[Coco] Re: Spam and e-mails
John E. Malmberg
wb8tyw at qsl.net
Mon Feb 28 00:01:24 EST 2005
John E. Malmberg wrote:
Following up to my own post:
> Some viruses now put a web server on the infected computer, and try
> to get you to visit it by opening a document or running an attachment.
This technique will get past most virus scanners, but requires a human
to visit with a vulnerable browser.
> There is an exploit where opening a zip file will trigger an HTML
> document to be parsed on some platforms.
This may or may not get detected by a virus scanner. As I do not run a
virus scanner on the computer that I get e-mail on, I do not know if it
would have detected this exploit if it was trying to load the virus from
a remote location instead of a self-contained one.
> The headers of the message will reveal the I.P. address of the computer
> that is infected.
If your mail server is using the xbl.spamhaus.org or a good DHCP list
like dul.dnsbl.sorbs.net, it is unlikely that you will see much of this
virus or most others.
Most viruses are direct to MX because the virus writers are assuming
that a mail administrator will do something to either detect the virus
or throttle the sending rate, or otherwise take quick action.
And most viruses manage to find a cbl.abuseat.org spamtrap in the first
few seconds of their infection. The cbl.abuseat.org is a component of
the xbl.spamhaus.org. I have not heard yet of an erroneous listing in
that list where an uninfected machine was blocked.
-John
wb8tyw(at)qsl.net
Personal Opinion Only
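
The check a mail server makes against the lists named in this message, as an added example that is not part of the original post: take the connecting IP from a Received header, reverse its octets, and query it under each DNSBL zone. The sample header, the function names and the injectable `resolve` parameter are constructed for illustration.

```python
import ipaddress
import re
import socket

ZONES = ("xbl.spamhaus.org", "dul.dnsbl.sorbs.net")  # zones named in the post
LISTED = ipaddress.ip_network("127.0.0.0/8")          # DNSBL answers live here
ERRORS = ipaddress.ip_network("127.255.255.0/24")     # Spamhaus query-error codes

# Constructed sample header; 192.0.2.45 is a documentation address (RFC 5737).
SAMPLE_RECEIVED = (
    "Received: from dsl-pool.example.net (unknown [192.0.2.45])\n"
    "\tby mx.example.org (Postfix) with SMTP id 4F2A1;\n"
    "\tMon, 28 Feb 2005 00:00:59 -0500 (EST)"
)

def connecting_ip(received):
    """Return the bracketed IPv4 address the receiving MTA recorded, or None."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ValueError:  # e.g. an octet above 255
        return None

def dnsbl_name(ip, zone):
    """Build the query name: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Return the A records for name; an empty list if the lookup fails."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []

def listed_in(ip, zones=ZONES, resolve=system_resolver):
    """Return the zones whose answer marks ip as listed."""
    hits = []
    for zone in zones:
        for answer in resolve(dnsbl_name(ip, zone)):
            addr = ipaddress.IPv4Address(answer)
            # Ignore error codes and answers outside 127/8 (e.g. a resolver
            # that rewrites NXDOMAIN); neither means the address is listed.
            if addr in LISTED and addr not in ERRORS:
                hits.append(zone)
                break
    return hits
```
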