Re: RFC: virus handling

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: RFC: virus handling
From: Sascha Wilde <wilde@xxxxxxxxxxxxxx>
Date: Thu, 29 Jan 2004 13:18:26 +0100
In-reply-to: <1075304734.29593.147.camel@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mail-followup-to: bugtraq@xxxxxxxxxxxxxxxxx
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <1075304734.29593.147.camel@xxxxxxxxxxxxxx>
Sender: Sascha Wilde <swilde@xxxxxxxxxxxxxx>
User-agent: Mutt/1.4i

On Wed, Jan 28, 2004 at 04:45:39PM +0100, Thomas Zehetbauer wrote:

> 1.2.1.) Standardization
> To allow filtering of these messages they should always carry the text
> 'possible virus found' in the subject optionally extended by the name of
> the virus or the test conducted (eg. heuristics).

I would prefer to use "X-" Extension Fields in the Mail header for
this.  This could be made more flexible and without messing with the
Subject line, which might be localized or used to provide more
speific Information like "mail-worm badthing.C found".

> 3.1.2.) e-mail Alias and Web-Interface
> Additionally providers should provide e-mail aliases for the IP
> addresses of their customers (eg. customer at 127.0.0.1 can be reached
> via 127.0.0.1@xxxxxxxxxxxx) or a web interface with similiar
> functionality. The latter should be provided when dynamically assigned
> IP addresses are used for which an additional timestamp is required.

I think this wouldn't work, and it wouldn't be a good idea in general.
Thirst of all, most privat customers use dynamic IPs, so the address
wouldn't belong to one specific user.  Furthermore these addresses
would be easy to guess (in most cases even _known_) and a great target
for spamers and worms, and finaly the average customer isn't captable
of distinguishing a false virus-warning from a real one -- there are
many hoax out there, and some worms already spread using faked
virus-warnings, so I think sending Virus-Warnings via eMail to
end-users isn't a good idea at all.

> 3.2.) Disconnect
> Providers should grant their customers some grace period to clean their
> infection and should thereafter be disconnected entirely or filtered
> based on protocol (eg. outgoing SMTP) or content (eg. transparent
> smarthost with virus scanner) until they testify that they have cleaned
> their system.

Hard measurements like that may be usefull in some cases, but the reasons
must be verified very carefully -- otherwise it would be a easy to
abuse bases for DOS attacs, just by sending complains to the ISP.

yust my two cent
cheers
-- 
Sascha Wilde
We're Germans and we use Unix. That's a combination of two 
demographic groups known to have no sense of humour whatsoever.
  -- Hanno Mueller in de.comp.os.unix.programming

Attachment: pgpDuEJnoO7Zj.pgp
Description: PGP signature

References:
- RFC: virus handling
  - From: Thomas Zehetbauer

Prev by Date: Re: new WIN virus?
Next by Date: Mydoom DDoS attack time table
Previous by thread: RFC: virus handling
Next by thread: Re: RFC: virus handling
Index(es):
- Date
- Thread