March 24th, 2004


beating back the demons

I've noticed a significant increase in worm related email traffic over the last couple of days, apparently related to the "netsky" variant this time (though it's getting harder to tell all the different variants apart). Overnight last night I received nearly 400 new worm-related email messages, all of which successfully passed through qgreylist, spamassassin, and some custom filters that worked for mydoom.

In looking at the incoming messages, I noticed something odd about the HELO command that was used. Normally in an SMTP transaction, the first command that the sending mail server sends to the receiver is something like "HELO", which means the sender is responsible for sending messages from This HELO name isn't actually used during the delivery of the messages, but is just sort of a polite introduction.

What I noticed was that in most of these worm messages, the sender was using the command "HELO". This is backwards, it should be using the domain name of the sender, not the recipient. So I can be sure that if the sender uses my domain name in HELO, then it is not a legitimate message. By using the following procmail rule:

* ^Received:.*(HELO

a huge number of worm messages have been caught. In just the last 2.5 hours, 181 messages have been blocked and 33 got through. Of those that got through, virtually all of them are bounce messages from other mail servers, where a message to with my name forged in the From field, was returned to me as undeliverable. These types of messages, since they are sent by legitimate functional mail servers, have correct HELO commands and are not recognized by this filter.

Unfortunately, the latest variants of these email worms no longer seem to have automatic built-in expiration dates (as reported by mcafee or symantec), like the sobig family did. We can therefore expect to be plagued by these for some time to come.

Finally, this would be a good time to remind everybody who is responsible for any email operations to adopt Sender Policy Framework and publish SPF records. Doing so will help reduce the ability for worms to forge email addresses from your domain, and using SPF filtering against incoming messages will help you reject messages with forged From addresses.


meta blogging issues

Since I started this journal I've written about many different things. There are posts about flying, vacations, spam, geocaching, photography, weather, esperanto, telescopes, girls, copyright, animals, software, and more. There are a bunch of different people who read this journal (at least I've led myself to believe that is true :), not all of whom will necessarily be interested in everything I happen to write about.

So, I feel the need to segregate, categorize, organize. Split up this journal into technical stuff and recreational stuff and creative stuff and personal stuff and whatever other buckets of stuff happen to fit. Let people choose which sub-journals they want to read, and then I don't have to worry about issues like alienating most of the readers of this journal by say, posting stuff in Esperanto (which I've only done a couple of times with mixed success).

Thankfully, after I thought about this for a moment and noticed that livejournal does not actually offer any kind of facilities for sub-journals, I came to my senses and realized this was a dumb idea.

The human brain has an exceptional ability to filter information. If there is anybody reading my journal who doesn't care to read about my inbox filling up with thousands of email worms, they can easily identify such a post within the first few words and choose not to read it. I know I mentally filter posts frequently when reading my friends page. Some posts I don't actually read at all, some I skim over, some I read more carefully and perhaps follow any links to other sites, some I open up in another browser window to remind myself to check for any replies later, and some I jump in and write a followup comment myself. It sure doesn't take me very long to come to a decision about how to treat any individual post.

This is a journal. It is a sequential record of whatever I happen to be doing or thinking about that I think somebody else might be interested in too. It's not quite a simple brain dump of whatever happens to be on my mind from moment to moment (I've seen journals like that), as I try to put some effort into composing well-written entries. This represents a slice of my life, packaged up into new bite-sized chunks every few days.

So, having said all that, I'm going to continue to write new entries in my journal without worrying about whether readers may or may not be interested in the subject. Presumably you are reading this journal because at least some of what I have to say is of interest to you. It would be unreasonable for me to expect that everything I have to say is of interest to you.