lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <20040128004411.88DDC97B44@cpo.tn.tudelft.nl>
From: emvs.fd.3FB4D11C at cpo.tn.tudelft.nl (Erik van Straten)
Subject: From field spoofing and AV responses

Hi April, list,

List: sorry for responding to this OT subject. Just want to prevent
someone from inventing stuff that breaks good things. Though I admit
the basic idea seems fine (as usual, the world isn't that simple).

On Tue, 27 Jan 2004 11:06:34 -0800 April Johnson wrote:
> How hard would it be to have the AV software actually check the source
> email smtp host, and send an email to abuse@....com for the *actual*
> offending smtp server?

Incredibly hard. And if it were easy, it would be a bad idea.

> The from field is almost worthless at this point.  But the header is
> more reliable.  Yes, it *can* be spoofed, but it's significantly more
> difficult.

Header? What header? If you have a local relay (e.g. perimeter MTA)
before a message reaches your mailserver, you may trust locally added
headers and parse Received: lines up to the first external host. But this
is not trivial, and may break with a perimeter MTA software change.

During an SMTP conversation the ONLY thing that is hard to spoof is the
sending IP address. If you've received a virus in the last 24 hours,
that could VERY WELL have been sent to you from 199.201.233.10 (either
directly to your MTA, or to your perimeter MTA, then to you).

Would you like every list member to automatically report the virus to
abuse at [199.201.233.10]?

(my guess is that Len and John had their hands full with trash that was
auto-submitted to full-disclosure-request and full-disclosure-admin,
and stuff sent to the list by unregistered users. Whatever they did,
AFAIK FD kept working flawlessly - good job guys!)

> I'm nearly buried in false 'AV' responses - and worse, the users that
get them are terrified because they think they've 'become infected'.  I
> don't mind the user being wary, but the level of fear and anxiety over a
> false notice is becoming unworkable.

My site is nearly buried in false SPAM responses (mostly bounces)
because spammers are Joe-jobbing my site (not just mine BTW). No AV
will stop this, and it's been going on since June 03. Some bounces do
end up in user mailboxes. These users are not terrified, but they DO
hate the idea that many people are receiving spam that SEEMS to
originate from us/them.

I ask that everyone who has been accused of transmitting viruses
today, thinks about this for a moment. Quite a lot of sites are being
Joe-jobbed (random-name@...e), and some spammers will deliberately
Joe-job existing accounts. Really, you don't want to be the owner of
such an account. Have a look in some spam headers, and try to imagine
it was your site, or worse, your account, they were spoofing.

Please tell everyone you know (in particular Symantec AV/MTA admins
and morons that write "whitelisting request" software) that the From:
header (and envelope MAIL FROM) can be spoofed. Easily. Many viruses
SEEM to have been sent to you by people you know, because you, and
the apparent sender, likely are in someone else's WAB. Spam and recent
viruses usually originate from an IP address that is hardly traceable
by ordinary users.

<definitely OT>
There may be an answer to viruses/spammers spoofing senders (that is,
the site, not the username), called SPF (spf.pobox.com). It only has
one major problem: it will break email forwarding. Currently I am
beginning to think that, in order to save SMTP, losing forwarding may
be acceptable. But this is not an FD topic I guess.
</definitely OT>

P.S. I hope this MyDoom/Novarg bitch is not Yet Another spambot.

Regards,
Erik
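
The two points Erik makes above (only Received: lines added by your own relays can be trusted, so walk them from the top until the first external peer IP; and SPF verifies the envelope sender's domain against that IP, which is exactly why plain forwarding breaks it) as an added worked example in Python. This is not code from the original post or from any of the tools named in it. The relay names and IPs, the sample message headers, the SPF records table standing in for DNS, and the toy SPF evaluator (only ip4/ip6/all mechanisms; no include, a, mx or redirect) are all constructed assumptions for the example.

```python
"""Walk the Received: chain to find the IP that actually connected to one of
our relays, then evaluate a toy SPF record for the envelope sender's domain
against that IP. Added example; names, IPs and records are constructed."""
import email
import ipaddress
import re

# Assumption: the relays we operate, by name (what they write after "by")
# and by IP (what a neighbouring relay of ours records as the peer).
OUR_RELAY_NAMES = {"mail.example.net", "mx1.example.net"}
OUR_RELAY_IPS = {"10.0.0.5", "10.0.0.6"}

# Offline stand-in for DNS TXT lookups (constructed records, not real DNS).
SPF_RECORDS = {"sender.example": "v=spf1 ip4:192.0.2.0/24 -all"}

RECV_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>[\w.\-]+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# Constructed sample: two hops written by our relays, then a forged hop and a
# forged From: that both point at an innocent third party (a Joe-job).
SAMPLE_MESSAGE = "\n".join([
    "Received: from mx1.example.net (mx1.example.net [10.0.0.5])",
    "\tby mail.example.net (Postfix) with ESMTP id 1A2B3C",
    "\tfor <april@example.net>; Wed, 28 Jan 2004 01:00:12 +0100",
    "Received: from pc123.dsl.example (unknown [203.0.113.77])",
    "\tby mx1.example.net (Postfix) with SMTP id 4D5E6F;",
    "\tWed, 28 Jan 2004 01:00:10 +0100",
    "Received: from mail.victim.example (mail.victim.example [198.51.100.9])",
    "\tby relay.victim.example with ESMTP; Wed, 28 Jan 2004 00:59:00 +0100",
    "From: Someone You Know <colleague@victim.example>",
    "Subject: Hi",
    "",
    "see attachment",
])


def connecting_ip(raw_message):
    """Return the peer IP of the first external hop, or None.
    Received: lines are prepended, so index 0 was written by our final MTA.
    A line is trusted only while every hop above it was received from one of
    OUR_RELAY_IPS; the first peer that is not ours is the real sender, and
    everything it supplied below that point (including From:) may be forged."""
    msg = email.message_from_string(raw_message)
    for hop in msg.get_all("Received", []):
        m = RECV_RE.match(" ".join(hop.split()))   # unfold continuation lines
        if not m or m.group("by").lower() not in OUR_RELAY_NAMES:
            return None                             # not written by us: stop
        peer = IP_RE.search(m.group("paren") or "")
        if peer is None:
            return None                             # our relay logged no IP
        ip = str(ipaddress.ip_address(peer.group(1)))
        if ip not in OUR_RELAY_IPS:
            return ip                               # first external peer
    return None


def naive_origin_ip(raw_message):
    """What an 'AV response' that reads the *bottom* Received: line would
    report: the forged hop, i.e. the Joe-jobbed victim."""
    hops = email.message_from_string(raw_message).get_all("Received", [])
    peer = IP_RE.search(" ".join(hops[-1].split())) if hops else None
    return peer.group(1) if peer else None


def spf_check(mail_from_domain, ip):
    """Toy SPF evaluation over SPF_RECORDS: ip4/ip6/all with qualifiers only.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record)."""
    record = SPF_RECORDS.get(mail_from_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        mech = mech.lower()
        if mech == "all":
            return results[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return results[qualifier]
    return "neutral"


def forwarding_breaks_spf():
    """Same envelope sender, two delivery paths: direct from sender.example's
    own MTA (192.0.2.10) passes; forwarded by a third party (198.51.100.9)
    that keeps MAIL FROM unchanged fails, which is the forwarding problem."""
    return spf_check("sender.example", "192.0.2.10"), spf_check("sender.example", "198.51.100.9")


if __name__ == "__main__":
    print("real connecting IP :", connecting_ip(SAMPLE_MESSAGE))
    print("bottom-line IP     :", naive_origin_ip(SAMPLE_MESSAGE))
    print("direct / forwarded :", forwarding_breaks_spf())
```

Run it and the trusted walk reports 203.0.113.77 (the host that spoke SMTP to mx1), while the naive bottom-line reading reports 198.51.100.9, the forged hop that matches the forged From:; an auto-reporter built on the latter sends its complaints to the Joe-job victim. The SPF half shows the same envelope sender passing when delivered directly and failing when a forwarder re-sends it from its own IP.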

