Full Disclosure mailing list archives
RE: E-mail spoofing countermeasures (Was: Backdoor not recognized by Kaspersky)
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 04 Mar 2004 20:59:30 +1300
"Bill Royds" <broyds () rogers com> wrote: <<snippage>>
Using authenticated SMTP, this would still allow a different return address in headers since envelope from would be user who authenticated to SMTP server. But it would prevent spoofed email (although spam would still arrive, it could be tied to actual sender, allowing things like CAN-SPAM to work).
Wrong. It would, at best, identify the sending _machine_, not the "actual sender". There is far too much prior art in the Windows malware armory to not be aware of how easily an agent program on a "compromised" Windows box can steal whatever configuration and authentication data it may need to "properly" send mail "just like" the user's preferred MUA. Just because, of late, spam and mass-mailing viruses have used randomized From: and SMTP envelope FROM addresses does not mean thay have to continue to do so, nor that not doing so will necessarily be less effective for them... These are important considerations to not overlook despite the fact that the SPF, etc pushers make a habit of ignoring such. Further, several IRC bot-nets in tens-of-thousands of active bots size range have already been found and there are probably several million such compromised mnachiens out there waiting for the fateful order to "wake up" and answer the call of their "master". SMTP "sender authentication" is a far less trivial problem to solve that the SPF, aller-ID, etc folk would have you believe (and, of course, they don't like us pointing out that their preferred "solutions" are already doomed to failure). -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- E-mail spoofing countermeasures (Was: Backdoor not recognized by Kaspersky) Lachniet, Mark (Mar 03)
- Re: E-mail spoofing countermeasures (Was: Backdoor not recognized by Kaspersky) Dave Sherohman (Mar 03)
- RE: E-mail spoofing countermeasures (Was: Backdoor not recognized by Kaspersky) Bill Royds (Mar 03)
- RE: E-mail spoofing countermeasures (Was: Backdoor not recognized by Kaspersky) Nick FitzGerald (Mar 04)
- RE: E-mail spoofing countermeasures (Was: Backdoor not recognized by Kaspersky) Bill Royds (Mar 04)
- Re: E-mail spoofing countermeasures (Was: Backdoor not recognized by Kaspersky) Szilveszter Adam (Mar 04)
- RE: E-mail spoofing countermeasures (Was: Backdoor not recognized by Kaspersky) Bill Royds (Mar 03)
- Re: E-mail spoofing countermeasures (Was: Backdoor not recognized by Kaspersky) Dave Sherohman (Mar 03)