[TOOL] vthrottle - SMTP Virus Throttling Engine

From: SecuriTeam (support_at_securiteam.com)
Date: 06/08/04

    To: list@securiteam.com
    Date: 8 Jun 2004 12:02:26 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    - - - - - - - - -

      vthrottle - SMTP Virus Throttling Engine
    ------------------------------------------------------------------------

    SUMMARY

    DETAILS

    vthrottle (<http://monkey.org/~jose/software/vthrottle/>) is an
    implementation of M. Williamson's rate-throttling mechanism for mail-borne
    worms and viruses. Basically, the software keeps track of which hosts and
    which senders have been sending mail. If a host or a sender address
    attempts to send mail more than once within a specified interval, it is
    backed off with a temporary failure. Well-behaved hosts are not expected
    to trip this detection/throttle.

    vthrottle works by evaluating mail transactions at three points: the
    connection, the HELO (or EHLO) statement, and the stated source address of
    the mail. For each of these, a list is traversed and the time elapsed
    since the previous observation of the same host, HELO name or address is
    compared with the policy interval. If the observed interval is shorter
    than the policy interval, the mail is blocked. This is accomplished by
    sending a temporary failure reply code to the SMTP client, causing it to
    queue the message for later delivery.

    A whitelist may be used to create exceptions to the default interval.
    Each whitelist entry names a hostname or mail address and the interval
    expected for that entry. The tool vmeasure, included in the vthrottle
    distribution, can generate this whitelist from observations on your
    network.

    The threat model for this tool calls for a generic solution: hosts
    infected with a worm that spreads by mail will attempt to send as much
    mail as possible in order to spread rapidly. To keep the throttling
    system itself from being overwhelmed by that volume, only header
    information is recorded and acted upon.
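    The throttle described above, as an added illustration (not vthrottle's own code): each of the three checkpoints keeps only the last-seen timestamp per key, a whitelist entry overrides the default interval, and a too-short interval earns a 4xx temporary failure. The 60-second default, the 451 reply text and the timeline in demo() are constructed for the example.

```python
"""Minimal SMTP virus-throttle policy engine (illustration only, not vthrottle code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_INTERVAL = 60.0  # assumed policy interval in seconds (not from the advisory)

# A 4xx temporary failure makes a well-behaved client queue the message and retry.
ACCEPT = "250 OK"
TEMPFAIL = "451 4.7.1 Rate limit exceeded, try again later"


@dataclass
class Throttle:
    default_interval: float = DEFAULT_INTERVAL
    # Whitelist: hostname or address -> expected interval in seconds (0 disables throttling).
    whitelist: Dict[str, float] = field(default_factory=dict)
    # Last observation per (checkpoint, key); only header-level facts are stored.
    last_seen: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def observe(self, checkpoint: str, key: str, now: float) -> bool:
        """Record this observation; True if the gap since the previous one meets policy."""
        key = key.lower()
        policy = self.whitelist.get(key, self.default_interval)
        prev = self.last_seen.get((checkpoint, key))
        self.last_seen[(checkpoint, key)] = now
        return prev is None or (now - prev) >= policy

    def check(self, now: float, client: str, helo: str, mail_from: str) -> Tuple[str, Optional[str]]:
        """Evaluate the checkpoints in SMTP order and stop at the first one that trips."""
        for checkpoint, key in (("connect", client), ("helo", helo), ("from", mail_from)):
            if not self.observe(checkpoint, key, now):
                return TEMPFAIL, checkpoint
        return ACCEPT, None


def demo() -> List[Tuple[str, Optional[str]]]:
    """Constructed timeline: one host sending too fast, then a whitelisted relay."""
    t = Throttle(whitelist={"relay.example.net": 1.0, "list@example.org": 0.0})
    return [
        t.check(0.0, "10.0.0.5", "pc5.example.org", "alice@example.org"),    # first contact
        t.check(10.0, "10.0.0.5", "pc5.example.org", "bob@example.org"),     # 10 s later: tempfail
        t.check(70.0, "10.0.0.5", "pc5.example.org", "carol@example.org"),   # 60 s after retry: OK
        t.check(100.0, "relay.example.net", "relay.example.net", "list@example.org"),
        t.check(101.5, "relay.example.net", "relay.example.net", "list@example.org"),  # whitelisted
    ]


if __name__ == "__main__":
    for reply, stage in demo():
        print(reply, "" if stage is None else f"(tripped at {stage})")
```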

    ADDITIONAL INFORMATION

    The information has been provided by Jose Nazario <jose@monkey.org>.
    The tool can be downloaded from:
    http://monkey.org/~jose/software/vthrottle/
