Security Incidents mailing list archives

Re: Tracking SirCam


From: woods () weird com (Greg A. Woods)
Date: Wed, 25 Jul 2001 15:28:11 -0400 (EDT)

[ On Wednesday, July 25, 2001 at 10:49:05 (-0600), Peter Krawczyk wrote: ]
Subject: Tracking SirCam

This may help those of you who want to filter on headers and not on
message body.

  From an SMTP point of view the headers are part of the body.  The
savings over filtering just the headers, vs. filtering up to at least
the second MIME part in this case, is virtually nonexistent on any
kind of modern hardware.

(BTW, I seriously doubt any of the so-called experts who have been
commenting on the relative impact of this worm compared to others before it
-- so far it's by far the worst I've ever seen, either in my own
inbox, or in the way it's affected mail servers, particularly at ISPs.
I personally know of at least several hundred or so infected machines,
and yet one of the comments I read on CNet suggested only 7,100 total
had been reported so far.  Obviously not many of the infected hosts are
being reported yet.  I think its impact has partly to do with the
average size of the attached file (>150KB it seems), and partly to do
with the social engineering aspect.  It seems very successful at getting
people to open it, and once going it often sends multiple random files
over and over again.)

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>     <woods () robohack ca>
Planix, Inc. <woods () planix com>;   Secrets of the Weird <woods () weird com>
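As an added illustration of the point made in the message above (example code written for this page, not taken from the original post nor from any filter the author ran): a small Python scanner that consumes an SMTP DATA stream line by line, the way a content filter would, and stops as soon as the headers of the second MIME part have been read. It reports how many bytes a header-only check needs, how many the scan-to-second-part check needs, and how big the whole message is. The sample message, the addresses, the boundary string and the attachment name are all constructed placeholders, and nothing in it is a SirCam signature; the attachment size defaults to 150 KB only to match the figure quoted in the post.

```python
import base64
import re

# Matches the boundary parameter of a multipart Content-Type header.
BOUNDARY_RE = re.compile(rb'boundary="?([^";\s]+)"?', re.IGNORECASE)


def build_sample_message(attachment_size: int = 150 * 1024) -> bytes:
    """Constructed sample (not a real worm mail): a short text part followed
    by a large base64 attachment. Addresses, subject, boundary and file name
    are placeholders chosen for this example."""
    boundary = "----=_Part_0001"
    payload = base64.encodebytes(bytes(attachment_size)).replace(b"\n", b"\r\n")
    head = (
        "From: sender@example.invalid\r\n"
        "To: recipient@example.invalid\r\n"
        "Subject: see attached\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n'
        "\r\n"
        "This is a multi-part message in MIME format.\r\n"
        f"--{boundary}\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "Content-Transfer-Encoding: 7bit\r\n"
        "\r\n"
        "Please look at the attached file.\r\n"
        "\r\n"
        f"--{boundary}\r\n"
        'Content-Type: application/octet-stream; name="report.zip"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="report.zip"\r\n'
        "\r\n"
    ).encode("ascii")
    tail = f"\r\n--{boundary}--\r\n".encode("ascii")
    return head + payload + tail


def parse_headers(lines):
    """Fold RFC 822 continuation lines and return {lower-cased name: value}."""
    headers = {}
    name = None
    for line in lines:
        text = line.rstrip(b"\r\n")
        if text[:1] in (b" ", b"\t") and name is not None:
            headers[name] += b" " + text.strip()   # continuation line
            continue
        if b":" not in text:
            continue                                # malformed line, skip it
        raw_name, value = text.split(b":", 1)
        name = raw_name.strip().lower().decode("ascii", "replace")
        headers[name] = value.strip()
    return headers


def scan_to_second_part(raw: bytes) -> dict:
    """Walk the DATA stream line by line and stop once the headers of the
    second MIME part are complete. Returns the parsed headers plus byte
    counts for a header-only check, this check, and the whole message."""
    consumed = 0
    header_lines, part_lines, parts = [], [], []
    top_headers, boundary, header_bytes = {}, None, None
    state = "headers"
    for line in raw.splitlines(keepends=True):
        consumed += len(line)
        if state == "headers":
            if line.strip():
                header_lines.append(line)
                continue
            top_headers = parse_headers(header_lines)   # blank line: end of headers
            header_bytes = consumed
            match = BOUNDARY_RE.search(top_headers.get("content-type", b""))
            if not match:
                break                  # not multipart: nothing further to wait for
            boundary = b"--" + match.group(1)
            state = "body"
        elif state == "body":          # preamble or a part body: skip to a boundary
            stripped = line.rstrip(b"\r\n")
            if stripped == boundary + b"--":
                break                  # closing boundary, fewer than two parts
            if stripped == boundary:
                part_lines, state = [], "part-headers"
        elif state == "part-headers":
            if line.strip():
                part_lines.append(line)
                continue
            parts.append(parse_headers(part_lines))
            if len(parts) == 2:
                break                  # second part's headers seen: stop reading
            state = "body"
    return {
        "top_headers": top_headers,
        "parts": parts,
        "header_bytes": header_bytes if header_bytes is not None else consumed,
        "scanned_bytes": consumed,
        "total_bytes": len(raw),
    }


if __name__ == "__main__":
    summary = scan_to_second_part(build_sample_message())
    print("header-only check reads :", summary["header_bytes"], "bytes")
    print("scan to second part reads:", summary["scanned_bytes"], "bytes")
    print("whole message is         :", summary["total_bytes"], "bytes")
    print("second part headers      :", summary["parts"][1])
```

On the constructed message the scan stops a few hundred bytes after the header block while the message itself is around 200 KB, which is the point of the post: a filter that looks at the second part's headers pays almost nothing over one that looks only at the top headers, and both have to sit through the same DATA transfer anyway. For a non-multipart message the scanner stops at the end of the header block, so the two costs are identical.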

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
