lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 26 Sep 2003 10:49:08 -0700
From: Louis Erickson <LErickson@...ba.com>
To: 'Bennett Todd' <bet@...ul.net>, Earl Hood <earl@...lhood.com>
Cc: bugtraq@...urityfocus.com, MightyE <trash@...htye.org>,
	Lawrence MacIntyre <lpz@...l.gov>
Subject: RE: base64



On 26 September 2003 at 10:08 AM, Bennett Todd <bet@...ul.net> wrote:

<snip other issues with canonicalization>

> Also, in this sort of setting at least, you need very different
> handling of inbound -vs- outbound messages. Inbound messages get
> repaired --- or broken, in the case of digital sigs --- and then
> sent on to their intended internal recipient. Outbound traffic gets
> canonicalized if necessary, with commentary, gets malware replaced
> with "evil badness used to be here, I yanked it", then gets bounced
> back to the internal sender.

If there is malware in the message, why are you delivering it to the end
user?  

Either discard it or reject it from real sender, so they know their machine
is doing something bad.

I think it's as - maybe more - important for hosts to be responsible senders
than a responsible receivers.

At the moment, for instance, one of my mailboxes is inundated with
Swen/Gibe.  My virus scanners are easily keeping up with and discarding the
copies which arrive intact.  This irritates me because of the extra time and
bandwidth, but is a manageable issue.  Swen/Gibe dies there, harmlessly.

However, some idiot ISP is filtering just the bad attachment, and delivering
the rest.  So, instead of getting nothing, or getting something my system
can easily detect as unwanted, I get semi-random, difficult to predict or
filter junk, hundreds of them a day, swamping my mailbox.

(I have to figure out how to get procmail to filter on zero-byte
attachments.  Haven't had the time.)

Other idiot ISPs are letting me know that someone sent me Swen/Gibe and that
they blocked the message.  I have yet to make the postmaster at one of these
sites understand how worthless that notification is on viruses which forge
everything and send in such great quantity.

With the sender disinfecting, it can't infect my machine any more -
Swen/Gibe won't be bothering my Linux machine anyway - but they're making my
mailbox just as difficult to use as if they were doing nothing.

In another life I run an ISP.  I run virus scanners on all incoming and
outgoing messages.  Viruses are rejected at SMTP time, and the messages are
not delivered.  If a real user is trying to send something which triggers a
false positive, their mail client will show "550 Message appears to contain
a virus" or something like that.

I used to send notifications to the sender, and maintain a list of viruses
which forge the "From" address to skip sending to those.  However, pretty
much every virus does that now, and I found I was unable to keep up with
marinating that list, so I've disabled all the notifications.

I think it's important that the messages containing junk be blocked as soon
as possible, and generate no more traffic, or they are able to cause DoS and
other mischief as collateral damage.  While I've felt this for a while, I
think it's even more important now with some of these new viruses able to
generate such incredible quantities of mail so quickly.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ