Home page logo

bugtraq logo Bugtraq mailing list archives

RE: On the ultimate futility of server-based mail scanning
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Tue, 5 Mar 2002 21:30:58 -0500

No security system works 100% of the time.  However server-based
scanning of email attachments probably works better than many other
options like relying on end-users to not run unsafe attachments.  I vote
that we keep it.


-----Original Message-----
From: David F. Skoll [mailto:dfs () roaringpenguin com] 
Sent: Monday, March 04, 2002 5:07 PM
To: bugtraq () securityfocus com
Subject: On the ultimate futility of server-based mail scanning

Several postings on Bugtraq recently talked about DoS attacks against
server-based mail-scanners.  Compress four gigabytes of zeros and
debilitate mail scanners which uncompress .gz files, for example.

Several mail scanners try to be clever and examine .zip files, .tar.gz
files, .arc files, etc. to look inside for viruses.

This is ultimately futile.

I gave one scenario:

(cat small_x86_jmp_code; \
 dd if=/dev/zero bs=1k count=400k; \
 cat virus_payload) | gzip > virus.attach.gz

This DoS's virus-scanners which do not limit scanning-size, and sneaks
past those which do.

There's an even better method, and one which is very amenable to

"HEY!  NUDE pictures of Pamela Anderson in the attachment nudie.zip.
Just  unzip and then run pam.exe.  Oh, heh, heh, heh -- to keep your
boss from  seeing this, we've password-protected the zip file.  The
unzip password  is z3kr3t.  Enjoy!"

Zip encryption is pathetic.  But I don't think anyone's seriously
suggesting server-based scanners should brute-force encrypted zip files
to check for viruses, or perform AI analysis of messages to extract

Ultimately, the responsibility falls on the MUA and the end-user's OS
vendor.  We either put secure end-user software onto the desktop, or we
admit defeat.

David F. Skoll

Roaring Penguin Software Inc. | http://www.roaringpenguin.com GPG
fingerprint: C523 771C 3710 0F54 B2D2 4B0D C6EF 6991 34AB 95BA GPG
public key:  http://www.roaringpenguin.com/dskoll-key-2002.txt ID:

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]