[Samba] [OT] SPAM

Erik Soderquist esoderquist at mcstamp.com
Wed Oct 15 16:18:51 GMT 2003

I've been watching this thread with amusement. On one side, I see people
with calm collected reasoning explaining how email works, how lists
work, etc. and on the other side, I see rash, overzealous people who A.)
don't want to admit that they have been doing something that most
intelligent users know they shouldn't (use a critical email address for
list subscriptions) regardless of past success of failure (Russian
roulette is a fun game, until you win . . .), and B.) seem to want to
yell at someone other than themselves to vent their frustration at
winning the roulette game. I also run my own mail server with antiviral
filtering on it, and can look up the daily virus volume if anyone is
interested. I have a strong understanding of how these email worms
(technically, these are worms, not viruses) work and can pretty much
guarantee that the Swen worm (the one currently blasting email
addresses) does NOT read newsgroups looking for email addresses.
Outlook, however, will add email addresses from newsgroup postings to
the address book (depending on configuration). The worm will then post
itself to any news servers configured on the infected computer, email
itself to every email address it finds in the address book and inbox
(and probably other email folders) on the computer, and send itself to
any IRC contacts stored on the computer. If the worm finds Kazaa
installed, it will send itself out through Kazaa as well. It will also
search all mapped network drives for Windows Startup folders and drops a
copy of itself in any startup folders it finds. It will also try to
trick the user into supplying login information for the user's email
account. If it succeeds, it will scan the inbox for additional email
addresses and delete any copies of itself that it sent. This information
is not needed for propagation since the worm has its own SMTP engine
(mail server, for those who don't recognize the correct terms) and will
have already sent out at least one copy of itself to every email address
it found. Changes to the way this list is handled would reduce the
usability of this list. I, for one, would rather delete 
1000+ copies of a virus a day for a few months (the average life cycle
of these worms) than reduce the usability of such a useful list
(usefulness is subjective, if you consider the price too high, don't use
it) by any degree. Also, I have examined the headers of several of the
copies of the Swen worm and not one of them has originated from the IP's
of the samba.org servers. This, admittedly, is not a perfect test as
there have been far more copies than I have actually looked at, though
so far, all of the copies I have examined have come from dynamic IP
ranges (generally, dialup or home broadband), not through regular
servers. It would seem then, that the list itself is safe, and only by
damaging usability could we reduce (reduce, mind, not eliminate) this
temporary inconvenience. Sounds rather like cutting off my nose to spite
my face, not a course of action I would recommend. :) 

  Just my (rather stretched) two cents.
  Erik Soderquist


More information about the samba mailing list