[TOOL] vthrottle - SMTP Virus Throttling Engine

From: SecuriTeam (support_at_securiteam.com)
Date: 06/08/04

    To: list@securiteam.com
    Date: 8 Jun 2004 12:02:26 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      vthrottle - SMTP Virus Throttling Engine



    vthrottle <http://monkey.org/~jose/software/vthrottle/> is an
    implementation of M. Williamson's rate throttling mechanism for mail-borne
    worms and viruses. Basically, the software keeps track of which hosts
    and which senders have been sending mail. If they attempt to send mail from
    one machine or using one address more than once in a specified interval, we
    back them off by sending a temporary failure. Well-behaved hosts are
    expected to not trip this detection/throttle...

    vthrottle works by evaluating mail transactions at three points: the
    connection, the HELO (or EHLO) statement, and the stated source address of
    the mail. For each of these, a list is traversed and the time interval
    between observations is evaluated. If the observed interval is
    shorter than the policy interval, the mail is blocked. This is
    accomplished by sending a failure reply code to the SMTP client, causing
    it to queue the message.

    A white list may be used to create exceptions to the default intervals.
    This white list can specify hostnames or mail addresses and specifies the
    expected interval for that entry. The tool vmeasure can be used to
    generate this white list based on observations on your network. This tool
    is included in the vthrottle distribution.
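
An added sketch of the interval check described above (not vthrottle's own code and not part of the original bulletin): it keeps a last-seen time per connecting host, HELO name and envelope sender, and answers with a temporary failure when the observed interval is shorter than the policy or white list interval. The names, the dictionary storage, the reply strings, the 60-second policy used in the test, counting blocked attempts as observations, and the sample traffic are all assumptions.

```python
TEMPFAIL = "451 temporary failure, try again later"  # assumed reply text (4xx = retry later)
ACCEPT = "250 ok"                                    # assumed reply text

class Throttle:
    """Per-key minimum-interval check at connect, HELO/EHLO and MAIL FROM."""

    def __init__(self, policy_interval, whitelist=None):
        self.policy_interval = policy_interval  # default seconds between observations
        self.whitelist = whitelist or {}        # hostname or address -> expected interval
        self.last_seen = {}                     # (stage, key) -> time of last observation

    def _too_soon(self, stage, key, now):
        key = key.lower()
        allowed = self.whitelist.get(key, self.policy_interval)
        previous = self.last_seen.get((stage, key))
        self.last_seen[(stage, key)] = now      # assumption: blocked attempts count too
        return previous is not None and (now - previous) < allowed

    def evaluate(self, now, client_host, helo_name, mail_from):
        """Return (reply, stage that tripped or None) for one SMTP transaction."""
        for stage, key in (("connect", client_host),
                           ("helo", helo_name),
                           ("mail", mail_from)):
            if self._too_soon(stage, key, now):
                return TEMPFAIL, stage          # client queues the message and retries
        return ACCEPT, None

def replay(events, policy_interval, whitelist):
    """Run a list of (time, host, helo, sender) tuples through a fresh engine."""
    engine = Throttle(policy_interval, whitelist)
    return [engine.evaluate(*event) for event in events]

# Constructed sample traffic: (time in seconds, client host, HELO name, envelope sender)
EVENTS = [
    (0,   "pc10.example.net",  "pc10.example.net",  "alice@example.net"),
    (5,   "pc10.example.net",  "pc10.example.net",  "alice@example.net"),     # burst
    (70,  "pc10.example.net",  "pc10.example.net",  "alice@example.net"),     # after back-off
    (71,  "pc11.example.net",  "pc10.example.net",  "bob@example.net"),       # HELO seen 1s ago
    (100, "lists.example.net", "lists.example.net", "announce@example.net"),
    (102, "lists.example.net", "lists.example.net", "announce@example.net"),  # white-listed
]
WHITELIST = {"lists.example.net": 1, "announce@example.net": 1}  # constructed entries

if __name__ == "__main__":
    for event, (reply, stage) in zip(EVENTS, replay(EVENTS, 60, WHITELIST)):
        print(event[0], event[1], reply, stage or "-")
```
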

    The threat model for this tool requires a generic solution. Hosts infected
    with a worm that uses mail to spread will attempt to send as much mail as
    possible to spread rapidly. To prevent this system from becoming
    overwhelmed by requests, only header information is recorded and acted


    The information has been provided by <mailto:jose@monkey.org> Jose
    The tool can be downloaded from:

