[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <E1AqfYj-0005Ce-PY@mikro.physik.TU-Berlin.DE>
Date: Tue, 10 Feb 2004 22:36:45 +0100 (CET)
From: Georg Schwarz <geos@...st.de>
To: "Richard M. Smith" <rms@...puterbytesman.com>
Cc: "BUGTRAQ@...URITYFOCUS. COM" <BUGTRAQ@...urityfocus.com>
Subject: Re: Why are postmasters distributing the MyDoom virus?
> It looks like some postmasters are in the virus distribution business pretty
> much like the MyDoom virus itself. Perhaps these postmasters need to review
> their bounce message policies and remove all attached files from messages
> being bounced.
the mails probably bounced (were rejected by the target SMTP server) because
of an invalid recipient address. It is an ordinary and IMHO still good
practise to include the entire original mail in the bounce message.
Those mail servers did not bother about the content of the mail, so they
just sent it back (to the alledged return address), whether or not it
contained any malicious attachment. I think this is exactly what they are
supposed to do, and it is IMHO the best way they can react to the upstream
SMTP rejecting an email.
I think intermediate systems should not tamper with the mail, including
scanning for virii. The worst are such systems that only remove the virus
(which in many cases could easily be scanned for by the reciving system at
the end), leving the rest of the mail as hard-to-filter annoying junkmail.
Now the real issue is you, as the recipient, being in danger of executing
any arbitrary code (with powerful abilities to your system) found in an
email attachment by just an accidental mouse click (regardless how exactly
that mail reached you). Such MUAs are just an invitation for abuse. It is
here where any security measures should start. If it does not, such users
will always remain in jeopardy.
--
Georg Schwarz http://home.pages.de/~schwarz/
geos@...st.de +49 177 8811442
Powered by blists - more mailing lists