RE: Backdoor not recognized by Kaspersky

[Mike Barushok <mikehome () kcisp net>]

On Thu, 4 Mar 2004, Larry Seltzer wrote:

> > > SMTP auth does not help at all. A virus that delivers email via it's own SMTP engine
> completely bypasses the end users ISP server(s). And if the recipient server does not
> allow incoming mail from wherever it is presented from, then incoming mail will simply
> be broken unless there is some sort of SPF. 
>
> Yeah, exactly, that's the point. SMTP AUTH plus something like SPF/CID/DK would stop all
> the existing worms from operating. Mail sent through their own engines would be rejected
> by SPF/CID/DK. 
>
> > > But, SPF, caller-ID, and Domain keys all have major unsolved issues with forwards,
> aliases, corporate employees checking their work mail and needing to reply through their
> home connection ISP, but with their company 'From: ' address and several other common
> scenarios. Until their is universal adoption of some add on to SMTP, nobody can reject
> all non-conforming mail safely. 
>
> It's not hard to imagine the largest ISPs and large corps accepting it, at which point
> it would become necessary for others to accept it or risk having their mail shut out. 

I expect we may have to publish DNS records to get our users mail
to be accepted. We will definitely not have to lookup their
published records to decide whether to accept their mail.

(and see below)

> > > All implementations create a much greater load on DNS. 
>
> Greater, yes. Much greater, I'm not so sure. Verisign doesn't think it's a substantial
> extra load. The DNS data could very reasonably be cached.

We had a server that is not a primary MX, but secondary or
tertiary for a number of domains come to nearly a complete
standstill due to a couple of bogus records being returned
when it was trying to find MX's to bounce some undeliverable
mail. DNS is actually a lot more fragile than most people
realize. Publishing the record in zone files, and propogating
the records is not that much of an issue. Doing the extra
lookups and interpreting the results algorithmically is
a major issue. DNS works quite well for what it is intended
for, but anything beyond the simple, easily interpreted
records that are in univeral use would require major hardware
and software upgrades that are difficult to sell to management
due to the fact that we have no 'revenues' that come from
DNS (in their way of thinking).

> > > The real issue is that their is no possible algorithmic solution to rejecting email
> reliably based on any of its source, its content, or any combination. 
>
> So SPF/CID/DK don't work? They reject based on domain

Well, here is the thing, if there are no TXT type records in the
zone file for a given domain, but there is not a NXDOMAIN returned
do you reject that mail? That would require simultaneous
implementation world wide, or result in rejecting a lot more
legitimate email than spam. 

> > > If the mail is not accepted, laws prohibit silently discarding it. 
>
> I've never heard this before. What law?
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> larryseltzer () ziffdavis com 
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html