Seth said:

> The From_ line can't be trusted. The From: line can't be trusted. Both
> are forged these days.
> What I advocate for instead is the MTA returning a diagnostic before
> accepting the message for delivery -- that way, guilty people with olde
> fashionede virusese will still get the helpful notice they are infected,
> and innocent people [who incidentally don't run outlook] don't get notified
> that a From_ or From: was forged.

I also appreciate getting sent a message that someone in my domain is sending out viruses. Perhaps the virus scanners of the world could include a flag in the database that the engine uses that would indicate whether a virus spoofs the source. Then the part of the software that sends notices to the senders would know that the sender was faked. In this way the help desks of the world would not be bombarded by questions from users that never actually had the virus. The world would be grateful and throw money at these vendors.

Another interesting twist is happening with viruses like SOBIG. A mail filter detected the presence of the executable in the MIME attachment and sent the entire message to the spoofed sender! Of course it was a text copy of the MIME attachment, but if you are interested in collecting the virus source in a somewhat safer format, here it is for the taking. The mail filter also says, in different words, if you intended to subvert the security of the system you should enclose the executable in a zip file. How nice and accommodating!

Craig A Schiller, CISSP
Global Information Security Officer
RadiSys Corporation
craig.schiller@private
503.615.1646

This electronic message contains information which may be confidential, privileged or otherwise protected from disclosure. The information is intended to be used solely by the named recipient(s). If you are not a named recipient, any review, disclosure, copying, distribution or use of this transmission or its contents is prohibited. If you have received this transmission in error, please notify me immediately.

-----

From: Seth Arnold <sarnold@private>
Sent by: owner-crime@private
Date: 08/20/2003 03:53 PM
To: "'crime@private '" <crime@private>
cc:
Subject: Re: CRIME SOBIG ADVISORY

On Wed, Aug 20, 2003 at 02:48:11PM -0700, Kuo, Jimmy wrote:
> Are you referring to the situation where you get the Undeliverable message
> because your name got forged in the From field, or about warnings issued by
> AV companies on all the viruses, or both?

Jimmy, if you are in a position of sufficient influence, please, for the love of god please, get those silly "your message was <foo>" out of the virus scanners. :)

The From_ line can't be trusted. The From: line can't be trusted. Both are forged these days.

What I advocate for instead is the MTA returning a diagnostic before accepting the message for delivery -- that way, guilty people with olde fashionede virusese will still get the helpful notice they are infected, and innocent people [who incidentally don't run outlook] don't get notified that a From_ or From: was forged.

While I'm dreaming, I'd also like to see my gpg signatures let through. :) [Yes, bugtraq posts with gpg signatures kinda suck; 20+ "i'm on vacation" messages, 10+ "we've got a virus!!" messages...]

</rant>

-- 
"Now there are some who would like to re-write history --- `revisionist histororians' is what I like to call them." -- Pres. Bush on forged intelligence in the state of the union address

(See attached file: att7jjx8.dat)
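The two notification strategies argued over in this thread, as an added example that is not from the CRIME list or from either poster: a Python sketch of an MTA-side check that rejects inside the SMTP transaction (Seth's suggestion) beside a post-acceptance notifier that consults a "spoofs sender" flag in the scanner's database (Craig's suggestion). The signature table, attachment names and sample message are constructed for illustration; a real engine matches content, not filenames.

```python
from email import message_from_string

# Constructed scanner database: attachment name -> (signature, spoofs_sender).
# The boolean is the flag the post above proposes adding to the vendor database.
SIGNATURES = {
    "your_document.pif": ("SOBIG", True),   # constructed: worm forges From_/From:
    "oldworm.exe": ("OLDWORM", False),      # constructed: mails from the infected account
}

def scan(raw):
    """Return (signature, spoofs_sender) for the first known attachment, else None."""
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name and name.lower() in SIGNATURES:
            return SIGNATURES[name.lower()]
    return None

def smtp_time_verdict(raw):
    """Reject before the MTA accepts the message: the diagnostic goes back to the
    connecting client, so nothing is mailed to the (possibly forged) From: address."""
    hit = scan(raw)
    if hit is None:
        return (250, "2.0.0 Ok: queued")
    return (550, "5.7.1 Message rejected: contains %s" % hit[0])

def post_acceptance_notice(raw):
    """For a filter that already accepted the message: check spoofs_sender
    before deciding whether the From: address gets a notice at all."""
    hit = scan(raw)
    if hit is None:
        return None
    signature, spoofs_sender = hit
    if spoofs_sender:
        return {"signature": signature, "notify": None,
                "reason": "From: is forged by this worm; a notice would be backscatter"}
    return {"signature": signature, "notify": message_from_string(raw)["From"],
            "reason": "worm sends from the infected account"}

# Constructed sample: a worm-style message carrying a .pif attachment.
SAMPLE = (
    "From: victim@example.com\r\nTo: list@example.net\r\n"
    "Subject: Re: Details\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nSee the attached file.\r\n"
    '--b1\r\nContent-Type: application/octet-stream; name="your_document.pif"\r\n'
    'Content-Disposition: attachment; filename="your_document.pif"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n--b1--\r\n"
)
```

Calling `smtp_time_verdict(SAMPLE)` yields the 550 reply the connecting client would see, while `post_acceptance_notice(SAMPLE)` returns no recipient to notify because the signature is flagged as forging the sender.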
This archive was generated by hypermail 2b30 : Thu Aug 21 2003 - 16:42:42 PDT