Ahh... But the beauty of it is that you can reference the IP address against DHCP logs or RADIUS logs or a list of static IP addresses and find the person really infected. I think as virus writers get more creative, the IP address will help more and more. I guess it really depends on how you're handling it from an administrative point.
Been there, done that. I went through messages in the quarantine directory and picked out IP addresses and stopped quite a few Klez infections that way. It has merit.

I would venture to say that one could write a script that parsed the date/time/IP out and cross-referenced that against DHCP leases/RADIUS logs/?? to determine who the real sending user was and email them directly that way. Obviously you don't know when to do it and when not to, so it's a feature that's either on or off. Maybe that could be an option in QS: a way to look up the notify email externally and expose some data either via arguments or environment variables. Then, an external program could do the lookup. I could see how it would be beneficial.

Currently all my vpopmail and RADIUS users are stored in PostgreSQL. SQL logging was having some problems, so I'm logging to detail files right now. But once I switch over to SQL logging, I could easily run a script to see what user is currently logged into a particular IP address, or last logged into that address, and use them as the one to reply to. I don't think DHCP supports SQL logging, but it wouldn't be terribly difficult to write a similar script that went through the dhcpd.leases file and pulled the "client-hostname" and did a lookup on that. Of course, that assumes you force "valid" client hostnames and don't just let users pick.

I think on Monday and Tuesday I stopped over 1000 W32/Klez mails! The IP address helps. I didn't go after every user, but did look up a few who called, plus one company user (an old machine that hadn't got the new Norton Corporate on it yet). Needless to say, I turned off sender notification due to political pressure from the bosses. I say let it notify falsely. If nothing else, it makes the user aware that a new virus is floating around and makes them think and hopefully update their antivirus software. Unfortunately, it does generate support calls from grandma/grandpa and users who just don't understand the message.
Just some thoughts.

Charles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason Haar
Sent: Thursday, May 02, 2002 2:12 PM
To: [EMAIL PROTECTED]
Subject: Re: [Qmail-scanner-general]Klez

On Thu, May 02, 2002 at 11:22:59AM -0700, Surly Zek wrote:
> adding the source
> ip for people to use when troubleshooting has been
> saving many people many headaches.

How? I'm glad you have found your own solution; however, it really only deals with Klez. There is no one "right" way of dealing with this. At the end of the day, the virus writer can do absolutely anything they want with the Email they generate - any scanning system (like Q-S) can only act on what it is presented with.

--
Cheers

Jason Haar
Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417

_______________________________________________________________
Have big pipes? SourceForge.net is looking for download mirrors. We supply the hardware. You get the recognition. Email Us: [EMAIL PROTECTED]
_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
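The lookup half of the script Charles describes, as an added example that is not code from this thread or from Qmail-scanner: it parses the ISC dhcpd.leases format and returns the MAC and "client-hostname" of the lease that covered a source IP at the time the quarantined message arrived. The lease file contents are constructed; dhcpd.leases timestamps are UTC, so the message time must be converted to UTC before the lookup, and because the file is append-only the last matching record wins.

```python
import re
from datetime import datetime
# Constructed sample of an ISC dhcpd.leases file (timestamps are UTC); 10.0.0.20 changes hands at 20:00.
SAMPLE_LEASES = """\
lease 10.0.0.20 {
  starts 4 2002/05/02 14:00:00;
  ends 4 2002/05/02 20:00:00;
  hardware ethernet 00:a0:c9:11:22:33;
  client-hostname "ws-acct-07";
}
lease 10.0.0.20 {
  starts 4 2002/05/02 20:00:00;
  ends 4 2002/05/03 02:00:00;
  hardware ethernet 00:50:da:44:55:66;
  client-hostname "laptop-guest";
}
lease 10.0.0.21 {
  starts 4 2002/05/02 14:00:00;
  ends never;
  hardware ethernet 00:50:da:77:88:99;
}
"""
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
FIELD_RE = re.compile(r"^\s*(starts|ends|hardware ethernet|client-hostname)\s+(.*?);", re.M)
TS_FMT = "%Y/%m/%d %H:%M:%S"  # what follows the leading weekday number

def parse_leases(text):
    """Return lease records in file order; dhcpd appends, so later records supersede earlier ones."""
    leases = []
    for ip, body in LEASE_RE.findall(text):
        rec = {"ip": ip, "starts": None, "ends": None, "mac": None, "hostname": None}
        for key, val in FIELD_RE.findall(body):
            if key in ("starts", "ends"):
                # "<weekday> YYYY/MM/DD HH:MM:SS", or "never" for an infinite lease
                rec[key] = None if val == "never" else datetime.strptime(val.split(" ", 1)[1], TS_FMT)
            elif key == "hardware ethernet":
                rec["mac"] = val.lower()
            else:
                rec["hostname"] = val.strip('"')  # client-supplied, so trust the MAC first
        leases.append(rec)
    return leases

def lease_holder(leases, ip, when):
    """Return (mac, hostname) for the lease covering ip at UTC time `when`, or None if no lease did."""
    match = None
    for rec in leases:
        if rec["ip"] != ip or rec["starts"] is None or when < rec["starts"]:
            continue
        if rec["ends"] is None or when < rec["ends"]:
            match = rec  # keep scanning: a later record for the same IP wins
    return None if match is None else (match["mac"], match["hostname"])
```

A client that sent no hostname (10.0.0.21 above) still yields its MAC, which is the value to key the notification on when users choose their own hostnames.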