Re: RFC: virus handling

To: Patrick Proniewski <patpro@xxxxxxxxxx>
Subject: Re: RFC: virus handling
From: Matthew Dharm <mdharm@xxxxxxxxxxxxxxxxxx>
Date: Tue, 3 Feb 2004 12:55:24 -0800
Cc: Thomas Zehetbauer <thomasz@xxxxxxxxxxxxxx>, Liste BugTrack <bugtraq@xxxxxxxxxxxxxxxxx>
In-reply-to: <43FFF692-51BF-11D8-90F0-0030654D97EC@xxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mail-followup-to: Patrick Proniewski <patpro@xxxxxxxxxx>, Thomas Zehetbauer <thomasz@xxxxxxxxxxxxxx>, Liste BugTrack <bugtraq@xxxxxxxxxxxxxxxxx>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: One Eyed Alien Networks
References: <1075304734.29593.147.camel@xxxxxxxxxxxxxx> <43FFF692-51BF-11D8-90F0-0030654D97EC@xxxxxxxxxx>
User-agent: Mutt/1.4.1i

On Wed, Jan 28, 2004 at 07:24:52PM +0100, Patrick Proniewski wrote:
> On 28 janv. 2004, at 16:45, Thomas Zehetbauer wrote:
> 
> >Looking at the current outbreak of the Mydoom.A worm I would like to
> >share and discuss some thoughts:
> 
> 
> You bring some definitely interesting points here.
> 
> I agree with your 1) and 2), but 3) rises some technical concern
> 
> >3.1.2.) e-mail Alias and Web-Interface
> >Additionally providers should provide e-mail aliases for the IP
> >addresses of their customers (eg. customer at 127.0.0.1 can be reached
> >via 127.0.0.1@xxxxxxxxxxxx) or a web interface with similiar
> >functionality. The latter should be provided when dynamically assigned
> >IP addresses are used for which an additional timestamp is required.
> 
> 
> could be a really good idea, if not so easy to use for spammers or even 
> for virii. The moment you setup such a service, spammers/virus coder 
> will write a script that can reach every single user with an active 
> connexion. It's a really major drawback I think.

Perhaps something with more limited functionality, then?

Consider a provider who offers the e-mail address of
virusalert@xxxxxxxxxxxx (name it what you will), to which can be fed an
e-mail consisting of a single line -- that line is the IP address and a
one-word 'name' for the problem. 

Thus, if I find I'm getting MyDoom.A from 127.2.2.1, I can send a message
that will alert _someone_ (who is presumeably not asleep at the controls).

It also means that general e-mail cannot be sent via this interface -- no
spamming.  The provider can take this information, look it up (with the
timestamp the e-mail came in at, if necessary for large dynamic pools), and
take action (the least of which, I hope, would be to notify the end-user).

This could even be done without e-mail at all.  A quick HTTP GET/POST could
carry this information.  Heck, this could run much like ident/auth
services to a designated machine (i.e. virusalert.provider.com).

Matt

-- 
Matthew Dharm                              Home: mdharm@xxxxxxxxxxxxxxxxxx 
Senior Software Designer, Momentum Computer

IT KEEPS ASKING ME WHERE I WANT TO GO TODAY! I DONT WANT TO GO ANYWHERE!
                                        -- Greg
User Friendly, 11/28/97

Attachment: pgpzVmmqqy9Ja.pgp
Description: PGP signature

Follow-Ups:
- Re: RFC: virus handling
  - From: Ben Wheeler

References:
- RFC: virus handling
  - From: Thomas Zehetbauer
- Re: RFC: virus handling
  - From: Patrick Proniewski

Prev by Date: Decompression Bombs
Next by Date: Re: MS to stop allowing passwords in URLs
Previous by thread: Re: RFC: virus handling
Next by thread: Re: RFC: virus handling
Index(es):
- Date
- Thread