Bugtraq mailing list archives
Re: RFC: virus handling
From: Matthew Dharm <mdharm () one-eyed-alien net>
Date: Tue, 3 Feb 2004 12:55:24 -0800
On Wed, Jan 28, 2004 at 07:24:52PM +0100, Patrick Proniewski wrote:
On 28 janv. 2004, at 16:45, Thomas Zehetbauer wrote:Looking at the current outbreak of the Mydoom.A worm I would like to share and discuss some thoughts:You bring some definitely interesting points here. I agree with your 1) and 2), but 3) rises some technical concern3.1.2.) e-mail Alias and Web-Interface Additionally providers should provide e-mail aliases for the IP addresses of their customers (eg. customer at 127.0.0.1 can be reached via 127.0.0.1 () provider com) or a web interface with similiar functionality. The latter should be provided when dynamically assigned IP addresses are used for which an additional timestamp is required.could be a really good idea, if not so easy to use for spammers or even for virii. The moment you setup such a service, spammers/virus coder will write a script that can reach every single user with an active connexion. It's a really major drawback I think.
Perhaps something with more limited functionality, then? Consider a provider who offers the e-mail address of virusalert () provider com (name it what you will), to which can be fed an e-mail consisting of a single line -- that line is the IP address and a one-word 'name' for the problem. Thus, if I find I'm getting MyDoom.A from 127.2.2.1, I can send a message that will alert _someone_ (who is presumeably not asleep at the controls). It also means that general e-mail cannot be sent via this interface -- no spamming. The provider can take this information, look it up (with the timestamp the e-mail came in at, if necessary for large dynamic pools), and take action (the least of which, I hope, would be to notify the end-user). This could even be done without e-mail at all. A quick HTTP GET/POST could carry this information. Heck, this could run much like ident/auth services to a designated machine (i.e. virusalert.provider.com). Matt -- Matthew Dharm Home: mdharm () one-eyed-alien net Senior Software Designer, Momentum Computer IT KEEPS ASKING ME WHERE I WANT TO GO TODAY! I DONT WANT TO GO ANYWHERE! -- Greg User Friendly, 11/28/97
Attachment:
_bin
Description:
Current thread:
- Re: Hysterical first technical alert from US-CERT, (continued)
- Re: Hysterical first technical alert from US-CERT Valdis . Kletnieks (Feb 04)
- RE: Hysterical first technical alert from US-CERT Larry Seltzer (Feb 05)
- Re: Hysterical first technical alert from US-CERT Valdis . Kletnieks (Feb 04)
- Re: Hysterical first technical alert from US-CERT Stephen Samuel (Feb 06)
- Re: Hysterical first technical alert from US-CERT Valdis . Kletnieks (Feb 06)
- Re: Hysterical first technical alert from US-CERT Shawn McMahon (Feb 10)
- Re: Hysterical first technical alert from US-CERT Philip Rowlands (Feb 05)
- Re: Hysterical first technical alert from US-CERT Andreas Marx (Feb 06)
- Re: RFC: virus handling Matthew Dharm (Feb 03)
- Re: RFC: virus handling Ben Wheeler (Feb 04)
- Re: RFC: virus handling Shawn McMahon (Feb 07)
- Re: RFC: virus handling James C. Slora Jr. (Feb 03)
- Re: RFC: virus handling Dave Clendenan (Feb 03)
- Re: RFC: virus handling Volker Kuhlmann (Feb 04)