Is the answer to block everything from Micr*soft ?

  • Thread starter Thread starter chantal
  • Start date Start date
C

chantal

I know many people have had a problem with the Swen virus, and other email
spam that prompt users to download fake Microsft updates. What sort of
security measures can our IT provider put in place to prevent potential
disasters from these fake update emails? Our Exchange server and our PDC are
running on NT4.

The solution we have inplace is to use Antigen to block ALL email with the
text "Microsft". This stops our Entire company from corresponding with
Microsft partners, or Microsft themselves, and from receiving any email
relating to products/services that we use in our development.

I have an idea that this is not the only solution, and that others may have
adopted alternatives. Do you have any suggestions on alternative solutions
to overcoming this problem ?

Thanks in advance

Regards

Chantal

-----Original Message-----

From: IT PRovider

Sent: 09 October 2003 09:01

To:

Subject: RE: Micr*soft Tech-Ed 2003

Because of the Swen virus which is sent via email supposedly from microsft
telling people to download updates, which is in fact the virus so we were
forced to block "micr*soft" as we are prob receiving about 30-40 a day. Keep
an eye out for the mail, it will come from Antigen as a forwarded
attachment.

-----Original Message-----

To: IT PRovider

why is there a *micr*soft* filter on email? I promise its not a sleezy
email...
 
I know many people have had a problem with the Swen virus, and other
email spam that prompt users to download fake Microsft updates. What
sort of security measures can our IT provider put in place to prevent
potential disasters from these fake update emails? Our Exchange server
and our PDC are running on NT4.

The solution we have inplace is to use Antigen to block ALL email with
the text "Microsft". This stops our Entire company from corresponding
with Microsft partners, or Microsft themselves, and from receiving any
email relating to products/services that we use in our development.

I have an idea that this is not the only solution, and that others may
have adopted alternatives. Do you have any suggestions on alternative
solutions to overcoming this problem ?

Thanks in advance

Regards

Chantal
Click to expand...
-snipped-

What if you were to filter the "received" and "return
path" headers to allow valid MS email to pass through, and block the
other MS forged headers like you are currently doing?

Jeff
 
That's certainly not the solution I would take. Instead, these are more
typical solutions:

Use an antivirus scanner at the email gateway or email server and reject
infected emails [last I checked, Norton Antivirus provided free server
software to do these kinds of scans if you bought NAV Corporate Edition for
your workstations, and there are free Linux server solutions as well];
Block all .EXE and other dangerous file attachments [and the advantage here
is that you are also protected against future viruses, not just the
currently known virus];
Block emails based on words known to be contained in the subject line;
Block emails based on a longer, more precise search string than just
"Microsoft"
Contact Antigen for suggestions. I'm sure they must have a better solution.

More info on how to recognize swen is at www.trendmicro.com and also
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
 
I think the problem is that the email hasnt got a virus attached to it, but
a web address and a message that cons the user into visiting that address..

So the problem is that stupid users believe it is an update from Microsoft
and visit the website and download the virus themselves...


Karl Levinson [x y] mvp said:
That's certainly not the solution I would take. Instead, these are more
typical solutions:

Use an antivirus scanner at the email gateway or email server and reject
infected emails [last I checked, Norton Antivirus provided free server
software to do these kinds of scans if you bought NAV Corporate Edition for
your workstations, and there are free Linux server solutions as well];
Block all .EXE and other dangerous file attachments [and the advantage here
is that you are also protected against future viruses, not just the
currently known virus];
Block emails based on words known to be contained in the subject line;
Block emails based on a longer, more precise search string than just
"Microsoft"
Contact Antigen for suggestions. I'm sure they must have a better solution.

More info on how to recognize swen is at www.trendmicro.com and also
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]


chantal said:
I know many people have had a problem with the Swen virus, and other email
spam that prompt users to download fake Microsft updates. What sort of
security measures can our IT provider put in place to prevent potential
disasters from these fake update emails? Our Exchange server and our PDC are
running on NT4.

The solution we have inplace is to use Antigen to block ALL email with the
text "Microsft". This stops our Entire company from corresponding with
Microsft partners, or Microsft themselves, and from receiving any email
relating to products/services that we use in our development.

I have an idea that this is not the only solution, and that others may have
adopted alternatives. Do you have any suggestions on alternative solutions
to overcoming this problem ?

Thanks in advance

Regards

Chantal

-----Original Message-----

From: IT PRovider

Sent: 09 October 2003 09:01

To:

Subject: RE: Micr*soft Tech-Ed 2003

Because of the Swen virus which is sent via email supposedly from microsft
telling people to download updates, which is in fact the virus so we were
forced to block "micr*soft" as we are prob receiving about 30-40 a day. Keep
an eye out for the mail, it will come from Antigen as a forwarded
attachment.

-----Original Message-----

To: IT PRovider

why is there a *micr*soft* filter on email? I promise its not a sleezy
email...
Click to expand...
Click to expand...
 
That may be part of the problem, but I still think you'd need to
assume that users out there are going to make mistakes and get
infected and take additional steps to protect yourself when they do.
There is never ever ever going to be a shortage of new, inexperienced
computer users on the Internet or vulnerabilities in a certain OS or
software to exploit.
 
chantal wrote / skrev:
The solution we have inplace is to use Antigen to block ALL email with the
text "Microsft". This stops our Entire company from corresponding with
Microsft partners, or Microsft themselves, and from receiving any email
relating to products/services that we use in our development.

I have an idea that this is not the only solution, and that others may have
adopted alternatives. Do you have any suggestions on alternative solutions
to overcoming this problem ?
Click to expand...

As swen uses incorrect MIME-headers the answer is quite simple for this
one.

All you need to do is get rid of anything containing the following in
their MIME-headers (i.e. the raw message)
Content-Type: audio/x-wav; name=
Content-Type: audio/x-midi; name=
Content-Type: application/x-msdownload; name=

The former two will generally arrive within the first 25 lines of the
body, the third one will usually arrive within 300 lines.

- Veronica Loell
 
Back
Top