Full Disclosure mailing list archives

RE: Re: Why are postmasters distributing the MyDoom virus?


From: "Bill Royds" <full-disclosure () royds net>
Date: Sat, 7 Feb 2004 20:07:27 -0500

The problem is not just AV systems sending out warnings, which is
unnecessary. It is the fact that many viruses also forge the To addresses as
well as the From addresses. The normal MTA response to a non-existent
address is to send a non-delivery reply back to the From address containing
the original message as an attachment. These go to the spoofed From address
of the original message, adding another transmission vector for the virus, with
even better "social engineering" to persuade someone to open it. Since some
AV systems scan direct attachments, but not attachments within attachments,
it even provides a greater possibility of passing through an anti-virus
gateway than the original message.
   P.S. The correct plural of virus is viruses. The original Latin word
virus had no plural. The word virii is the plural of the word vir which
means man.

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of
gadgeteer () elegantinnovations org
Sent: February 7, 2004 4:34 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Re: Why are postmasters distributing the MyDoom
virus?

On Sat, Feb 07, 2004 at 02:15:43PM -0500, Richard M. Smith
(rms () computerbytesman com) wrote:
Perhaps these postmasters need to review
their bounce message policies and remove all attached files from messages
being bounced.

Since it is well known that virii forge From headers the better policy
adjustment would be to NOT bounce virii messages at all.  The Anti-Virus
companies are certainly well aware of it as it is a characteristic
described in their alerts.

Many of these bounces triggered by virii are nothing less than a spam
opportunity for the A-V software company.  There is no "opt-out"
from these spam messages.  This would seem to be a clear violation of
CAN-SPAM.

Some sites have implemented various schemes to reject virii at the smtp 
level.  See nanog mail archives for recent threads dealing with this and 
related topics.
-- 
Chief Gadgeteer
Elegant Innovations

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

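The bounce-as-attachment vector described above, as an added example that is not part of the thread: it constructs a non-delivery report that wraps a forged-From message carrying an archive, then shows that a scan of the bounce's own attachments misses the archive while a scan that descends into the message/rfc822 part finds it. All addresses, file names and the attachment bytes are made up, and the flagged extensions are an assumption.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: extensions a gateway would flag; real scanners inspect content too.
RISKY_EXT = (".exe", ".scr", ".pif", ".zip")

def build_bounce() -> bytes:
    """Construct a non-delivery report that wraps the original message whole.
    Addresses and the attachment bytes are made up for this example."""
    original = EmailMessage()
    original["From"] = "spoofed.victim@example.net"   # forged sender
    original["To"] = "no-such-user@example.org"       # forged, nonexistent recipient
    original["Subject"] = "hello"
    original.set_content("see attachment")
    original.add_attachment(b"PK\x03\x04 stand-in payload, not a real archive",
                            maintype="application", subtype="octet-stream",
                            filename="document.zip")
    ndr = EmailMessage()
    ndr["From"] = "MAILER-DAEMON@example.org"
    ndr["To"] = str(original["From"])     # the bounce goes to the forged address
    ndr["Subject"] = "Undelivered Mail Returned to Sender"
    ndr.set_content("The message could not be delivered.")
    ndr.add_attachment(original)          # original attached as message/rfc822
    return ndr.as_bytes()

def shallow_scan(raw: bytes) -> list:
    """Top-level scan: only the bounce's own attachments are checked, and the
    message/rfc822 wrapper carries no filename, so the nested archive is missed."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(RISKY_EXT)]

def deep_scan(raw: bytes) -> list:
    """Recursive scan: descends into message/rfc822 parts and multipart
    containers, so attachments within attachments are found."""
    found = []
    def walk(part):
        if part.get_content_type() == "message/rfc822":
            for inner in part.get_payload():   # payload is a list of one message
                walk(inner)
        elif part.is_multipart():
            for sub in part.iter_parts():
                walk(sub)
        elif (part.get_filename() or "").lower().endswith(RISKY_EXT):
            found.append(part.get_filename())
    walk(message_from_bytes(raw, policy=policy.default))
    return found
```

The same recursive walk is what a gateway needs before deciding whether to bounce at all; rejecting at SMTP time, as the quoted message suggests, avoids generating the wrapper in the first place.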
