[OPLINTECH] Another virus related spam issue, but a new solution

Phil Shirley pshirley at cuyahogafallslibrary.org
Thu May 7 09:23:26 EDT 2009


Using Wireshark to find a problem computer (and for other purposes) 
might be a good tech workshop for regionals and other organizations to 
present (I don't think it's already been done around here but I could be 
wrong).

Phil

Karl Jendretzky wrote:
> As far as I know the library from two weeks ago still hasn't found the 
> infected machine. I just see it poking at me every couple days, checking 
> to see if I'm willing to play again.
> 
> The machine from today is the only one on the offending ip address, but 
> the box isn't managed by the site, so we won't know what's actually on 
> there until the outside management gets back to us.
> 
> Once I know specifically what's hitting them, I'll try to give you 
> something special to look for. If you're already up to date on your 
> patches/definitions, and you've got measures in place to either restrict 
> user actions, or wipe out user changes on a regular basis, then the only 
> thing I would recommend is that you have some plan for finding a 
> misbehaving machine on the network. Even if it's just having a spanning 
> port setup and making yourself familiar with an app like Wireshark, not 
> having to scramble to learn the stuff when something is on fire will 
> save you some frustration. Even unsinkable ships need lifeboats. :)
> 
> Thanks,
>     Karl Jendretzky
>     Technology Project Manager
>     Ohio Public Library Information Network
>     jendreka at oplin.org
>     (614) 728-1515
> 
> 
> 
> Chad Neeper wrote:
>> Aside from perhaps selective egress blocking at the network perimeter 
>> firewall and keeping current on the virus definitions, is there 
>> anything else you'd like us to be doing at individual libraries to 
>> mitigate these problems?
>>
>> Chad
>>
>>
>> -----------------------
>> Chad Neeper
>> Senior Systems Engineer
>>
>> Level 9 Networks
>> 740-548-8070 (voice)
>> 866-214-6607 (fax)
>>
>> --   Full LAN/WAN consulting services   --
>> -- Specialized in libraries and schools --
>>
>>
>>
>> Karl Jendretzky wrote:
>>> All,
>>>     I was greeted this morning with yet another infected library 
>>> machine using the OPLIN mail server as a spam cannon. I've already 
>>> spoken to the library, and if any details come up that could be 
>>> useful to the group, we'll let you know.
>>>
>>> With increased virus activity out in the libraries, I'm trying to 
>>> find the best way to lock down our services, while still providing 
>>> access for library staff. At this point I think the best way for me 
>>> to prevent exploits like this, while still allowing libraries to use 
>>> our server as a relay for their ILS notices, is by allowing relaying 
>>> based partly off of the "from" address.
>>>
>>> If you are using the OPLIN mail server as a relay, and the mail is 
>>> coming from an email address that isn't @oplin.org, I need you to 
>>> shoot either myself, or OPLIN support an email letting us know what 
>>> address, or at least domain the emails are coming from. My thought is 
>>> that going this direction, I can stop the phishing emails, while not 
>>> requiring anyone in the network to reconfigure their ILS setup.
>>>
>>> If you have any questions, feel free to contact me.
>>>

-- 

Phil Shirley
Technology Services Coordinator
Cuyahoga Falls Library
Cuyahoga Falls, Ohio
330-928-2117, ext. 109
pshirley at CuyahogaFallsLibrary dot org
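One way to turn the span-port-plus-Wireshark plan from the thread into a repeatable check, as an added example that is not code from the original posts or from OPLIN: it reads a tshark field export of SYN packets to port 25 and ranks LAN hosts by how many SMTP sessions they open, to how many servers, and how fast. The tshark command in the comment, the 10.0.0.0/8 LAN range and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of tab-separated rows as produced by (assumed command):
#   tshark -r span.pcap -Y 'tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.dstport==25' \
#          -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
SAMPLE_LINES = """\
1241700000.10\t10.1.5.23\t192.0.2.25\t25
1241700000.40\t10.1.5.23\t192.0.2.25\t25
1241700000.90\t10.1.5.23\t198.51.100.7\t25
1241700001.20\t10.1.5.23\t203.0.113.9\t25
1241700001.70\t10.1.5.23\t192.0.2.25\t25
1241700002.00\t10.1.5.23\t198.51.100.8\t25
1241700060.00\t10.1.5.40\t192.0.2.25\t25
1241700500.00\t10.1.5.40\t192.0.2.25\t25
1241700900.00\t203.0.113.50\t192.0.2.25\t25
"""

def parse_syn_rows(text):
    """Parse tshark rows into (time, src, dst, port); malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 4:
            continue
        try:
            rows.append((float(parts[0]), ip_address(parts[1]), ip_address(parts[2]), int(parts[3])))
        except ValueError:
            continue
    return rows

def rank_smtp_senders(rows, lan=ip_network("10.0.0.0/8"), min_syns=3):
    """Rank LAN hosts by SMTP SYNs (desc). A workstation opening many sessions to many
    servers in a burst is the spam-cannon pattern; an ILS box sending notices through
    one relay shows a single destination at a low rate."""
    per_src = defaultdict(list)
    for t, src, dst, port in rows:
        if port == 25 and src in lan:          # only internal sources matter here
            per_src[src].append((t, dst))
    report = []
    for src, hits in per_src.items():
        if len(hits) < min_syns:
            continue
        times, peak, j = sorted(t for t, _ in hits), 0, 0
        for i, t in enumerate(times):          # peak SYNs in any 60 s sliding window
            while times[j] < t - 60:
                j += 1
            peak = max(peak, i - j + 1)
        report.append({"src": str(src), "syns": len(hits),
                       "distinct_dst": len({d for _, d in hits}), "peak_per_min": peak})
    return sorted(report, key=lambda r: r["syns"], reverse=True)

if __name__ == "__main__":
    for r in rank_smtp_senders(parse_syn_rows(SAMPLE_LINES)):
        print(r)
```

The top entry is the host to pull off the network first; a legitimate notice server can be whitelisted by raising min_syns or filtering on its address.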
