As with many of our functions I get a call about a possible worm. Luckily the user was finally trained (translation: threatened with physical violence about opening unknown attachments ;) ) to call us. I wandered down and whom did I see as the sender?

merlyn@stonehenge.com

The header was most likely forged but it did make me laugh.

Unless of course Merlyn has to confess something ;)

Re: OT: Well now a worm spreader!
by merlyn (Sage) on Feb 25, 2004 at 20:26 UTC
    It doesn't come from my system. I don't run Windows. But the worm is picking email sender names from cached text files of infected systems. And guess what? My email appears on a lot of pages.

    This has been really annoying to me, maybe more than most. I'm dealing with 1500 to 3000 misdirected messages an hour whenever one of these gets let loose.

    But I've seen a recent report that 10 million (yes million) machines on home broadband connections are infected, which is why each of these MyDoom and NetSky worms is so effective.

    Microsoft sucks. There. Had to say it.

    -- Randal L. Schwartz, Perl hacker
    Be sure to read my standard disclaimer if this is a reply.

      I haven't seen many misdirected messages (I just got a brand new domain and my new addresses haven't had enough time to spread around yet), but I do see a few well-meaning (read: dumb) admins that have hooked in automatic replies to their virus checker. I highly doubt my FreeBSD system is infected with MyDoom . . .

      ----
      : () { :|:& };:

      Note: All code is untested, unless otherwise stated

        Can someone please tell me how to patch my Linux box? It is having trouble executing these virus attachments...

        More seriously -- Not only are "Automatic virus replies considered harmful..." they actually double the internet damage a worm can cause. I dread the day I see a worm-found auto-mailer challenge an Out-of-Office response bot to the death.

        Which brings me to "Out of Office response bots considered annoying"...

Re: OT: Well now a worm spreader!
by theorbtwo (Prior) on Feb 25, 2004 at 21:28 UTC

    I, personally, am looking forward to the day when a court finds Microsoft guilty of contributory negligence, possibly along with users who run it.


    Warning: Unless otherwise stated, code is untested. Do not use without understanding. Code is posted in the hopes it is useful, but without warranty. All copyrights are relinquished into the public domain unless otherwise stated. I am not an angel. I am capable of error, and err on a fairly regular basis. If I made a mistake, please let me know (such as by replying to this node).

Re: OT: Well now a worm spreader!
by John M. Dlugosz (Monsignor) on Feb 25, 2004 at 21:59 UTC
    From the number of bounced messages sent "back" to me, a bunch are going out with my From address also! Because of that, I started signing my email with PGP, at least until the outbreak is over.
      A simple signature is almost always as valuable as a PGP signature. I instructed our employees not to open any attachments that don't have the real sender's signature (since most only to intercompany emails this is adequate). While not perfect it did stop this last virus in its tracks. Sadly not before it ate 4 computers :(

      ___________
      Eric Hodges
Re: OT: Well now a worm spreader!
by zentara (Cardinal) on Feb 26, 2004 at 16:11 UTC
    theorbtwo wrote:

    I, personally, am looking forward to the day when a court finds Microsoft guilty of contributory negligence, possibly along with users who run it.

    I agree. But you know how "the system" works... it will only happen after Microsoft goes bankrupt and can't pay the damages (or no longer can afford "judge manipulation").


    I'm not really a human, but I play one on earth. flash japh
Re: OT: Well now a worm spreader!
by tilly (Archbishop) on Feb 28, 2004 at 23:37 UTC
    One of the big reasons to move to something like SPF is to make it a lot harder for worm forgeries to propagate. If merlyn used SPF (possible, I haven't checked) and you pay attention to SPF records if present (unlikely at present), then that worm would have been automatically blocked. Along with any spam that tries to claim to be from merlyn@stonehenge.com.

    Right now the benefit to taking that step (either for you or merlyn) is pretty small. But it is a cheap step to take, and hopefully the value proposition will improve rapidly.