Open Source and information security mailing list archives
Message-ID: <200309251436.06261.dr@kyx.net>
Date: Thu, 25 Sep 2003 14:36:06 -0700
From: Dragos Ruiu <dr@....net>
To: "Nick Fisher" <bugtraq@...kdafish.com>
Cc: bugtraq@...urityfocus.com, Mike Zupan <mzupan@...o.com>
Subject: Re: Ruh-Roh SOBIG.G?


On September 25, 2003 08:48 am, Nick Fisher wrote:
> As you point out above, one of the biggest problems with SoBig was the
> bandwidth usage. As such wouldn't it be better to DISCARD the messages and
> not REJECT them? SoBig spoofs return addresses, why do you have to clog my
> mail server with bounce messages just because SoBig was spoofing one of my
> customers' addresses?

On September 25, 2003 08:32 am, Mike Zupan wrote:
> I don't know if it's just me but why add to the problem. Don't REJECT it
> just DISCARD it. I've got more bounced mail coming from email that is
> getting spoofed that mailservers are rejecting than the actual virus
> itself. I set up a discard and already discarded 550 emails.


Well SOBIG's mail relay is hardly well behaved.  I thought REJECT was more 
appropriate. SOBIG won't send bounces on REJECT, and that way other people
who get caught by this will get some diagnostic (since it is the sender relay 
that sends the bounce).

BTW I've put a copy of my received samples and analysis files at 
http://dragos.com/sobig.tgz

cheers,
--dr

-- 
pgpkey http://dragos.com/ kyxpgp
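
Added example, not part of the original message: a small Python model of the two delivery paths argued over in this thread, showing when a REJECT leads to a bounce landing at the forged sender address and when it does not. Host names and addresses are constructed placeholders, and the relay is assumed to follow standard SMTP non-delivery behaviour.

```python
# Added illustration: who receives a bounce (DSN) when a filtering mail
# server REJECTs or DISCARDs a worm message. All names are constructed.

SPOOFED = "victim@customer.example"   # forged envelope sender (constructed)
RELAY = "relay.example"               # hypothetical standards-following relay


def filtering_server(policy: str) -> int:
    """SMTP reply given once the message is identified as the worm."""
    if policy == "REJECT":
        return 554       # permanent failure: the message is refused
    if policy == "DISCARD":
        return 250       # reports success, then silently drops the message
    raise ValueError(f"unknown policy: {policy}")


def worm_smtp_engine(envelope_from: str, policy: str) -> list:
    """The worm's own SMTP client: connects directly, ignores the reply."""
    filtering_server(policy)
    return []            # it never generates a DSN, whatever the reply was


def compliant_relay(envelope_from: str, policy: str) -> list:
    """A relay that accepted the message earlier and now forwards it.

    On a permanent failure from the next hop it notifies the envelope
    sender, which for this worm is a forged address.
    """
    code = filtering_server(policy)
    if 500 <= code <= 599:
        return [(RELAY, envelope_from)]
    return []


def bounces(path: str, policy: str) -> list:
    """Return (generated_by, delivered_to) for every DSN produced."""
    senders = {"direct": worm_smtp_engine, "relayed": compliant_relay}
    return senders[path](SPOOFED, policy)


if __name__ == "__main__":
    for path in ("direct", "relayed"):
        for policy in ("REJECT", "DISCARD"):
            print(f"{path:8} {policy:8} -> {bounces(path, policy)}")
```

Only the relayed path combined with REJECT produces a DSN; DISCARD produces none on either path, and also leaves no diagnostic for anyone.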

