Full Disclosure mailing list archives
Re: From field spoofing and AV responses
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 28 Jan 2004 19:58:28 +1300
"Johnson, April" <apjohnson () seattleschools org> wrote:

> How hard would it be to have the AV software actually check the source email smtp host, and send an email to abuse () xyz com for the *actual* offending smtp server?

Probably not terribly... Of course, you immediately turn any massively fast, widespread infection scenario (as we just saw with Mydoom) into a massive DoS against nearly every abuse address on the planet...

> The from field is almost worthless at this point. But the header is more reliable. ...

Huh??? By "header" I presume you mean what is more conventionally referred to as "the SMTP envelope FROM address" (or similar -- the argument to the SMTP "MAIL FROM:" command).

> ... Yes, it *can* be spoofed, but it's significantly more difficult.

What are you smoking? Virtually all mass-mailers with their own SMTP engines spoof this "information". If by "significantly harder" you mean it takes a few more lines of code to randomly pick or generate an address to use for that argument instead of using an address that can be got from a few RegQueryValue calls and the like, you are trivially correct, but I'd say you also greatly underestimate the typical virus writer.

> I'm nearly buried in false 'AV' responses - and worse, the users that get them are terrified because they think they've 'become infected'. I don't mind the user being wary, but the level of fear and anxiety over a false notice is becoming unworkable.

This is, indeed, a huge problem with such false "warnings" and something THE AV industry is well aware of. That it does not fix this by the simple expedient of all AV developers agreeing between themselves to remove the ability to send all such "alerts" suggests that it sees the FUD value of keeping them as worthwhile...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
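The distinction the reply turns on (the "From:" header versus the SMTP envelope sender, both chosen freely by whoever sends the message, versus the connecting IP that the receiving MTA observed itself) is easy to see in code. The following is an added example, not code from the thread or from any AV product: it parses a constructed message as a receiving gateway would store it, separates the three values, and applies the policy the thread argues for: no automatic "you are infected" reply to either claimed sender, and at most one rate-limited abuse report keyed on the IP the gateway actually talked to. The hostname `mx.receiver.example`, the sample addresses and the IP are assumptions made up for the example.

```python
"""Added example (not from the Full-Disclosure thread): show that the
RFC 5322 "From:" header, the SMTP envelope sender (stored by the
receiving MTA as "Return-Path:") and the connecting client IP are
independent values, and apply a gateway policy that does not auto-reply
to malware-bearing mail."""

import re
from collections import defaultdict
from email import policy
from email.parser import BytesParser

# Assumption: the hostname our own MTA writes into the Received: line it adds.
OUR_MTA = "mx.receiver.example"

# Constructed sample message: what a receiving MTA might store after accepting
# a mass-mailer's output. Every name, address and IP here is made up.
RAW_MESSAGE = b"""Return-Path: <someone@victim.example>
Received: from mail.victim.example (unknown [203.0.113.45])
\tby mx.receiver.example (Postfix) with SMTP id ABC123
\tfor <user@receiver.example>; Wed, 28 Jan 2004 10:00:00 +1300
From: "Alice" <alice@other.example>
To: user@receiver.example
Subject: hi
Content-Type: text/plain

see attachment
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg, our_host=OUR_MTA):
    """IP of the SMTP client that delivered the message to *our* MTA.

    Only the Received: line our own server added can be trusted; any
    Received: lines below it arrived inside the message and may be forged.
    """
    for received in msg.get_all("Received", []):
        if f"by {our_host}" in received:
            match = IP_IN_BRACKETS.search(received)
            return match.group(1) if match else None
    return None


def parse_senders(raw):
    """Return the three sender-related values a gateway can see."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return_path = msg.get("Return-Path")
    return {
        # Header From: free text chosen by the sending software.
        "header_from": msg["From"].addresses[0].addr_spec if msg["From"] else None,
        # Envelope From (MAIL FROM:), equally free text, recorded as Return-Path.
        "envelope_from": return_path.strip().strip("<>") if return_path else None,
        # The one thing the gateway observed directly.
        "connecting_ip": connecting_ip(msg),
    }


class AbuseReportLimiter:
    """Cap abuse reports per connecting IP so that an outbreak does not turn
    the gateway into a flood generator (the DoS concern raised in the thread)."""

    def __init__(self, max_per_ip=1):
        self.max_per_ip = max_per_ip
        self.sent = defaultdict(int)

    def allow(self, ip):
        if ip is None or self.sent[ip] >= self.max_per_ip:
            return False
        self.sent[ip] += 1
        return True


def gateway_action(senders, malware_detected, limiter):
    """Decide what the gateway does with a message.

    Clean mail is delivered. For malware, neither the header From nor the
    envelope From is replied to (both are attacker-chosen); at most one
    rate-limited report is filed against the IP we actually talked to,
    and the message is dropped either way.
    """
    if not malware_detected:
        return "deliver"
    if limiter.allow(senders["connecting_ip"]):
        return "drop+report"
    return "drop"


if __name__ == "__main__":
    seen = parse_senders(RAW_MESSAGE)
    limiter = AbuseReportLimiter(max_per_ip=1)
    print(seen)
    print(gateway_action(seen, malware_detected=True, limiter=limiter))
    print(gateway_action(seen, malware_detected=True, limiter=limiter))
```

Running the block prints the three distinct sender values, then `drop+report` for the first malware verdict from that IP and plain `drop` for the next, so a Mydoom-scale burst from one host produces one report rather than one per message.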