Mailing List SIMS@mail.stalker.com Message #13399
From: Bill Cole <listbill@scconsult.com>
Subject: Re: [OT?] Reporting instances of Blaster worm
Date: Thu, 21 Aug 2003 19:14:10 -0400
To: SIMS Discussions <SIMS@mail.stalker.com>
At 3:05 PM -0500 8/21/03, NetHead imposed structure on a stream of electrons, yielding:
I apologize if this is off-topic for the SIMS list, but I'd like to get
the opinion of other mail admins out there.

I, like many of you, have been inundated with infected e-mails as a
result of the Blaster worm.

That's actually quite astounding, since it is Sobig, not Blaster, which sends mail and is currently pounding me hard.

(okay, so I'm being pedantic... it's hardly fair to expect people using Macs to keep up with the arcana of which Microsoft worm is which...)

I know enough to realize that replying to the
"sender" would do no good as it's most likely not the e-mail address of
the infected user. But I CAN see the IP that passed it to my SIMS box
and, using WHOIS, I can see who owns that IP. In several cases I have
gone ahead and blacklisted those IPs because they are most likely a
source of spam anyway (owned by Taiwanese or Korean ISPs and such). But
others have turned out to be IPs owned by networks such as Roadrunner
and Earthlink, with whom I cannot afford to cut off communication.

Well, maybe you should think again...

Even if you cannot afford to shun all legitimate ELNK or RR mail, you probably CAN shun any IP address from which wormware has come, and probably even the entire registered block around it. Any machine you get wormware from is some Windows machine where a clueless user is running Outlook or Outlook express. That is NOT a mail server. That same bozo sends his intentional mail through one of his ISP's mail servers, not straight to your SIMS box, and the same is true of all his network neighbors.

I will point to my own local blacklist as an example, at least for RR. Go to http://www.scconsult.com/blacklist.shtml and count up the occurrences of 'RoadRunner' and 'RR' and 'beep beep' comments. Despite my shunning of essentially all of RR's end user IP space, I am still able to receive mail from their mail servers.

Would reporting these incidents, along with a copy of the full headers
from the e-mail, be of any use to their network admins? Would this alert
them to possible open relays or infected customers? Or would it just be
one more annoyance clogging up their day?

In an ideal world, reporting these to the abuse desks of the ISP that owns the network range would be deemed an appropriate complaint and they would act swiftly to cut off the infected machine and notify the owner. I would not hold out a lot of hope for such action in most cases, but it is reasonable to act as if they will manage to do the right thing despite the testimony of history: send the reports.


--
Bill Cole
bill@scconsult.com
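The policy Bill describes above (shun the end-user address space a worm came from, but keep the ISP's real outbound mail servers reachable, and send the abuse desk the full headers) as an added example, not code from the original thread or from SIMS. The CIDR blocks, relay addresses, hostnames and the two sample messages are constructed for illustration; the only trustworthy part of a message for this purpose is the topmost Received header, because our own server wrote it.

```python
import ipaddress
import re
from email import message_from_string
from typing import Tuple

# Constructed policy (not Bill Cole's actual blacklist): whole end-user blocks
# from which wormware arrived are shunned, while the ISP's genuine outbound
# mail servers inside that space sit on an explicit allow list that wins.
SHUNNED_BLOCKS = {
    ipaddress.ip_network("192.0.2.0/24"): "example cable ISP, dynamic end-user pool (constructed)",
    ipaddress.ip_network("203.0.113.0/24"): "example DSL pool, worm source Aug 2003 (constructed)",
}
ALLOWED_RELAYS = {
    ipaddress.ip_address("192.0.2.25"): "smtp-out.example-cable.invalid (constructed)",
}

_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw_message: str) -> ipaddress.IPv4Address:
    """Return the peer address that handed this message to our own MX.

    Only the first Received header was written by our server; every header
    below it came from the peer and may be forged by the worm.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        raise ValueError("no Received header")
    top = " ".join(received[0].split())  # unfold continuation lines
    match = _BRACKET_IP.search(top)
    if not match:
        raise ValueError("no bracketed IP in top Received header")
    return ipaddress.ip_address(match.group(1))


def policy_for(ip: ipaddress.IPv4Address) -> Tuple[str, str]:
    """Decide accept/reject; an allow-listed mail server beats a shunned block."""
    if ip in ALLOWED_RELAYS:
        return "accept", ALLOWED_RELAYS[ip]
    for block, note in SHUNNED_BLOCKS.items():
        if ip in block:
            return "reject", f"{block} ({note})"
    return "accept", "not listed"


def abuse_report(raw_message: str) -> str:
    """Text of a complaint: the offending IP plus the complete header block."""
    ip = connecting_ip(raw_message)
    headers, _, _ = raw_message.partition("\n\n")
    return f"Worm/virus mail received from {ip}; full headers follow.\n\n{headers}\n"


# Constructed sample: worm mail handed to us directly by an end-user PC.
WORM_MAIL = (
    "Received: from pc-77.dyn.example-cable.invalid (unknown [192.0.2.77])\n"
    "\tby mail.example.invalid (SIMS) with SMTP id abc123;\n"
    "\tThu, 21 Aug 2003 19:00:00 -0400\n"
    "Received: from friend.example.invalid [198.51.100.9] by pc-77 (forged by worm)\n"
    "From: <forged-sender@example.invalid>\n"
    "Subject: Re: Thank you!\n"
    "\n"
    "(constructed worm body omitted)\n"
)

# Constructed sample: legitimate mail from the same ISP's real mail server.
RELAY_MAIL = (
    "Received: from smtp-out.example-cable.invalid (smtp-out.example-cable.invalid [192.0.2.25])\n"
    "\tby mail.example.invalid (SIMS) with ESMTP id abc124;\n"
    "\tThu, 21 Aug 2003 19:05:00 -0400\n"
    "From: <customer@example-cable.invalid>\n"
    "Subject: ordinary mail\n"
    "\n"
    "hello\n"
)

if __name__ == "__main__":
    for label, raw in (("worm", WORM_MAIL), ("relay", RELAY_MAIL)):
        ip = connecting_ip(raw)
        verdict, why = policy_for(ip)
        print(f"{label}: {ip} -> {verdict} ({why})")
    print(abuse_report(WORM_MAIL))
```

Running the block rejects the message from 192.0.2.77 because it falls in the shunned pool, accepts the one from 192.0.2.25 because the relay is allow-listed even though it lives inside that same block, and prints the report text you would send to the ISP's abuse desk.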
