RE: [Full-Disclosure] Re: Why are postmasters distributing the MyDoom virus?
From: Bill Royds (full-disclosure at royds.net)
Date: Sat Feb 07 2004 - 19:07:27 CST
The problem is not just AV systems sending out warnings, which is
unnecessary. It is the fact that many viruses also forge the To addresses as
well as the From addresses. The normal MTA response to a non-existent
address is to send a non-delivery reply back to the From address containing
the original message as an attachment. These go to the spoofed From address
of the original message, adding another transmission vector for the virus, with
even better "social engineering" to persuade someone to open it. Since some
AV systems scan direct attachments, but not attachments within attachments,
it even provides a greater possibility of passing through an anti-virus
gateway than the original message.
P.S. The correct plural of virus is viruses. The original Latin word
virus had no plural. The word virii is the plural of the word vir which
means man.
-----Original Message-----
From: full-disclosure-admin at lists.netsys.com [mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of gadgeteer at elegantinnovations.org
Sent: February 7, 2004 4:34 PM
To: full-disclosure at lists.netsys.com
Subject: [Full-Disclosure] Re: Why are postmasters distributing the MyDoom virus?
On Sat, Feb 07, 2004 at 02:15:43PM -0500, Richard M. Smith (rms at computerbytesman.com) wrote:
> Perhaps these postmasters need to review
> their bounce message policies and remove all attached files from messages
> being bounced.
Since it is well known that virii forge From headers, the better policy
adjustment would be to NOT bounce virii messages at all. The Anti-Virus
companies are certainly well aware of it, as it is a characteristic
described in their alerts.
Many of these bounces triggered by virii are nothing less than a spam
opportunity for the A-V software company. There is no "opt-out"
from these spam messages. This would seem to be a clear violation of
CAN-SPAM.
Some sites have implemented various schemes to reject virii at the SMTP
level. See the NANOG mail archives for recent threads dealing with this and
related topics.
--
Chief Gadgeteer
Elegant Innovations
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
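The two mechanisms discussed above, the NDR that hands the complete original message back to the forged From address and the gateway that scans only top-level attachments, as an added example written for this archive page (it is not code from any poster, MTA or anti-virus product). It builds a constructed bounce around a constructed worm-like message, shows a one-level attachment check seeing nothing dangerous while a recursive walk finds the nested executable one level down, and builds the headers-only bounce that Richard Smith's suggestion of removing attached files from bounced messages amounts to. All addresses, filenames, the RISKY_SUFFIXES list and the inert "payload" bytes are assumptions made up for the demonstration.

```python
"""Added example for this thread (not code from any poster, MTA or AV product).
Everything below is constructed: the addresses, the filenames, the suffix list
and the 'payload', which is a few inert bytes, not a worm."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions a 2004-era gateway would block on sight (assumption for the demo).
RISKY_SUFFIXES = (".exe", ".pif", ".scr", ".cmd", ".bat", ".zip")


def build_original() -> EmailMessage:
    """The worm's own message: forged From AND a non-existent To."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"            # forged: Alice never sent it
    msg["To"] = "no-such-user@example.net"       # guessed, does not exist
    msg["Subject"] = "Mail transaction failed"
    msg.set_content("Partial message is available, see the attachment.")
    msg.add_attachment(b"MZ" + b"\x00" * 30,     # inert stand-in for the worm
                       maintype="application", subtype="octet-stream",
                       filename="document.pif")
    return msg


def build_naive_bounce(original: EmailMessage) -> EmailMessage:
    """Classic NDR: the whole original is attached as message/rfc822 and sent
    to the forged From address, so Alice now receives the worm from MAILER-DAEMON."""
    ndr = EmailMessage()
    ndr["From"] = "MAILER-DAEMON@example.net"
    ndr["To"] = str(original["From"])
    ndr["Subject"] = "Undelivered Mail Returned to Sender"
    ndr.set_content("The recipient %s does not exist." % original["To"])
    ndr.add_attachment(original)                 # Content-Type: message/rfc822
    return ndr


def build_headers_only_bounce(original: EmailMessage) -> EmailMessage:
    """Bounce carrying only the original's headers (text/rfc822-headers, the
    RFC 3462 style), so no attachment of the original survives the bounce."""
    ndr = EmailMessage()
    ndr["From"] = "MAILER-DAEMON@example.net"
    ndr["To"] = str(original["From"])
    ndr["Subject"] = "Undelivered Mail Returned to Sender"
    ndr.set_content("The recipient %s does not exist." % original["To"])
    headers = "".join("%s: %s\n" % (k, v) for k, v in original.items())
    ndr.add_attachment(headers, subtype="rfc822-headers")
    return ndr


def on_the_wire(msg: EmailMessage) -> EmailMessage:
    """Serialise and re-parse, so the scanners see exactly what a gateway sees."""
    return message_from_bytes(msg.as_bytes(), policy=policy.default)


def top_level_names(msg: EmailMessage) -> list:
    """What a gateway that inspects only immediate attachments sees.  For the
    naive bounce this is just the unnamed message/rfc822 wrapper."""
    return [part.get_filename() for part in msg.iter_attachments()]


def nested_names(msg: EmailMessage, depth: int = 0) -> list:
    """Recursive scan: treats a message/rfc822 part as a message in its own
    right and descends into multiparts, returning (depth, filename) pairs."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            found.append((depth, name))
        if part.get_content_type() == "message/rfc822":
            found.extend(nested_names(part.get_content(), depth + 1))
        elif part.is_multipart():
            found.extend(nested_names(part, depth + 1))
    return found


def risky(names) -> list:
    """Filter a list of attachment names down to the blocked extensions."""
    return [n for n in names if n and n.lower().endswith(RISKY_SUFFIXES)]


if __name__ == "__main__":
    ndr = on_the_wire(build_naive_bounce(build_original()))
    print("bounce goes to :", ndr["To"])
    print("top-level scan :", risky(top_level_names(ndr)))
    print("recursive scan :", nested_names(ndr))
    safe = on_the_wire(build_headers_only_bounce(build_original()))
    print("headers-only   :", nested_names(safe))
```

The single-level scan returns nothing blockable because the only immediate attachment is the message/rfc822 wrapper, which has no filename; the recursive walk reports the .pif at depth 1. Rejecting the message during the SMTP transaction, the policy the quoted message prefers, needs the MTA's own hooks rather than a script and is not shown here.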