RE: [Full-Disclosure] Re: Why are postmasters distributing the MyDoom virus?

From: Bill Royds (full-disclosure_at_royds.net)
Date: 02/08/04

    To: <gadgeteer@elegantinnovations.org>, <full-disclosure@lists.netsys.com>
    Date: Sat, 7 Feb 2004 20:07:27 -0500

    The problem is not just AV systems sending out warnings, which is
    unnecessary. It is the fact that many viruses also forge the To addresses as
    well as the From addresses. The normal MTA response to a non-existent
    address is to send a non-delivery reply back to the From address containing
    the original message as an attachment. These go to the spoofed From address
    of the original message, adding another transmission vector for the virus, with
    even better "social engineering" to persuade someone to open it. Since some
    AV systems scan direct attachments, but not attachments within attachments,
    it even provides a greater possibility of passing through an anti-virus
    gateway than the original message.
       P.S. The correct plural of virus is viruses. The original Latin word
    virus had no plural. The word virii is the plural of the word vir, which
    means man.

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
    gadgeteer@elegantinnovations.org
    Sent: February 7, 2004 4:34 PM
    To: full-disclosure@lists.netsys.com
    Subject: [Full-Disclosure] Re: Why are postmasters distributing the MyDoom
    virus?

    On Sat, Feb 07, 2004 at 02:15:43PM -0500, Richard M. Smith
    (rms@computerbytesman.com) wrote:
    > Perhaps these postmasters need to review
    > their bounce message policies and remove all attached files from messages
    > being bounced.

    Since it is well known that virii forge From headers, the better policy
    adjustment would be to NOT bounce virii messages at all. The Anti-Virus
    companies are certainly well aware of it, as it is a characteristic
    described in their alerts.

    Many of these bounces triggered by virii are nothing less than a spam
    opportunity for the A-V software company. There is no "opt-out"
    from these spam messages. This would seem to be a clear violation of
    CAN-SPAM.

    Some sites have implemented various schemes to reject virii at the SMTP
    level. See the NANOG mail archives for recent threads dealing with this and
    related topics.

    -- 
    Chief Gadgeteer
    Elegant Innovations
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
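
Added example, not code from the thread or from any of its participants: the two mails above describe an MTA that answers an unknown recipient with a non-delivery report carrying the whole original message as an attachment, a scanner that checks only direct attachments, and the alternative policies of stripping attachments from bounces or refusing infected mail during the SMTP session. The constructed messages below use Python's standard `email` library to build exactly that NDR (the original rides along as a `message/rfc822` part), show that a top-level-only scan returns nothing while a recursive scan finds the nested file, and show that a headers-only bounce has nothing left to find. Addresses, the `SUSPICIOUS_EXT` list, the placeholder attachment bytes and all function names are assumptions made for the example; a real gateway would inspect content rather than file names.

```python
"""Added example (not from the Full-Disclosure thread): a bounce that
re-attaches the original message carries its attachments past a scanner
that only looks at top-level parts; a recursive scan, or a headers-only
bounce, closes that gap. All messages are constructed samples and the
attachment payload is a harmless placeholder, not malware."""
from __future__ import annotations

from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption for the example: a name-based list of risky extensions.
SUSPICIOUS_EXT = (".pif", ".scr", ".exe", ".com", ".bat", ".cmd")


def build_original() -> EmailMessage:
    """Constructed worm-style mail: forged From, non-existent To."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "spoofed.victim@example.org"
    msg["To"] = "nobody-here@example.net"
    msg["Subject"] = "hi"
    msg.set_content("See the attached file.")
    msg.add_attachment(b"MZ-placeholder-not-real-code",
                       maintype="application", subtype="octet-stream",
                       filename="document.pif")
    return msg


def build_ndr(original: EmailMessage, headers_only: bool = False) -> EmailMessage:
    """Non-delivery report addressed to the (forged) From of `original`.

    Default: the whole original message is attached as message/rfc822, the
    MTA behaviour the thread complains about. headers_only=True returns only
    the original headers, so nothing executable is re-sent to the spoofed
    sender.
    """
    ndr = EmailMessage(policy=policy.default)
    ndr["From"] = "MAILER-DAEMON@example.net"
    ndr["To"] = original["From"]
    ndr["Subject"] = "Undelivered Mail Returned to Sender"
    ndr.set_content("The address you sent to does not exist at this site.")
    if headers_only:
        header_block = "".join(f"{k}: {v}\n" for k, v in original.items())
        ndr.add_attachment(header_block, subtype="rfc822-headers")
    else:
        ndr.add_attachment(original)  # stored as a message/rfc822 part
    return ndr


def _flagged(part: EmailMessage) -> bool:
    name = (part.get_filename() or "").lower()
    return name.endswith(SUSPICIOUS_EXT)


def shallow_scan(msg: EmailMessage) -> list[str]:
    """Examines direct attachments only, the scanner behaviour the thread blames."""
    return [p.get_filename() for p in msg.iter_attachments() if _flagged(p)]


def deep_scan(msg: EmailMessage, depth: int = 0, max_depth: int = 8) -> list[str]:
    """Descends into message/rfc822 parts so attachments of attachments count.

    max_depth bounds the recursion for messages nested many levels deep.
    """
    if depth > max_depth:
        return []
    hits: list[str] = []
    for part in msg.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            hits.extend(deep_scan(part.get_content(), depth + 1, max_depth))
        elif _flagged(part):
            hits.append(part.get_filename())
    return hits


def scan_on_the_wire(msg: EmailMessage) -> list[str]:
    """Serialise and re-parse, which is what a receiving gateway actually sees."""
    received = message_from_bytes(msg.as_bytes(), policy=policy.default)
    return deep_scan(received)


def smtp_verdict(msg: EmailMessage) -> str:
    """Policy the thread argues for: refuse during the SMTP session, so the
    error goes to the connecting MTA and no NDR is ever generated."""
    if deep_scan(msg):
        return "550 5.7.1 Message rejected: suspicious attachment"
    return "250 Accepted"


if __name__ == "__main__":
    ndr = build_ndr(build_original())
    print("shallow:", shallow_scan(ndr))          # []
    print("deep:   ", deep_scan(ndr))             # ['document.pif']
    print("wire:   ", scan_on_the_wire(ndr))      # ['document.pif']
    print("hdrs:   ", deep_scan(build_ndr(build_original(), headers_only=True)))  # []
    print("smtp:   ", smtp_verdict(build_original()))
```

The `iter_attachments()` and `get_content()` calls are standard-library methods of `EmailMessage`; `get_content()` on a `message/rfc822` part hands back the embedded message, which is what makes the recursion straightforward. The `max_depth` guard is there because a bounce of a bounce of a bounce is a real pattern once forged senders are in play.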
