[44812] in North American Network Operators' Group
Re: "Cisco Release Of Goner Worm Raises Eyebrows" (Newsbytes)
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Sat Dec 15 00:55:51 2001
Message-Id: <200112150554.fBF5se3Q026470@foo-bar-baz.cc.vt.edu>
To: Hermann Wecke <hermann@rodeios.com>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Sat, 15 Dec 2001 03:11:29 GMT."
<Pine.LNX.4.33.0112150301020.4614-100000@mail.hermann.com.br>
From: Valdis.Kletnieks@vt.edu
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_1094605568P";
micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Sat, 15 Dec 2001 00:54:40 -0500
Errors-To: owner-nanog-outgoing@merit.edu
--==_Exmh_1094605568P
Content-Type: text/plain; charset=us-ascii
On Sat, 15 Dec 2001 03:11:29 GMT, Hermann Wecke <hermann@rodeios.com> said:
> isn't it easier to stick a procmail recipe into the NANOG mail system
> dropping double extension files and other highly dangerous extensions,
> such as .scr, .lnk, .com, .dll, .pif and others???
Well.. that's closer than trying to restrict it based on size.
It's still wrong though, because the filtering *should* be done based on
the MIME type. Of course, the whole *problem* here is that malware is
able to wave its little digital arms, hop up and down, and say:
"I'm a text/plain called whoops.exe - of course it's safe to run me,
who ever heard of a malicious text/plain?!"
Personally, I'd recommend a controlled burn, except that we've been having one
every 2 weeks already.
--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
--==_Exmh_1094605568P
Content-Type: application/pgp-signature
--==_Exmh_1094605568P--
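An added example, not part of the original message or of any NANOG list configuration: a Python check that compares each attachment's declared MIME type with its filename, so a part labelled text/plain but named whoops.exe is flagged along with double-extension names. The `INERT_TYPES` and `DECOY_EXT` sets, the function name and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from pathlib import PurePosixPath

# Extensions named in the thread, plus .exe from the reply's example.
RISKY_EXT = {".scr", ".lnk", ".com", ".dll", ".pif", ".exe"}
INERT_TYPES = {"text/plain", "text/html"}     # assumed "looks harmless" types
DECOY_EXT = {".txt", ".doc", ".jpg", ".gif"}  # assumed decoy inner extensions

def audit_attachments(raw: bytes):
    """Return [(filename, declared_type, [reasons])] for suspicious parts."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        name = part.get_filename()  # Content-Disposition, else Content-Type name=
        if part.is_multipart() or not name:
            continue
        ctype = part.get_content_type()
        suffixes = [s.lower() for s in PurePosixPath(name.strip()).suffixes]
        if not suffixes or suffixes[-1] not in RISKY_EXT:
            continue
        reasons = ["risky-extension"]
        if ctype in INERT_TYPES:  # the label says "text", the name says "run me"
            reasons.append("type-extension-mismatch")
        if len(suffixes) > 1 and suffixes[-2] in DECOY_EXT:
            reasons.append("double-extension")
        findings.append((name, ctype, reasons))
    return findings

# Constructed sample message (not from the thread); payloads are placeholders.
SAMPLE = b"""\
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain; name="whoops.exe"
Content-Disposition: attachment; filename="whoops.exe"

placeholder
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="report.txt.pif"

placeholder
--BOUND
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

placeholder
--BOUND--
"""
print(audit_attachments(SAMPLE))
```

Both checks rely only on what the sender declared; neither inspects the attachment's bytes.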