[OPLINTECH] Another virus related spam issue, but a new solution

Chad Neeper (list) cneeper at level9networks.com
Thu May 7 14:38:32 EDT 2009


I don't know if classes on network security have been done at this level 
before, but since it's an advanced topic, I'd suggest that attendees for 
packet tracing (Wireshark) first have a working knowledge of network 
protocols. Perhaps they could go hand-in-hand in the same class, but not 
for the faint of heart! You may have some difficulties trying to cram 
everything into a single 6-8 hr session!

The SANS Institute (http://www.sans.org) is a valuable 
resource and, to the best of my knowledge, is the #1 network security 
training organization. I believe they provide online and in-person 
training sessions throughout the country, occasionally even in Columbus 
or Dayton. Might be worth a look, for those interested.

Chad

-----------------------
Chad Neeper
Senior Systems Engineer

Level 9 Networks
740-548-8070 (voice)
866-214-6607 (fax)

--   Full LAN/WAN consulting services   --
-- Specialized in libraries and schools --



Mary Leffler wrote:
> I think a workshop is a great idea!  I will start looking into having a
> workshop on this topic.  If any of you are interested in this topic, please
> reply off-list and I will contact you when we have a workshop ready to
> launch.
>
> Mary Leffler
> ------------------------------------
> Southeast Regional Library System (SERLS)
> Executive Director
> dirserls at oplin.org
> 252 W. 13th St.
> Wellston, OH 45692
> tel: (740) 384-2103 x5
> fax: (740) 384-2106
> http://www.serls.org/
> ------------------------------------
>
>
> -----Original Message-----
> From: oplintech-bounces at oplin.org [mailto:oplintech-bounces at oplin.org] On
> Behalf Of Phil Shirley
> Sent: Thursday, May 07, 2009 9:23 AM
> To: oplintech at oplin.org
> Subject: Re: [OPLINTECH] Another virus related spam issue, but a new
> solution
>
> Using Wireshark to find a problem computer (and for other purposes) 
> might be a good tech workshop for regionals and other organizations to 
> present (I don't think it's already been done around here but I could be 
> wrong).
>
> Phil
>
> Karl Jendretzky wrote:
>   
>> As far as I know the library from two weeks ago still hasn't found the 
>> infected machine. I just see it poking at me every couple days, checking 
>> to see if I'm willing to play again.
>>
>> The machine from today is the only one on the offending ip address, but 
>> the box isn't managed by the site, so we won't know what's actually on 
>> there until the outside management gets back to us.
>>
>> Once I know specifically what's hitting them, I'll try to give you 
>> something special to look for. If you're already up to date on your 
>> patches/definitions, and you've got measures in place to either restrict 
>> user actions, or wipe out user changes on a regular basis, then the only 
>> thing I would recommend is that you have some plan for finding a 
>> misbehaving machine on the network. Even if it's just having a spanning 
>> port setup and making yourself familiar with an app like Wireshark, not 
>> having to scramble to learn the stuff when something is on fire will 
>> save you some frustration. Even unsinkable ships need lifeboats. :)
>>
>> Thanks,
>>     Karl Jendretzky
>>     Technology Project Manager
>>     Ohio Public Library Information Network
>>     jendreka at oplin.org
>>     (614) 728-1515
>>
>>
>>
>> Chad Neeper wrote:
>>     
>>> Aside from perhaps selective egress blocking at the network perimeter 
>>> firewall and keeping current on the virus definitions, is there 
>>> anything else you'd like us to be doing at individual libraries to 
>>> mitigate these problems?
>>>
>>> Chad
>>>
>>>
>>> -----------------------
>>> Chad Neeper
>>> Senior Systems Engineer
>>>
>>> Level 9 Networks
>>> 740-548-8070 (voice)
>>> 866-214-6607 (fax)
>>>
>>> --   Full LAN/WAN consulting services   --
>>> -- Specialized in libraries and schools --
>>>
>>>
>>>
>>> Karl Jendretzky wrote:
>>>       
>>>> All,
>>>>     I was greeted this morning with yet another infected library 
>>>> machine using the OPLIN mail server as a spam cannon. I've already 
>>>> spoken to the library, and if any details come up that could be 
>>>> useful to the group, we'll let you know.
>>>>
>>>> With increased virus activity out in the libraries, I'm trying to 
>>>> find the best way to lock down our services, while still providing 
>>>> access for library staff. At this point I think the best way for me 
>>>> to prevent exploits like this, while still allowing libraries to use 
>>>> our server as a relay for their ILS notices, is by allowing relaying 
>>>> based partly off of the "from" address.
>>>>
>>>> If you are using the OPLIN mail server as a relay, and the mail is 
>>>> coming from an email address that isn't @oplin.org, I need you to 
>>>> shoot either myself, or OPLIN support an email letting us know what 
>>>> address, or at least domain the emails are coming from. My thought is 
>>>> that going this direction, I can stop the phishing emails, while not 
>>>> requiring anyone in the network to reconfigure their ILS setup.
>>>>
>>>> If you have any questions, feel free to contact me.
>>>>
>>>>   
>>>>         
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> OPLINTECH mailing list
>>> OPLINTECH at oplin.org
>>> http://mail.oplin.org/mailman/listinfo/oplintech
>>> Search: http://oplin.org/techsearch
>>>   
>>>       
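The "spanning port plus Wireshark" plan Karl recommends above, worked through as an added example that is not code from this thread or from OPLIN: a small script that reads a per-packet summary such as `tshark -r capture.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst -e tcp.dstport` would export from a span-port capture, and reports which internal machine is pushing the most SMTP traffic. The sample lines, the 10.0.0.0/8 LAN range and the alert threshold are constructed assumptions for the example.

```python
"""Find the machine that is blasting SMTP from a span-port capture summary.

Added example, not from the OPLINTECH thread or from OPLIN. Input rows are
constructed to resemble 'relative-time src-ip dst-ip tcp-dst-port' lines as
exported with tshark -T fields; the LAN range and threshold are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/8")   # assumed internal address range
SMTP_PORTS = {25, 465, 587}      # relay and submission ports worth watching

# Constructed sample: 10.1.1.20 sends two normal messages through the
# library's relay (10.1.1.5); 10.1.1.77 opens connections to many outside
# mail servers in a fraction of a second; 10.1.1.40 is ordinary web traffic.
SAMPLE_LINES = """\
0.000 10.1.1.20 10.1.1.5 25
0.120 10.1.1.20 10.1.1.5 25
0.300 10.1.1.40 198.51.100.7 443
0.410 10.1.1.77 192.0.2.10 25
0.420 10.1.1.77 192.0.2.11 25
0.430 10.1.1.77 192.0.2.12 25
0.440 10.1.1.77 192.0.2.13 25
0.450 10.1.1.77 192.0.2.14 25
0.460 10.1.1.77 192.0.2.15 25
0.470 10.1.1.77 192.0.2.16 587
0.900 198.51.100.7 10.1.1.40 443
"""


def parse_lines(text):
    """Parse 'time src dst dstport' rows; skip blank or malformed rows
    (a non-TCP packet leaves the port field empty in tshark output)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        t, src, dst, port = parts
        try:
            records.append((float(t), src, dst, int(port)))
        except ValueError:
            continue
    return records


def smtp_stats(records):
    """Per LAN source address: SMTP packet count and distinct destinations."""
    stats = defaultdict(lambda: {"packets": 0, "dests": set()})
    for _, src, dst, port in records:
        if port not in SMTP_PORTS or ip_address(src) not in LAN:
            continue
        stats[src]["packets"] += 1
        stats[src]["dests"].add(dst)
    return dict(stats)


def suspicious_hosts(records, min_packets=5):
    """Return (source, smtp_packets, distinct_destinations) for every LAN
    host at or above the packet threshold, busiest-looking sorted first by
    address. A bot relaying through one server shows up on the count alone;
    one delivering directly also shows a large destination count."""
    flagged = [(src, s["packets"], len(s["dests"]))
               for src, s in smtp_stats(records).items()
               if s["packets"] >= min_packets]
    return sorted(flagged)


if __name__ == "__main__":
    for src, packets, dests in suspicious_hosts(parse_lines(SAMPLE_LINES)):
        print("%s: %d SMTP packets to %d destinations" % (src, packets, dests))
```

Once a host is flagged, the equivalent Wireshark display filter to pull up only its mail traffic is `ip.src == 10.1.1.77 && tcp.port == 25`. The threshold needs tuning against a quiet-day baseline: a library's ILS notice run will also produce a burst of SMTP packets, but to the one relay it is configured for, so the destination count is what separates it from a machine talking to dozens of mail servers.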
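Karl's relay idea at the bottom of the thread (permit relaying partly on the basis of the "from" address, with libraries registering the address or domain their ILS sends from) as an added example that is not OPLIN's mail configuration. The registry contents are constructed, and tying the sender check to the client's source network is an assumption of this example, not something the thread specifies.

```python
"""Relay decision combining client network with a registered sender.

Added example modelling the policy described in the thread; not OPLIN's
actual mail server configuration. Networks, addresses and domains below are
constructed, and pairing the sender check with the client's source network
is an assumption of this example.
"""
from ipaddress import ip_address, ip_network

# Accepted from any registered library network; per the thread, @oplin.org
# senders do not need to be registered separately.
DEFAULT_ALLOWED = {"@oplin.org"}

# Constructed registry: library network -> extra senders that library
# reported. An entry starting with '@' allows a whole domain; otherwise it
# must match the exact address (e.g. the one address an ILS sends from).
REGISTRY = {
    ip_network("10.1.0.0/16"): {"notices@examplelib.example"},
    ip_network("10.2.0.0/16"): {"@anotherlib.example"},
}


def normalize(mail_from):
    """Lower-case the envelope sender and strip surrounding angle brackets."""
    return mail_from.strip().strip("<>").lower()


def sender_allowed(mail_from, allowed):
    """True if the exact address or its '@domain' is in the allowed set."""
    addr = normalize(mail_from)
    if addr.count("@") != 1:
        return False
    domain = "@" + addr.split("@")[1]
    return addr in allowed or domain in allowed


def relay_decision(client_ip, mail_from):
    """Return ('OK' | 'REJECT', reason) for one relay attempt."""
    ip = ip_address(client_ip)
    for net, extra in REGISTRY.items():
        if ip in net:
            if sender_allowed(mail_from, DEFAULT_ALLOWED | extra):
                return ("OK", "registered sender from %s" % net)
            return ("REJECT", "sender %s not registered for %s"
                    % (normalize(mail_from), net))
    return ("REJECT", "client %s not in a registered library network" % ip)


if __name__ == "__main__":
    for ip, sender in [("10.1.5.9", "notices@examplelib.example"),
                       ("10.1.5.9", "spam@freemail.example"),
                       ("203.0.113.4", "someone@oplin.org")]:
        print(ip, sender, "->", relay_decision(ip, sender))
```

The "from" address alone is trivially forged by a spam bot, which is why the example only consults it after the client has matched a known library network. The rejects are also worth logging with the client address: a run of rejected relay attempts from one IP is exactly the pointer to the infected machine that the rest of the thread is looking for.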