Re: SPAM disguised as returned email, containing Virii: What to do
nobody at xyzzy.claranet.de
Mon Feb 9 01:01:42 EST 2004
Miss Betsy wrote:

> abuse desks, of course, investigate and deal with spam and
> viruses differently so they don't want viruses reported via
> spamcop which they expect to be spam.

That's not more "of course" but very 2002. SoBig and almost
all later worms install some kind of "remote administration
tool", and then infected systems can be abused as open proxy
to send spam, or for DDoS attacks against RBLs.

> They just must be reported outside of spamcop

The same error on SC's side. Bounces are a special case, but
worms are just step one of future abuse as open spam proxy etc.

> Often it is good to report viruses to security@ in addition
> to or instead of abuse@ because abuse desks don't always
> handle virus reports and just forward it on.

Or addresses like virus-abuse at online.no etc. But this special
handling of worms is a bad idea today. At the moment I have
632 mails (12 MB) in my junk folder. I'll simply delete this
crap addressed to anna@ / bob@ / dave@ / ... @xyyzy, because
it's too much work to scan it for reportable spam.

Only two weeks ago I could report my complete junk folder as
spam (minus some Sober.C worms identified by German subjects).
Before Dec 21 I could report all my junk without even looking
at it - and there were no false positives, I try to read all
lines starting with "error:" in the quick report results.

Now I'm pretty sure that about 200 of 632 mails in my junk
folder are reportable, but it's too much work to find this

SC could support virus reports, it already identifies (most)
worms, so using special addresses in these cases can't be too
difficult. The real problem is IMHO SC's server load, if we
all submit say 5 MB instead of 200 KB per day.