lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <404798B2.27807.49F9B8C@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: E-mail spoofing countermeasures (Was: Backdoor
 not recognized by Kaspersky)

"Bill Royds" <broyds@...ers.com> wrote:

<<snippage>>
>   Using authenticated SMTP, this would still allow a different return
> address in headers since envelope from would be user who authenticated to
> SMTP server. But it  would prevent spoofed email (although spam would still
> arrive, it could be tied to actual sender, allowing things like CAN-SPAM to
> work).

Wrong.  It would, at best, identify the sending _machine_, not the 
"actual sender".

There is far too much prior art in the Windows malware armory to not be 
aware of how easily an agent program on a "compromised" Windows box can 
steal whatever configuration and authentication data it may need to 
"properly" send mail "just like" the user's preferred MUA.  Just 
because, of late, spam and mass-mailing viruses have used randomized 
From: and SMTP envelope FROM addresses does not mean thay have to 
continue to do so, nor that not doing so will necessarily be less 
effective for them...

These are important considerations to not overlook despite the fact 
that the SPF, etc pushers make a habit of ignoring such.  Further, 
several IRC bot-nets in tens-of-thousands of active bots size range 
have already been found and there are probably several million such 
compromised mnachiens out there waiting for the fateful order to "wake 
up" and answer the call of their "master".

SMTP "sender authentication" is a far less trivial problem to solve 
that the SPF, aller-ID, etc folk would have you believe (and, of 
course, they don't like us pointing out that their preferred 
"solutions" are already doomed to failure).


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854


Powered by blists - more mailing lists