Security Basics mailing list archives
RE: Worm.SCO.A (W32/Mydoom@MM)
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Thu, 29 Jan 2004 08:24:43 -0800
From: Crispin.Harris () didata com au [mailto:Crispin.Harris () didata com au]
A useful feature from the AV vendors would be to (in certain circumstances) not generate NDRs. This would need to be administrator configurable.
More than that, there should be a check, even in non-anti-virus software, where the software will check the sending domain against the sending MX to see if the address was not spoofed. This could be just a simple rDNS lookup or something more elaborate (checking to see if the mailbox exists), but blindly sending out NDRs and notifications, no matter what the cause, in this day and age of spam and mass-mailing worms is completely wrong. Personally, my mail spool always has those *useful* NDRs trying to tell the spammers that their mass mail didn't get through.
My suggestion would be that NDRs not be generated for messages that are identified as being created with Virii that always falsify the source address (such as SOBiG, MyDOOM etc.). Generating an NDR in this case is not only useless, but actively detrimental to the performance and stability of the network.
That would be a nice start, but we also need to think down the road. The worms and spam are only getting worse. We need to cover the problem now, and as far down the path as we dare to venture. We can't become part of the problem because we either don't want to change or are living in fear of outdated RFCs. We all agree that security is an evolution, a fluid process of forward progress and innovation. They build a better mouse, we make a better trap. They already have a bigger and better mouse and we still don't have a trap for him.
My 2c.
I ante another $0.02.
Shawn
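The sender-plausibility check proposed in the thread (compare the connecting host against the claimed sender domain's MX records, fall back to an rDNS match, and never bounce known sender-forging malware), written up as an added example that is not part of the original post. DNS is abstracted behind a constructed lookup table so it runs offline; the record values and host names are made up for illustration.

```python
"""Decide whether a bounce (NDR) should be generated, using the checks the thread
proposes. DNS lives behind a small in-memory table (constructed data) so the
example runs offline; a real MTA hook would query a resolver instead."""
from dataclasses import dataclass, field


@dataclass
class FakeDns:
    """Constructed DNS data: MX hosts per domain, A records per host, PTR per IP."""
    mx: dict = field(default_factory=dict)
    a: dict = field(default_factory=dict)
    ptr: dict = field(default_factory=dict)

    def mx_hosts(self, domain): return self.mx.get(domain.lower(), [])
    def addresses(self, host): return self.a.get(host.lower(), [])
    def reverse(self, ip): return self.ptr.get(ip)


def sender_domain(envelope_from):
    """Domain part of the envelope sender, or None for a null/malformed sender."""
    if "@" not in envelope_from:
        return None
    return envelope_from.rsplit("@", 1)[1].lower()


def sender_plausible(envelope_from, client_ip, dns):
    """Return (ok, reason). ok=True means the connecting host is consistent with
    the claimed sender domain, so an NDR is unlikely to be backscatter."""
    domain = sender_domain(envelope_from)
    if not domain:
        return False, "null or malformed envelope sender"
    # Check 1: is the connecting IP one of the domain's MX hosts? This is a
    # heuristic: many domains send outbound mail from hosts other than their MX.
    for host in dns.mx_hosts(domain):
        if client_ip in dns.addresses(host):
            return True, f"client is MX host {host}"
    # Check 2: does the client's reverse DNS name fall under the sender domain?
    name = dns.reverse(client_ip)
    if name and (name.lower() == domain or name.lower().endswith("." + domain)):
        return True, f"rDNS {name} is under {domain}"
    return False, "client is not an MX and rDNS does not match sender domain"


def ndr_decision(envelope_from, client_ip, dns, virus_detected):
    """Policy from the thread: sender-forging worms are never bounced; other
    failures are bounced only when the sender looks plausible. 'suppress' means
    drop the notification (better still, reject during the SMTP session)."""
    if virus_detected:
        return "suppress"
    ok, _ = sender_plausible(envelope_from, client_ip, dns)
    return "bounce" if ok else "suppress"
```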