Bugtraq mailing list archives

RE: On the ultimate futility of server-based mail scanning


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Tue, 5 Mar 2002 21:30:58 -0500

No security system works 100% of the time.  However server-based
scanning of email attachments probably works better than many other
options like relying on end-users to not run unsafe attachments.  I vote
that we keep it.

Richard

-----Original Message-----
From: David F. Skoll [mailto:dfs () roaringpenguin com] 
Sent: Monday, March 04, 2002 5:07 PM
To: bugtraq () securityfocus com
Subject: On the ultimate futility of server-based mail scanning


Several postings on Bugtraq recently talked about DoS attacks against
server-based mail-scanners.  Compress four gigabytes of zeros and
debilitate mail scanners which uncompress .gz files, for example.

Several mail scanners try to be clever and examine .zip files, .tar.gz
files, .arc files, etc. to look inside for viruses.

This is ultimately futile.

I gave one scenario:

(cat small_x86_jmp_code; \
 dd if=/dev/zero bs=1k count=400k; \
 cat virus_payload) | gzip > virus.attach.gz

This DoS's virus-scanners which do not limit scanning-size, and sneaks
past those which do.

There's an even better method, and one which is very amenable to
social-engineering:

"HEY!  NUDE pictures of Pamela Anderson in the attachment nudie.zip.
Just unzip and then run pam.exe.  Oh, heh, heh, heh -- to keep your
boss from seeing this, we've password-protected the zip file.  The
unzip password is z3kr3t.  Enjoy!"

Zip encryption is pathetic.  But I don't think anyone's seriously
suggesting server-based scanners should brute-force encrypted zip files
to check for viruses, or perform AI analysis of messages to extract
passwords.

Ultimately, the responsibility falls on the MUA and the end-user's OS
vendor.  We either put secure end-user software onto the desktop, or we
admit defeat.

--
David F. Skoll

Roaring Penguin Software Inc. | http://www.roaringpenguin.com
GPG fingerprint: C523 771C 3710 0F54 B2D2 4B0D C6EF 6991 34AB 95BA
GPG public key: http://www.roaringpenguin.com/dskoll-key-2002.txt ID: 34AB95BA
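A gateway-side check in the spirit of both points in the quoted post, added here as an example and not part of either message: a gzip reader that stops inflating at a byte cap or at an implausible compression ratio (so a stream of compressed zeros costs bounded CPU and memory), and a zip inspection that reports encrypted members for policy handling instead of trying to guess passwords. The limit values are assumptions for illustration and use only the Python standard library.

```python
import gzip
import io
import zipfile

# Policy limits; these values are assumptions for this example, tune per site.
MAX_INFLATED_BYTES = 2 * 1024 * 1024   # stop inflating past 2 MiB
MAX_RATIO = 100                         # inflated:compressed above this is a bomb
RATIO_FLOOR = 256 * 1024                # ratio rule only applies past this size
CHUNK = 64 * 1024


def inflate_bounded(gz: bytes) -> tuple[str, int]:
    """Inflate a gzip attachment CHUNK bytes at a time.

    Returns (verdict, bytes_inflated) with verdict 'ok', 'too-large' or
    'bomb'. Only CHUNK bytes of output are ever held in memory, and the
    ratio rule catches a small bomb that stays under the byte cap."""
    total = 0
    with gzip.GzipFile(fileobj=io.BytesIO(gz)) as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return "ok", total
            total += len(chunk)
            if total > MAX_INFLATED_BYTES:
                return "too-large", total
            if total > RATIO_FLOOR and total > MAX_RATIO * len(gz):
                return "bomb", total


def inspect_zip(zip_bytes: bytes) -> dict:
    """Read only the zip central directory, inflating nothing.

    Encrypted members cannot be scanned at the gateway, so they are
    reported for policy (quarantine or strip) rather than brute-forced.
    Declared sizes flag a bomb before inflation; a hostile directory can
    lie, so any member that is inflated still needs a bounded reader."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        infos = z.infolist()
    encrypted = [i.filename for i in infos if i.flag_bits & 0x1]
    declared = sum(i.file_size for i in infos)
    packed = max(sum(i.compress_size for i in infos), 1)
    return {
        "members": [i.filename for i in infos],
        "encrypted": encrypted,
        "declared_size": declared,
        "bomb_suspect": declared > MAX_INFLATED_BYTES
        or (declared > RATIO_FLOOR and declared > MAX_RATIO * packed),
    }
```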


