Bugtraq mailing list archives

Re: getting rid of outbreaks and spam (junk)


From: James Riden <j.riden () massey ac nz>
Date: Thu, 05 Feb 2004 09:07:24 +1300

Gadi Evron <ge () linuxbox org> writes:

> The AV industry is built on reaction rather than prevention. Adding
> new signatures is still the #1 tool in the fight against malware.

That's why AV must never be used as the first/only line of defence
against malware. The couple of hour window between outbreak and
updated signatures could be enough to do significant damage; think of
Blaster written by a skilled and malicious individual. As you say, AV
falls into the 'detection/response' categories instead of
'prevention'.

> If backbones filtered the top-10 current outbreaks, with non-intrusive
> means such as for example running MD5 checksum checks against
> attachments, or whatever other way - wouldn't it be better? True, it
> may cause a cry of "the government spies on us", but with the current
> economic troubles outbreaks cause, can we really use that excuse
> anymore? Don't the police regulate speeding?

Not my area, but I believe most backbone networks are designed to get
packets from A to B as fast as possible.  Egress filtering at ISPs,
for both spoofed addresses and email-borne viruses would be a start
though.

> Although completely not practical, a way to contact users (or ISPs,
> isn't that how it works?) by IP address would help a lot. But that
> would be circumventing the real problem which is ISPs not doing much
> about ABUSE REPORTS or USER SECURITY.

It would also be good to have ISPs accountable for abuse that
originates in their networks. But does any government department have
the resources to do this, even if appropriate laws are in place?

Several sites providing DNSBLs, and/or providing statistics of proxy
abusers have been taken off the 'net by massive DDoS attacks. The FBI
clearly has authority under the law to go after this kind of thing,
but has done absolutely nothing about it as far as I've heard.

cheers,
 Jamie
(and, yes, everyone should turn off the !@#$ virus notifications already :)
-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.
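The "MD5 checksum checks against attachments" idea that Gadi raises and Jamie replies to, sketched as an added example for this archive page (not code from either poster). The blocklist entry and the sample message are constructed inline so it runs offline; the second check in the usage note shows the caveat Jamie's reply implies, that a hash list only matches the exact bytes it was built from:

```python
"""Hash-based attachment filter: decode each attachment of a message and
compare its MD5 against a list of hashes from current outbreaks.

Added example, not from the original post. KNOWN_BAD_MD5 and the sample
payload are constructed here; a real deployment would feed the list from
the AV/incident-response team.
"""
import email
import email.policy
import hashlib
from email.message import EmailMessage

# Constructed stand-in for a worm executable and its blocklist entry.
SAMPLE_PAYLOAD = b"MZ this is a stand-in for a worm executable\n"
KNOWN_BAD_MD5 = {hashlib.md5(SAMPLE_PAYLOAD).hexdigest()}


def attachment_hashes(raw_message: bytes):
    """Yield (filename, md5, sha256) for every decoded attachment.

    Hash the *decoded* bytes, not the base64 text on the wire: the same
    file re-encoded with different line wrapping would otherwise slip
    past the list.
    """
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if data is None:
            continue
        yield (part.get_filename() or "<unnamed>",
               hashlib.md5(data).hexdigest(),
               hashlib.sha256(data).hexdigest())


def is_blocked(raw_message: bytes, blocklist=KNOWN_BAD_MD5):
    """Return the names of attachments whose MD5 is on the blocklist."""
    return [name for name, md5, _ in attachment_hashes(raw_message)
            if md5 in blocklist]


def build_message(payload: bytes, filename: str) -> bytes:
    """Constructed sample: a one-attachment message as a relay would see it."""
    m = EmailMessage()
    m["From"] = "user@example.test"
    m["To"] = "victim@example.test"
    m["Subject"] = "re: your document"
    m.set_content("see attached")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    # Exact copy of the known sample: caught.
    print(is_blocked(build_message(SAMPLE_PAYLOAD, "doc.pif")))
    # One appended byte: same worm to a human, different MD5, not caught.
    print(is_blocked(build_message(SAMPLE_PAYLOAD + b"\x00", "doc.pif")))
```

The first call returns `['doc.pif']`; the second returns `[]`, which is the limitation of an exact-hash filter: it catches only the bytes it was built from, so it needs the same fast update loop as AV signatures and cannot stand alone as prevention.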