email attack
Gerry Doris
gerry
Mon May 17 11:53:55 PDT 2004
On 20 Sep 2003, burns wrote:
> On Sat, 2003-09-20 at 14:10, dep wrote:
>
> >
> > New Category 3 Worm/Virus: Swen.A (Yes, that's 'news' backwards)
> > http://www.sarc.com/avcenter/venc/data/w32.swen.a@mm.html
>
> Yup. Also:
> http://www.cert.org/current/current_activity.html#swena
> Looks like it could be a nasty precursor to other attacks... it attempts
> to disable all security products on the infected host.

I've had several dozen of these show up in the last couple of days on my
home system. They just keep pouring in! This is in addition to the
blatant sendmail attacks from some damn public school in China.

I bitched a while ago to the sysadmin for the school and that really got
them going. I guess the sysadmin is the one running the attacks! They're
not getting far as I've blocked most of the Far East at my firewall.

By the way, for those running sendmail here's a couple of rules that are
working really well...these also stop the Verisign nonsense. Put the
following in your sendmail.mc file and then run the m4 macro and restart
sendmail.

The gaps after the Left Hand Side entries MUST be tabs. Make sure to put
the rest of the verbiage all on one line (the \'s just indicate the line
wrapped).

LOCAL_RULESETS
SLocal_check_relay
R$* $: $&{client_resolve}
RTEMP $#error $@ 5.7.1 $: "550 Access Denied ; Incomplete DNS. Cannot \
resolve PTR record for " $&{client_addr}" Please have your system \
administrator correct the zone entries."
RFORGED $#error $@ 5.7.1 $: "550 Access Denied ; Incomplete DNS. IP \
name possibly forged " $&{client_name}" Please have your system \
administrator correct the zone entries."
RFAIL $#error $@ 5.7.1 $: "550 Access Denied ; Incomplete DNS. \
Hostname lookup failed for " $&{client_name}" please have your system \
administrator correct the zone entries."
--
Gerry
"The lyfe so short, the craft so long to learne" Chaucer
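
Added example, not part of the post above and not sendmail's own code: a Python sketch of the forward-confirmed reverse DNS check that sendmail summarises in ${client_resolve} (OK, TEMP, FAIL, FORGED) and that the posted Local_check_relay rules act on. The function names, the DNS tables and the shortened reply strings are assumptions made for illustration.

```python
# Added illustration, not code from the post: approximates how sendmail sets
# ${client_resolve}, then applies the reject decisions of the posted rules.
class TempFail(Exception):
    """Resolver timeout or SERVFAIL (retryable)."""

# Constructed DNS data using reserved documentation names and addresses.
PTR = {"192.0.2.10": "mail.example.org",   # forward and reverse agree
       "192.0.2.20": "mx.example.net",     # PTR name maps to another address
       "192.0.2.40": TempFail}             # reverse lookup times out
A = {"mail.example.org": {"192.0.2.10"},
     "mx.example.net": {"198.51.100.7"}}

def reverse_lookup(ip, ptr):
    """Return the PTR name, None when no record exists, or raise TempFail."""
    value = ptr.get(ip)
    if value is TempFail:
        raise TempFail(ip)
    return value

def client_resolve(ip, ptr=PTR, a=A):
    """Classify a connecting address as OK, TEMP, FAIL or FORGED."""
    try:
        name = reverse_lookup(ip, ptr)
    except TempFail:
        return "TEMP"
    if name is None:
        return "FAIL"                      # no PTR record at all
    # Simplification in this sketch: a PTR name whose address records do not
    # include the connecting IP (or that has none) counts as FORGED.
    return "OK" if ip in a.get(name, set()) else "FORGED"

# Reply text shortened from the three rules in the post.
REJECT = {"TEMP": "550 Access Denied ; Incomplete DNS. Cannot resolve PTR record",
          "FORGED": "550 Access Denied ; Incomplete DNS. IP name possibly forged",
          "FAIL": "550 Access Denied ; Incomplete DNS. Hostname lookup failed"}

def check_relay(ip):
    """Return None to accept the connection, or the SMTP reply used to reject."""
    return REJECT.get(client_resolve(ip))

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, client_resolve(ip), check_relay(ip) or "accepted")
```

The posted rules answer TEMP with a permanent 550, so a transient resolver failure on the receiving side rejects the message outright instead of deferring it.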