
RE: Anti-vrus auto-replies

From: Dowling, Gabrielle <dowlingg(at)sullcrom.com>
Date: Sun Jul 06 2003 - 00:26:43 EDT


Pete...

I probably won't hit every point you make since I refuse to dial into my computer this weekend, but it's a good discussion and some immediate comments....

I only see diminishing the general level of virus prevalence as a way of diminishing risk to my org, not as a concern apart from diminishing risk to my org.

I don't want to discuss this further in this public forum, but I am happy to discuss it privately in a non-anonymous mode.

With respect to end user notification of virus detection, my particular point is that the information divulged is not particularly useful, and is only revealed to the original seeder. If someone wants to hold a copy of a virus and intentionally send it to my network, a while ago they would have gotten what av software we use and what virus was detected.

I'll stand on that is useless information.

If my org is susceptible to a particular virus, then we're going to get taken down by it regardless.

That said, true hackers want an incursion in, and this is not to be had here.


G

 -----Original Message-----

From: 	Pete Herzog
Sent:	Wed Jul 02 09:45:04 2003
To:	Dowling, Gabrielle; focus-virus@securityfocus.com
Subject:	RE: Anti-vrus auto-replies

Gaby,

Again I think this comes from the kind of solution you are intending to find: one of decreasing risk and liability or one of stomping out the worldwide virus problem for once and for all.

> As a response to a virus detection, replies indicating the

This I find somewhat confusing. I assume you mean that a reply is okay if the reply only goes back to the sender of the person who wrote the virus mail. This, as you mentioned, is not possible if the mail is forged regardless of headers since I can have even the IP address of where the mail was sent from but not the particular client with the infection sending the mail which would mean perhaps looking up the abuse desk and sending them the complaint at the very best. And that doesn't really help the sender of the e-mail. Which is why I propose the most liberal and least offending solution that the intended recipient of the e-mail should receive a virus-stripped mail with a flag saying "Attachment contained virus XYZ which may not have come from a different address than the one stated in the FROM: field" and the recipient (or Postmaster) can choose to reply to that person or not. But then a person makes that judgement call. I guarantee a great many of these mails will get deleted though due to high worm activity.

I don't think the answer is having virus software smarter and more re-active, but rather the solution has to be the implementers need to be smarter and pro-active. This means instead of automated replies, no matter how smart they can get, should be downplayed in favor of a good policy of having someone make decisions over what types of mails get deleted and when to strip them and forward them with a message to the intended recipient.

Again this comes from the policy of having security which includes business justification. I also think you may be surprised what a certified security tester can do with internal information about your network. Everything from service hijacking to loose source routing to side attacks through proxies or web servers. I have even seen clever social-engineering techniques used on people whose IP addresses from their desktop systems showed up in their e-mail headers.


Sincerely,
-pete.

> -----Original Message-----





This e-mail is sent by a law firm and contains information that may be privileged and confidential. If you are not the intended recipient, please delete the e-mail and notify us immediately.
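
The strip-and-flag handling proposed in the quoted message above (deliver the mail to its intended recipient without the infected attachment, and generate no automatic reply to the From: address), as an added example that is not part of the original thread. The `scan` stub, the `X-Virus-Stripped` header, the file names and the addresses are constructed assumptions.

```python
from email import message_from_string, policy
from email.message import EmailMessage

def scan(data):
    """Constructed stand-in for an AV engine: returns a detection name or None."""
    return "XYZ" if b"CONSTRUCTED-TEST-SIGNATURE" in data else None

def strip_and_flag(raw):
    """Rebuild the mail for its intended recipient without infected attachments.
    Nothing is sent back to the From: address, which may be forged."""
    src = message_from_string(raw, policy=policy.default)
    out = EmailMessage()
    for h in ("From", "To", "Subject"):
        if src[h]:
            out[h] = str(src[h])
    body = src.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    clean, found = [], []
    for part in src.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "unnamed"
        virus = scan(data)
        if virus:
            found.append((name, virus))
            text += (f"\n[Attachment {name!r} removed: contained virus {virus}. "
                     "The address in the From: field may be forged.]\n")
        else:
            clean.append((name, part.get_content_type(), data))
    if found:
        # Hypothetical header name, so the recipient or postmaster can filter on it.
        out["X-Virus-Stripped"] = ", ".join(v for _, v in found)
    out.set_content(text)
    for name, ctype, data in clean:
        maintype, subtype = ctype.split("/", 1)
        out.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return out, found

def constructed_sample():
    """Constructed test mail: one harmless and one flagged attachment."""
    m = EmailMessage()
    m["From"] = "forged.sender@example.com"
    m["To"] = "recipient@example.org"
    m["Subject"] = "Your details"
    m.set_content("See attached.\n")
    for name, data in (("notes.bin", b"harmless bytes"),
                       ("details.pif", b"..CONSTRUCTED-TEST-SIGNATURE..")):
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_string()
```

The decision whether to contact the apparent sender stays with the recipient or postmaster, who sees the notice in the delivered mail.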


Received on Sun Jul 6 09:56:12 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:39 EDT

