RE: Worm.SCO.A (W32/Mydoom@MM) & NDR

From: Sean Kelly (sean_at_itsecurityconsultant.com)
Date: 01/29/04

    To: "'Shawn Jackson'" <sjackson@horizonusa.com>
    Date: Thu, 29 Jan 2004 19:58:33 -0000
    
    

    I don't think antivirus vendors will stop sending NDRs unless there is
    a hell of a lot of pressure put on them to do so.
    We all know the NDRs are useless, and that 90+% of viruses spoof the
    sender's address, and therefore the NDR is directed at the wrong person.

    But look at it from the antivirus vendors' point of view.

    Every time there is a virus, they get to spam the whole world with
    their marketing spiel, and they use your network to do it with!

    We pay the AV vendor to protect our network, not steal our bandwidth and
    use us as their marketing agents.

    Sean Kelly
    IT Security Consultant
     
    sean@itsecurityconsultant.com
    www.itsecurityconsultant.com
     
    Int Tel (0044) 07792 982593
     
    Independent IT Security Consultant for Business
    UK Agent for International Vendors
     

    -----Original Message-----
    From: Shawn Jackson [mailto:sjackson@horizonusa.com]
    Sent: 29 January 2004 16:25
    To: Crispin.Harris@didata.com.au
    Cc: Dan Bartley; security-basics@securityfocus.com;
    support@trendmicro.com
    Subject: RE: Worm.SCO.A (W32/Mydoom@MM)

    >From: Crispin.Harris@didata.com.au [mailto:Crispin.Harris@didata.com.au]

    >A useful feature from the AV vendors would be to (in certain
    >circumstances) not generate NDRs. This would need to be administrator
    >configurable.

    More than that, there should be a check, even in non-anti-virus software,
    where the software will check the sending domain against the sending MX
    to see if the address was not spoofed. This could be just a simple rDNS
    lookup or something more elaborate (checking to see if the mailbox
    exists), but blindly sending out NDRs and notifications, no matter what
    the cause, in this day and age of spam and mass-mailing worms is
    completely wrong. Personally, my mail spool always has those *useful*
    NDRs trying to tell the spammers that their mass mail didn't get through.

    >My suggestion would be that NDRs not be generated for messages that
    >are identified as being created with Virii that always falsify the
    >source address (such as SOBiG, MyDOOM etc.). Generating an NDR in this
    >case is not only useless, but actively detrimental to the performance
    >and stability of the network.

    That would be a nice start, but we also need to think down the road. The
    worms and spam are only getting worse. We need to cover the problem now,
    and as far down the path as we dare to venture. We can't become part of
    the problem because we either don't want to change or are living in fear
    of outdated RFCs. We all agree that security is an evolution, a fluid
    process of forward progress and innovation. They build a better mouse,
    we make a better trap. They already have a bigger and better mouse and
    we still don't have a trap for him.

    >My 2c.

    I ante another $0.02.

     Shawn

    ---------------------------------------------------------------------------
    Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
    course! All of our class sizes are guaranteed to be 10 students or less.
    We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
    and many other technical hands on courses.
    Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
    any course!
    ---------------------------------------------------------------------------
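An added Python example (not from the thread) of the bounce policy Shawn describes: suppress the NDR for worms known to forge the sender and otherwise check the sender domain's MX and the connecting host's reverse DNS before bouncing. The resolver, worm list and addresses are constructed stand-ins, and the rDNS test is a heuristic that will also refuse bounces to legitimate mail relayed through a third-party host.

```python
import ipaddress
from dataclasses import dataclass, field

# Worm families the thread names as always forging the sender (constructed list).
SPOOFING_FAMILIES = {"W32/Mydoom@MM", "Worm.SCO.A", "W32/Sobig@MM"}


@dataclass
class FakeDns:
    """Offline stand-in for the resolver: constructed MX and PTR data for this example."""
    mx: dict = field(default_factory=dict)   # domain -> list of MX host names
    ptr: dict = field(default_factory=dict)  # peer IP -> reverse (PTR) host name

    def mx_hosts(self, domain):
        return self.mx.get(domain.lower(), [])

    def ptr_name(self, ip):
        return self.ptr.get(str(ipaddress.ip_address(ip)))


def in_domain(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def should_send_ndr(sender, peer_ip, virus_name, dns):
    """Decide whether a gateway should bounce a rejected message to `sender`.

    Returns (send, reason). The sender is trusted only when nothing marks it
    as forged: a non-null reverse-path, no known sender-spoofing worm, a
    deliverable MX for the sender domain, and a connecting host whose reverse
    DNS belongs to that domain or is one of its MX hosts.
    """
    if not sender:
        return False, "null reverse-path: bounces are never bounced"
    if virus_name in SPOOFING_FAMILIES:
        return False, f"{virus_name} always forges the sender; an NDR would hit a bystander"
    domain = sender.rpartition("@")[2]
    mx_hosts = {m.lower().rstrip(".") for m in dns.mx_hosts(domain)}
    if not mx_hosts:
        return False, f"no MX for {domain}: nowhere to deliver a bounce"
    rdns = dns.ptr_name(peer_ip)
    if rdns and (in_domain(rdns, domain) or rdns.lower().rstrip(".") in mx_hosts):
        return True, f"peer {peer_ip} reverse-resolves to {rdns}, consistent with {domain}"
    return False, f"peer {peer_ip} ({rdns or 'no PTR'}) is unrelated to {domain}; treat as spoofed"
```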
