Slashdot Mirror


Klez, The Virus that Keeps on Giving

kylus writes "Wired is running a story about the continued escapades of the Klez virus, and the damage--both to finances and reputations--that it is leaving behind. Between emails from a dead friend and porno spam appearing to be sent from a priest, I think "Don't Believe the 'From' Line" is the correct lesson." God bless Microsoft email viruses. I'm on a modem for a few weeks and downloading countless megs of mail viruses is extremely frustrating. Course I'm still getting Sircams.

3 of 683 comments

  1. Save your bandwidth by shepd · Score: 5, Informative

    telnet mail.xyz.com 110

    user (username)
    pass (password)
    list                                 (lists each message number and its size in octets)
    top (message number) (lines)         (shows the headers plus that many lines of body)
    dele (message number to delete)
    retr (message number to read entirely)
    quit                                 (deletions only take effect once you quit)

    Quicker, cheaper, easier. This was one of the best tips I got from a friendly sysadmin. :)

    Of course, I would ask why CmdrTaco didn't check the RFC, but hey, who am I to question slashdot's leader? ;)

    --
    If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
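    The same LIST/TOP/DELE walk, scripted with Python's standard poplib, as an added example (not shepd's code or anything from the Wired story). It flags messages whose TOP preview names an executable attachment (the extension list is the one from the procmail recipe further down the thread); host, account and the Klez-style sample preview are constructed placeholders, and it runs dry by default so you see what it would delete before anything is deleted.

```python
import poplib, re
from email.parser import BytesParser
from email.policy import default

# Attachment names a Content-Type/Content-Disposition line may carry, quoted or not.
DANGEROUS_NAME = re.compile(
    rb'name="?([^"\r\n;]*\.(?:vbs|wsf|vbe|wsh|hta|scr|pif|exe|bat|js))"?(?:[;\s]|$)',
    re.I | re.M)

def triage(top_lines):
    """Classify a TOP preview (the bytes lines poplib.top() returns): ("delete", reason) or ("keep", None)."""
    blob = b"\r\n".join(top_lines)
    hit = DANGEROUS_NAME.search(blob)
    if hit is None:
        return ("keep", None)
    hdr = BytesParser(policy=default).parsebytes(blob, headersonly=True)
    # From: is forged by Klez, so it goes in the log for the record, not as the culprit.
    return ("delete", f"{hit.group(1).decode(errors='replace')} attachment, From: {hdr['From']}")

def triage_mailbox(host, user, password, preview_lines=40, min_size=4096, dry_run=True):
    """LIST everything, TOP only messages worth peeking at, DELE the flagged ones; returns [(msgnum, octets, reason)]."""
    conn = poplib.POP3(host)              # port 110, as in the telnet session above
    conn.user(user)
    conn.pass_(password)
    flagged = []
    try:
        _, listing, _ = conn.list()       # entries look like b"3 184320"
        for entry in listing:
            num, size = (int(x) for x in entry.split())
            if size < min_size:           # small mail is cheaper to fetch than to peek at
                continue
            _, lines, _ = conn.top(num, preview_lines)
            verdict, reason = triage(lines)
            if verdict == "delete":
                flagged.append((num, size, reason))
                if not dry_run:
                    conn.dele(num)
    finally:
        conn.quit()                       # DELEs are only committed by QUIT (RFC 1939)
    return flagged

# Constructed preview of a Klez-style message: HTML body plus an .exe payload part.
SAMPLE_PREVIEW = [
    b"From: friend@example.org", b"To: me@example.net", b"Subject: a very funny website",
    b"MIME-Version: 1.0", b'Content-Type: multipart/mixed; boundary="bd1"', b"", b"--bd1",
    b"Content-Type: text/html", b"", b"<html>look at this</html>", b"--bd1",
    b'Content-Type: application/octet-stream; name="setup.exe"',
    b"Content-Transfer-Encoding: base64", b"", b"TVqQAAMAAAAEAAAA//8AALgAAAA=",
]
```

    Call `triage_mailbox("mail.xyz.com", "username", "password")` to get the list of what would go; pass `dry_run=False` once the list looks right.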
  2. Virii? What Virii? by kindbud · Score: 5, Informative

    Ever since we stopped allowing people to receive executable attachments (thanks to MIMEdefang!), the virii have all but disappeared. There is no need to scan for virii on a mail server. Just get rid of executable attachments (there's a big list of them in MIMEdefang's example configuration). All these trojans use stupid Outlook auto-execute tricks/bugs/features to propagate. Executables shouldn't be sent as a direct attachment anyway. Either wrap it up in a zip file (the recipient has no excuse when he infects himself) or put it up on the ftp site and send a URL. This has got to be one of the basic elements of securing a network where Outlook users lurk - no executable attachments (picture Joan Crawford on a rampage).

    MIMEdefang also gives us the ability to call Mail::SpamAssassin from a sendmail Milter, something SpamAssassin itself does not yet support. The latest version also supports the File::Scan module for writing virus scanners in Perl.

    --
    Edith Keeler Must Die
  3. Re:My OSS plug... (Not off-topic though) by JoshuaDFranklin · Score: 5, Informative

    Dude... just use Procmail's built-in capabilities. No need to put an interpreted script in between your MTA and MDA. Out of the goodness of my heart, here's some actual working stuff to put in your /etc/procmailrc that dumps all email with executable attachments in /var/virusdump/:
    # /etc/procmailrc
    VIRUSLOG=/var/virusdump/viruslog

    # Capture To: and From: for the log and the notice. From: is routinely forged
    # by these worms, so the "sender" notified below is often just another victim.
    :0
    * ^To:\/.*
    {
    HTO="$MATCH"
    }

    :0
    * ^From:\/.*
    {
    HFR="$MATCH"
    }

    NL="
    "

    # The copy sent to virususer (:0c below) comes back through here and is filed.
    :0
    * .for virususer;.*
    /var/virusdump/virususer

    :0
    * ^Content-type:.*
    {
    # H and B: look for the attachment name in both the header and the body.
    :0 HB
    * name=".*\.(vbs|wsf|vbe|wsh|hta|scr|pif|exe|bat|js)"
    {
    # Quarantine a copy.
    :0c
    ! virususer

    # h: hand only the header to the pipe, so formail -r can address the notice
    # to the sender; c: carry on with the recipes below afterwards.
    :0 hc
    | (/usr/bin/formail -r; \
    echo -e "This is an auto-generated message on behalf of ${HTO}:\n\
    \n\
    The email referenced above, which was sent from your address, \n\
    had a virus-vulnerable attachment (such as .EXE, .VBS, .PIF, etc).\n\n\
    This mail server no longer accepts mail with virus-vulnerable \n\
    attachments and the email has been quarantined.\n\
    Please try resending your attachment in a safe format such as ZIP. \n\
    Contact support@iocc.com if you have any questions") \
    | mail -s "Possible virus deleted" "${HFR}"

    # Log it (c, so the next recipe still runs), then drop the message.
    :0c
    | echo "VIRUS From:${HFR} To:${HTO}" >> $VIRUSLOG

    :0
    /dev/null
    }
    }