Bugtraq mailing list archives

Re: Is predictable spam filtering a vulnerability?


From: Gadi Evron <ge () linuxbox org>
Date: Thu, 17 Jun 2004 20:55:38 +0200

R Armiento wrote:

> During a recent email conversation with several participants, we discovered that the email service of one participant
> silently dropped legitimate emails that happened to contain certain combinations of words common in spam. I believe
> this sort of filter is common practice, and in fact even in place for some of my own email addresses.
>
> However, this experience made me think: isn't predictable spam filtering in general a vulnerability that could be used as a hoax device? Since most users reply to an email citing the complete source email, including filter-offending words, it should be possible to keep a reply, forward, or even a whole thread, under the radar of specific recipients. If used in combination with forged replies from addresses predictably dropping emails, I think this may be a dangerous tool for social engineering.

Generally, the word 'vulnerability' is attributed to an actual flaw in code. Me? I believe that if software fails to do its job due to missing a feature or a feature not working correctly, it is indeed a vulnerability, a weakness, or whatever other name you'd like to call it.

Using the word 'vulnerability' for it might not be the best of choices, but it fits.

On the other hand, security products have to keep up with an evolving world. New attacks and ways of circumventing detection show up daily, and products update themselves accordingly. Is it being outdated or vulnerable for a product to act as you describe?

Maybe there is a time-issue on if and when the product gets updates, or perhaps even if new blocks are required and old products can't be expected to keep up.

Me? I believe that if a product does not keep up-to-date for doing what it claims to do, it is useless. Not vulnerable.

Another good example is virus scanners which do not support unpacking of different PE packers, when nowadays malware gets released and re-released simply re-packed with a different packer, making it undetectable to about half of the current top products. Sometimes getting a new name while at it for the media to chew on.

A poor choice of wording or plain exaggerations? I suppose that with missing definitions each person would have to decide for him/herself. Calling it a vulnerability is fine... but don't complain about the stoning later. :) I didn't.

        Gadi Evron.
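The failure mode R Armiento describes (a legitimate reply silently dropped because the quoted original contains filter-offending words) and one mitigation, as an added example that is not part of the thread or of any product discussed in it. Everything here is constructed: the trigger-word group, the two sample messages, and the two filter functions are assumptions made for illustration, not a real filter's rule set. The naive filter scans the whole body and drops on a hit; the hardened one scores only the sender's own text and quarantines instead of dropping, so a held message is visible to the recipient rather than lost.

```python
import re
from email import message_from_string

# Constructed trigger rule: a message is flagged when ALL words of a group
# appear in the text. Real filters carry far larger rule sets; this one exists
# only to show the quoting problem.
TRIGGER_GROUPS = [
    {"free", "winner", "claim"},
]

QUOTE_LINE = re.compile(r"^\s*>")        # classic '>' quoting
ATTRIBUTION = re.compile(r"^.*wrote:\s*$")  # "X wrote:" line introducing a quote


def strip_quoted(body: str) -> str:
    """Return only the lines the sender wrote themselves: quoted lines and the
    attribution line are removed."""
    kept = []
    for line in body.splitlines():
        if QUOTE_LINE.match(line) or ATTRIBUTION.match(line):
            continue
        kept.append(line)
    return "\n".join(kept)


def matches_trigger(text: str) -> bool:
    """True when every word of some trigger group appears in the text."""
    words = set(re.findall(r"[a-z']+", text.lower()))
    return any(group <= words for group in TRIGGER_GROUPS)


def naive_verdict(raw: str) -> str:
    """Filter as described in the thread: scan the whole body, including
    quoted text, and silently drop on a hit (no bounce, no notice)."""
    msg = message_from_string(raw)
    return "drop" if matches_trigger(msg.get_payload()) else "deliver"


def hardened_verdict(raw: str) -> str:
    """Score only the sender's new text, and quarantine rather than drop, so
    the recipient can still see what was held and why."""
    msg = message_from_string(raw)
    new_text = strip_quoted(msg.get_payload())
    return "quarantine" if matches_trigger(new_text) else "deliver"


# Constructed sample messages (addresses use the reserved .invalid TLD).
SPAMMY = """From: promo@example.invalid
To: alice@example.invalid
Subject: You are a winner

Claim your free prize now, winner!
"""

LEGIT_REPLY = """From: bob@example.invalid
To: alice@example.invalid
Subject: Re: Quarterly report

Alice, the numbers in section 3 look right to me, let's ship it.

alice@example.invalid wrote:
> Did that "winner" mail reach you too? Claim your free prize, they say.
> Anyway, can you check section 3 of the report before Friday?
"""


if __name__ == "__main__":
    for name, raw in (("spam", SPAMMY), ("legit reply", LEGIT_REPLY)):
        print(f"{name:12s} naive={naive_verdict(raw):10s} "
              f"hardened={hardened_verdict(raw)}")
```

The naive filter drops both messages, which is exactly the silent loss the thread complains about; the hardened one delivers the reply and quarantines the spam. Ignoring quoted lines is a trade-off, not a complete answer: a sender can just as easily place unwanted content inside quoted lines, so a production filter would weight quoted text lower rather than discard it, and in any case the part that addresses the complaint is the quarantine-with-notification instead of the silent drop.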

