Message-ID: <40181464.11202.9289ABC4@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: From field spoofing and AV responses

"Johnson, April" <apjohnson@...ttleschools.org> wrote:

> How hard would it be to have the AV software actually check the source
> email smtp host, and send an email to abuse@....com for the *actual*
> offending smtp server?

Probably not terribly...

Of course, you immediately turn any massively fast, widespread infection
scenario (as we just saw with Mydoom) into a massive DoS against nearly
every abuse address on the planet...

> The from field is almost worthless at this point. But the header is
> more reliable. ...

Huh???

By "header" I presume you mean what is more conventionally referred to as
"the SMTP envelope FROM address" (or similar -- the argument to the SMTP
"MAIL FROM:" command).

> ... Yes, it *can* be spoofed, but it's significantly more
> difficult.

What are you smoking?

Virtually all mass-mailers with their own SMTP engines spoof this
"information". If by "significantly harder" you mean it takes a few more
lines of code to randomly pick or generate an address to use for that
argument instead of using an address that can be got from a few
RegQueryValue calls and the like, you are trivially correct, but I'd say
you also greatly underestimate the typical virus writer.

> I'm nearly buried in false 'AV' responses - and worse, the users that
> get them are terrified because they think they've 'become infected'. I
> don't mind the user being wary, but the level of fear and anxiety over a
> false notice is becoming unworkable.

This is, indeed, a huge problem with such false "warnings" and something
THE AV industry is well aware of. That it does not fix this by the simple
expedient of all AV developers agreeing between themselves to remove the
ability to send all such "alerts" suggests that it sees the FUD value of
keeping them as worthwhile...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
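The thread's question of locating the "actual offending smtp server" from a message's headers, as an added example (not code from the post or from any AV product): a Python routine that walks the Received chain from our own MX down to the first external peer, treating everything below that hop, the header From and the envelope Return-Path as sender-supplied and therefore forgeable. The TRUSTED_MX hostnames, the INTERNAL_NETS ranges and the sample message are all constructed assumptions.

```python
import email
import ipaddress
import re

# Assumed (not from the post): our MX hostnames and internal relay ranges.
TRUSTED_MX = {"mx.example.org"}
INTERNAL_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample: From and Return-Path forged; bottom Received forged too.
RAW_MESSAGE = b"""Return-Path: <spoofed-envelope@example.net>
Received: from mx.example.org (localhost [127.0.0.1])
\tby mx.example.org with ESMTP id abc123; Tue, 27 Jan 2004 10:00:00 +0000
Received: from mail.example.net (unknown [203.0.113.45])
\tby mx.example.org with SMTP id def456; Tue, 27 Jan 2004 09:59:58 +0000
Received: from forged.example.com (forged.example.com [198.51.100.9])
\tby mail.example.net; Tue, 27 Jan 2004 09:59:00 +0000
From: "Forged Sender" <victim@example.com>
Subject: test
"""
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE)
IP_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")

def parse_received(value):
    """Pull HELO name, bracketed peer IP and 'by' host from one Received line."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip_m = IP_RE.search(m.group("info") or "")
    return {"helo": m.group("helo"), "by": m.group("by").rstrip(";"),
            "ip": ip_m.group("ip") if ip_m else None}

def originating_relay(raw):
    """Return (header From, envelope From, IP of the host that connected to our MX).
    Received lines are prepended, so ours come first; walk down to the first
    trusted hop whose peer is outside our ranges. Lines below it came from the
    sender and may be fabricated, just like From and Return-Path."""
    msg = email.message_from_bytes(raw)
    header_from, envelope_from = msg["From"], (msg["Return-Path"] or "").strip("<>")
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if not hop or hop["by"].lower() not in TRUSTED_MX or not hop["ip"]:
            continue
        ip = ipaddress.ip_address(hop["ip"])
        if any(ip in net for net in INTERNAL_NETS):
            continue  # handoff between our own hosts; keep walking
        return header_from, envelope_from, str(ip)
    return header_from, envelope_from, None
```

Only the peer IP recorded by a host you control is evidence; the HELO name, the lower Received line and both sender addresses in the sample are chosen by the sending machine.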