[OPLINTECH] Another virus related spam issue, but a new solution

Karl Jendretzky jendreka at oplin.org
Mon May 4 13:17:57 EDT 2009


As far as I know, the library from two weeks ago still hasn't found the 
infected machine. I just see it poking at me every couple of days, checking 
to see if I'm willing to play again.

The machine from today is the only one on the offending IP address, but 
the box isn't managed by the site, so we won't know what's actually on 
there until the outside management gets back to us.

Once I know specifically what's hitting them, I'll try to give you 
something special to look for. If you're already up to date on your 
patches/definitions, and you've got measures in place to either restrict 
user actions or wipe out user changes on a regular basis, then the only 
thing I would recommend is that you have some plan for finding a 
misbehaving machine on the network. Even if it's just having a spanning 
port set up and making yourself familiar with an app like Wireshark, not 
having to scramble to learn the stuff when something is on fire will 
save you some frustration. Even unsinkable ships need lifeboats. :)

Thanks,
    Karl Jendretzky
    Technology Project Manager
    Ohio Public Library Information Network
    jendreka at oplin.org
    (614) 728-1515



Chad Neeper wrote:
> Aside from perhaps selective egress blocking at the network perimeter 
> firewall and keeping current on the virus definitions, is there 
> anything else you'd like us to be doing at individual libraries to 
> mitigate these problems?
>
> Chad
>
>
> -----------------------
> Chad Neeper
> Senior Systems Engineer
>
> Level 9 Networks
> 740-548-8070 (voice)
> 866-214-6607 (fax)
>
> --   Full LAN/WAN consulting services   --
> -- Specialized in libraries and schools --
>
>
>
> Karl Jendretzky wrote:
>> All,
>>     I was greeted this morning with yet another infected library 
>> machine using the OPLIN mail server as a spam cannon. I've already 
>> spoken to the library, and if any details come up that could be 
>> useful to the group, we'll let you know.
>>
>> With increased virus activity out in the libraries, I'm trying to 
>> find the best way to lock down our services, while still providing 
>> access for library staff. At this point I think the best way for me 
>> to prevent exploits like this, while still allowing libraries to use 
>> our server as a relay for their ILS notices, is by allowing relaying 
>> based partly off of the "from" address.
>>
>> If you are using the OPLIN mail server as a relay, and the mail is 
>> coming from an email address that isn't @oplin.org, I need you to 
>> shoot either myself, or OPLIN support an email letting us know what 
>> address, or at least domain the emails are coming from. My thought is 
>> that going this direction, I can stop the phishing emails, while not 
>> requiring anyone in the network to reconfigure their ILS setup.
>>
>> If you have any questions, feel free to contact me.
>>
>>   
> ------------------------------------------------------------------------
>
> _______________________________________________
> OPLINTECH mailing list
> OPLINTECH at oplin.org
> http://mail.oplin.org/mailman/listinfo/oplintech
> Search: http://oplin.org/techsearch
>   

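The "plan for finding a misbehaving machine" that Karl recommends above can be reduced to a small script once the span-port capture is summarized. The following is an added example, not code from the thread or from OPLIN; it assumes the capture was first boiled down with a tshark command like the one in the docstring (a standard invocation, but the exact fields are my choice), that the library LAN is 10.1.0.0/16, and that the sample lines are constructed rather than a real capture. It ranks internal hosts by how many outbound SMTP connection attempts they make and to how many distinct destinations, which is the signature of a "spam cannon" rather than of a workstation talking to its usual relay.

```python
"""Rank internal hosts by outbound SMTP connection attempts seen on a span port.

Added example, not from the OPLIN thread. It assumes the capture was
summarized with a tshark invocation such as (a hypothetical but standard
command line; field names are real tshark fields):

    tshark -r span.pcap \
      -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.dstport == 25" \
      -T fields -e frame.time_epoch -e ip.src -e ip.dst

which prints one tab-separated line per outbound SMTP SYN (connection
attempt). The sample below is constructed, not a real capture.
"""
from ipaddress import ip_address, ip_network

# Assumption: the library's LAN. Only internal -> external SMTP counts.
INTERNAL_NET = ip_network("10.1.0.0/16")

# Constructed sample tshark output: epoch seconds, source IP, destination IP.
# 10.1.20.15 is a normal workstation that talks to one relay twice in five
# minutes; 10.1.20.42 opens 12 SMTP connections to 8 different hosts in
# under 30 seconds. Two lines (external source, internal destination) are
# present only to show that they are ignored.
SAMPLE_TSHARK_OUTPUT = """\
1241457500.0\t10.1.20.15\t198.51.100.25
1241457800.0\t10.1.20.15\t198.51.100.25
1241457550.0\t203.0.113.9\t198.51.100.25
1241457560.0\t10.1.20.42\t10.1.1.5
1241457600.0\t10.1.20.42\t192.0.2.10
1241457602.5\t10.1.20.42\t192.0.2.11
1241457605.0\t10.1.20.42\t192.0.2.12
1241457607.5\t10.1.20.42\t192.0.2.13
1241457610.0\t10.1.20.42\t192.0.2.14
1241457612.5\t10.1.20.42\t192.0.2.15
1241457615.0\t10.1.20.42\t192.0.2.16
1241457617.5\t10.1.20.42\t192.0.2.17
1241457620.0\t10.1.20.42\t192.0.2.10
1241457622.5\t10.1.20.42\t192.0.2.11
1241457625.0\t10.1.20.42\t192.0.2.12
1241457627.5\t10.1.20.42\t192.0.2.13
"""


def parse_syn_lines(text):
    """Turn tshark's tab-separated output into (timestamp, src, dst) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split("\t")
        records.append((float(ts), ip_address(src), ip_address(dst)))
    return records


def smtp_talkers(records, internal_net=INTERNAL_NET):
    """Per internal source host: SYN count, distinct destinations, time span."""
    stats = {}
    for ts, src, dst in records:
        # Skip traffic that did not originate inside, or that stays inside
        # (e.g. a workstation talking to the library's own mail server).
        if src not in internal_net or dst in internal_net:
            continue
        s = stats.setdefault(src, {"syns": 0, "dests": set(), "first": ts, "last": ts})
        s["syns"] += 1
        s["dests"].add(dst)
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return stats


def flag_spam_cannons(stats, max_syns_per_min=10, max_dests=5):
    """Return (host, syns, distinct_dests, syns_per_min) for suspicious hosts.

    A real mail client reaches one or two relays at a modest rate; a bot
    sprays many MX hosts quickly. The thresholds are assumptions to tune.
    """
    flagged = []
    for src, s in stats.items():
        # Floor the window at one minute so a short burst is not divided
        # by a near-zero span and reported as an absurd rate.
        minutes = max((s["last"] - s["first"]) / 60.0, 1.0)
        rate = s["syns"] / minutes
        if rate > max_syns_per_min or len(s["dests"]) > max_dests:
            flagged.append((str(src), s["syns"], len(s["dests"]), round(rate, 1)))
    flagged.sort(key=lambda f: f[1], reverse=True)
    return flagged


if __name__ == "__main__":
    for host, syns, dests, rate in flag_spam_cannons(smtp_talkers(parse_syn_lines(SAMPLE_TSHARK_OUTPUT))):
        print(f"{host}: {syns} SMTP SYNs to {dests} hosts ({rate}/min)")
```

Running this against the constructed sample reports only 10.1.20.42. The two thresholds are deliberately separate: a host that trickles mail to many destinations over hours still stands out on distinct destinations, while a burst to a single relay stands out on rate. Whichever host it names, the next step is the one Karl describes, pulling it off the network and looking at what is actually on it.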
