[SpamCop-List] Re: Worms reported as SPAM

John Malmberg a at all.addresses.on.cdrom.are.invalid.aaa
Sun Mar 7 11:41:42 EST 2004


Duncan Murdoch wrote:
> On Sun, 7 Mar 2004 12:51:43 +0800, "Super.Net.SG Postmaster"
> <postmaster at super.net.sg> wrote:
> 
>>I'm starting to see more and more worms (e.g. Netsky) being reported as
>>SPAM. Anyone else getting this problem also?

I first saw one of the latest viruses after something had stripped off the 
attachment and left only a notice that looked like a porn advertisement.

I cannot tell the worms apart except for what reports I see of them on 
usenet.  But I generally assume that any spam that contains a script or 
an executable is a virus.

> A friend of mine is an admin at University of Copenhagen.  They were
> recently blacklisted because of such a report, which, according to a
> deputy, went to a spamtrap.

That sounds like a mis-configured virus scanner sent a report to a 
spamtrap.  Last month there were a few people complaining on the web 
forum because the worms harvested some spamtrap address as spoofed from 
address, and the virus scanner in the mail server sent out a notification.

Those mail server operators have now decided that sending virus reports 
to the e-mail addresses they appeared to come from

> Once the worms start targeting spamtraps, the spamtraps will be
> pretty much useless.

Not really.

Almost no one will notice a direct-to-MX worm that hit a spamtrap if it 
is not a mail server that is infected.

If the worm is relayed through the ISP's mail server, the spamcop.net 
parser will attempt to list the infected machine, not the server, as 
long as the server properly identifies where it got the worm from.


An ISP can best defend itself against exploits of direct-to-MX viruses 
and from open proxies in the same way.  Only allow registered mail 
servers to send mail external to the ISP.

If someone needs to send e-mail directly through a mail server that is 
not in their ISP, there is an alternate port that they can use.

Many ISPs have taken these steps, and it reduces both the amount of 
work for the ISP and the amount of exploits.

If a worm escapes from an ISP's network, it is still the ISP's 
responsibility to fix it as soon as possible after they are notified.

I would think that a responsible ISP would welcome and encourage 
spamcop.net to allow reporting of viruses as it would allow them to get 
the reports in a uniform method for automatic parsing.

The treatment for a virus infected machine or a trojan's spam source is 
the same.  Prevent it from sending more e-mail as a first priority, but 
if possible allow it to get web fixes.

-John
wb8tyw at qsl.network
Personal Opinion Only
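The post says the spamcop.net parser lists the infected machine rather than the ISP's relay "as long as the server is properly identifying where it got the worm from". The following is an added illustration of that Received-header chain walk; it is example code written for this page, not SpamCop's parser, and the sample messages, hostnames and addresses (reserved documentation ranges) are constructed. It assumes the reporter trusts only the Received line written by their own MX, and then trusts the relay's own line only if that line continues the chain and records a source IP; otherwise the relay itself is listed.

```python
import re
from email import message_from_string

# Constructed sample messages (not from the original post).
# 1) Worm from an infected broadband host, relayed by the ISP's outbound
#    server, which properly records where it got the message from.
RELAYED = """\
Received: from mail.example-isp.net (mail.example-isp.net [203.0.113.10])
    by mx.example.org with ESMTP id 1A2B3C
    for <victim@example.org>; Sun, 7 Mar 2004 11:30:00 -0500
Received: from dsl-23.example-isp.net (dsl-23.example-isp.net [198.51.100.23])
    by mail.example-isp.net with ESMTP id 4D5E6F; Sun, 7 Mar 2004 11:29:50 -0500
From: "spoofed sender" <spamtrap@example.org>
To: victim@example.org
Subject: hi

see attachment
"""

# 2) Same path, but the ISP relay does not identify its source host.
RELAYED_NO_SOURCE = """\
Received: from mail.example-isp.net (mail.example-isp.net [203.0.113.10])
    by mx.example.org with ESMTP id 1A2B3C; Sun, 7 Mar 2004 11:30:00 -0500
Received: from unknown by mail.example-isp.net with SMTP id 4D5E6F;
    Sun, 7 Mar 2004 11:29:50 -0500
From: "spoofed sender" <spamtrap@example.org>
To: victim@example.org
Subject: hi

see attachment
"""

# 3) Direct-to-MX: the infected host connects to our MX itself and carries a
#    forged Received line beneath ours that does not continue the chain.
DIRECT = """\
Received: from dsl-23.example-isp.net (dsl-23.example-isp.net [198.51.100.23])
    by mx.example.org with ESMTP id 7G8H9I; Sun, 7 Mar 2004 11:30:00 -0500
Received: from innocent.example.net (innocent.example.net [192.0.2.77])
    by bogus-relay.example.com with ESMTP id FAKE; Sun, 7 Mar 2004 11:29:00 -0500
From: "spoofed sender" <spamtrap@example.org>
To: victim@example.org
Subject: hi

see attachment
"""

# Simplified "from HOST (COMMENT) by HOST" pattern; real Received lines vary
# more than this (assumption for the example).
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(value):
    """Reduce one Received header value to (from_host, from_ip, by)."""
    text = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
    m = HOP_RE.search(text)
    if not m:
        return {"from_host": None, "from_ip": None, "by": None}
    ip = IP_RE.search(m.group("paren") or "")
    return {
        "from_host": m.group("from").lower(),
        "from_ip": ip.group(1) if ip else None,
        "by": m.group("by").lower().rstrip(";"),
    }


def find_origin(raw_message, our_mx):
    """Pick the IP to report: the host the trusted relay says it got mail from,
    or the relay itself when its own Received line cannot be trusted."""
    msg = message_from_string(raw_message)
    hops = [parse_hop(v) for v in msg.get_all("Received", [])]
    # Received headers are newest-first; the top one must be ours.
    if not hops or hops[0]["by"] != our_mx.lower():
        raise ValueError("top Received header was not added by our own MX")
    top = hops[0]
    if len(hops) == 1:
        return {"ip": top["from_ip"], "reason": "direct_to_mx"}
    nxt = hops[1]
    # The relay's line must claim to be written *by* the host that connected
    # to us; otherwise everything below our line is untrusted (forged).
    if nxt["by"] != top["from_host"]:
        return {"ip": top["from_ip"], "reason": "chain_break"}
    # The relay must actually record the source IP, or it gets listed itself.
    if nxt["from_ip"] is None:
        return {"ip": top["from_ip"], "reason": "relay_no_source_ip"}
    return {"ip": nxt["from_ip"], "reason": "relay_identified_source"}


if __name__ == "__main__":
    for name, sample in (("relayed", RELAYED), ("no-source", RELAYED_NO_SOURCE), ("direct", DIRECT)):
        print(name, find_origin(sample, "mx.example.org"))
```

The three samples show the three outcomes the post distinguishes: a well-configured relay gets its infected customer listed, a relay that hides its source gets listed itself, and a direct-to-MX sender is listed by the connecting IP our own MX recorded, with any forged headers beneath it ignored.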
