Bugtraq mailing list archives
Re: RFC: virus handling
From: Ben Wheeler <b.wheeler () ulcc ac uk>
Date: Wed, 4 Feb 2004 13:44:30 +0000
On Tue, Feb 03, 2004 at 12:55:24PM -0800, Matthew Dharm wrote:
> Consider a provider who offers the e-mail address of virusalert () provider com (name it what you will), to which can be fed an e-mail consisting of a single line -- that line is the IP address and a one-word 'name' for the problem. Thus, if I find I'm getting MyDoom.A from 127.2.2.1, I can send a message that will alert _someone_ (who is presumably not asleep at the controls).
I don't see much difference between this and the normal strategy of just notifying abuse@ or some other address at the ISP. It is similarly doomed to failure, because you end up with so many reports that the ISP cannot possibly verify whether each report is legitimate or not. So they would have a choice of either:

1. Ignore all reports. "It's not our job to protect our lusers from viruses."

or

2. Automatically take action against all reports. Thus it becomes a great way to DoS your enemies, just report them as infected.

Since the ISP gets money from its customers, not from people who report abuse, they will always tend towards option 1 as the number of reports increases.

Reporting abuse or infection is mostly a complete waste of time, just like reporting spam. It might have worked a few years ago, it generally doesn't anymore (and the exceptions get fewer all the time).

Our time would be far better invested in ways to prevent the spread of viruses by other means rather than trying to report infections, after it's already too late, to either ISPs who will usually do nothing, or end users who will usually be clueless (otherwise they wouldn't have got infected in the first place, right?)

Ben