Home page logo
/

bugtraq logo Bugtraq mailing list archives

RE: base64
From: Louis Erickson <LErickson () ariba com>
Date: Fri, 26 Sep 2003 10:49:08 -0700


On 26 September 2003 at 10:08 AM, Bennett Todd <bet () rahul net> wrote:

<snip other issues with canonicalization>

Also, in this sort of setting at least, you need very different
handling of inbound -vs- outbound messages. Inbound messages get
repaired --- or broken, in the case of digital sigs --- and then
sent on to their intended internal recipient. Outbound traffic gets
canonicalized if necessary, with commentary, gets malware replaced
with "evil badness used to be here, I yanked it", then gets bounced
back to the internal sender.

If there is malware in the message, why are you delivering it to the end
user?  

Either discard it or reject it from real sender, so they know their machine
is doing something bad.

I think it's as - maybe more - important for hosts to be responsible senders
than a responsible receivers.

At the moment, for instance, one of my mailboxes is inundated with
Swen/Gibe.  My virus scanners are easily keeping up with and discarding the
copies which arrive intact.  This irritates me because of the extra time and
bandwidth, but is a manageable issue.  Swen/Gibe dies there, harmlessly.

However, some idiot ISP is filtering just the bad attachment, and delivering
the rest.  So, instead of getting nothing, or getting something my system
can easily detect as unwanted, I get semi-random, difficult to predict or
filter junk, hundreds of them a day, swamping my mailbox.

(I have to figure out how to get procmail to filter on zero-byte
attachments.  Haven't had the time.)

Other idiot ISPs are letting me know that someone sent me Swen/Gibe and that
they blocked the message.  I have yet to make the postmaster at one of these
sites understand how worthless that notification is on viruses which forge
everything and send in such great quantity.

With the sender disinfecting, it can't infect my machine any more -
Swen/Gibe won't be bothering my Linux machine anyway - but they're making my
mailbox just as difficult to use as if they were doing nothing.

In another life I run an ISP.  I run virus scanners on all incoming and
outgoing messages.  Viruses are rejected at SMTP time, and the messages are
not delivered.  If a real user is trying to send something which triggers a
false positive, their mail client will show "550 Message appears to contain
a virus" or something like that.

I used to send notifications to the sender, and maintain a list of viruses
which forge the "From" address to skip sending to those.  However, pretty
much every virus does that now, and I found I was unable to keep up with
marinating that list, so I've disabled all the notifications.

I think it's important that the messages containing junk be blocked as soon
as possible, and generate no more traffic, or they are able to cause DoS and
other mischief as collateral damage.  While I've felt this for a while, I
think it's even more important now with some of these new viruses able to
generate such incredible quantities of mail so quickly.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]