Bugtraq mailing list archives
Re: RFC: virus handling
From: Sascha Wilde <wilde () agentur-sec de>
Date: Thu, 29 Jan 2004 13:18:26 +0100
On Wed, Jan 28, 2004 at 04:45:39PM +0100, Thomas Zehetbauer wrote:
> 1.2.1.) Standardization
> To allow filtering of these messages they should always carry the text 'possible virus found' in the subject, optionally extended by the name of the virus or the test conducted (e.g. heuristics).

I would prefer to use "X-" extension fields in the mail header for this. This could be made more flexible and without messing with the Subject line, which might be localized or used to provide more specific information like "mail-worm badthing.C found".

> 3.1.2.) e-mail Alias and Web-Interface
> Additionally providers should provide e-mail aliases for the IP addresses of their customers (e.g. customer at 127.0.0.1 can be reached via 127.0.0.1 () provider com) or a web interface with similar functionality. The latter should be provided when dynamically assigned IP addresses are used, for which an additional timestamp is required.

I think this wouldn't work, and it wouldn't be a good idea in general. First of all, most private customers use dynamic IPs, so the address wouldn't belong to one specific user. Furthermore these addresses would be easy to guess (in most cases even _known_) and a great target for spammers and worms, and finally the average customer isn't capable of distinguishing a false virus warning from a real one -- there are many hoaxes out there, and some worms already spread using faked virus warnings, so I think sending virus warnings via e-mail to end users isn't a good idea at all.

> 3.2.) Disconnect
> Providers should grant their customers some grace period to clean their infection and should thereafter be disconnected entirely or filtered based on protocol (e.g. outgoing SMTP) or content (e.g. transparent smarthost with virus scanner) until they testify that they have cleaned their system.

Hard measures like that may be useful in some cases, but the reasons must be verified very carefully -- otherwise it would be an easy-to-abuse basis for DoS attacks, just by sending complaints to the ISP.

Just my two cents
cheers
--
Sascha Wilde

We're Germans and we use Unix. That's a combination of two demographic groups known to have no sense of humour whatsoever.
-- Hanno Mueller in de.comp.os.unix.programming