Keystroke logger being installed from a link in an email (Subject: Police Investigation)

Matt Kettler mkettler at EVI-INC.COM
Thu Feb 19 22:49:11 GMT 2004


At 05:27 PM 2/19/2004, Tristan Rhodes wrote:
>What is the best way to block an exploit like this?
>
>Create a custom Spamassassin rule?
>Feed it to Bayes a bunch of times as SPAM?
>Use MCP?

Quite frankly, all you can do at the email level is block this particular
version of the exploit. Bayes, custom rules, etc. will be effective at
tagging this message as spam.

However, the only way to properly prevent this general class of problem is
to fix it on the workstation itself. After all, the email itself doesn't
contain an attack. It's the web site that contains the attack.

Patch maintenance, workstation-resident virus scanner with regular
updates, etc.

You can also use a firewall with extensive application layer inspection
tools like a NetScreen to block some of these kinds of things at the
network layer. However, such things are hardly 100% comprehensive, but they
do inspect HTTP transactions for some kinds of attacks, etc.


