Virus attack on Shallow-sky (Shallow Thoughts)

Virus attack on Shallow-sky

We had dinner with Tim and Pam last night (visiting for AstroCon) at "Skates on the Bay" in Berkeley -- excellent food. so I told Tim about the virus attack on Shallow-Sky a few days ago, perpetrated in his name.

Messages were sent to the list, ostensibly from his address, containing various attachments which were obviously Windows viruses. Unfortunately, I was out on a hike when the attack happened, so five of them slipped through before I found out about it and blocked his address in order to investigate further.

The virus turned out to be W32.Beagle.AG@mm (W32 is obvious, and f3ew tells me that "mm" stands for "mass mailing").

Pasc gave me a procmail rule to block this virus, to put in smartlist's rc.submit. It should have worked, but it didn't, so I ended up using a more general rule to block all base64 encoded attachments (that'll probably piss off some people who like to send images to one of our other lists, but Dave says he's asked them not to do that anyway and doesn't mind having the rule there).

Of course, the messages weren't really coming from Tim: he doesn't even use Windows (Mac and Sun, usually). It turns out they're coming from a Comcast address, which doesn't narrow things down much. There are nine @comcast.net addresses on the list, so I notified them privately, but it could easily be someone else or even someone off the list (though I suspect it's a list member, since it's someone who has Shallow in their addressbook).

I suppose I'll probably never know who it was. The "Tim" attacks have stopped (so I don't even know for sure that my filter works, though it worked for a test message I sent) but I've gotten two attempts spoofing Peter J (who is not currently on the list, so they bounced with "Not on accept list" before they could test the filter).

Grumble grumble Windows security grumble ...

Tags: linux, security
[ 15:13 Jul 24, 2004    More linux | permalink to this entry | ]