
Full Disclosure mailing list archives

SMTP "authentication" (was: RE: Backdoor not recognized by Kaspersky)
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 04 Mar 2004 12:28:58 +1300

"Larry Seltzer" <larry () larryseltzer com> wrote:

> I really feel for you guys. As I've argued in another thread, I think
> SMTP authentication will likely cut this stuff down to a trickle
> compared to the current volume. As an ISP, how big a problem would you
> have with that. An even better question: Would you have a problem
> implementing SPF, Caller ID and Domain Keys (i.e. all 3)? It gets to
> the same issue of changing practices for your users: at some point you
> have to either bounce or segregate mail that doesn't authenticate.

I really think you (and all the SPF, etc pundits) are overselling those 
"technologies" as possible solutions to problems that exist because of 
what are, and perhaps always will remain with us as, essentially psycho-
social issues.

SPF, Caller-ID, etc will either not take off or, if it does it will not 
greatly reduce the level of the spam or the self-mailing virus problem. 
If it does take off we may initially see a dip in such things but as 
these technologies will not (and _CANNOT_) be blanket implemented 
overnight, the spammers and virus writers will watch the developments 
and if they see a risk to their future success there are many tricks 
available for them to add to their "creations" that these "anti-spam" 
or "anti-forgery" technologies _alone_ cannot prevent being exploited 
to the benefit of the spammers.

Although I'm sure the "professional" mass-mailer writers and spammers 
have a fair idea of what to do next if SPF, etc do start to bite, I'm 
not going to spell out how I'd do it in case I give any less clueful 
folk some ideas they don't deserve.  However, the bottom line is that 
for SPF, etc to be "successful" (i.e. to become very widely deployed 
and used) they (and the things they require at the client end) have to 
be "set and forget".  Why??  Because the sad (?) reality is that most 
folk are simply lazy and won't use systems that don't let them ignore 
the things they don't care about.  To date (and SPF, etc 
notwithstanding), I've seen no reason to expect this to change, even to 
fix the spam or mass-mailing virus problem, no matter how much "common 
folk" may belly-ache about it not being fixed.  This all means Mike 
Howard's "first immutable law of computer security":

   If the bad guy can run his program on your computer, it's not
   your computer any more

is broken from the outset _AND_ will remain so.

Compound all manner of other atrociously bad anti-security features 
that most computer users have become so accustomed to they will not 
allow to be changed and the bad guys will just keep doing what they do, 
albeit after adding a few dozen more lines of code to their existing 
bots, etc so they can send "properly authenticated" Email through the 
"right" SMTP servers.  SPF, etc pundits will counter "but we can then 
quickly get the ISPs to shut those machines down because we can prove 
that 'bad' Email came from that machine".  This ignores the rather 
salient (I'd have thought) point that the ISPs have entirely failed to 
deal with the existing armies of such machines, and it seems utterly 
unlikely they will add more staff (even just short-term) to handle 
their abuse@ enquiries once (or if) SPF, etc becomes widely deployed 
(after all, SPF, etc is supposed to eliminate the core problems in 
those areas so the ISPs may even be thinking they can _reduce_ their 
abuse staff!).

In summary, it seems that the bad guys are starting from a (probably) 
insurmountable advantage of the existing vast army of readily 
compromisable and/or already backdoor-ed machines.  And, if SPF, etc is 
successfully "sold" to the consumers, add the fact that many more users 
than the current crop of utterly reckless click-a-holics would then 
_trust_ more (or even all) of their Email and its attachments _because 
the SPF, etc pundits have been telling them that this is precisely one 
of the benefits of shafting the existing mail system_.  On balance, it 
seems we could easily see things _GET WORSE_.

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
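The point Nick makes about bots sending "properly authenticated" mail through the "right" SMTP servers can be shown with a small SPF evaluator. The following is an added example for this thread, not code from the post or from any SPF implementation; it runs over a constructed, in-memory DNS table (all domain names and addresses are hypothetical, from the documentation ranges) and supports only the ip4, include and all mechanisms. What it demonstrates is that SPF answers one question only, whether the connecting host is allowed to send for the claimed domain: a bot on a residential address that connects directly fails, while the same bot relaying through its ISP's published outbound MTA passes, and the message body never enters the decision.

```python
"""Minimal SPF evaluator over a constructed DNS table (added example, not from the post).

Only the ip4, include and all mechanisms with the +, -, ~ and ? qualifiers are
implemented; that is enough to show that SPF authorises a sending host for a
domain and knows nothing about who composed the message or what it carries.
"""
import ipaddress

# Constructed DNS TXT data. The ISP authorises its two outbound MTAs and a
# small relay range published in a second record. Hypothetical names/IPs.
DNS_TXT = {
    "example-isp.net": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 "
                       "include:_relays.example-isp.net -all",
    "_relays.example-isp.net": "v=spf1 ip4:203.0.113.0/28 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, sender_domain, dns=DNS_TXT, depth=0):
    """Return the SPF result for a connection from client_ip claiming sender_domain.

    Terms are evaluated left to right; the first matching mechanism decides.
    """
    if depth > 10:  # cap on recursive include lookups, as real checkers do
        return "permerror"
    record = dns.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4":
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only if the referenced domain's record yields pass
            if check_spf(client_ip, arg, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism this toy evaluator does not handle
    return "neutral"


def bot_scenarios():
    """Same compromised machine, same malicious payload, two delivery paths.

    The payload is deliberately not an argument to check_spf: SPF never sees it.
    """
    claimed_domain = "example-isp.net"
    return {
        # bot on a residential address connects straight to the victim's MX
        "bot_direct_to_mx": check_spf("192.0.2.77", claimed_domain),
        # bot hands the same message to its ISP's authorised outbound MTA
        "bot_via_isp_mta": check_spf("198.51.100.10", claimed_domain),
        # bot uses a host inside the ISP's included relay range
        "bot_via_isp_relay_range": check_spf("203.0.113.5", claimed_domain),
    }


if __name__ == "__main__":
    for path, result in bot_scenarios().items():
        print(f"{path:26} -> {result}")
```

Run stand-alone, the direct connection yields `fail` and both relayed paths yield `pass`. A receiver that treats `pass` as "safe to open" rather than "the sending host was authorised for this domain" is making exactly the mistake the post warns about; the result only becomes useful for abuse handling if someone at the ISP actually acts on the log line that ties the message to a customer account.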
