
[mime_]header_checks and sobig


Ben Rosengart

Aug 19, 2003, 3:31:45 PM
Can someone show me an example of how header_checks or
mime_header_checks can be used to stop sobig.f? There's a list at

http://securityresponse.symantec.com/avcenter/venc/data/w32.s...@mm.html#technicaldetails

of the names that sobig.f uses for attachments, so it seems that
blocking it should be pretty easy. But I haven't been able to find
examples in mailing list archives of attachment blocking with Postfix.

--
Ben Rosengart (212) 741-4400 x215
To accuse others for one's own misfortunes is a sign of want of education.
To accuse oneself shows that one's education has begun. To accuse neither
oneself nor others shows that one's education is complete. -- Epictetus

Vivek Khera

Aug 19, 2003, 3:42:29 PM
>>>>> "BR" == Ben Rosengart <br+po...@panix.com> writes:

BR> Can someone show me an example of how header_checks or
BR> mime_header_checks can be used to stop sobig.f? There's a list at

BR> http://securityresponse.symantec.com/avcenter/venc/data/w32.s...@mm.html#technicaldetails

Well, a quick and dirty hack is to reject based on those subject lines
until your antivirus catches up.... vexira has been catching them for
me all day long, and believe me, my address is very popular for this
bugger...

Here are some header checks I put on a system that doesn't normally
need antivirus since it has no pee-cee clients, but the trouble ticket
system was getting clogged with it:

# temporary -- remove once sobig.f dies away.
/^subject: Re: (details|approved|(re: )?my details|thank you!|that movie|your application|wicked screensaver|)$/ REJECT Sobig.F virus detected
/^subject: Re: (Thank you!|Your details)$/ REJECT Sobig.F virus probable.

these are PCRE header_checks entries based on the subject lines from
the above web page.


Noel Jones

Aug 19, 2003, 3:56:31 PM
At 03:31 PM 8/19/03 -0400, Ben Rosengart wrote:
>Can someone show me an example of how header_checks or
>mime_header_checks can be used to stop sobig.f? There's a list at
>
>http://securityresponse.symantec.com/avcenter/venc/data/w32.s...@mm.html#technicaldetails


this works well for blocking by extension. Adjust the extension list as
required.
NOTE: PCRE only, not for regexp.

/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(
   ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
   inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|
   ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|
   vb[esx]?|vxd|wsc|wsf|wsh))(\?=)?"?\s*(;|$)/x
   REJECT Attachment name "$2" may not end with ".$3"


To block only the Sobig.f extensions, try (untested)

/^\s*Content-(Disposition|Type).*name\s*=\s*"?(
   your_document\.pif|
   document_all\.pif|
   thank_you\.pif|
   your_details\.pif|
   details\.pif|
   document_9446\.pif|
   application\.pif|
   wicked_scr\.scr|
   movie0045\.pif
   )(\?=)?"?\s*(;|$)/x
   REJECT Attachment name "$2" not allowed.

To convert to plain regexp, fold this all into one line, change the "/x" at
the end to just "/", and change all the "\s" to "[[:space:]]"


--
Noel Jones

-
To unsubscribe from the postfix-users list, click the link below:
<mailto:majo...@postfix.org?body=unsubscribe%20postfix-users>

fasty

Aug 19, 2003, 3:59:18 PM
It works to stop anyone with .pif or .scr, see the PCRE statement.

--head_checks
/^Content-Disposition: attachment; *filename=.*\.(ade|adp|bas|chm|cpl|crt|hlp|hta|inf|ins|isp|js|jse|mdb|mde|msc|msi|msp|mst|pcd|sct|shs|shb|vb|vbe|vbs|wsc|wsf|wsh|scr|pif|exe|com|bat|ini|cmd|reg|lnk)/ REJECT Microsoft attachments not accepted here. Please remove them and resend.
--eof

Jorge Godoy

Aug 20, 2003, 11:26:03 AM
Vivek Khera <kh...@kcilink.com> writes:

> Naturally, I typo'd the header checks. Here are the corrected PCRE
> header_checks lines:


>
> # temporary -- remove once sobig.f dies away.

> /^subject: re: (details|approved|re: my details|thank you!|that movie|your application|wicked screensaver)$/ REJECT Sobig.F virus probable. Try different subject line.
> /^subject: (thank you!|your details)$/ REJECT Sobig.F virus probable. Try different subject line.

I tried modifying these to:

# temporary -- remove once sobig.f dies away.

if /^subject:/
/re: (details|approved|re: my details|thank you!|that movie|your application|wicked screensaver)$/ REJECT Sobig.F virus probable. Try different subject line.
/(thank you!|your details)$/ REJECT Sobig.F virus probable. Try different subject line.
endif

but postmap gives me the following error:

[root@wintermute postfix]# postmap header_checks
postmap: warning: header_checks, line 11: expected format: key whitespace value
[root@wintermute postfix]#

Line 11 is the 'endif ' line (yes, there is a blank space after
it). If I switch it to 'endif //', postmap succeeds but the logs
register the following:

Aug 20 12:14:59 wintermute postfix/cleanup[29489]: warning: pcre map /etc/postfix/header_checks, line 10: ignoring extra text after IF


Another 'interesting' thing is that if I just add the above lines, I
get the following error:


[root@wintermute postfix]# postmap header_checks
postmap: warning: header_checks, line 8: record is in "key: value" format; is this an alias file?
postmap: warning: header_checks, line 9: record is in "key: value" format; is this an alias file?
postmap: warning: header_checks.db: duplicate entry: "/^subject:"
[root@wintermute postfix]#


There's something wrong here. Any hints on where I can start looking?
This is Postfix 2.0.13.


[root@wintermute postfix]# postconf -m
static
pcre
nis
regexp
environ
proxy
ldap
btree
unix
hash
[root@wintermute postfix]# postconf -v mail_version
mail_version = 2.0.13
[root@wintermute postfix]#

TIA,
--
Godoy. <go...@ieee.org>

Ralf Hildebrandt

Aug 20, 2003, 11:29:23 AM
* Jorge Godoy <go...@ieee.org>:

> but postmap gives me the following error:

You cannot postmap regexp: & pcre: maps

--
Ralf Hildebrandt Ralf.Hil...@charite.de
my current spamtrap spam...@charite.de
http://www.arschkrebs.de/postfix/ Tel. +49 (0)30-450 570-155
bringing you boring signatures for 17 years

Noel Jones

Aug 20, 2003, 11:39:47 AM
At 12:21 PM 8/20/03 -0300, Jorge Godoy wrote:
>I tried modifying these to:
>
># temporary -- remove once sobig.f dies away.
>if /^subject:/
> /re: (details|approved|re: my details|thank you!|that movie|your
> application|wicked screensaver)$/ REJECT Sobig.F virus probable. Try
> different subject line.
> /(thank you!|your details)$/ REJECT Sobig.F virus probable. Try
> different subject line.
>endif
>
>but postmap gives me the following error:
>
>[root@wintermute postfix]# postmap header_checks
>postmap: warning: header_checks, line 11: expected format: key whitespace
>value
>[root@wintermute postfix]#

two problems.

First, don't postmap regexp or pcre files. (although you can use postmap
to test them, see the postmap man page).

Secondly, the rules between IF .. ENDIF should not have leading
whitespace. If you indent them postfix will think they are a continuation
of the previous line, which they aren't.

IF /^Subject/
/re:... / REJECT reason
/(thank... / REJECT reason
ENDIF
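
Noel's two points, as an added example that is not part of the original post (Python, not Postfix code): a small model of how a pcre: table is read according to pcre_table(5) (blank lines and # comments skipped, a line starting with whitespace continues the previous logical line, IF/ENDIF blocks, /i and /s on by default), run over Jorge's rules both indented and unindented. The table text is constructed from Jorge's post; the parser, the function names and the "logical line N" warning format are this example's own.

```python
import re

# pcre_table(5): /i (case-insensitive) and /s (dot matches newline) are on
# unless a flag letter after the closing delimiter toggles them off.
DEFAULT_FLAGS = re.IGNORECASE | re.DOTALL
FLAG_LETTERS = {'i': re.IGNORECASE, 's': re.DOTALL, 'x': re.VERBOSE, 'm': re.MULTILINE}


def split_pattern(text):
    """Split '/pattern/flags rest' into (compiled regex, rest). Only the '/'
    delimiter is handled; Postfix also accepts other non-alphanumeric ones."""
    if text[:1] != '/':
        raise ValueError('expected /pattern/: %r' % text)
    i = 1
    while i < len(text) and text[i] != '/':
        i += 2 if text[i] == '\\' else 1     # skip an escaped character
    if i >= len(text):
        raise ValueError('unterminated pattern: %r' % text)
    j = i + 1
    while j < len(text) and text[j].isalpha():
        j += 1
    flags = DEFAULT_FLAGS
    for letter in text[i + 1:j]:
        flags ^= FLAG_LETTERS[letter]          # each letter toggles its flag
    return re.compile(text[1:i], flags), text[j:].strip()


def logical_lines(table_text):
    """Blank lines and '#' comments are skipped; a line that starts with
    whitespace is glued onto the previous logical line, which is exactly
    what swallowed Jorge's indented rules."""
    lines = []
    for raw in table_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[:1] in (' ', '\t') and lines:
            lines[-1] += ' ' + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_table(table_text):
    """Build a rule tree of ('rule', regex, action) and ('if', regex, children)
    entries. Returns (rules, warnings); the warning text follows what
    postfix/cleanup logged in Jorge's case."""
    root, stack, warnings = [], [], []
    for n, line in enumerate(logical_lines(table_text), 1):
        target = stack[-1][2] if stack else root
        if line.lower().startswith('if '):
            regex, extra = split_pattern(line[3:].lstrip())
            if extra:
                warnings.append('logical line %d: ignoring extra text after IF' % n)
            block = ('if', regex, [])
            target.append(block)
            stack.append(block)
        elif line.lower().startswith('endif'):
            if not stack:
                raise ValueError('ENDIF without IF')
            stack.pop()
        else:
            regex, action = split_pattern(line)
            if not action:
                raise ValueError('expected format: key whitespace value')
            target.append(('rule', regex, action))
    if stack:
        raise ValueError('IF without ENDIF')
    return root, warnings


def check_header(rules, header):
    """Action of the first matching rule, descending into an IF block only
    when the block's own pattern matches the header; None if nothing matches."""
    for kind, regex, payload in rules:
        if not regex.search(header):
            continue
        if kind == 'rule':
            return payload
        hit = check_header(payload, header)
        if hit:
            return hit
    return None


# Constructed from Jorge's post: the two rules indented inside IF ... ENDIF.
INDENTED = '''\
# temporary -- remove once sobig.f dies away.
if /^subject:/
    /re: (details|approved|re: my details|thank you!|that movie|your application|wicked screensaver)$/ REJECT Sobig.F virus probable. Try different subject line.
    /(thank you!|your details)$/ REJECT Sobig.F virus probable. Try different subject line.
endif
'''
# The same table with the leading whitespace removed, as Noel recommends.
UNINDENTED = INDENTED.replace('\n    /', '\n/')

if __name__ == '__main__':
    for label, text in [('indented', INDENTED), ('unindented', UNINDENTED)]:
        rules, warnings = parse_table(text)
        print(label, warnings or 'no warnings')
        for header in ['Subject: Re: Thank you!', 'Subject: Your details',
                       'Subject: Re: lunch on Friday', 'X-Mailer: thank you!']:
            print('  %-30s -> %s' % (header, check_header(rules, header) or 'pass'))
```

With the indented table the IF block ends up empty and every subject passes; with the unindented one the two Sobig.F subjects are rejected while an unrelated subject, and a non-Subject header that happens to end in "thank you!", pass.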

Palomäki Kai

Aug 21, 2003, 4:21:18 AM
> At 03:31 PM 8/19/03 -0400, Ben Rosengart wrote:
> >Can someone show me an example of how header_checks or
> >mime_header_checks can be used to stop sobig.f? There's a list at
> >
> >http://securityresponse.symantec.com/avcenter/venc/data/w32.sobi...@mm.html#technicaldetails
>
> this works well for blocking by extension. Adjust the
> extension list as required.
> NOTE: PCRE only, not for regexp.
>
> /^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(
> ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
> inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|
> ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|
> vb[esx]?|vxd|wsc|wsf|wsh))(\?=)?"?\s*(;|$)/x
> REJECT Attachment name "$2" may not end with ".$3"
>
> To block only the Sobig.f extensions, try (untested)
>
> /^\s*Content-(Disposition|Type).*name\s*=\s*"?(
> your_document\.pif|
> document_all\.pif|
> thank_you\.pif|
> your_details\.pif|
> details\.pif|
> document_9446\.pif|
> application\.pif|
> wicked_scr\.scr|
> movie0045\.pif|
> )(\?=)?"?\s*(;|$)/x
> REJECT Attachment name "$2" not allowed.
>
> To convert to plain regexp, fold this all into one line,
> change the "/x" at the end to just "/", and change all the "\s" to "[[:space:]]"
>
> --
> Noel Jones

What if the "*name" string comes after "Content-(Disposition|Type).*" on the
following line, like this:

Content-Type: application/octet-stream;
   name="details.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
   filename="details.pif"

Noel Jones

Aug 21, 2003, 10:02:02 AM
At 11:21 AM 8/21/03 +0300, Palomäki Kai wrote:

>What if the "*name" string comes after "Content-(Disposition|Type).*" on the
>following line, like this:
>
>Content-Type: application/octet-stream;
> name="details.pif"
>Content-Transfer-Encoding: base64
>Content-Disposition: attachment;
> filename="details.pif"

The whole Content* line is considered a single logical mime header
line. Postfix folds each logical header line during processing, the same
way a long To: or Received: header is folded for processing.

So, postfix 2.x processes the above correctly with mime_header_checks and
will reject the attachment.

Postfix 1.x, using body_checks, may miss it, since body_checks will only
process a single line at a time.

While postfix 2.x mime processing is great at catching unwanted attachments
and a big improvement over postfix 1.x, it is still possible for a
malformed mime entry to slip by.
Don't consider this a rock-solid defense, a virus scanner is always
recommended.


--
Noel Jones
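
Noel's folding explanation and his extension rule together, as an added example (Python, not code from the thread or from Postfix): continuation lines are joined back onto the header they belong to before the rule is applied, so Kai's Content-Type part with name= on its own line is rejected exactly like a single-line one. The rule is Noel's as posted; the helper names and the sample MIME headers are constructed for this example, and the regex flags mirror the pcre_table(5) defaults (/i and /s on) plus the /x the rule carries.

```python
import re

# Noel Jones's attachment-extension rule from the thread, compiled the way a
# Postfix pcre: table compiles it: /i and /s are on by default (pcre_table(5)),
# /x is the flag the rule itself carries.
EXTENSION_RULE = re.compile(r'''
    ^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(
    ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
    inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|
    ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|
    vb[esx]?|vxd|wsc|wsf|wsh))(\?=)?"?\s*(;|$)
''', re.IGNORECASE | re.DOTALL | re.VERBOSE)


def logical_header_lines(raw_headers):
    """Join continuation lines (leading space or tab) onto the header they
    continue, giving one logical header line per MIME header field."""
    logical = []
    for line in raw_headers.splitlines():
        if line[:1] in (' ', '\t') and logical:
            # Keep the line break; '.' still spans it because /s (DOTALL) is on.
            logical[-1] += '\n' + line
        else:
            logical.append(line)
    return logical


def check_mime_headers(raw_headers):
    """Return the REJECT text for the first logical header the rule matches,
    or None when every header of the part passes."""
    for header in logical_header_lines(raw_headers):
        m = EXTENSION_RULE.search(header)
        if m:
            return 'REJECT Attachment name "%s" may not end with ".%s"' % (
                m.group(2), m.group(3))
    return None


# Constructed samples. FOLDED_PART mirrors the MIME part Kai posted: the
# name= and filename= parameters sit on continuation lines.
FOLDED_PART = (
    'Content-Type: application/octet-stream;\n'
    '\tname="details.pif"\n'
    'Content-Transfer-Encoding: base64\n'
    'Content-Disposition: attachment;\n'
    '\tfilename="details.pif"\n'
)
ONE_LINE_PART = 'Content-Disposition: attachment; filename="your_details.pif"\n'
# RFC 2047 encoded-word file name; the (\?=)? in the rule is what lets it match.
ENCODED_WORD_PART = (
    'Content-Disposition: attachment;\n'
    ' filename="=?iso-8859-1?Q?wicked_scr.scr?="\n'
)
BENIGN_PART = (
    'Content-Type: application/pdf;\n'
    ' name="report.pdf"\n'
    'Content-Disposition: attachment; filename="report.pdf"\n'
)

if __name__ == '__main__':
    for label, part in [('folded', FOLDED_PART), ('one line', ONE_LINE_PART),
                        ('encoded word', ENCODED_WORD_PART), ('benign', BENIGN_PART)]:
        print('%-12s -> %s' % (label, check_mime_headers(part) or 'pass'))
```

The folded part yields three logical headers, and the first of them (the Content-Type with its name= continuation) already triggers the rule; a body_checks-style line-at-a-time scan would only ever see `name="details.pif"` without the Content-Type label in front of it.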

Robin Lynn Frank

Aug 22, 2003, 10:01:31 AM


On Friday 22 August 2003 02:38 am, LuKreme (List User Kreme) wrote:
> On Tuesday, Aug 19, 2003, at 13:55 Canada/Mountain, Noel Jones wrote:
> > this works well for blocking by extension. Adjust the extension list
> > as required.
> > NOTE: PCRE only, not for regexp.
> >
> > /^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(
> > ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
> > inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|
> > ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|
> > vb[esx]?|vxd|wsc|wsf|wsh))(\?=)?"?\s*(;|$)/x
> > REJECT Attachment name "$2" may not end with ".$3"
>
> Aha! Thank you! This is PERFECT.
>
> Now, if only I knew what all those stupid MSFT extensions were. Heh.
>
> Wasn't there a virus that ran out of .wav files? Or was it just the
> content-type was x-audio/wave?

The latter IIRC.
--
Robin Lynn Frank | Director of Operations | Paradigm-Omega, LLC
Email acceptance policy: http://paradigm-omega.com/email_policy.html
Our current s$p%a&m-t*r#a^p: twi...@paradigm-omega.dnsalias.net


Noel Jones

Aug 22, 2003, 10:05:31 AM
At 03:38 AM 8/22/03 -0600, List User Kreme wrote:

>Now, if only I knew what all those stupid MSFT extensions were. Heh.

See
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
and
http://www.cknow.com/vtutor/vtextensions.htm

Blocking by extension is a good place to start and certainly better than
nothing, but is no substitute for a good virus scanner.

A good virus scanner is no guarantee that a new virus will be detected.

--
Noel Jones

Derrick 'dman' Hudson

Aug 22, 2003, 2:06:11 PM

On Fri, Aug 22, 2003 at 11:19:34AM -0600, LuKreme wrote:

| One thing I have noticed is that I can do a helo check. All the pif or
| src files today have been saying helo with either
|
| "<BIGTEX>" or "<ICSBACK_2>" and the only mail I see with those helo's
| is spoofed spam or viruses.

This is already taken care of with :
reject_invalid_hostname
reject_non_fqdn_hostname

I have a suspicion (but haven't verified it) that SoBig.F uses the
(netbios?) name of the machine it is running on in the HELO. Thus the
helo name is often invalid or not fully-qualified.

-D

--
Even youths grow tired and weary,
and young men stumble and fall;
but those who hope in the Lord
will renew their strength.
They will soar on wings like eagles;
they will run and not grow weary,
they will walk and not be faint.

Isaiah 40:31

http://dman13.dyndns.org/~dman/


Wietse Venema

Aug 22, 2003, 2:16:15 PM
Derrick 'dman' Hudson:

Checking application/pgp-signature: FAILURE
-- Start of PGP signed section.


> On Fri, Aug 22, 2003 at 11:19:34AM -0600, LuKreme wrote:
>
> | One thing I have noticed is that I can do a helo check. All the pif or

> | src files today have been saying helo with either
> |

> | "<BIGTEX>" or "<ICSBACK_2>" and the only mail I see with those helo's

> | is spoofed spam or viruses.
>
> This is already taken care of with :
> reject_invalid_hostname
> reject_non_fqdn_hostname
>
> I have a suspicion (but haven't verified it) that SoBig.F uses the
> (netbios?) name of the machine it is running on in the HELO. Thus the
> helo name is often invalid or not fully-qualified.

I see a fair number of viruses coming from "real" mail systems.
Presumably these are relayed via some intermediate system.

Therefore it is better to DISCARD the mail so that the intermediate
MTA does not send bounces to the forged sender address.

Wietse

Jim Seymour

Aug 24, 2003, 11:01:00 AM
Noel Jones <njo...@megan.vbhcs.org> wrote:
>
> At 03:38 AM 8/22/03 -0600, List User Kreme wrote:
>
> >Now, if only I knew what all those stupid MSFT extensions were. Heh.
>
> See
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
> and
> http://www.cknow.com/vtutor/vtextensions.htm

*ack*! I'm probably up to over 100 different extensions now, with the
new ones added from that second URL :/. Pretty soon I'll have to
replace it all with a whitelist of the ones I *will* accept, followed
by a default deny of everything else.

I've unofficially "published" my anti-virus/worm/trojan header and body
checks at:

http://jimsun.linxnet.com/misc/header_checks.txt
http://jimsun.linxnet.com/misc/body_checks.txt

Dammit, this is too much like work for a Sunday :(. I don't even use
M$'s damn malware, and here I am screwing around with email gateway
protection for the damn stuff--on one of my alleged "days off."

God how I detest M$-Windoze!

Btw: Thanks for the URLs, Noel :)

>
> Blocking by extension is a good place to start and certainly better than
> nothing, but is no substitute for a good virus scanner.

Personally, I regard AV software as my *last* line of defense.

>
> A good virus scanner is no guarantee that a new virus will be detected.

AV software is always playing a catch up game. Even if all the
desktops are keeping updated (an unlikely proposition, IME).

As I recently wrote in news.admin.net-abuse.email:

The primary failing with anti-virus "protection" is that it
*mostly* can protect you only from that which it knows. This is
why I regard AV protection on our corporate desktops as the
*last* line of defense. And a weak one at that! First lines of
defense are: 1) Try to stop that crap at the border. My email
gateways reject anything with any one of some 90+ attachment
types. That includes .pif. Also anything with an executable
signature in it. We don't allow ActiveTrojan through the
firewall. The firewalls are configured for "that which is not
explicitly allowed, is denied." 2) De-fanged desktops.
MS-Exploiter has all the ActiveTrojan stuff turned off. (We are
beginning to look at replacing it with Mozilla.) MS-LookOut! is
verboten. 3) The users themselves. Yes, believe it or not, I
rely on user education and them doing the right thing as a more
important defense measure than AV software.

This mostly works. Out of approximately 150 seats in four
different locations: We've had few virus/worm/trojan incidents in
many, many years. And those we have had, have not gotten very
far at all. (IIRC, we've had a max of maybe six machines
infected in any one incident.) From what we could tell: They all
arrived via infected floppies, CD-ROMs, or otherwise transferred
in.

Btw: When AV software *does* detect something, more times than
not it's detected by the AV software running on the fileservers,
not what's running on the PCs. This is because it's *always*
scanning the fileservers and *I* make sure the fileservers are
up-to-date.

--
Jim Seymour | PGP Public Key available at:
jsey...@LinxNet.com | http://www.uk.pgp.net/pgpnet/pks-commands.html
http://jimsun.LinxNet.com |

Renee Teunissen (ml-postfix)

Aug 24, 2003, 11:53:17 AM

Ehh... should be: > http://reneeteunissen.nl/abuse/header_checks.txt

Sorry,
Renee.

----- Original Message -----
From: "Renee Teunissen (ml-postfix)" <ml-po...@mlists.zevenaar.org>
To: <postfi...@postfix.org>
Sent: Sunday, August 24, 2003 5:40 PM
Subject: Re: [mime_]header_checks and sobig


> Here are mine - they might be a bit too blunt for most of us ;)
>
> http://reneeteunissen.nl/abuse/body_checks.txt
> http://reneeteunissen.nl/abuse/headers_checks.txt
>
> Comments are welcome.
>
> Gr,
> Renee.
> ----- Original Message -----
> From: "Jim Seymour" <jsey...@LinxNet.com>
> To: <postfi...@postfix.org>
> Sent: Sunday, August 24, 2003 5:18 PM
> Subject: Re: [mime_]header_checks and sobig
>
>
> >
> > jsey...@LinxNet.com (Jim Seymour) wrote:
> > >
> > [snip]
> > >
> > > I've unofficially "published" my anti-virus/worm/trojan header and body
> > > checks at:
> > >
> > > http://jimsun.linxnet.com/misc/header_checks.txt
> > > http://jimsun.linxnet.com/misc/body_checks.txt
> > >
> > [snip]
> >
> > Btw: Comments and suggestions are, of course, welcome :)

LuKreme (List User Kreme)

Aug 24, 2003, 2:08:09 PM
On Sunday, 24 August 2003, at 09:00, Jim Seymour wrote:
> Noel Jones <njo...@megan.vbhcs.org> wrote:
>>
>> At 03:38 AM 8/22/03 -0600, List User Kreme wrote:
>>
>>> Now, if only I knew what all those stupid MSFT extensions were.
>>> Heh.
>>
>> See
>> http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
>> and
>> http://www.cknow.com/vtutor/vtextensions.htm
>
> *ack*! I'm probably up to over 100 different extensions now, with the
> new ones added from that second URL :/. Pretty soon I'll have to
> replace it all with a whitelist of the ones I *will* accept, followed
> by a default deny of everything else.

that might not be a bad idea. there aren't many extension types I am
interested in receiving via email:

zip gz bz2 tgz txt jpg png gif mp3 rtf rar sit hqx uu

what am I forgetting?

Although, if I went that route I think I'd have postfix bounce the bad
ones (pif, exe, &c) and have procmail quarantine the non-OK list and
pass through a few extension types.

--
The older you get the more you need the people you knew when you were
young.

Dean Strik

Aug 24, 2003, 2:12:19 PM
LuKreme wrote:
> that might not be a bad idea. there aren't many extension types I am
> interested in receiving via email:
>
> zip gz bz2 tgz txt jpg png gif mp3 rtf rar sit hqx uu
>
> what am I forgetting?

Perhaps .diff and .patch.

--
Dean C. Strik Eindhoven University of Technology
de...@stack.nl | de...@ipnet6.org | http://www.ipnet6.org/
"This isn't right. This isn't even wrong." -- Wolfgang Pauli

LuKreme (List User Kreme)

Aug 24, 2003, 2:14:09 PM
On Sunday, 24 August 2003, at 09:18, Jim Seymour wrote:
> jsey...@LinxNet.com (Jim Seymour) wrote:
>>
> [snip]
>>
>> I've unofficially "published" my anti-virus/worm/trojan header and
>> body
>> checks at:
>>
>> http://jimsun.linxnet.com/misc/header_checks.txt

Noel's method checks for the name ENDING with the extension, and gives
a specific and clear error message:

/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(
   ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
   inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|
   ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|
   vb[esx]?|vxd|wsc|wsf|wsh))(\?=)?"?\s*(;|$)/x
   REJECT Attachment name "$2" may not end with ".$3"

simply fill with your own list of extensions.

this means .com doesn't need to be treated differently, and it won't
block "sample application.exe.zip"

--
You are responsible for your Rose
Rule #5 Get Kirsten Dunst Wet

LuKreme (List User Kreme)

Aug 24, 2003, 2:15:07 PM
On Sunday, 24 August 2003, at 09:40, Renee Teunissen (ml-postfix) wrote:
> http://reneeteunissen.nl/abuse/headers_checks.txt

"The requested URL /abuse/headers_checks.txt was not found on this
server"

--
Behind every great man there's a woman with a vibrator -- Hawkeye Pierce

Jim Seymour

Aug 24, 2003, 4:53:44 PM
LuKreme (List User Kreme) <kre...@kreme.com> wrote:
>
[snip]

>
> Noel's method checks for the name ENDING with the extension,

In our experiments many moons ago, before Postfix did MIME headers, we
found instances of MIME attachments where the filename was not at the
end. Perhaps his "(\?=)?"?\s*(;|$)/x" at the end may address that. I
no longer recall the specifics. For me: I'll stick with what's been
working for me ;).

> and gives
> a specific and clear error message:

I've been meaning to address that...

>
[snip]


>
> this means .com doesn't need to be treated differently, and it won't
> block "sample application.exe.zip"

Um, ISTR that tacking-on an "extra" file extension was one way to fool
such filters? IOW: One *wants* to reject "filename.exe.zip," for
example?

Liviu Daia

Aug 24, 2003, 5:56:41 PM
On 24 August 2003, Dean Strik <de...@stack.nl> wrote:
> LuKreme wrote:
> > that might not be a bad idea. there aren't many extension types I am
> > interested in receiving via email:
> >
> > zip gz bz2 tgz txt jpg png gif mp3 rtf rar sit hqx uu
> >
> > what am I forgetting?
>
> Perhaps .diff and .patch.

Also: mod, s3m, wav, pdf, ps, eps, tiff, jpeg, pnm, pgm, sgml, dtd,
tex, dvi, texi, info, man, me, ms, [1-9], pl, pm, c, cc, cpp, cxx, h,
hpp, hxx, tcl, pem, crt, crl, key, p12, pgp --- and many, many others,
I'm sure. :-) My point being: it's probably equally hard to define a
reasonable list of "good" extensions as it is to find the "bad" ones.

Regards,

Liviu Daia

--
Dr. Liviu Daia e-mail: Liviu...@imar.ro
Institute of Mathematics web page: http://www.imar.ro/~daia
of the Romanian Academy PGP key: http://www.imar.ro/~daia/daia.asc

LuKreme (List User Kreme)

Aug 25, 2003, 5:53:23 AM
On Sunday, August 24, 2003, at 8:52 , Jim Seymour wrote:
> Here's what I was referring to:
>
> http://www.theregister.co.uk/content/56/29137.html

I didn't know about that.

wow, might have to rethink then...

It astounds me that ANYONE, ANYWHERE, without having a gun pointed at
his testicles, is willing to use LookOut/LookOut Express for their
email.


--
The Piper's calling you to join him

Wietse Venema

Aug 25, 2003, 7:40:22 AM
LuKreme:

Presumably, female persons would never do this.

Wietse

Jim Seymour

Aug 25, 2003, 10:30:38 AM
>
> On Sunday, August 24, 2003, at 8:52 , Jim Seymour wrote:
> > Here's what I was referring to:
> >
> > http://www.theregister.co.uk/content/56/29137.html
>
> I didn't know about that.
>
> wow, might have to rethink then...

I think, *think*, mind you, that the following will safely and
effectively address the issue:

Change: (\?=)?"?\s*(;|$)
To: (\.\S{2,5})?(\?=)?"?\s*(;|$)

That simply allows for the possibility that an offending extension
*may* be followed by a dot-two-to-five-non-whitespace-chars. I'm not
sure whether that should be made 1-5 (thus catching 1-char third
extensions), be cut back to 3-5 (slightly reducing the possibility of
false positives?), or be left as-is.

>
> It astounds me that ANYONE, ANYWHERE, without having a gun pointed at
> his testicles, is willing to use LookOut/LookOut Express for their
> email.

Though I probably shouldn't be any longer, I continue to be astonished
anew that most *businesses* still willingly put themselves in a
position of being yanked-around by a company that's repeatedly turned
out sub-standard, non-standards-compliant product that was never
well-suited for enterprise deployment in the first place. Companies
repeatedly get burned by broken-ness, incompatibility (sometimes even
between packages from the same "suite"), repeated security holes and
unbelievably expensive product fee schedules--and keep going back for
more?!?! To add insult to injury: The PHBs making these decisions
keep getting pay raises and bonuses while people like you and me
end-up having to spend an inordinate amount of time cleaning up the
mess.
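
Jim's tail change side by side with Noel's original, as an added example (Python, not code from the thread or from Postfix): the same rule head and extension list are compiled with each tail and run over constructed attachment headers. It shows the double extension "sample application.exe.zip", which LuKreme noted the original lets through, being caught by the (\.\S{2,5})? variant, and the cost Jim hints at: a harmless "notes.com.txt" is now rejected as well. The function and constant names are this example's own.

```python
import re

# Shared head of Noel's rule: the header label, the name= parameter and the
# extension list. Flags follow pcre_table(5) defaults (/i, /s) plus the /x
# the rule carries.
FLAGS = re.IGNORECASE | re.DOTALL | re.VERBOSE
HEAD = r'''
    ^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(
    ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
    inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|
    ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|
    vb[esx]?|vxd|wsc|wsf|wsh))'''
# Noel's original tail: the blocked extension must be the last thing in the name.
TAIL_NOEL = r'(\?=)?"?\s*(;|$)'
# Jim's tail: allow one more ".xx" to ".xxxxx" after the blocked extension.
TAIL_JIM = r'(\.\S{2,5})?(\?=)?"?\s*(;|$)'

RULES = {'noel': re.compile(HEAD + TAIL_NOEL, FLAGS),
         'jim': re.compile(HEAD + TAIL_JIM, FLAGS)}


def verdict(header, variant):
    """Apply one variant to a single logical MIME header line; return the
    REJECT text the rule would produce, or None when the header passes."""
    m = RULES[variant].search(header)
    if not m:
        return None
    return 'REJECT Attachment name "%s" may not end with ".%s"' % (m.group(2), m.group(3))


def compare(header):
    """Verdicts of both variants for one header, as (noel, jim)."""
    return verdict(header, 'noel'), verdict(header, 'jim')


# Constructed attachment headers.
SAMPLES = [
    'Content-Disposition: attachment; filename="details.pif"',
    'Content-Disposition: attachment; filename="sample application.exe.zip"',
    'Content-Disposition: attachment; filename="notes.com.txt"',
    'Content-Disposition: attachment; filename="archive.tar.gz"',
]

if __name__ == '__main__':
    for header in SAMPLES:
        noel, jim = compare(header)
        print(header)
        print('  original: %s' % (noel or 'pass'))
        print('  modified: %s' % (jim or 'pass'))
```

Both variants still pass "archive.tar.gz", since neither tar nor gz is in the list; the difference is confined to names where a blocked extension is followed by exactly one more short extension, which is where both the gain and the false positives live.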
