Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: viruses being sent to this list
From: John Cartwright <johnc () grok org uk>
Date: Tue, 23 Mar 2004 13:56:48 +0000

On Mon, Mar 22, 2004 at 11:36:18PM +0200, Gadi Evron wrote:

Viruses must not be spread, especially on a security mailing list and to
such a huge audience.

It is my opinion that it is the _duty_ of the list owners to do
something about this, as it is not only illegal, but it is irresponsible.

I'd have emailed the list owners privately, but as I am the latest
victim of the latest spreading mechanism for viruses - Full-Disclosure,
I demand and immediate public announcement on what is going to be done
about this problem.


Apologies for the belated reply, I was travelling for a large part of 
yesterday and my access to mail was sporadic to say the least. There 
were many interesting points raised, and rather than attempt to reply 
to all individuals concerned, I felt it pertinent to send this open 
reply to the list to try and clarify the situation regarding virii/
malware and the Full-Disclosure list.

Len and myself remove a large number of malicious posts due to the 
fact that the sender address is typically not subscribed.  Due to the 
open nature of the list, posts appearing to come from subscribed 
addresses will never hit the admin queue, so if a virus spoofs an 
approved sender address then, with the current set-up, it will 
clearly be re-transmitted to list members.  If a virus is identified 
as actually originating from a list member (i.e. non-spoofed) then 
that individual is clearly in violation of the list charter and will 
be contacted and dealt with appropriately.

As I see it, there are two means of regulating malicious content 
from spoofed subscribed addresses. One, we moderate the list. Two, we 
use anti-virus or other scanning to try to prevent this data flow. 
Let's consider the effect of these options:

Firstly, moderating the list. This has never been a real option, and 
to do so would destroy the very ideal that Full-Disclosure was built 
upon. Len and I already spend several hours per day dealing with non-
member posts and related administrative duties, and we have no wish to 
increase this workload, or to censor or restrict the flow of 
information. So, I am dismissing this option as unacceptable whatever 
the circumstances.

Secondly, the provision of anti-virus on the server side. This raises 
a number of points, the most obvious of which is the problem with 
false positives. I have yet to see any anti-virus software that is 
100% reliable in its detection and classification, and I doubt I will 
ever see such a piece of software. So, automatic rejection of posts 
due to virus signature matches would not be possible. The net result: 
despite the financial burden placed on Len and myself, this would also 
increase our workload, as we would have to manually review the filter 
results for false positives. Given that the most likely cause of false 
positives is new exploit code, we then run the risk of unnecessarily 
delaying that which is most important to the list subscriber base, 
and this is my primary reason for also rejecting the idea of automated 
virus scanning at this moment in time.

However, if we shift the filtering from server- to client- side, then 
there are advantages for all concerned. Treating virii/malware just 
like any other noise allows the discerning user to decide exactly what 
he/she wishes to receive via our list, and to silently drop that which 
they do not. Given that subscribers are probably receiving virii from 
other sources apart from FD, one would expect that anyone vulnerable 
to such code would already have defences in place. I'd also assume 
that individuals who made a conscious decision to subscribe to an 
unmoderated security list were capable of dealing with unknown 
binaries in a sensible manner. Client-side filtering means that the 
associated costs and workload are distributed amongst list members. 
Those who wish to employ filters can then accept that they may miss 
out on something important, those of us who are not threatened by 
virii can continue to receive unfiltered list mail in a timely manner.

As far as the legalities of the situation are concerned, I'd 
appreciate input from any knowledgeable individuals on this matter. As 
far as I am concerned, Full-Disclosure is a publicly available opt-in 
mailing list, run privately by individuals on a best-effort, not-for-
profit basis, and due to the unmoderated nature of the list, we cannot 
and will not be held responsible for the data transferred via the list.  
Please remember that every single list member is here because they 
chose to be, and in doing so implicitly accepted the risks associated 
with that membership. Like any other source of information you are 
free to make use of its raw form, filter or transform it to meet your 
needs, or simply discard it and find an alternative source that fulfils 
your requirements.

I hope that addresses all concerns. Let's get back on topic - comments 
are welcome off-list.

- John

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]