Re: Bankshot backscatter: a philosophical question
From: Bennett Todd (bet at rahul.net)
Date: Mon Feb 07 2005 - 12:55:25 CST
2005-02-07T18:32:18 Noel Jones:
> [...] Your only other choices are [ discard or ] to accept the
> mail and either tag+deliver or quarantine. [ ...] not everyone
> cares to burden their users with likely-bad and possibly dangerous
> but tagged mail.
For sure, there's no one-size-fits-all solution.
Some years back, 1999 I think, I set up a fairly simple
mail-screening solution; at the time, the attacks were pretty naive,
and simply grepping for a blocklist of filename extensions sufficed
to keep our users' mail clients from infecting their PCs. But that
is beside the point.
What I chose to do with the bad stuff that hit us was really, really
simple; I generated a brand new set of headers, and took the entire
arriving message, headers and all, and used it as the plain text
body, set off with "> " in the left margin, and delivered the result
on to the original envelope recipient.
That prevented mail clients from chewing on the malware, yet let
the recipient see the headers. In those days, before widespread
joe-job spam malware, that often let them notify a friend that
they'd been infected. It let the recipient see if there was a false
positive (we didn't have one that I recall in the years that I had
that thing operating). If there ever had been a false positive, it'd
have been easy for me to reformat it back into a legit message for
them. And it had nice visibility, our users knew that they were
being protected and learned about the state of internet email.
Of course, in those days, such crud was a tiny fraction of the
volume of email, rather than the majority.
This is yet another not-right-for-everyone solution, it still
burdens the users with likely-bad messages --- and these days likely
a majority of their total traffic --- but if you have users who use
sufficiently powerful email-handling tools to let them comfortably
handle this, it's an alternative that renders the "tagged" messages
no longer dangerous.
-Bennett
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCB7mdHZWg9mCTffwRAtPgAJ0R63cGJ6HF3arjqMH3Ai/RRGui1ACfbqZt
NK2NMtf2ABM/I2wPUzdrwcw=
=lWHD
-----END PGP SIGNATURE-----
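The wrapping scheme the post describes (new headers, the whole arriving message quoted as plain-text body, delivered to the envelope recipient, and easy to reverse on a false positive) can be shown end to end. The following is an added example written for this archive page, not Bennett Todd's own screening code: the sample message, the gateway address `screener@example.com`, the preamble text and the extension blocklist are all constructed for illustration, and the round-trip helper assumes LF line endings in the original.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample: a message carrying an attachment with a blocked
# extension. The attachment body is an inert text placeholder.
SAMPLE_RAW = b"""From: friend@example.org
To: user@example.com
Subject: check this out
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

see attachment
--XYZ
Content-Type: application/octet-stream; name="photo.jpg.exe"
Content-Disposition: attachment; filename="photo.jpg.exe"

TVqQAAMAAAAEAAAA
--XYZ--
"""

# Constructed blocklist, standing in for the "grep for filename extensions"
# rule the post mentions; the real list is site policy.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".vbs", ".bat", ".com")


def has_blocked_attachment(raw: bytes) -> bool:
    """Walk every MIME part and flag any attachment with a blocked extension."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(BLOCKED_EXTENSIONS):
            return True
    return False


def wrap_as_quoted_text(raw: bytes, envelope_rcpt: str, gateway_from: str) -> EmailMessage:
    """Build a brand-new text/plain message whose body is the original
    message (headers and all) with "> " in the left margin.

    The result has no MIME parts, so a mail client has nothing to execute
    or render; the recipient still sees every original header.
    """
    wrapped = EmailMessage()
    wrapped["From"] = gateway_from            # assumed gateway address
    wrapped["To"] = envelope_rcpt             # original envelope recipient
    wrapped["Subject"] = "[screened] message delivered as quoted plain text"
    text = raw.decode("utf-8", errors="replace")
    quoted = "".join("> " + line + "\n" for line in text.splitlines())
    preamble = ("The following message was not delivered as-is because it "
                "carried a blocked attachment type. The complete original, "
                "headers included, is quoted below.\n\n")
    wrapped.set_content(preamble + quoted)    # text/plain, no attachments
    return wrapped


def unwrap_quoted(wrapped: EmailMessage) -> bytes:
    """Reverse the wrapping on a false positive: strip the "> " margin and
    hand back the original raw message bytes (assumes LF line endings)."""
    body = wrapped.get_content()
    lines = [ln[2:] for ln in body.splitlines() if ln.startswith("> ")]
    return ("\n".join(lines) + "\n").encode("utf-8")


if __name__ == "__main__":
    if has_blocked_attachment(SAMPLE_RAW):
        safe = wrap_as_quoted_text(SAMPLE_RAW, "user@example.com", "screener@example.com")
        print(safe.as_string())
        assert unwrap_quoted(safe) == SAMPLE_RAW
```

The hardening property is in `wrap_as_quoted_text`: the delivered message is single-part `text/plain`, so the dangerous filename and MIME structure survive only as quoted text the user can read, and `unwrap_quoted` recovers the exact original bytes when the block turns out to be a false positive.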