lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <401808A4.9010301@orlandi.com>
Date: Wed, 28 Jan 2004 20:08:20 +0100
From: Daniele Orlandi <daniele@...andi.com>
To: bugtraq@...urityfocus.com
Subject: Re: RFC: virus handling


Thomas Zehetbauer wrote:
> 
> 1.1.) Configuration
> Unless the virus scanner provides special handling for worms and virii
> which knowingly use a faked sender address

I think that virus scanners SHOULD provide some sort of information on
the reliability of headers and SMTP envelope of the virus e-mail and act
accordingly.

I use amavisd-new which has support for listing viruses/worms that fake
the sender's email address. Unfortunatelly the list is external to the
actual virus scanner and has to be updated manually.

This is a major problem, since the administrators are often (an with
good reason) not responsive enought with the rapid floods like the one
we saw recently.

> it should not send out notification messages unless the administrator has
> been warned that these notification messages may not reach the intended
> recipient and has still enabled this feature.

I would say that a virus scanner SHOULD NOT send notifications unless it
has informations on the reliability of the sender's e-mail address.

> 1.2.) Format
> These messages cannot be easily filtered because they come in many
> different formats and do often not contain any useful information at
> all.

They could be formatted with a message/delivery-status part but the
problem wouldn't exist at all if all the notifications are sent to the
real infected recipient.

Bye.

-- 
 Daniele Orlandi



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ