Full Disclosure mailing list archives
Re: From field spoofing and AV responses
From: Michael Renzmann <security () dylanic de>
Date: Wed, 28 Jan 2004 05:52:23 +0100
Hi.

Another OT thread, so I'll keep it short.

Erik van Straten wrote:
> > How hard would it be to have the AV software actually check the source email smtp host, and send an email to abuse () xyz com for the *actual* offending smtp server?
>
> Incredibly hard.
Yep. Mostly because of the fact that these types of worms use their own local SMTP engine. So, what you'll likely see is that the originating SMTP server IP is within the Dial-Up-Pool of your favorite ISP.
Autoresponding AV software is a bad idea in times of from-address-spoofing. Personally, I'd vote for throwing every false "Watch, I caught a virus that YOU sent to me" auto-response towards the company that thought auto-responding would be a great idea. Maybe that would make them start thinking it over again...
Bye, Mike

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html