LISTSERV at the University of Georgia
Date:         Tue, 23 Sep 2003 03:10:26 +0100
Reply-To:     Real SAS User <sasuser@GUILDENSTERN.DYNDNS.ORG>
Sender:       "SAS(r) Discussion" <SAS-L@LISTSERV.UGA.EDU>
From:         Real SAS User <sasuser@GUILDENSTERN.DYNDNS.ORG>
Subject:      OT:  (Swen) If your site is running a virus autoresponder,
              disable it
Content-Type: text/plain; charset=us-ascii

I've received some 3200 Swen viruses on a personal account to date. Reports from associates range from hundreds to tens or hundreds of thousands. Estimates of infected hosts range from 200,000 to 1.5 million. I suspect higher.

The return address of the mail differs from the SoBig.F mail which pulled sender from addresses on the infected host's system. Instead, Swen generates a sender address from a list of strings. Most of these resolve to Microsoft or undeliverable domains. About 5% resolve to "ms.com". This isn't Microsoft, but Morgan Stanley Dean Witter & Co.

If the amount of Swen mail flying around is what I suspect it is, there are hundreds of millions, if not billions of messages sent, and millions or tens of millions of these point back to Morgan Stanley. I'm sure the technical team at Morgan Stanley has some choice words for every author, vendor, and user of such systems right now.

If your organization's virus, spam, vacation, or email nondelivery notification system replies to the "From:" header of the mail, you are contributing to a massive denial-of-service attack on Morgan Stanley. Note that you're also attacking Microsoft and Verisign, with approximately 20-fold greater frequency. I consider this as excusable as it is Microsoft's poor security design which has contributed directly to this problem, and Verisign has voluntarily elected to resolve and accept mail for any nondeliverable domain in the .com and .net TLDs. Both organizations have the power to stop such attacks by changing their behavior.

Morgan Stanley does not.

If any single incident can highlight the inherent harm in unvalidated spam, virus, vacation, and mailserver response messages, this is it. Please forward this message to your organization's IT department.

Of course, should Morgan Stanley seek remedy for damages inflicted by your organization, they are fully justified in doing so.

-- Charming man. I wish I had a daughter so I could forbid her to marry one...
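
The check an autoresponder can make before replying, as an added example that is not part of the original message: it never notifies the sender of virus-flagged mail, skips automated, bulk and list traffic, and addresses any reply to the Return-Path envelope sender rather than "From:", following the recommendations in RFC 3834. The function name, the `flagged_as_virus` and `sender_verified` parameters, and the sample messages are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def auto_reply_target(raw, flagged_as_virus=False, sender_verified=True):
    """Return (address, reason); address is None when no reply may be sent."""
    msg = message_from_string(raw)
    # Worm mail carries a forged sender: a "you sent a virus" notice
    # would land on an uninvolved third party.
    if flagged_as_virus:
        return None, "virus: sender forged"
    # sender_verified is a hypothetical flag set by an upstream sender check.
    if not sender_verified:
        return None, "sender not verified"
    # Do not answer automated, bulk or list traffic (RFC 3834).
    if (msg.get("Auto-Submitted") or "no").strip().lower() != "no":
        return None, "auto-submitted"
    if (msg.get("Precedence") or "").strip().lower() in {"bulk", "list", "junk"}:
        return None, "bulk precedence"
    if any(name.lower().startswith("list-") for name in msg.keys()):
        return None, "mailing list"
    # Address the reply to the envelope sender recorded in Return-Path,
    # never to From:. A missing or null reverse-path means no reply.
    return_path = (msg.get("Return-Path") or "").strip()
    if return_path in ("", "<>"):
        return None, "null reverse-path"
    address = parseaddr(return_path)[1]
    if "@" not in address:
        return None, "unusable reverse-path"
    return address, "ok"

# Constructed sample messages (not captured traffic).
PERSONAL = ("Return-Path: <alice@example.org>\n"
            "From: Alice <alice@example.org>\n"
            "Subject: lunch?\n\nhi\n")
FORGED = ("Return-Path: <bob@example.net>\n"
          "From: Security Bulletin <support@example.com>\n"
          "Subject: patch\n\nsee attachment\n")
LIST_MAIL = ("Return-Path: <owner-list@example.org>\n"
             "From: carol@example.org\nPrecedence: list\n\nhello\n")
BOUNCE = ("Return-Path: <>\nFrom: MAILER-DAEMON@example.org\n"
          "Auto-Submitted: auto-replied\n\nundeliverable\n")

if __name__ == "__main__":
    for name, raw, virus in [("personal", PERSONAL, False), ("forged", FORGED, True),
                             ("list", LIST_MAIL, False), ("bounce", BOUNCE, False)]:
        print(name, auto_reply_target(raw, flagged_as_virus=virus))
```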

