Full Disclosure mailing list archives
RE: Backdoor not recognized by Kaspersky
From: Mike Barushok <mikehome () kcisp net>
Date: Sat, 6 Mar 2004 19:22:35 -0600 (CST)
On Thu, 4 Mar 2004, Larry Seltzer wrote:
SMTP auth does not help at all. A virus that delivers email via it's own SMTP enginecompletely bypasses the end users ISP server(s). And if the recipient server does not allow incoming mail from wherever it is presented from, then incoming mail will simply be broken unless there is some sort of SPF. Yeah, exactly, that's the point. SMTP AUTH plus something like SPF/CID/DK would stop all the existing worms from operating. Mail sent through their own engines would be rejected by SPF/CID/DK.But, SPF, caller-ID, and Domain keys all have major unsolved issues with forwards,aliases, corporate employees checking their work mail and needing to reply through their home connection ISP, but with their company 'From: ' address and several other common scenarios. Until their is universal adoption of some add on to SMTP, nobody can reject all non-conforming mail safely. It's not hard to imagine the largest ISPs and large corps accepting it, at which point it would become necessary for others to accept it or risk having their mail shut out.
I expect we may have to publish DNS records to get our users mail to be accepted. We will definitely not have to lookup their published records to decide whether to accept their mail. (and see below)
All implementations create a much greater load on DNS.Greater, yes. Much greater, I'm not so sure. Verisign doesn't think it's a substantial extra load. The DNS data could very reasonably be cached.
We had a server that is not a primary MX, but secondary or tertiary for a number of domains come to nearly a complete standstill due to a couple of bogus records being returned when it was trying to find MX's to bounce some undeliverable mail. DNS is actually a lot more fragile than most people realize. Publishing the record in zone files, and propogating the records is not that much of an issue. Doing the extra lookups and interpreting the results algorithmically is a major issue. DNS works quite well for what it is intended for, but anything beyond the simple, easily interpreted records that are in univeral use would require major hardware and software upgrades that are difficult to sell to management due to the fact that we have no 'revenues' that come from DNS (in their way of thinking).
The real issue is that their is no possible algorithmic solution to rejecting emailreliably based on any of its source, its content, or any combination. So SPF/CID/DK don't work? They reject based on domain
Well, here is the thing, if there are no TXT type records in the zone file for a given domain, but there is not a NXDOMAIN returned do you reject that mail? That would require simultaneous implementation world wide, or result in rejecting a lot more legitimate email than spam.
If the mail is not accepted, laws prohibit silently discarding it.I've never heard this before. What law? Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ larryseltzer () ziffdavis com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Backdoor not recognized by Kaspersky, (continued)
- Re: Backdoor not recognized by Kaspersky Valdis . Kletnieks (Mar 04)
- RE: Backdoor not recognized by Kaspersky Sean Crawford (Mar 04)
- Re: Backdoor not recognized by Kaspersky Rodrigo Barbosa (Mar 04)
- RE: Backdoor not recognized by Kaspersky Sean Crawford (Mar 04)
- RE: Backdoor not recognized by Kaspersky Nick FitzGerald (Mar 04)
- RE: Backdoor not recognized by Kaspersky Mike Barushok (Mar 06)
- RE: Backdoor not recognized by Kaspersky Larry Seltzer (Mar 07)
- RE: Backdoor not recognized by Kaspersky Jay Sulzberger (Mar 07)
- RE: Backdoor not recognized by Kaspersky Larry Seltzer (Mar 07)
- RE: Backdoor not recognized by Kaspersky Mike Barushok (Mar 07)
- RE: Backdoor not recognized by Kaspersky Mike Barushok (Mar 06)
- Email legislation does not exist Thor Larholm (Mar 04)
- RE: Email legislation does not exist Bill Royds (Mar 04)
- RE: Email legislation does not exist Ron DuFresne (Mar 05)
- Re: Email legislation does not exist Oliver Schneider (Mar 04)
- Re: Backdoor not recognized by Kaspersky Valdis . Kletnieks (Mar 04)
- RE: Backdoor not recognized by Kaspersky Larry Seltzer (Mar 03)
- RE: Backdoor not recognized by Kaspersky Nick FitzGerald (Mar 03)