Eircom.net and SPAM...................!

Dinarius

The virus attachments, so called "Microsoft Security Updates" or "Microsoft Security Patches" or any other of the dozen or so guises that they come in, have now reached epidemic proportions.

A couple of months ago, I was receiving about three or four of these a day. I have just downloaded 120 emails (119 SPAM!) of which 27 were these MSF viruses!

I normally use a wireless broadband connection (in Brussels), but, here in Dublin, I only have a 56k (actually, about 38k and slowing!) dial-up connection.

With these "patches" or "updates" varying in size from 117kb to 159kb, in my experience, they massively increase the download time of email on a 56k connection.

Every six year old child, with a day's experience on the internet, knows that Microsoft NEVER! send anything via email. If they do email you, it will only be to direct you to their website.

It would be the simplest thing in the world for Eircom to set up a message rule which blocks any message with Microsoft in the subject or from lines AND including an attachment. This would kill this plague of SPAM while allowing through genuine MSFT correspondence.

Eircom are now the only major ISP in these islands who still haven't installed anti-spam software.

Dire!

Dinarius

Just found a solution.

I'm using Outlook 2002.

Tools/Send Receive Settings/...........Define Send Receive Groups/Edit

Then check the box which says, "Download only item description for items larger than.."

I've set it at 20Kb. Plenty for the average email.

Not sure if this can be done with earlier versions or with Outlook Express, but it probably can.

D.

jd

Originally posted by Dinarius


It would be the simplest thing in the world for Eircom to set up a message rule which blocks any message with Microsoft in the subject or from lines AND including an attachment. This would kill this plague of SPAM while allowing through genuine MSFT correspondence.

devil is in the detail..:)
what if someone in microsoft sends an eircomnet customer an atachment?..
actually a high proportion of this particular spam gets filtered..problem is any kind of mail filtering does mean the mail relays take a performance hit..

Dinarius

Read my post. ;-)

Micorsoft never send attachments with emails. They only direct you to their site.

If, say, someone in Microsoft in Sandyford sent you an email with an attachment (a private correspondence, for example) then it would have a genuine Microsoft email address. None of the spam viruses do.

I can't see any reason why this couldn't be set up.

D.

Nuphor

Dinarius is totally correct. Microsoft never EVER send attachments with emails. Even if it's something small, they upload it to their site instead.

jd

Originally posted by Nuphor
Dinarius is totally correct. Microsoft never EVER send attachments with emails. Even if it's something small, they upload it to their site instead.

actaully i did get doc attachments from someone in ms (twas a few years ago though) ..
you have to be very careful re false positives in situation like this.

Dinarius

jd,

Again, read my (last) post. ;-)

Any Eircom anit-virus message rule could simply allow through messages from genuine Microsofts addresses.

All the rest, the viruses, could be deleted.

D.

jesus_thats_gre

They do on occassion. What if an employee send you a personal email with an attachment for example?

Dinarius

Holy s***!!!

Do you people ever read before you post????!!!!!!

D.

;-)

dahamsta

Procmail rule for Gibe:

:0 HB:
* .*[url]http://www.microsoft.com/info/cpyright.htm.*[/url]
/path/to/quarantine

("Copyright" is spelt wrong in the footer. If you want to be sure, to be sure, you should probably add rules for size and possibly even a string in the executable, but this is catching everything for me. No false positives so far.)

jd

Originally posted by Dinarius
jd,

Again, read my (last) post. ;-)

Any Eircom anit-virus message rule could simply allow through messages from genuine Microsofts addresses.

All the rest, the viruses, could be deleted.

D.

How do you verify with 100% accuracy?
as I said a lot of these cviruses are caught..but it is non-trivial...

seamus

I think Dinarius, the point is that no matter what you filter out, you run the risk of deleting genuine email.

What if, not being able to locate a patch or update, someone gets their friend in Microsoft to email them the necessary patch?

Or even a non-Microsoft friend to email the patch with the subject line "Critical update patch from Microsoft"?

It's a rare one, but it's a possibility. The goal, when using filter software, is to filter out all the viruses, and deliver all the genuine mail.

Best would be (if possible) to filter messages by the source IP until the machine owner can verify they're virus-free. But that's a labour-intensive solution.

Frank Grimes

How would Eircom's mail server know if the email address is genuine?

Dinarius

Frank,

In the last week, I have received 11 emails from various parts of the Microsoft behemoth.

I have just opened them all, and the addresses ALL end in microsoft.com.

Eircom could set up this mail filter in a matter of minutes.

D.

Frank Grimes

As other people said, that could block legitimate emails too.

Dinarius

"What if, not being able to locate a patch or update, someone gets their friend in Microsoft to email them the necessary patch?"

If anything with an address ending in microsoft.com is allowed through, then any email containing an attachment would get through too.

Right?

All those MSFT spam patches and updates come from other addresses.

I really don't see this as a problem, but the alarming increase in those virus spams certainly is.

D.

seamus

If anything with an address ending in microsoft.com is allowed through, then any email containing an attachment would get through too.

Right?

All those MSFT spam patches and updates come from other addresses.

What about my other example?

I could certainly see myself emailing microsoft patches to my parents or non-tech friends, cos it's simpler than trying to walk them through it.

There are all sorts of crazy algorithms that use code from the virus itself as markers, and all sorts of other crazy confusing theoretical things that can be used to filter email. As jd said though, load on the server becomes high.

Filtering based on simple strings and simple regular expressions is fine and acceptable for a personal account where you can check your filtered mail, but for a major ISP, it just wouldn't be on. It takes a little more work to get it right.

Dinarius

Frank,

You may have a point. I'm no expert.

D. ;-)

Our man in Havana

Originally posted by Dinarius
Frank,

In the last week, I have received 11 emails from various parts of the Microsoft behemoth.

I have just opened them all, and the addresses ALL end in microsoft.com.

Eircom could set up this mail filter in a matter of minutes.

D.

Have you checked the reply to address on them?

Its the Duma in Moscow!

xxxx@duma.gov.ru

mneylon

The supposed MS emails with the attached executables are a virus. It first emerged a few weeks ago. Most of the emails are HTML heavy with a 'Microsoft' logo and details of a patch - which is attached to the mail.
Needless to say the patch is a virus and running it will make a lovely mess of your PC.

Solution:
1. Block all executables being downloaded via email.
2. Switch email provider

Valentia

They could close all tinet accounts for a start. That'd get rid of 99% of my spam!

& don't ask - I did ask but typically they can't do it :mad:

Krouc

Spam and eircom go hand in hand.
They have been banned by many operators because they were/are relaying spam. While there is no real 100% fix they could do a lot more. I have seen cases where people couldnt send emails to people abroad because of bans placed on Eircom.net. While it didnt effect a lot of customers it was still a problem. Eircom dont filter mail at all so you will get pretty much everything. (If they do filter its only a very recent thingy)

One other thing is that *some* people bring it on themselves placing their email everywhere to be harvested. Care on both ends is needed.

Krouc

mneylon

Unfortunately a lot of people do not realise how easy it is to harvest emails. A client of ours accused us of giving out their email address, and said that they had never used their email anywhere public. A quick search discovered that they had signed a number of guestbooks which revealed their address in it's full form...

Dinarius

Valentia wrote,

"They could close all tinet accounts for a start. That'd get rid of 99% of my spam!"

Indeed they could.

Typically, in true Irish fashion, they totally screwed up on the switchover from tinet.ie to eircom.net.

When I ask them about this, they told me that approximately 20,000 PRIVATE customers (anyone with a business changed over immediately) out of a total of 300,000 (a couple of years ago.) had not changed their address. So, they just let them carry on. The result is that those 20k morons are holding probably the best part of 500k now to ransom.

The solution is simple. Take a leaf out of the European Central Bank's book. Email everyone - if someone has already changed they can simply ignore the email - and tell them that as of midnight on December 31 next, tinet.ie addresses will cease to operate.

Then, at that exact time SWITCH THEM OFF!!!

But, everything about Eircom.net is truly crass, so don't hold your breath.

D.

Dinarius

ps.........................

Just ran a quick search, in my Deleted Items folder, for tinet.ie in the Sent To option in Advanced Find.

My Deleted Items folder currently contains 4,306 items. Not all spam.

The search threw up 1,019 tinet.ie emails. All spam.

If that is a representative example, then almost 25% of my spam could be avoided if Eircom discontinued this address.

I rest my case.

D.

java

Name an isp of eircom.nets customer size that doesnt have a spam problem Krouc ?

And while your at it, please tell us how you stop amateur computer users setting up mail servers as open relays? or mail servers without anti virus software?

Dinarius

java,

It's not that they don't have a spam problem elsewhere.

It's that Eircom are doing NOTHING about it.

The current Microsoft Update virus plague, due to the not inconsiderable size of the attachments (about 117kb to 159kb) is rendering the slower dial-up accounts unusable.

I have written to Eircom (again!) about getting rid of the tinet.ie address. I have also CC'd the message to the Telecoms Regulator and to Karlin Lillington of the Irish Times.

I am not holding my breath! ;-)

D.

jd

Originally posted by Dinarius
java,

It's not that they don't have a spam problem elsewhere.

It's that Eircom are doing NOTHING about it.

The current Microsoft Update virus plague, due to the not inconsiderable size of the attachments (about 117kb to 159kb) is rendering the slower dial-up accounts unusable.


D.

Not quite true..
afaik a high proportion of these particular viruses are actually removed, but they are not catching them all..

bricks

Its not Eircom's job to filter email messages.
And even if they did filter email messages from Microsoft that had attachments, where does it all end, you're probably gonna want them to filter other suspect messages in the future.
And do they also need to filter out dodgy packets from getting to your machine?
Also do we really want Eircom deciding what emails should be blocked from our mailbox?

Our man in Havana

Its eircoms job to stop their servers from being used as spam relays.

Páid

I find this is great for filtering / deleting spam http://www.mailwasher.net

There is a free version that handles one email account (paid has unlimited).

You can turn on a feature that checks the origin of a suspect email against known blacklisted email servers which should catch most unwanted email.