Re: RFC: virus handling

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: RFC: virus handling
From: Dave Aronson <spamtrap.secfocus@xxxxxxxxxxxxxx>
Date: Wed, 28 Jan 2004 15:06:22 -0500
Cc: Thomas Zehetbauer <thomasz@xxxxxxxxxxxxxx>
In-reply-to: <1075304734.29593.147.camel@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <1075304734.29593.147.camel@xxxxxxxxxxxxxx>
User-agent: KMail/1.5.2

On Wed January 28 2004 10:45, Thomas Zehetbauer wrote:

 > 3.1.2.) e-mail Alias and Web-Interface
 > Additionally providers should provide e-mail aliases for the IP
 > addresses of their customers (eg. customer at 127.0.0.1 can be
 > reached via 127.0.0.1@xxxxxxxxxxxx)

This would vastly simplify dictionary-attack spamming.

 > or a web interface with similiar functionality.

Better, but still might be easily abused by scripting.

 > 3.2.) Disconnect
 > Providers should grant their customers some grace period to clean
 > their infection and should thereafter be disconnected entirely or
 > filtered based on protocol (eg. outgoing SMTP) or content (eg.
 > transparent smarthost with virus scanner) until they testify that
 > they have cleaned their system.

Grace, shmace!  Viri can do their dirty work in a matter of seconds.  
How about the ISP *immediately* blocks just the port(s) in question?  
(Recognizing that that could be *all* ports.)  It could unblock after 
some time period with no outbound virus infection (or phone home for 
orders, etc.) attempts, and of course reblock when any new such 
activity is detected.

-- 
Dave Aronson, Senior Software Engineer, Secure Software Inc.
(Opinions above NOT those of securesw.com unless so stated!)
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
Web: http://destined.to/program http://listen.to/davearonson

References:
- RFC: virus handling
  - From: Thomas Zehetbauer

Prev by Date: 0verkill - little simple vulnerability.
Next by Date: RFC: content-filter and AV notifications (Was: Re: RFC: virus handling)
Previous by thread: Re: RFC: virus handling
Next by thread: RFC: content-filter and AV notifications (Was: Re: RFC: virus handling)
Index(es):
- Date
- Thread