Message-ID: <40181464.11202.9289ABC4@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: From field spoofing and AV responses

"Johnson, April" <apjohnson@...ttleschools.org> wrote:

> How hard would it be to have the AV software actually check the source
> email smtp host, and send an email to abuse@....com for the *actual*
> offending smtp server?

Probably not terribly...

Of course, you immediately turn any massively fast, widespread 
infection scenario (as we just saw with Mydoom) into a massive DoS 
against nearly every abuse address on the planet...

> The from field is almost worthless at this point.  But the header is
> more reliable.  ...

Huh???

By "header" I presume you mean what is more conventionally referred to 
as "the SMTP envelope FROM address" (or similar -- the argument to the 
SMTP "MAIL FROM:" command).

> ...  Yes, it *can* be spoofed, but it's significantly more
> difficult.

What are you smoking?

Virtually all mass-mailers with their own SMTP engines spoof this 
"information".  If by "significantly harder" you mean it takes a few 
more lines of code to randomly pick or generate an address to use for 
that argument instead of using an address that can be got from a few 
RegQueryValue calls and the like, you are trivially correct, but I'd 
say you also greatly underestimate the typical virus writer.

> I'm nearly buried in false 'AV' responses - and worse, the users that
> get them are terrified because they think they've  'become infected'.  I
> don't mind the user being wary, but the level of fear and anxiety over a
> false notice is becoming unworkable.

This is, indeed, a huge problem with such false "warnings" and 
something THE AV industry is well aware of.  That it does not fix this 
by the simple expedient of all AV developers agreeing between 
themselves to remove the ability to send all such "alerts" suggests 
that it sees the FUD value of keeping them as worthwhile...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
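On the point raised above, that both the header From and the envelope sender are forged by mass-mailers and that only the receiving MTA's own Received lines identify the connecting host, here is an added example (not part of this thread or any AV product) that walks the Received chain down to the first hop not written by a trusted relay. The hostnames, IPs and the set of trusted relays are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample: header From and Return-Path are both forged, as a
# mass-mailer would do; only the Received lines added by our own MTAs
# (mx.internal.example, mail.internal.example) reflect the real peer.
RAW_MESSAGE = b"""Return-Path: <someone@forged.example>
Received: from mail.internal.example (mail.internal.example [10.0.0.5])
\tby mx.internal.example with ESMTP id 1; Wed, 28 Jan 2004 10:00:02 +0000
Received: from legit.example (unknown [192.0.2.77])
\tby mail.internal.example with SMTP id 2; Wed, 28 Jan 2004 10:00:01 +0000
Received: from trusted.example (trusted.example [203.0.113.9])
\tby legit.example with SMTP; Wed, 28 Jan 2004 09:59:00 +0000
From: "Friend" <victim@example.org>
To: user@internal.example
Subject: hi

see attachment
"""

# Hypothetical: the relays we operate, whose Received lines we can trust.
TRUSTED_HOSTS = {"mx.internal.example", "mail.internal.example"}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")


def originating_ip(raw):
    """Return the IP that connected to the outermost trusted MTA.

    Received headers are prepended on each hop, so get_all() is newest
    first. Stop at the first hop recorded by a host we do not control:
    that line and everything below it came from the remote side and may
    be as forged as the From line.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    last_trusted = None
    for received in msg.get_all("Received", []):
        by = BY_RE.search(received)
        if not by or by.group(1).rstrip(";") not in TRUSTED_HOSTS:
            break
        ip = IP_RE.search(received)
        if ip:
            last_trusted = ip.group(1)
    return last_trusted


def naive_reply_targets(raw):
    """The addresses an AV auto-responder would bounce 'alerts' to."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg["From"].addresses[0].addr_spec, msg["Return-Path"].strip("<>")
```

Neither address returned by naive_reply_targets belongs to the host that actually delivered the message, which is why such auto-replies land on bystanders.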

