Internet.com ISP-Planet
ISP Technology

 

Best of the ISP-Lists

Managed Security Services

A Spamming Trojan

Members of the ISP-Tech list discuss spam filters and anti-virus programs. Whatever you do, trojans will continue to hit unsuspecting users through the back door.

[August 21, 2002]

On the ISP-Tech list in July, TC asked,

"There are viruses that send out spam, right? I have a customer with one that was sending Russian Lolita stuff. I assume there is an elementary way to combat this. Don't we have to allow 'From' addresses different from our domain for customers who dial up through us but send mail from a domain hosted elsewhere, or should we just reject any 'From' address that isn't one of our domains?"

LC considered one obvious culprit:

"Are we talking about Klez?"

TC noted that the answer wasn't that simple:

"The Klez viruses I've seen just have nonsense subjects and messages: the spam coming from this customer's virus is 'real' spam, as in:

Subject: Aarandaleon! Your private *UNDERAGE* lolitas and boys!

The message then contains the following:

This sites are legal in Indonesia, but may be ILLEGAL in your country! Be careful! Please do not forward this message to any other recepients! P.S. This is not spam!

The customer has Norton, and he says he updates it every two weeks. I know: not often enough."

LC offered a solution:

"In your mail gateway, filter/reject on

/^Subject:.*Aarandaleon/ REJECT
/^Subject:.*your private/ REJECT
/^Subject:.*underage/ REJECT
/^Subject:.*lolitas/ REJECT

and reject messages with dangerous attachments. Then your SMTP anti-virus scanner should also pick up any attachments that sneak through the SMTP gateway."

JL added that there's nothing wrong with rejecting unknown 'From' addresses:

"We have never permitted outgoing mail to be sent from our mail servers which doesn't contain a 'From' address matching a valid e-mail account on our system. There are two simple solutions for your subscribers for whom this is an issue. Tell your subscriber to send his outgoing mail through the mail server provided by his other domain. If that host doesn't provide e-mail services, suggest that your subscriber consider hosting his site at your facility. Alternatively, tell your subscriber to use an e-mail address matching a valid mailbox hosted on your system as their 'From' address, then to place the address to which they'd like replies to be sent in the 'Reply To' box. Their correspondents will never notice. If you permit folks to send outgoing mail through your servers using a bogus 'From' address, you're asking for trouble."
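The two gateway checks described above, LC's subject rules and JL's 'From' policy, combined in one outgoing-mail check. This is an added example, not code from the list or from any mail server; the function name check_outgoing, the isp.example mailboxes and the sample messages are constructed assumptions, and case-insensitive subject matching is also an assumption.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

# Constructed sample data: mailboxes hosted on this ISP's system.
VALID_MAILBOXES = {"alice@isp.example", "bob@isp.example"}

# LC's four subject rules; matched case-insensitively here (an assumption)
# so that "*UNDERAGE*" and "Your private" are caught too.
SUBJECT_RULES = [re.compile(p, re.IGNORECASE)
                 for p in ("Aarandaleon", "your private", "underage", "lolitas")]

def check_outgoing(raw_message, valid_mailboxes=VALID_MAILBOXES):
    """Return (accepted, reason) for one outgoing message (hypothetical helper)."""
    # policy.default decodes RFC 2047 encoded headers before we match on them.
    msg = message_from_string(raw_message, policy=policy.default)
    from_headers = msg.get_all("From", [])
    senders = [addr.lower() for _, addr in getaddresses(from_headers) if addr]
    # Require exactly one From header carrying exactly one address.
    if len(from_headers) != 1 or len(senders) != 1:
        return False, "malformed From"
    # JL's policy: From must be a mailbox hosted here; Reply-To is not checked.
    if senders[0] not in valid_mailboxes:
        return False, "From is not a hosted mailbox"
    subject = str(msg.get("Subject", ""))
    for rule in SUBJECT_RULES:
        if rule.search(subject):
            return False, "subject matches " + rule.pattern
    return True, "ok"

# Constructed test messages (headers, blank line, body).
OK_MSG = ("From: Alice <alice@isp.example>\n"
          "Reply-To: alice@hosted-elsewhere.example\n"
          "Subject: Quarterly invoice\n\nSee attached.\n")
FOREIGN_FROM = ("From: alice@hosted-elsewhere.example\n"
                "Subject: Quarterly invoice\n\nSee attached.\n")
ENCODED_SPAM = ("From: bob@isp.example\n"
                "Subject: =?utf-8?q?YOUR_PRIVATE_offer?=\n\nClick here.\n")

if __name__ == "__main__":
    for name, raw in (("ok", OK_MSG), ("foreign", FOREIGN_FROM),
                      ("spam", ENCODED_SPAM)):
        print(name, check_outgoing(raw))
```

The third sample shows why the subject is decoded before matching: an encoded Subject header would slip past a rule applied to the raw header line.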

Others recommended some anti-virus solutions to consider:

[BK suggested] "You can try to block, prevent, and do everything in your power to try to stop the spread of viruses at the ISP end, but some will still get through. The best solution is two lines of defense: an ISP that actively works to prevent such, and customers who have anti-virus programs running on their systems, such as Panda, Norton, or McAfee, and who keep them updated. I prefer Panda Software, myself: it uses low resources, scans the virus when it is coming in and not part of the e-mail file, and it has daily updates that are downloaded automatically."

[RG added] "Computer Associates also has a great program called EZ Armor, formerly InoculateIT. It's very good, very fast, and it's updated as needed, usually several times a week."

In the end, TC finally cracked the case:

"This was the Backdoor.Autoupder virus: it got past my customer's Norton AntiVirus. Thanks for the suggestions!"

—End

Related articles:
  [May 21, 2002] Postini Pro and Con
  [July 24, 2001] E-mail Virus Protection as Certain as Death and Taxes
  [Jan. 24, 2001] The Snow White Virus

 
