No security system works 100% of the time. However server-based scanning of email attachments probably works better than many other options like relying on end-users to not run unsafe attachments. I vote that we keep it. Richard -----Original Message----- From: David F. Skoll [mailto:dfsat_private] Sent: Monday, March 04, 2002 5:07 PM To: bugtraqat_private Subject: On the ultimate futility of server-based mail scanning Several postings on Bugtraq recently talked about DoS attacks against server-based mail-scanners. Compress four gigabytes of zeros and debilitate mail scanners which uncompress .gz files, for example. Several mail scanners try to be clever and examine .zip files, .tar.gz files, .arc files, etc. to look inside for viruses. This is ultimately futile. I gave one scenario: (cat small_x86_jmp_code; \ dd if=/dev/zero bs=1k count=400k; \ cat virus_payload) | gzip > virus.attach.gz This DoS's virus-scanners which do not limit scanning-size, and sneaks past those which do. There's an even better method, and one which is very amenable to social-engineering: "HEY! NUDE pictures of Pamela Anderson in the attachment nudie.zip. Just unzip and then run pam.exe. Oh, heh, heh, heh -- to keep your boss from seeing this, we've password-protected the zip file. The unzip password is z3kr3t. Enjoy!" Zip encryption is pathetic. But I don't think anyone's seriously suggesting server-based scanners should brute-force encrypted zip files to check for viruses, or perform AI analysis of messages to extract passwords. Ultimately, the responsibility falls on the MUA and the end-user's OS vendor. We either put secure end-user software onto the desktop, or we admit defeat. -- David F. Skoll Roaring Penguin Software Inc. | http://www.roaringpenguin.com GPG fingerprint: C523 771C 3710 0F54 B2D2 4B0D C6EF 6991 34AB 95BA GPG public key: http://www.roaringpenguin.com/dskoll-key-2002.txt ID: 34AB95BA
This archive was generated by hypermail 2b30 : Wed Mar 06 2002 - 14:52:27 PST