Full Disclosure mailing list archives

Re: From field spoofing and AV responses


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 28 Jan 2004 19:58:28 +1300

"Johnson, April" <apjohnson () seattleschools org> wrote:

> How hard would it be to have the AV software actually check the source
> email smtp host, and send an email to abuse () xyz com for the *actual*
> offending smtp server?

Probably not terribly...

Of course, you immediately turn any massively fast, widespread 
infection scenario (as we just saw with Mydoom) into a massive DoS 
against nearly every abuse address on the planet...

> The from field is almost worthless at this point.  But the header is
> more reliable.  ...

Huh???

By "header" I presume you mean what is more conventionally referred to 
as "the SMTP envelope FROM address" (or similar -- the argument to the 
SMTP "MAIL FROM:" command).

> ...  Yes, it *can* be spoofed, but it's significantly more
> difficult.

What are you smoking?

Virtually all mass-mailers with their own SMTP engines spoof this 
"information".  If by "significantly harder" you mean it takes a few 
more lines of code to randomly pick or generate an address to use for 
that argument instead of using an address that can be got from a few 
RegQueryValue calls and the like, you are trivially correct, but I'd 
say you also greatly underestimate the typical virus writer.

> I'm nearly buried in false 'AV' responses - and worse, the users that
> get them are terrified because they think they've  'become infected'.  I
> don't mind the user being wary, but the level of fear and anxiety over a
> false notice is becoming unworkable.

This is, indeed, a huge problem with such false "warnings" and 
something THE AV industry is well aware of.  That it does not fix this 
by the simple expedient of all AV developers agreeing between 
themselves to remove the ability to send all such "alerts" suggests 
that it sees the FUD value of keeping them as worthwhile...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
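Neither the From line nor the envelope sender dismissed above can identify the "actual offending smtp server" the quoted question asks about; the only datum a receiving site can trust is the Received line its own MTA wrote, which records the IP that connected. The following is an added example, not code from the post or from any AV product: it extracts that peer address while ignoring the spoofable headers, and counts what an outbreak of identical messages would do to an automatic abuse notifier (the MTA name mail.our-site.example, the headers and the per-peer cap are all constructed assumptions).

```python
import re
from collections import defaultdict
from typing import Optional

# Hypothetical name of the MTA we operate; only its own Received line is trusted.
OUR_MTA = "mail.our-site.example"

# Constructed sample: From, Return-Path and the lower Received line all name an
# innocent third party; only the top line (written by OUR_MTA) is trustworthy.
SAMPLE_HEADERS = """\
Received: from mx.relay.example (mx.relay.example [203.0.113.9]) by mail.our-site.example with ESMTP; Wed, 28 Jan 2004 10:00:00 -0800
Received: from innocent.example (innocent.example [198.51.100.4]) by mx.relay.example with SMTP; Wed, 28 Jan 2004 09:59:00 -0800
Return-Path: <someone@innocent.example>
From: "Some User" <someone@innocent.example>
Subject: hi
"""

RECEIVED_RE = re.compile(
    r"^Received: from \S+ \([^\[]*\[(?P<ip>[0-9.]+)\]\) by (?P<by>\S+)")


def connecting_peer(raw_headers: str, our_mta: str = OUR_MTA) -> Optional[str]:
    """IP that actually connected to our MTA, read only from the topmost
    Received line and only if our MTA wrote it. From, Return-Path (the
    envelope sender) and any lower Received lines are supplied by the
    sender, so they are never consulted."""
    for line in raw_headers.splitlines():
        if line.startswith("Received:"):
            m = RECEIVED_RE.match(line)
            if m and m.group("by") == our_mta:
                return m.group("ip")
            return None  # topmost Received is not ours: nothing to trust
    return None


class AbuseNotifier:
    """Counts the abuse notices an outbreak would trigger. The per-peer cap is
    an assumption added here; without it every infected copy becomes a
    notice, which is the amplification the post warns about."""

    def __init__(self, cap_per_peer: int = 1) -> None:
        self.cap = cap_per_peer
        self.per_peer = defaultdict(int)
        self.sent = 0
        self.suppressed = 0

    def consider(self, raw_headers: str) -> bool:
        peer = connecting_peer(raw_headers)
        if peer is None or self.per_peer[peer] >= self.cap:
            self.suppressed += 1
            return False
        self.per_peer[peer] += 1
        self.sent += 1
        return True
```

Feeding a thousand copies of the sample through `AbuseNotifier()` sends one notice and suppresses the rest; with no cap, the same flood would have produced a thousand.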
