[Full-Disclosure] From field spoofing and AV responses
nick at virus-l.demon.co.uk
Wed Jan 28 06:58:28 GMT 2004
"Johnson, April" <apjohnson at seattleschools.org> wrote:
> How hard would it be to have the AV software actually check the source
> email smtp host, and send an email to abuse at xyz.com for the *actual*
> offending smtp server?
Probably not terribly...
Of course, you immediately turn any massively fast, widespread
infection scenario (as we just saw with Mydoom) into a massive DoS
against nearly every abuse address on the planet...
> The from field is almost worthless at this point. But the header is
> more reliable. ...
By "header" I presume you mean what is more conventionally referred to
as "the SMTP envelope FROM address" (or similar -- the argument to the
SMTP "MAIL FROM:" command).
> ... Yes, it *can* be spoofed, but it's significantly more
What are you smoking?
Virtually all mass-mailers with their own SMTP engines spoof this
"information". If by "significantly harder" you mean it takes a few
more lines of code to randomly pick or generate an address to use for
that argument instead of using an address that can be got from a few
RegQueryValue calls and the like, you are trivially correct, but I'd
say you also greatly underestimate the typical virus writer.
> I'm nearly buried in false 'AV' responses - and worse, the users that
> get them are terrified because they think they've 'become infected'. I
> don't mind the user being wary, but the level of fear and anxiety over a
> false notice is becoming unworkable.
This is, indeed, a huge problem with such false "warnings" and
something THE AV industry is well aware of. That it does not fix this
by the simple expedient of all AV developers agreeing between
themselves to remove the ability to send all such "alerts" suggests
that it sees the FUD value of keeping them as worthwhile...
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Full-Disclosure is hosted and sponsored by Secunia.
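As an added example (not part of the original post, and not code from any AV product), the following Python shows what a receiving site can and cannot trust when it wants to identify the "actual" offending SMTP server. The From: header, the Return-Path: (the SMTP envelope MAIL FROM discussed above) and any Received: lines below the top one all arrived over the wire from the sender and can be forged at will; the only evidence is the Received: line that the site's own MTA prepended, which records the IP address that connected to it. The message, hostnames and addresses below are constructed for illustration; mx.example.org is an assumed name for the receiving MTA.

```python
import email
import re
from ipaddress import ip_address

# Hostname of the MTA we operate (assumed, hypothetical).  Only the
# Received: line this host wrote is under our control.
OUR_MTA = "mx.example.org"

# Constructed sample message (not from the original post): an infected host
# at 192.0.2.45 connects to our MTA, announces itself as mail.victim.example,
# and carries a forged inner Received: line plus a forged From:/Return-Path.
SAMPLE_MESSAGE = """\
Return-Path: <innocent@victim.example>
Received: from mail.victim.example ([192.0.2.45])
\tby mx.example.org (Postfix) with ESMTP id 1A2B3C4D
\tfor <user@example.org>; Wed, 28 Jan 2004 06:58:28 +0000
Received: from relay.victim.example (relay.victim.example [198.51.100.7])
\tby mail.victim.example with SMTP id FORGED01
\tfor <user@example.org>; Wed, 28 Jan 2004 06:57:00 +0000
From: "Innocent User" <innocent@victim.example>
To: user@example.org
Subject: Hi

test
"""

_BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
_IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def _normalize(value):
    """Collapse header folding (newline + whitespace) into single spaces."""
    return " ".join(value.split())


def spoofable_senders(raw):
    """Sender identities the remote side chose.  Useless for abuse reports:
    a mass-mailer fills these in from the victim's address book or at random."""
    msg = email.message_from_string(raw)
    return {"From": msg.get("From"), "Return-Path": msg.get("Return-Path")}


def actual_source(raw, our_mta=OUR_MTA):
    """Return the IP that connected to our MTA, or None if it cannot be known.

    Each MTA prepends its own Received: line, so the top-most one is ours if
    we were the final hop.  Lines below it were transmitted by the sender and
    may be forged, as may From:, Return-Path: and the HELO name; we therefore
    refuse to guess unless the top line names our own MTA in its "by" clause.
    """
    msg = email.message_from_string(raw)
    received = msg.get_all("Received") or []
    if not received:
        return None
    top = _normalize(received[0])
    by = _BY_RE.search(top)
    if by is None or by.group(1).lower() != our_mta.lower():
        return None  # top line was not written by us: no trustworthy evidence
    ip = _IP_RE.search(top)
    if ip is None:
        return None  # our MTA did not record a bracketed peer address
    try:
        return str(ip_address(ip.group(1)))  # reject anything that is not an IP
    except ValueError:
        return None


if __name__ == "__main__":
    print("forgeable:", spoofable_senders(SAMPLE_MESSAGE))
    print("connecting IP:", actual_source(SAMPLE_MESSAGE))
```

Note that the inner Received: line naming 198.51.100.7 is deliberately ignored: it was supplied by the sender. Even the address this returns identifies only the machine that connected, which in a mass-mailer outbreak is typically an infected end-user host rather than anyone who reads an abuse@ mailbox, which is the flood problem described above.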