RE: Anti-virus auto-replies

From: Dowling, Gabrielle <dowlingg(at)sullcrom.com>
Date: Mon Jun 30 2003 - 23:46:41 EDT


Pete....

I have to say I generally disagree with this.

As a response to a virus detection, replies indicating the detection occurred and by what software would only come back to the virus writer in the initial seed of the virus, not everyone the virus is ultimately transmitted to.

I also think the particular data returned by a detection notification would not be particularly useful to anyone who wanted to compromise my enterprise.

That said, we turned our sender notifications off a while back, for the reasons Paul Schmehl describes. But that's not a real solution. It seems quite clear that since forging has become prevalent, various virus variants are persisting much longer than even in the recent past. I'd posit that that's exactly why forging has become a standard technique.

The solution is for gateway scanning products to get better at reading the headers and the IP addresses of the sending systems, rather than just reading the From line, so we can all turn our sender notifications back on.

Regards,

Gaby


-----Original Message-----

From: 	Pete Herzog
Sent:	Mon Jun 30 22:50:28 2003
To:	focus-virus@securityfocus.com
Subject:	RE: Anti-virus auto-replies

This is actually a normal security check. Oftentimes the headers of these virus reply mails will have different network paths they pick up along the way, depending on where it is sent from; it is indeed used to perform a network survey and enumeration.

Since the security tester is looking for any response from the security presence of an organization, the ideal situation is no responses to anything which is not expressly permitted under business justification.

Running a test, I do look in the headers of bounced mails, out of office mails, bounced mailing list mails, direct sent mails, read receipts, receive receipts, and AV response mails for network path information. I also use this to find live e-mail addresses, systems and applications in use, containment measures either server side or desktop, etc.

Again, no response is proper for various reasons, but most of all if business justification does not expressly permit a community service for sending responses to all virus-attached mails which offsets the risk of the profiling that it may be used for and possible legal action for causing a third-party DoS.

The proper action is to strip the virus and allow the recipient to receive the mail with a warning that the attachment was removed because of XYZ virus. The recipient may then decide if the person is known and worth contacting (a key client, perhaps). All mails which have no proper recipient do not bounce either; they forward to a common account that a designated person reviews for legitimate traffic.

Sincerely,
-pete.

www.osstmm.org


This e-mail is sent by a law firm and contains information that may be privileged and confidential. If you are not the intended recipient, please delete the e-mail and notify us immediately.


Received on Tue Jul 1 13:03:22 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:39 EDT
