From: Daniel Chemko <dchemko@smgtec.com>
To: Ray Leach <raymondl@knowledgefactory.co.za>
Cc: Netfilter Mailing List <netfilter@lists.netfilter.org>
Subject: Re: Classifying W32/MyDoom.A
Date: Thu, 29 Jan 2004 21:41:01 -0800 [thread overview]
Message-ID: <4019EE6D.2020306@smgtec.com> (raw)
In-Reply-To: <1075441566.1999.114.camel@raylinux.internal>
[-- Attachment #1: Type: text/plain, Size: 1006 bytes --]
Netfilter is not an application layer Firewall.
Try something like sendmail/Mailscanner and pick up clamav. I was
blocking before I even knew about the virus!
Ray Leach wrote:
>On Thu, 2004-01-29 at 20:06, Eliot, GLI wireless tech support wrote:
>
>
>>Has anyone come up with a ruleset for classifying a random TCP or
>>specific SMTP connection as being the W32/MyDoom.A virus?
>>
>>
>
><<snip>>
>
>
>
>>Anyone have any ideas how to do this without too many false positives?
>>(IE a document on the web that describes the characteristics of
>>MyDoom.A).
>>
>>
>
>Since it spreads via SMTP from clients and not servers, why not just
>block all smtp traffic outbound to the internet from your client
>machines, and only allow your mail server to send smtp mail?
>
>Of course you would need a decent anti-virus program on the mail server.
>
>The other way you could possibly do this is by using a string match to
>look inside any smtp packets for matches of the attachment names(?).
>
>
>
[-- Attachment #2: Type: text/plain, Size: 932 bytes --]
Netfilter is not an application layer Firewall.
Try something like sendmail/Mailscanner and pick up clamav. I was blocking before I even knew about the virus!
Ray Leach wrote:
On Thu, 2004-01-29 at 20:06, Eliot, GLI wireless tech support wrote:
Has anyone come up with a ruleset for classifying a random TCP or specific SMTP connection as being the W32/MyDoom.A virus?
<<snip>>
Anyone have any ideas how to do this without too many false positives? (IE a document on the web that describes the characteristics of MyDoom.A).
Since it spreads via SMTP from clients and not servers, why not just block all smtp traffic outbound to the internet from your client machines, and only allow your mail server to send smtp mail? Of course you would need a decent anti-virus program on the mail server. The other way you could possibly do this is by using a string match to look inside any smtp packets for matches of the attachment names(?).
prev parent reply other threads:[~2004-01-30 5:41 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-01-29 18:06 Classifying W32/MyDoom.A Eliot, GLI wireless tech support
2004-01-30 5:46 ` Ray Leach
2004-01-30 5:41 ` Daniel Chemko [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4019EE6D.2020306@smgtec.com \
--to=dchemko@smgtec.com \
--cc=netfilter@lists.netfilter.org \
--cc=raymondl@knowledgefactory.co.za \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.