Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: Backdoor not recognized by Kaspersky
From: Mike Barushok <mikehome () kcisp net>
Date: Thu, 4 Mar 2004 00:01:54 -0600 (CST)

On Wed, 3 Mar 2004, Larry Seltzer wrote:

I feel the need to address the problem from an ISP perspective, since the corporate
and government and other institutional persective seems to give different answers. And
because the ISP end user problem is still the majority of the reservoir for viruses (and
spam proxy/relay/trojans).

I really feel for you guys. As I've argued in another thread, I think SMTP
authentication will likely cut this stuff down to a trickle compared to the current
volume. As an ISP, how big a problem would you have with that. An even better question:
Would you have a problem implementing SPF, Caller ID and Domain Keys (i.e. all 3)? It
gets to the same issue of changing practices for your users: at some point you have to
either bounce or segregate mail that doesn't authenticate. 

SMTP auth does not help at all. A virus that delivers email via
it's own SMTP engine completely bypasses the end users ISP
server(s). And if the recipient server does not allow incoming
mail from wherever it is presented from, then incoming mail will
simply be broken unless there is some sort of SPF. But,
SPF, caller-ID, and Domain keys all have major
unsolved issues with forwards, aliases, corporate employees
checking their work mail and needing to reply through their home
connection ISP, but with their company 'From: ' address and
several other common scenarios. Until their is universal
adoption of some add on to SMTP, nobody can reject all
non-conforming mail safely. 

All implementations create a much greater load on DNS. 

The real issue is that their is no possible algorithmic solution
to rejecting email reliably based on any of its source, its
content, or any combination. 

Then there is the 'rejection' problem. If the mail is not accepted,
laws prohibit silently discarding it. But any reasonable method
of attempting to bounce it back to its source after accepting it
for examination is a completely easily exploited back door the
spammers and virus writers will use to deliver mail.

So, the only practical point in the process to decline the mail
is before the data is sent. A transient error may result only it
retries every five minutes for the next four days. A permanent
error may result a cached failure that affects all email for a
period of time. And the delivery back to the apparent sender
within the sending ISP is still available as an infection vector.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]