Security Basics mailing list archives

RE: Worm.SCO.A (W32/Mydoom@MM)


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Thu, 29 Jan 2004 08:24:43 -0800

From: Crispin.Harris () didata com au
[mailto:Crispin.Harris () didata com au]

A useful feature from the AV vendors would be to (in certain circumstances) not generate NDRs. This would need to be administrator configurable.

More than that, there should be a check, even in non-anti-virus software, where the software will check the sending domain against the sending MX to see if the address was not spoofed. This could be just a simple rDNS lookup or something more elaborate (checking to see if the mailbox exists), but blindly sending out NDRs and notifications, no matter what the cause, in this day and age of spam and mass-mailing worms is completely wrong. Personally, my mail spool always has those *useful* NDRs trying to tell the spammers that their mass mail didn't get through.

My suggestion would be that NDRs not be generated for messages that are identified as being created with Virii that always falsify the source address (such as SOBiG, MyDOOM etc.). Generating an NDR in this case is not only useless, but actively detrimental to the performance and stability of the network.

That would be a nice start, but we also need to think down the road. The worms and spam are only getting worse. We need to cover the problem now, and as far down the path as we dare to venture. We can't become part of the problem because we either don't want to change or are living in fear of outdated RFCs. We all agree that security is an evolution, a fluid process of forward progress and innovation. They build a better mouse, we make a better trap. They already have a bigger and better mouse and we still don't have a trap for him.

My 2c. 

I ante another $0.02.

Shawn
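The two bounce-suppression rules discussed in this thread (no NDR for messages the AV engine attributes to a source-forging worm, and an MX/rDNS consistency check on the sending host before any NDR goes out) as an added example; this is illustrative code, not from the list post or any product. The DNS records, addresses and the `Message`/`should_send_ndr` names are constructed for the example.

```python
# Added example: backscatter-suppression policy for an MTA/AV gateway.
# All DNS data is a constructed in-memory table so the code runs offline.
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed DNS view: domain -> MX hosts, host -> A record, IP -> PTR name.
MX_RECORDS = {
    "example.org": ["mail.example.org"],
    "example.net": ["mx1.example.net", "mx2.example.net"],
}
A_RECORDS = {"mail.example.org": "192.0.2.10",
             "mx1.example.net": "198.51.100.5",
             "mx2.example.net": "198.51.100.6"}
PTR_RECORDS = {"192.0.2.10": "mail.example.org",
               "198.51.100.5": "mx1.example.net",
               "203.0.113.77": "dsl-77.isp.example"}

# Worm families named in the thread that always forge the sender address.
SPOOFING_FAMILIES = {"mydoom", "sobig"}

@dataclass
class Message:
    envelope_from: str                 # MAIL FROM address as received
    client_ip: str                     # IP of the SMTP client that delivered it
    av_verdict: Optional[str] = None   # AV engine's family name, if infected

def sender_host_matches(domain: str, client_ip: str) -> bool:
    """True if client_ip is one of the domain's MX hosts or its rDNS name lies in the domain."""
    mx_ips = {A_RECORDS.get(h) for h in MX_RECORDS.get(domain, [])}
    if client_ip in mx_ips:
        return True
    ptr = PTR_RECORDS.get(client_ip, "")
    return ptr == domain or ptr.endswith("." + domain)

def should_send_ndr(msg: Message, suppress_for_worms: bool = True) -> Tuple[bool, str]:
    """Return (send_ndr, reason). suppress_for_worms models the administrator switch."""
    family = (msg.av_verdict or "").lower()
    if suppress_for_worms and family in SPOOFING_FAMILIES:
        return False, f"{msg.av_verdict}: source address is forged, NDR would hit an innocent party"
    domain = msg.envelope_from.rsplit("@", 1)[-1].lower()
    if not sender_host_matches(domain, msg.client_ip):
        return False, f"client {msg.client_ip} is not an MX/rDNS host of {domain}; likely spoofed"
    return True, "sender host consistent with claimed domain"
```

The MX/rDNS test is only a heuristic: legitimate mail often leaves a domain from hosts other than its inbound MX, so a failed match should suppress the bounce (or be logged), not cause the message itself to be rejected.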
