Germ Warfare II - Revenge of the Nerds
Novell Cool Solutions: Feature
By Mark Russell
Posted: 15 Apr 2004
I've had a couple of messages from the School Cool Solutions community asking for ideas to help combat the recent spate of worms. At our institution, we've had some success in eliminating the source of some of them, and - er - "encouraging" other institutions to invest in some form of electronic prophylactic...! I thought I'd share some of our experiences with the forum, which is where this article comes from.
We've found in several cases that the majority of infectious transmissions originate from a minority of sources. I'm talking SoBig, MyDoom, Netsky etc.
Most of these worms use their own SMTP engine to e-mail themselves to every e-mail address stored on an infected user's PC. They'll also pretend to be from a random address contained in the same address list.
Others may fill in the technical details as to how the worms work, but at the end of the day, an address list is nothing more than a comma-delimited text file, and SMTP lends itself to exactly this form of address spoofing, because the receiving server simply takes the From: address it is given - after all, it's not called "Simple" Mail Transfer Protocol for nothing! I used to "hack" my university mailserver and send people e-mails which appeared to come from Santa Claus at Christmas (yes, yes, I know, I've slapped my own wrists thank you!); it's really not at all difficult.
Your everyday PC user will look no further than the To: and From: addresses and get awfully confused, but these worms can't disguise the IP address of the machine that actually connected to your SMTP server, which your server records in the message headers.
Check your e-mail logs for infected mail; assuming you're already employing some form of mail scanner, this process is relatively simple. In our case, we use Guinevere (and I'm still waiting for that endorsement!) which I have configured to forward all blocked e-mail to me, and in most cases, checking the SMTP headers will show that infected mail is being sent from the same IP addresses with alarming regularity.
Go to your GWIA properties in the GroupWise view of ConsoleOne, and in the Access Control List, you can block e-mail from those IP addresses (Edit your default class of service and add IP addresses to the "prevent mail from" field). This has the added advantage that infected mail is blocked at the daemon level, thus preventing it from entering your system in the first place.
A reverse DNS lookup on that IP address will give you the domain name from which the e-mail originated. If this is a mailserver owned by another institution, then it's a simple matter of finding their contact details and making a stern phone call to their IT department.
For home users, this is of little use, because public mailservers will be relaying mail for thousands of users. However, as soon as a member of staff complains they're not receiving their weekly quota of jokes from their friends, you know where the infected PC is located.
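As an added example (not from the original article, nor part of Guinevere or GWIA), here is a short Python script that does the header check described above over a few constructed sample messages: it reads the connecting IP from the topmost Received: header, the one your own gateway wrote, tallies blocked messages per address, and lists the repeat sources as candidates for the "prevent mail from" field. All host names and addresses in the samples are made up.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample of blocked messages (headers only), as a mail scanner
# might forward them. Hosts and addresses are invented for illustration;
# the topmost Received: line is the one our own gateway (gwia) added.
SAMPLE_MESSAGES = [
    "Received: from pc17 (unknown [198.51.100.7])\n"
    "\tby gwia.example.edu with SMTP; Thu, 15 Apr 2004 09:01:12 +0100\n"
    "From: alice@example.org\nTo: staff@example.edu\nSubject: hi\n\n",
    "Received: from pc17 (unknown [198.51.100.7])\n"
    "\tby gwia.example.edu with SMTP; Thu, 15 Apr 2004 09:03:40 +0100\n"
    "From: bob@example.net\nTo: staff@example.edu\nSubject: document\n\n",
    "Received: from mail.other.example (mail.other.example [203.0.113.5])\n"
    "\tby gwia.example.edu with SMTP; Thu, 15 Apr 2004 09:05:02 +0100\n"
    "Received: from pc3 (unknown [10.0.0.3])\n"
    "\tby mail.other.example; Thu, 15 Apr 2004 09:05:00 +0100\n"
    "From: carol@example.org\nTo: staff@example.edu\nSubject: test\n\n",
]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def origin_ip(raw_message):
    """IP that connected to our gateway: the bracketed address in the
    topmost Received: header. The From: header is deliberately ignored,
    since the worm fills it from the victim's address book."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = IP_IN_BRACKETS.search(received[0])
    return match.group(1) if match else None

def tally_origins(messages):
    """Number of blocked messages seen per connecting IP."""
    return Counter(ip for ip in map(origin_ip, messages) if ip)

def repeat_offenders(messages, threshold=3):
    """IPs seen at least `threshold` times: candidates for the GWIA
    'prevent mail from' list, once a reverse lookup says whose they are."""
    return sorted(ip for ip, n in tally_origins(messages).items() if n >= threshold)

if __name__ == "__main__":
    for ip, n in tally_origins(SAMPLE_MESSAGES).most_common():
        print(f"{ip}: {n} blocked message(s)")
    print("block candidates:", repeat_offenders(SAMPLE_MESSAGES, threshold=2))
```

In practice you would feed it the raw headers of the messages your scanner forwards and raise the threshold to whatever counts as "alarming regularity" on your own system.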
It's not much, and it's a fair amount of hassle, but it can prevent your system from getting clogged with infected mail - and we've made complaints to a number of other institutions that aren't as careful about prevention as we are. You might only catch one or two, but every wall is made up of lots of small bricks, and by stopping one source of infection, you might be preventing a thousand others.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com