May 18, 2003

So who the heck do you tell?

I'm in what seems to be an odd situation. Well, odd for me at least.

I'm getting peppered with virus mail. Now, this isn't at all unusual--I get a lot of virus generated mail. Goes in waves, of course, but it's not too unusual for me to get 30-40 a day, with a normal day being more like 10-20. SpamAssassin catches almost all of them, so they just sit in my SPAM folder on the server waiting for me to pop over and clean 'em out along with all the other dreck that gets pounded my way.

SpamAssassin, along with Vipul's Razor, seems pretty darned good at catching these things, so I generally don't pay them any mind. (I'm also running Eudora on OS X, so it's not like I'm vulnerable to these damn things anyway) Today, though, three got through in relatively rapid succession, all with a spoofed "from" of "", and all from the Netherlands (according to the headers). That was unusual enough that I decided to pop over to both MessageLabs and Symantec's website and see which one it is. As far as I can tell, no joy. Nothing matches the characteristics of this thing.

The sensible thing to do, once a check of the search databases and a strings on the decoded attachment turns up nothing, is to report it to the AV folks, right? I mean, my e-mail address has been plastered all over everywhere for more than a decade (yes, dan at sidhe dot org has been active since April 1993), I haven't made any real attempts to spoof my address anywhere, and I generate far too much e-mail, so it doesn't seem too arrogant to assume that on occasion I'll be one of the first people pinged by a new virus. I wouldn't expect it to be a common thing, but neither does it seem unlikely enough to discount.

Given that, I go searching for an e-mail address to submit the message to. A quick pine bounce should send it on, headers and payload intact. Or it would, if I could find where to send the damn thing. A search of the MessageLabs website turns up nothing. (Matt Sergeant, who's active in the perl community, works there, so I figured I'd try them first) A search of the Symantec website also turns up nothing. I could ping some people I know directly, but... I don't think so. Seems an inappropriate use of personal e-mail addresses, and besides, by the time they get it and deal with it likely they'll know by some other mechanism.

Still, it'd be nice to have some way to know. Know that it is, in fact, a known virus, or is something new, and if it's new know that someone'll deal with the damn thing. The sooner the better since, while I'm not vulnerable, I still have to deal with the fallout of a zillion virus messages. Bleah.

Update: On the off-chance someone actually wants a copy, I did a save to a new mailbox in pine and put the results here. Complete with internal folder bits, but chop those off and it's there, in all its glory. SpamAssassin has processed it, hence its headers. I don't have a fully unprocessed version.

Update 2: Well, it turns out not to matter. Whatever this thing is, it's wide-spread. As of 7:30AM EST today, I've gotten 131 of the damn things, and more to come I expect. Notifying anyone wouldn't have stopped that. And yes, I do now have a procmail recipe in to trash these on receipt.

Update 3: Turns out to be the Palyh virus. Some day I'm going to sit down and figure out how much data got slung across my wires here just transporting virus traffic...

Posted by Dan at May 18, 2003 06:14 PM | TrackBack (0)

It turns out that paying close attention to the SMTP protocol catches this particular virus for free. You can reject it before even getting to the DATA stage, which means no more than a couple of dozen bytes are sent. Simply reject mail from servers that announce themselves with garbage HELO strings. It catches this virus. I didn't have to accept the message in order to discard it afterwards.

I was first aware of it when I noticed all the rejections piling up from, from different client addresses. Sure, the next virus will probably get this right, but until then, it also catches a pile of spam as well. Catching stuff at the border is good. Discarding it afterwards, less so.

Posted by: David Landgren at June 3, 2003 01:29 PM
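
The HELO-stage rejection described in the comment above, sketched as an added example; it is not code from the post or from the commenter's mail server. What counts as a "garbage" HELO string is an assumption here: anything that is neither a fully qualified domain name nor a bracketed address literal in RFC 5321 syntax. The function names, the `mail.example.org` server name and the sample lines are constructed.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def helo_is_plausible(arg: str) -> bool:
    """True if arg is an FQDN or a bracketed address literal (assumed policy)."""
    if arg.startswith("[") and arg.endswith("]"):
        literal, version = arg[1:-1], 4
        if literal[:5].upper() == "IPV6:":
            literal, version = literal[5:], 6
        try:
            return ipaddress.ip_address(literal).version == version
        except ValueError:
            return False
    labels = arg.split(".")
    if len(arg) > 255 or len(labels) < 2:
        return False          # too long, or a single unqualified label
    if labels[-1].isdigit():
        return False          # bare IP address sent without brackets
    return all(LABEL.fullmatch(label) for label in labels)

def helo_reply(line: str) -> str:
    """Reply to a HELO/EHLO command line, before MAIL FROM or DATA is seen."""
    parts = line.strip().split()
    if len(parts) != 2 or parts[0].upper() not in ("HELO", "EHLO"):
        return "501 Syntax: HELO hostname"
    if not helo_is_plausible(parts[1]):
        return "501 Invalid HELO name, rejected"
    return "250 mail.example.org"

if __name__ == "__main__":
    # Constructed sample greetings, not taken from real traffic.
    samples = [
        "HELO mail.example.com",
        "EHLO [192.0.2.10]",
        "EHLO [IPv6:2001:db8::1]",
        "HELO 192.0.2.10",
        "HELO localhost",
        "HELO x_q!z",
        "HELO",
    ]
    for line in samples:
        print(f"{line!r:32} -> {helo_reply(line)}")
```

Rejecting unqualified names such as `localhost` is stricter than some sites can afford, since misconfigured but legitimate clients send them; log rejections before enforcing.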