[SATLUG] anti-spam effort
Robert Pearson
e2eiod at gmail.com
Tue Dec 5 15:01:03 CST 2006
On 12/5/06, Geoff <geoff at w5omr.shacknet.nu> wrote:
> Robert Pearson wrote:
>
>
> I didn't mean to send that last one - sorry.
>
> > One of the mailing lists was most interesting in the way it happened.
> > I receive mail from the JavaMUG.org mailing list. I hardly ever reply
> > to these because they are mostly Java job postings.
> > There was a flurry of emails from some guy promoting himself, some
> > headhunter service or some Java tools. It looked OK, like a normal job
> > posting. Normally I delete these unopened due to lack of interest. I
> > opened this one.
> > I started having problems with that mailing list, and another totally
> > different one, shortly after opening that email.
> >
> > This just started in the last couple of months.
>
> What platform/OS?
PC "white box" AMD clone running SUSE 10.1 and Firefox 2.0 from my
home directory. SUSE 10.1 Firefox 2.0 is not released yet.

I have had some success by keeping the "$HOME/.java (that's
[dot]java)" directory deleted and the file
"$HOME/.mozilla/firefox/'some_character_string'.default/blocklist.xml"
removed.

"blocklist.xml" is a legitimate Firefox file name but from the
behavior I have observed in my case, it looks to be a "spoof" to some
place other than the URL listed inside it.

In the two exploits, or attempted exploits, of my Linux systems the
malware was placed in the "$HOME/.java (that's [dot]java)" directory.

I now run clamav irregularly. Two of my systems are dual boot SUSE
10.1 and Windows 2000.
I found these exploits, or attempted exploits, while running Grisoft
AVG from Windows 2000 on those machines.

I ran "rootkit" checking for a while. I stopped because that is very
powerful, for evil, software. Being the security novice I am, I have
no way of knowing if the "rootkit" checking I install is not "spyware"
itself.