[TOOL] vthrottle - SMTP Virus Throttling Engine
From: SecuriTeam (support_at_securiteam.com)
Date: 06/08/04
To: list@securiteam.com Date: 8 Jun 2004 12:02:26 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
vthrottle - SMTP Virus Throttling Engine
------------------------------------------------------------------------
SUMMARY
DETAILS
<http://monkey.org/~jose/software/vthrottle/> vthrottle is an
implementation of M. Williamson's rate-throttling mechanism for
mail-borne worms and viruses. The software keeps track of which hosts
and which senders have been sending mail. If a host or an address attempts
to send mail more than once within a specified interval, it is backed off
with a temporary failure. Well-behaved hosts are expected not to trip this
detection/throttle.
vthrottle works by evaluating mail transactions at three points: the
connection, the HELO (or EHLO) statement, and the stated source address of
the mail. For each of these, a list is traversed and the observed time
interval between observations is evaluated. If the observed interval is
shorter than the policy interval, the mail is blocked. This is
accomplished by sending a temporary failure reply code to the SMTP client,
causing it to queue the message and retry later.
A white list may be used to create exceptions to the default intervals.
This white list can specify hostnames or mail addresses and specifies the
expected interval for that entry. The tool vmeasure can be used to
generate this white list based on observations on your network. This tool
is included in the vthrottle distribution.
The threat model for this tool calls for a generic solution. Hosts infected
with a worm that uses mail to spread will attempt to send as much mail as
possible in order to spread rapidly. To prevent the throttling system itself
from becoming overwhelmed by requests, only header information (the
connecting host, the HELO name and the sender address) is recorded and acted
upon.
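The throttle described above, written out as an added illustration (this is not the vthrottle source; the 60-second default policy, the 451 reply text and the whitelist layout are assumptions). It tracks the last-seen time per key at each of the three evaluation points, consults a per-entry whitelist interval before the policy interval, and returns a temporary failure when the observed gap is too short. A small vmeasure-like helper derives whitelist intervals from constructed observations.

```python
"""Added example of Williamson-style SMTP rate throttling (not vthrottle's code)."""
import time
from collections import defaultdict

STAGES = ("connect", "helo", "from")

# Assumed default policy: one transaction per key per 60 s at each stage.
DEFAULT_POLICY = {"connect": 60.0, "helo": 60.0, "from": 60.0}

TEMPFAIL = "451 4.7.1 Too many messages, try again later"  # assumed reply text
ACCEPT = "250 OK"


class VirusThrottle:
    """Per-stage last-seen tracking; block when the observed interval is
    shorter than the interval the whitelist entry or policy allows."""

    def __init__(self, policy=None, whitelist=None, clock=time.monotonic):
        self.policy = dict(DEFAULT_POLICY, **(policy or {}))
        # whitelist: hostname or mail address -> expected interval (seconds)
        self.whitelist = {k.lower(): v for k, v in (whitelist or {}).items()}
        self._clock = clock
        self._last = {stage: {} for stage in STAGES}

    def allowed_interval(self, stage, key):
        """Whitelist entries override the stage's default policy interval."""
        return self.whitelist.get(key.lower(), self.policy[stage])

    def check(self, stage, key, now=None):
        """Evaluate one observation at one stage. Returns (accepted, reply)."""
        key = key.lower()
        now = self._clock() if now is None else now
        last = self._last[stage].get(key)
        # Every observation is recorded, accepted or not, so a client that
        # keeps hammering never gets its timer to expire (assumed behaviour).
        self._last[stage][key] = now
        if last is not None and (now - last) < self.allowed_interval(stage, key):
            return False, TEMPFAIL
        return True, ACCEPT

    def evaluate(self, client, helo, mail_from, now=None):
        """Run the three evaluation points in SMTP order and stop at the
        first block. Returns (accepted, reply, stage_that_decided)."""
        now = self._clock() if now is None else now
        for stage, key in (("connect", client), ("helo", helo), ("from", mail_from)):
            ok, reply = self.check(stage, key, now)
            if not ok:
                return False, reply, stage
        return True, ACCEPT, "from"


def measure_intervals(observations):
    """vmeasure-like helper: from (timestamp, key) pairs, return the shortest
    interval seen for every key observed more than once. Feeding the result
    back in as the whitelist encodes what is normal on this network."""
    times = defaultdict(list)
    for ts, key in observations:
        times[key.lower()].append(ts)
    result = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if gaps:
            result[key] = min(gaps)
    return result


if __name__ == "__main__":
    # Constructed observations: a relay that legitimately sends every 2 s.
    seen = [(0.0, "mx.example.net"), (2.0, "mx.example.net"), (4.5, "mx.example.net")]
    wl = measure_intervals(seen)
    t = VirusThrottle(whitelist=wl)
    print(t.evaluate("mx.example.net", "mx.example.net", "a@example.com", now=10.0))
    print(t.evaluate("mx.example.net", "mx.example.net", "b@example.com", now=12.5))
    print(t.evaluate("198.51.100.20", "pc7.example.org", "c@example.org", now=20.0))
    print(t.evaluate("198.51.100.20", "pc7.example.org", "d@example.org", now=25.0))
```

Note that a blocked transaction still resets the key's timer, so an infected host retrying every few seconds stays throttled until it backs off for a full policy interval, whereas a real MTA's queue retry (typically minutes) passes.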
ADDITIONAL INFORMATION
The information has been provided by <mailto:jose@monkey.org> Jose
Nazario.
The tool can be downloaded from:
<http://monkey.org/~jose/software/vthrottle/>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.