lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <40D1E92A.2060500@linuxbox.org>
Date: Thu, 17 Jun 2004 20:55:38 +0200
From: Gadi Evron <ge@...uxbox.org>
To: rar_bt@...iento.se
Cc: bugtraq@...urityfocus.com
Subject: Re: Is predictable spam filtering a vulnerability?


R Armiento wrote:

> During a recent email conversation with several participants, we discovered that the email service of one participant silently dropped legitimate emails that happened to contain certain combinations of words common in spam. I believe this sort of filter is common practice, and in fact even in place for some of my own email addresses.
> 
> However, this experience made me think: isn't predictable spam filtering in general a vulnerability that could be used as a hoax device? Since most users reply to an email citing the complete source email, including filter-offending words, it should be possible to keep a reply, forward, or even a whole thread, under the radar of specific recipients. If used in combination with forged replies from addresses predictably dropping emails, I think this may be a dangerous tool for social engineering. 

Generally, the word 'vulnerability' is attributed to actual flaw in 
code. Me? I believe that if a software fails to do it's job due to 
missing a feature or a feature not working correctly, it is indeed a 
vulnerability, a weakness, or whatever other name you'd like to call it.

Using the word 'vulnerability' for it might not be the best of choices, 
but it fits.

On the other hand, security products have to keep up with an evolving 
world. New attacks and ways of circumventing detection show up daily, 
and products update themselves accordingly. Is it being out-dated or 
vulnerable for a product to act as you describe?

Maybe there is a time-issue on if and when the product gets updates, or 
perhaps even if new blocks are required and old products can't be 
expected to keep up.

Me? I believe that if a product does not keep up-to-date for doing what 
it claims to do, it is useless. Not vulnerable.

Another good example is virus scanners which do not support unpacking of 
different PE packers, when nowadays malware gets released and 
re-released simply re-packed with a different packer, making it 
undetectable to about half of the current top-products. Sometimes 
getting a new name while at it for the media to chew on.

A poor choice of wording or plain exaggerations? I suppose that with a 
missing definitions each person would have to decide for him/herself. 
Calling it a vulnerability is fine.. but don't complain about the 
stoning later. :) I didn't.

	Gadi Evron.



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ