Full Disclosure mailing list archives
Re: From field spoofing and AV responses
From: "Erik van Straten" <emvs.fd.3FB4D11C () cpo tn tudelft nl>
Date: Wed, 28 Jan 2004 01:44:10 +0100
Hi April, list,

List: sorry for responding to this OT subject. Just want to prevent someone from inventing stuff that breaks good things. Though I admit the basic idea seems fine (as usual, the world isn't that simple).

On Tue, 27 Jan 2004 11:06:34 -0800 April Johnson wrote:
How hard would it be to have the AV software actually check the source email smtp host, and send an email to abuse () xyz com for the *actual* offending smtp server?
Incredibly hard. And if it were easy, it would be a bad idea.
The from field is almost worthless at this point. But the header is more reliable. Yes, it *can* be spoofed, but it's significantly more difficult.
Header? What header? If you have a local relay (e.g. perimeter MTA) before a message reaches your mailserver, you may trust locally added headers and parse Received: lines up to the first external host. But this is not trivial, and may break with a perimeter MTA software change. During an SMTP conversation the ONLY thing that is hard to spoof is the sending IP-address.

If you've received a virus in the last 24 hours, that could VERY WELL have been sent to you from 199.201.233.10 (either directly to your MTA, or to your perimeter MTA, then to you). Would you like every list member to automatically report the virus to abuse at [199.201.233.10]?

(My guess is that Len and John had their hands full with trash that was auto-submitted to full-disclosure-request and full-disclosure-admin, and stuff sent to the list by unregistered users. Whatever they did, AFAIK FD kept working flawlessly - good job guys!)
I'm nearly buried in false 'AV' responses - and worse, the users that get them are terrified because they think they've 'become infected'. I don't mind the user being wary, but the level of fear and anxiety over a false notice is becoming unworkable.
My site is nearly buried in false SPAM responses (mostly bounces) because spammers are Joe-jobbing my site (not just mine BTW). No AV will stop this, and it's been going on since June 03. Some bounces do end up in user mailboxes. These users are not terrified, but they DO hate the idea that many people are receiving spam that SEEMS to originate from us/them.

I ask that everyone who has been accused of transmitting viruses today think about this for a moment. Quite a lot of sites are being Joe-jobbed (random-name@site), and some spammers will deliberately Joe-job existing accounts. Really, you don't want to be the owner of such an account. Have a look in some spam headers, and try to imagine it was your site, or worse, your account, they were spoofing.

Please tell everyone you know (in particular Symantec AV/MTA admins and morons that write "whitelisting request" software) that the From: header (and envelope MAIL FROM) can be spoofed. Easily. Many viruses SEEM to have been sent to you by people you know, because you, and the apparent sender, likely are in someone else's WAB. Spam and recent viruses usually originate from an IP-address that is hardly traceable by ordinary users.

<definitely OT> There may be an answer to viruses/spammers spoofing senders (that is, the site, not the username), called SPF (spf.pobox.com). It only has one major problem: it will break email forwarding. Currently I am beginning to think that, in order to save SMTP, losing forwarding may be acceptable. But this is not an FD topic I guess. </definitely OT>

P.S. I hope this MyDoom/Novarg bitch is not Yet Another spambot.

Regards,
Erik

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
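As an added illustration of the Received:-walking approach Erik describes (example code, not from the post): walk the Received: headers newest-first, skip the hops added by your own relays, and stop at the first connecting IP that is not yours. Everything below that hop was added by an outside party and may be forged, as may the From: header. It assumes the site's own MTAs live in 192.0.2.0/24 (a documentation range standing in for the real one); the sample message is constructed.

```python
import email
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the message crossed an internal MTA and a perimeter MTA
# (both in 192.0.2.0/24, our assumed address space) after arriving from an
# outside relay. The From: line names someone the recipient knows, as the
# post describes, but tells us nothing about where the message came from.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.example.org (Postfix) with ESMTP id 1A2B3C
\tfor <user@example.org>; Wed, 28 Jan 2004 01:00:02 +0100
Received: from relay.example.net (unknown [203.0.113.77])
\tby mx.example.org (Postfix) with SMTP id 4D5E6F
\tfor <user@example.org>; Wed, 28 Jan 2004 00:59:58 +0100
Received: from friend-pc ([10.0.0.5])
\tby relay.example.net with ESMTP; Wed, 28 Jan 2004 00:58:30 +0100
From: "Someone You Know" <friend@example.com>
To: user@example.org
Subject: test

body
"""

# Networks whose Received: lines we trust because our own MTAs wrote them.
TRUSTED_NETS = [ip_network("192.0.2.0/24")]   # assumption for this example
# The connecting client's address, as the receiving MTA recorded it in brackets.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def first_external_ip(raw: str):
    """Return the first connecting IP not belonging to our own relays.

    Received: headers are prepended, so the newest (topmost) ones are ours.
    Returns None if the chain cannot be parsed or never leaves our relays:
    in that case there is nothing safe to report, so don't guess.
    """
    msg = email.message_from_string(raw)
    for hdr in msg.get_all("Received", []):
        match = IP_RE.search(hdr)
        if not match:
            return None   # a hop we cannot parse (e.g. after an MTA change)
        ip = ip_address(match.group(1))
        if not any(ip in net for net in TRUSTED_NETS):
            return str(ip)   # first hop outside our control: stop here
    return None


if __name__ == "__main__":
    print(first_external_ip(SAMPLE_MESSAGE))   # 203.0.113.77, not friend-pc
```

Note that 10.0.0.5 in the bottom Received: line is never reached: that line was written by the outside relay and could say anything.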