[OPLINTECH] Another virus related spam issue, but a new solution

Mary Leffler dirserls at oplin.org
Fri May 8 11:19:42 EDT 2009


I agree with Chad that starter/refresher courses on network protocols would be a great place to start before taking a Wireshark course.  WebJunction Ohio has self-paced courses available in the following networking areas (and many other topics) that would be good preparation.  Thanks to the State Library of Ohio, you can take a lot of these courses at no charge.  Here are the general networking courses listed:

Designing and Maintaining LDAP Directory Services
IP Addressing and Subnetting
Implementing Quality of Service
Introduction to Signals and Signal Transmission
AN Technologies
Managing and Troubleshooting Network Protocols and Operating System Performance
Network Troubleshooting
The Fundamentals of Networking
WANs and Remote Connectivity


To get started, you need to create a WebJunction account.  Your account request will be reviewed, and your affiliation as an Ohio Library will be assessed, and when your Ohio library connection is confirmed you will be authorized to take the courses.  If you have any questions regarding WebJunction, feel free to contact me at dirserls at oplin.org (Phone 800-759-1537 x5) or contact Marsha McDevitt-Stredney at the State Library at marshams at sloma.state.oh.us (Phone 614-644-6875).


Mary K. Leffler
Executive Director 
Southeast Regional Library System (SERLS)
252 W. 13th St.
Wellston, OH 45692 
dirserls at oplin.org
http://www.serls.org/ 
tel: (740) 384-2103 x5
fax: (740) 384-2106






From: oplintech-bounces at oplin.org [mailto:oplintech-bounces at oplin.org] On Behalf Of Chad Neeper (list)
Sent: Thursday, May 07, 2009 2:39 PM
To: oplintech at oplin.org
Subject: Re: [OPLINTECH] Another virus related spam issue, but a new solution

I don't know if classes on network security have been done at this level before, but since it's an advanced topic, I'd suggest that attendees for packet tracing (Wireshark) first have a working knowledge of network protocols. Perhaps they could go hand-in-hand in the same class, but not for the faint of heart! You may have some difficulties trying to cram everything into a single 6-8 hr session!

The SANS Institute (http://www.sans.org) is a valuable resource and, to the best of my knowledge, is the #1 network security training organization. I believe they provide online and in-person training sessions throughout the country, occasionally even in Columbus or Dayton. Might be worth a look, for those interested.

Chad
-----------------------
Chad Neeper
Senior Systems Engineer

Level 9 Networks
740-548-8070 (voice)
866-214-6607 (fax)

--   Full LAN/WAN consulting services   --
-- Specialized in libraries and schools --


Mary Leffler wrote: 
I think a workshop is a great idea!  I will start looking into having a
workshop on this topic.  If any of you are interested in this topic, please
reply off-list and I will contact you when we have a workshop ready to
launch.

Mary Leffler
------------------------------------
Southeast Regional Library System (SERLS)
Executive Director
dirserls at oplin.org
252 W. 13th St.
Wellston, OH 45692
tel: (740) 384-2103 x5
fax: (740) 384-2106
http://www.serls.org/
------------------------------------


-----Original Message-----
From: oplintech-bounces at oplin.org [mailto:oplintech-bounces at oplin.org] On
Behalf Of Phil Shirley
Sent: Thursday, May 07, 2009 9:23 AM
To: oplintech at oplin.org
Subject: Re: [OPLINTECH] Another virus related spam issue, but a new
solution

Using Wireshark to find a problem computer (and for other purposes) 
might be a good tech workshop for regionals and other organizations to 
present (I don't think it's already been done around here but I could be 
wrong).

Phil

Karl Jendretzky wrote:
  
As far as I know the library from two weeks ago still hasn't found the 
infected machine. I just see it poking at me every couple days, checking 
to see if I'm willing to play again.

The machine from today is the only one on the offending IP address, but 
the box isn't managed by the site, so we won't know what's actually on 
there until the outside management gets back to us.

Once I know specifically what's hitting them, I'll try to give you 
something special to look for. If you're already up to date on your 
patches/definitions, and you've got measures in place to either restrict 
user actions, or wipe out user changes on a regular basis, then the only 
thing I would recommend is that you have some plan for finding a 
misbehaving machine on the network. Even if it's just having a spanning 
port set up and making yourself familiar with an app like Wireshark, not 
having to scramble to learn the stuff when something is on fire will 
save you some frustration. Even unsinkable ships need lifeboats. :)

Thanks,
    Karl Jendretzky
    Technology Project Manager
    Ohio Public Library Information Network
    jendreka at oplin.org
    (614) 728-1515



Chad Neeper wrote:
    
Aside from perhaps selective egress blocking at the network perimeter 
firewall and keeping current on the virus definitions, is there 
anything else you'd like us to be doing at individual libraries to 
mitigate these problems?

Chad


-----------------------
Chad Neeper
Senior Systems Engineer

Level 9 Networks
740-548-8070 (voice)
866-214-6607 (fax)

--   Full LAN/WAN consulting services   --
-- Specialized in libraries and schools --



Karl Jendretzky wrote:
      
All,
    I was greeted this morning with yet another infected library 
machine using the OPLIN mail server as a spam cannon. I've already 
spoken to the library, and if any details come up that could be 
useful to the group, we'll let you know.

With increased virus activity out in the libraries, I'm trying to 
find the best way to lock down our services, while still providing 
access for library staff. At this point I think the best way for me 
to prevent exploits like this, while still allowing libraries to use 
our server as a relay for their ILS notices, is by allowing relaying 
based partly off of the "from" address.

If you are using the OPLIN mail server as a relay, and the mail is 
coming from an email address that isn't @oplin.org, I need you to 
shoot either myself, or OPLIN support an email letting us know what 
address, or at least domain the emails are coming from. My thought is 
that going this direction, I can stop the phishing emails, while not 
requiring anyone in the network to reconfigure their ILS setup.

If you have any questions, feel free to contact me.

  
        
------------------------------------------------------------------------

_______________________________________________
OPLINTECH mailing list
OPLINTECH at oplin.org
http://mail.oplin.org/mailman/listinfo/oplintech
Search: http://oplin.org/techsearch
  
      