Just another good reason to use Linux.

As a network administrator I have set up Cisco NetFlows on our core routers and check for anomalous traffic from time to time. I have found a couple of customers with SMTP engine type viruses. I have set up ingress and egress filters on most of our routers, and filter a few ports used by specific worms. We also block ports 139 and 445 to all but a couple of customers who insist on using Windows sharing without a VPN {Yikes}. The most common worms use TCP ports 139 or 445 to locate Windows machines, then proceed to abuse them.

Another side effect of SMTP engine worms is DNS load. Infected machines make tons of DNS MX queries while attempting to spew their payload. Using awk, sort and uniq it is possible to discover the worms by analysing the DNS logs.

On Sun, 2005-02-01 at 07:21 +0000, Robert Slade wrote:
> Hiya,
>
> Someone using IP address 66.59.107.18 (emmdsl.static.pa.net) is sending
> out the Worm.Mydoom.M: As I only use this address for the fedora list
> there is a good chance they are also a member.
>
> Rob

-- 
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787
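The awk/sort/uniq approach to spotting MX-query floods in DNS logs, written out as an added example (this is not code from the message above or from its author). It assumes BIND 9 style "query:" log lines; the sample lines, client addresses and the threshold value are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original post: count DNS MX queries per client
# address in BIND 9 style query-log lines and flag the heavy hitters, which is
# the pattern an SMTP-engine worm leaves behind while it looks up mail servers.
# Log format assumed:
#   <date> <time> client <ip>#<port>: query: <name> IN <type> <flags>
# The sample below is constructed: 192.0.2.10 fires a burst of MX lookups,
# the other clients behave normally.

SAMPLE_LOG='01-Feb-2005 07:21:01.001 client 192.0.2.10#1025: query: aol.com IN MX +
01-Feb-2005 07:21:01.002 client 192.0.2.10#1026: query: hotmail.com IN MX +
01-Feb-2005 07:21:01.003 client 192.0.2.10#1027: query: yahoo.com IN MX +
01-Feb-2005 07:21:01.004 client 192.0.2.10#1028: query: example.org IN MX +
01-Feb-2005 07:21:01.005 client 192.0.2.10#1029: query: example.com IN MX +
01-Feb-2005 07:21:01.006 client 192.0.2.10#1030: query: example.net IN MX +
01-Feb-2005 07:21:02.001 client 192.0.2.44#1031: query: www.redhat.com IN A +
01-Feb-2005 07:21:02.002 client 192.0.2.44#1032: query: example.net IN MX +
01-Feb-2005 07:21:03.001 client 192.0.2.77#1033: query: fedora.redhat.com IN A +'

# Read log lines on stdin; print "count ip" for every client that issued
# MX queries, busiest client first.  Field 8 is the query type and field 4
# is "ip#port:", so the port suffix is stripped before counting.
mx_counts() {
    awk '$8 == "MX" { sub(/#.*/, "", $4); print $4 }' \
        | sort | uniq -c | sort -rn
}

# Read log lines on stdin; print only the client addresses whose MX query
# count reaches the threshold given as $1.  In a real log the threshold
# would be tuned to the site's legitimate mail servers, which also send MX
# queries but at a far lower rate than an infected desktop.
flag_mx_spewers() {
    threshold="$1"
    mx_counts | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Usage on the constructed sample: only 192.0.2.10 is reported.
printf '%s\n' "$SAMPLE_LOG" | flag_mx_spewers 5
```

On a live system the same two functions would be fed with something like `grep ' query: ' /var/log/named/query.log`; the legitimate mail relays will always show up in `mx_counts`, so the useful signal is a workstation address appearing near the top of the list.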