On the ultimate futility of server-based mail scanning

["David F. Skoll" <dfs () roaringpenguin com>]

Several postings on Bugtraq recently talked about DoS attacks against
server-based mail-scanners.  Compress four gigabytes of zeros and
debilitate mail scanners which uncompress .gz files, for example.

Several mail scanners try to be clever and examine .zip files, .tar.gz
files, .arc files, etc. to look inside for viruses.

This is ultimately futile.

I gave one scenario:

(cat small_x86_jmp_code; \
 dd if=/dev/zero bs=1k count=400k; \
 cat virus_payload) | gzip > virus.attach.gz

This DoS's virus-scanners which do not limit scanning-size, and sneaks past
those which do.

There's an even better method, and one which is very amenable to
social-engineering:

"HEY!  NUDE pictures of Pamela Anderson in the attachment nudie.zip.  Just
 unzip and then run pam.exe.  Oh, heh, heh, heh -- to keep your boss from
 seeing this, we've password-protected the zip file.  The unzip password
 is z3kr3t.  Enjoy!"

Zip encryption is pathetic.  But I don't think anyone's seriously suggesting
server-based scanners should brute-force encrypted zip files to check for
viruses, or perform AI analysis of messages to extract passwords.

Ultimately, the responsibility falls on the MUA and the end-user's OS
vendor.  We either put secure end-user software onto the desktop, or
we admit defeat.

--
David F. Skoll

Roaring Penguin Software Inc. | http://www.roaringpenguin.com
GPG fingerprint: C523 771C 3710 0F54 B2D2 4B0D C6EF 6991 34AB 95BA
GPG public key:  http://www.roaringpenguin.com/dskoll-key-2002.txt ID: 34AB95BA