end up as you wanted, but you will certainly discover things the meek and timid will miss out on.

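An archive-side audit for the point made in the two replies above (reversible munging still leaves the address on the page), as an added example that is not part of the original posts or of MHonArc or Majordomo. The patterns, function names, redaction token and sample text are constructed for illustration.

```python
import re

# Separators seen in plain and munged addresses ("AT"/"DOT" words, "[a]", "(at)").
AT_SEP = r"(?:\s*@\s*|\s*\[a\]\s*|\s*\(at\)\s*|\s+at\s+)"
DOT_SEP = r"(?:\.|\s+dot\s+|\s*\[dot\]\s*)"
LABEL = r"[A-Za-z0-9-]+"

# One pattern for both forms: local part, separator, 2 to 5 domain labels
# ending in an alphabetic label so "at 10.30" in prose is not flagged.
ADDR_RE = re.compile(
    r"(?<![\w.])([A-Za-z0-9_%+-]+(?:\.[A-Za-z0-9_%+-]+)*)" + AT_SEP
    + r"(" + LABEL + r"(?:" + DOT_SEP + LABEL + r"){0,3}"
    + DOT_SEP + r"[A-Za-z]{2,})(?![\w-])",
    re.IGNORECASE,
)
DOT_WORD_RE = re.compile(r"\s+dot\s+|\s*\[dot\]\s*", re.IGNORECASE)


def exposed_addresses(text):
    """Return every address a reader of the page can recover, normalized and sorted."""
    found = set()
    for m in ADDR_RE.finditer(text):
        domain = DOT_WORD_RE.sub(".", m.group(2))
        found.add(f"{m.group(1)}@{domain}".lower())
    return sorted(found)


def redact(text, token="[address removed]"):
    """Remove addresses outright instead of rewriting them in a reversible form."""
    return ADDR_RE.sub(token, text)


# Constructed archive page: one plain address and two munged ones.
SAMPLE_ARCHIVE = (
    "From: Jane Poster <jane.poster@example.org>\n"
    "Subject: Re: The ..... worm\n"
    "\n"
    "Reply to someone AT example DOT com or admin[a]lists.example.net.\n"
    "We arrived at 10.30 and looked at the logs.\n"
)

if __name__ == "__main__":
    print("before:", exposed_addresses(SAMPLE_ARCHIVE))
    print("after: ", exposed_addresses(redact(SAMPLE_ARCHIVE)))
    print(redact(SAMPLE_ARCHIVE))
```

Running the audit over a page before it is published shows whether any address survives; the munged forms are reported exactly like the plain one, which is why only removal leaves the list empty.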
Bruno Wolff III wrote:

> On Wed, Sep 10, 2003 at 14:12:43 +0200,
> Francois Suter <dba@paragraf.ch> wrote:
>
>>I am not sure this is really going to help, because the e-mail
>>addresses are also harvested from the web-based archives. Still, doesn't
>>such a renowned ML tool as Majordomo have a feature that can hide
>>e-mail addresses (like automatically write them as someone AT any DOT
>>com) in the web archives?
>
>
> That isn't a real solution. Any standard way of munging addresses in a
> reversible way will result in spammers writing a tool to extract the
> addresses. So if you don't want spammers to get addresses off the web archives,
> then you don't want addresses there.
>

Check this out:

http://nlug.org/listserv.php

They only show graphical images of the return addresses. You'd have to use text recognition software to harvest them.

Don't know what software they use, though; might be homegrown for all I know.

Some of these image generating apps are even using a background similar to the color blindness tests. I think even an image recognition program would have a hard time with those.

Keith G. Murphy wrote:

> Bruno Wolff III wrote:
>
>> On Wed, Sep 10, 2003 at 14:12:43 +0200,
>> Francois Suter <dba@paragraf.ch> wrote:
>>
>>> I am not sure this is really going to help, because the e-mail
>>> addresses are also harvested from the web-based archives. Still,
>>> doesn't such a renowned ML tool as Majordomo have a feature that
>>> can hide e-mail addresses (like automatically write them as someone
>>> AT any DOT com) in the web archives?
>>
>>
>>
>> That isn't a real solution. Any standard way of munging addresses in a
>> reversible way will result in spammers writing a tool to extract the
>> addresses. So if you don't want spammers to get addresses off the web
>> archives,
>> then you don't want addresses there.
>>
> Check this out:
>
> http://nlug.org/listserv.php
>
> They only show graphical images of the return addresses. You'd have
> to use text recognition software to harvest them.
>
> Don't know what software they use, though; might be homegrown for all
> I know.
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster
>

On Thu, 11 Sep 2003, Dennis Gearon wrote:

> Some of these image generating apps are even using a background similar
> to the color blindness tests. I think even an image recognition program
> would have a hard time with those.

Well that's us colour blind readers flummoxed when trying to reply. :)

--
Nigel Andrews

Hmmm, speaking of blindness... that's the objection to doing it that way: blind users using speech synthesis software couldn't see the return addresses...

Dennis Gearon wrote:
>
> Some of these image generating apps are even using a background similar
> to the color blindness tests. I think even an image recognition program
> would have a hard time with those.
>
> Keith G. Murphy wrote:
>
>> Bruno Wolff III wrote:
>>
>>> On Wed, Sep 10, 2003 at 14:12:43 +0200,
>>> Francois Suter <dba@paragraf.ch> wrote:
>>>
>>>> I am not sure this is really going to help, because the e-mail
>>>> addresses are also harvested from the web-based archives. Still,
>>>> doesn't such a renowned ML tool as Majordomo have a feature that
>>>> can hide e-mail addresses (like automatically write them as someone
>>>> AT any DOT com) in the web archives?
>>>
>>>
>>>
>>>
>>> That isn't a real solution. Any standard way of munging addresses in a
>>> reversible way will result in spammers writing a tool to extract the
>>> addresses. So if you don't want spammers to get addresses off the web
>>> archives,
>>> then you don't want addresses there.
>>>
>> Check this out:
>>
>> http://nlug.org/listserv.php
>>
>> They only show graphical images of the return addresses. You'd have
>> to use text recognition software to harvest them.
>>
>> Don't know what software they use, though; might be homegrown for all
>> I know.
>>