Message-ID: <20040208010715.TYAF189272.fep03-mail.bloor.is.net.cable.rogers.com@BillDell>
From: full-disclosure at royds.net (Bill Royds)
Subject: Re: Why are postmasters distributing the MyDoom virus?

The problem is not just AV systems sending out warnings which is
unnecessary. It is the fact that many viruses also forge the to addresses as
well as the from addresses. The normal MTA response to a non-existent
address is to send a Non-delivery reply back to the from address containing
the original message as an attachment. These go to the spoofed from address
of the original message, adding another transmission vector for the virus, with
even better "social engineering" to persuade someone to open it. Since some
AV systems scan direct attachments, but not attachments within attachments,
it even provides a greater possibility of passing through an anti-virus
gateway than the original message.
P.S. The correct plural of virus is viruses. The original Latin word
virus had no plural. The word virii is the plural of the word vir which
means man.

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
gadgeteer@...gantinnovations.org
Sent: February 7, 2004 4:34 PM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Re: Why are postmasters distributing the MyDoom
virus?

On Sat, Feb 07, 2004 at 02:15:43PM -0500, Richard M. Smith
(rms@...puterbytesman.com) wrote:
> Perhaps these postmasters need to review
> their bounce message policies and remove all attached files from messages
> being bounced.

Since it is well known that virii forge From headers the better policy
adjustment would be to NOT bounce virii messages at all.  The Anti-Virus
companies are certainly well aware of it as it is a characteristic
described in their alerts.

Many of these bounces triggered by virii are nothing less than a spam
opportunity for the A-V software company.  There is no "opt-out"
from these spam messages.  This would seem to be a clear violation of
CAN-SPAM.

Some sites have implemented various schemes to reject virii at the SMTP
level.  See NANOG mail archives for recent threads dealing with this and
related topics.
-- 
Chief Gadgeteer
Elegant Innovations

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
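The two points the thread makes, as an added example that is not part of either post: an NDR that attaches the whole original message re-delivers the payload to the forged From: address, a scanner that only inspects direct attachments sees nothing to block there, and a bounce that returns only the original headers carries nothing at all. All addresses, filenames and attachment bytes are constructed placeholders.

```python
"""Constructed bounce messages, built with the standard email library, showing
why a full-copy NDR is a second delivery vector and why nested parts matter."""
from email.message import EmailMessage
from email.policy import default


def constructed_incoming():
    """A message with forged From:/To: and an attached file (placeholder bytes)."""
    m = EmailMessage(policy=default)
    m["From"] = "innocent@example.org"      # forged; not the real sender
    m["To"] = "nobody-here@example.net"     # non-existent, so the MTA bounces
    m["Subject"] = "hello"
    m.set_content("see attachment")
    m.add_attachment(b"MZ placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="document.pif")
    return m


def full_copy_bounce(original):
    """The behaviour the thread describes: wrap the entire original message,
    attachment included, into the NDR and send it back to the forged From:."""
    ndr = EmailMessage(policy=default)
    ndr["From"] = "MAILER-DAEMON@example.net"
    ndr["To"] = original["From"]
    ndr["Subject"] = "Undelivered Mail Returned to Sender"
    ndr.set_content("Delivery failed: user unknown.")
    ndr.add_attachment(original)            # becomes a message/rfc822 part
    return ndr


def headers_only_bounce(original):
    """The alternative suggested in the thread: return only the original
    headers (text/rfc822-headers), never the original body or attachments."""
    ndr = EmailMessage(policy=default)
    ndr["From"] = "MAILER-DAEMON@example.net"
    ndr["To"] = original["From"]
    ndr["Subject"] = "Undelivered Mail Returned to Sender"
    ndr.set_content("Delivery failed: user unknown. Original headers follow.")
    ndr.add_attachment("".join(f"{k}: {v}\n" for k, v in original.items()),
                       subtype="rfc822-headers")
    return ndr


def top_level_attachments(msg):
    """Scanner that checks only direct attachments: the message/rfc822 part
    has no filename, so the nested .pif is never seen."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def all_attachments(msg):
    """Scanner that walks every nested part, descending into message/rfc822."""
    return [p.get_filename() for p in msg.walk()
            if p.get_content_disposition() == "attachment" and p.get_filename()]
```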