Re: getting rid of outbreaks and spam (junk)
Gadi Evron <ge@xxxxxxxxxxxx> writes:
> The AV industry is built on reaction rather than prevention. Adding
> new signatures is still the #1 tool in the fight against malware.
That's why AV must never be used as the first/only line of defence
against malware. The couple of hour window between outbreak and
updated signatures could be enought to do significant damage; think of
Blaster written by a skilled and malicious individual. As you say, AV
falls into the 'detection/response' categories instead of
'prevention'.
> If backbones filtered the top-10 current outbreaks, with non-intrusive
> means such as for example running MD5 checksum checks against
> attachments, or whatever other way - wouldn't it be better? True, it
> may cause a cry of "the government spies on us, but with the current
> economic troubles outbreaks cause, can we really use that excuse
> anymore? Doesn't the police regulate speeding?
Not my area, but I believe most backbone networks are designed to get
packets from A to B as fast as possible. Egress filtering at ISPs,
for both spoofed addresses and email-borne viruses would be a start
though.
> Although completely not practical, a way to contact users (or ISP's,
> isn't that how it works?) by IP address would help a lot. But that
> would be circumventing the real problem which is ISP's not doing much
> about ABUSE REPORTS or USER SECURITY.
It would also be good to have ISPs accountable for abuse that
originates in their networks. But does any government department have
the resources to do this, even if appropriate laws are in place?
Several sites providing DNSBLs, and/or providing statistics of proxy
abusers have been taken off the 'net by massive DDoS attacks. The FBI
clearly has authority under the law to go after this kind of thing,
but has done absolutely nothing about it as far as I've heard.
cheers,
Jamie
(and, yes, everyone should turn off the !@#$ virus notifications already :)
--
James Riden / j.riden@xxxxxxxxxxxx / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.