[SpamCop-List] Re: Worms reported as SPAM
a at all.addresses.on.cdrom.are.invalid.aaa
Sun Mar 7 11:41:42 EST 2004
Duncan Murdoch wrote:
> On Sun, 7 Mar 2004 12:51:43 +0800, "Super.Net.SG Postmaster"
> <postmaster at super.net.sg> wrote:
>>I'm starting to see more and more worms (e.g. Netsky) being reported as
>>SPAM. Anyone else getting this problem also?
I first saw one the latest virus after something had stripped off the
attachment and left only a notice that looked like a porn advertisement.
I can not tell the worms apart except for what reports I see of them on
usenet. But I generally assume that any spam that contains a script or
an executable is a virus.
> A friend of mine is an admin at University of Copenhagen. They were
> recently blacklisted because of such a report, which, according to a
> deputy, went to a spamtrap.
That sounds like a mis-configured virus scanner sent a report to a
spamtrap. Last month there were a few people complaining on the web
forum because the worms harvested some spamtrap address as spoofed from
address, and the virus scanner in the mail server sent out a notification.
Those mail server operators have now decided that sending virus reports
to the e-mail addresses they appeared to come from
> Once the worms start targetting spamtraps, the spamtraps will be
> pretty much useless.
Almost no one will notice a direct to MX worm that hit a spamtrap if it
is not a mail server that is infected.
If the worm is relayed through the ISP's mail server, the spamcop.net
parser will attempt to list the infected machine, not the server, as
long as the server is properly identifying where it got the worm from.
And ISP can best defend it self against exploits of direct to MX viruses
and from open proxies in the same way. Only allow registered mail
servers to send mail external to the ISP.
If someone needs to send e-mail directly through a mail server that is
not in their ISP, their is an alternate port that they can use.
Many ISP's have taken these steps, and it reduces both the amount of
work for the ISP, and the amount of exploits.
If a worm escapes from an ISP'S network, it is still the ISP's
responsibility to fix it as soon as possible after they are notified.
I would think that a responsible ISP's would welcome and encourage
spamcop.net to allow reporting of viruses as it would allow them to get
the reports in a uniform method for automatic parsing.
The treatment for a virus infected machine or a trojan's spam source is
the same. Prevent it from sending more e-mail as a first priority, but
if possible allow it to get web fixes.
wb8tyw at qsl.network
Personal Opinion Only
More information about the SpamCop-List