ietf-asrg

Re: [ASRG] 0. General - Etymology trivia: "virus"

2003-12-11 19:56:47
an interesting note about the plural of virus

Taken from...
http://www.cs.helsinki.fi/linux/linux-kernel/2001-30/0607.html

What I don't understand is why people use the form virii, with a double I!


Just like the plural of abacus is abaci, the plural of cactus is cacti
(check the dictionary if you don't believe me), shouldn't the plural of
virus be viri, with one I at the end (of course, "viruses" is also currently
accepted as a plural, and even preferred by some people).


I think people get confused by the fact that the plural of radius is radii.
That extra "I" comes from the i in radius - it shouldn't appear in the plural
of "virus"! The plural of the different word "virius" should have been virii.
===============================

I was always told virii was the plural and 'viruses' was vulgar

well I'll use viri from now on


Regards
Chris



-----Original Message-----
From: asrg-admin(_at_)ietf(_dot_)org [mailto:asrg-admin(_at_)ietf(_dot_)org] On Behalf Of Markus Stumpf
Sent: Friday, December 12, 2003 10:22 AM
To: Fridrik Skulason
Cc: asrg(_at_)ietf(_dot_)org
Subject: Re: [Asrg] Re: 6. Proposals: MTA MARK


On Thu, Dec 11, 2003 at 09:22:01AM +0000, Fridrik Skulason wrote:
> The document uses the term "viri".  Now, there is an interesting
> division of terminology in the anti-virus field.  AV people use the
> plural "viruses", while the "k00l VXdudez" use "viri" or "virii"
> as a means of distinguishing them.  The side effect is that anyone
> talking about "viri" or "virii" just does not get taken seriously
> by the anti-virus community.

I don't know if I am a "k00l VXdudez", but I had 5 years of Latin in
school and the correct plural of "virus" is "viri" (not "viruses" and
in no way "virii" ;-). The plural form was very rarely used in written
text, so some people say it doesn't have one in Latin, which is wrong.

However, according to the Oxford English Dictionary, the correct plural
in English language is "viruses". I'll change that. Please blame it on
the fact that I am not a native English speaker ;-)

> However, MTA MARK would not have any effects on viruses.  It would
> only affect worms, more specifically a certain subset of worms.  It
> would not affect network worms like CodeRed, so I suggest not using
> that as an example.  It will only affect those worms which have
> their own SMTP code and use that to spread, instead of sending mail
> through the ISP of the end user.

This is not true.
Even very "simple" viruses like VBS/Lovelet-AS spread via eMail by using
the MAPI of the infected host. It did NOT have its own SMTP code. Some
of the recent viruses do have their own SMTP module talking SMTP directly
to remote hosts, some of them simply use e.g. the MAPI of the infected
host. Whether the message that is sent via the MAPI uses smarthosts or
gets delivered directly depends on the global configuration of the MAPI.

The mention of CodeRed and Nimda is in a section that argues
that one cannot trust users to update their computers, even if the
security holes are some months old and patches exist for quite some time,
just like you can't count on them to configure their programs correctly
as can be seen from the number of open proxy servers.

> During the Sobig.F outbreak we collected data on which machines were
> responsible for sending out the viruses.  It turned out that the vast
> majority of analysed samples were from privately owned PCs with an
> ADSL or broadband connection.

We don't have an AV software in that mailserver, but we reject
executable attachments based on base64 signatures. The rejections of
the last 7 days are at
   http://www.space.net/~maex/asrg-exec.txt
First row is the number of rejections, second row is host:ip. With a
probability of nearly one, all of the filtered messages have been
viruses. Apart from the data you collected from the Sobig.F outbreak the
spreading with the average background noise shows a little different data
according to the above numbers.

> This is what one would have expected
> anyhow - corporate machines are generally better protected and less
> likely to be compromised and machines with only a (slow) modem
> connection would send out fewer messages than the ones with a fast
> connection.
>
> The relevance to spam is that this is presumably the same group of
> machines as spammers using compromised machines would be interested in.

I don't think so. IMHO spammers don't care too much, speed is a nice to
have addon but I don't think it makes a big difference for them if the
compromised host takes 2 or 5 hours to blast out the spam.

>   "This is one of my machines, but it is not authorized to send mail
>    from my domain" - this result would typically indicate a compromised
>    machine - either trying to send out worms or spam.
>
>   "This is not one of my machines, and therefore it is not authorized
>    to send mail from my domain" - this result would either indicate
>    a forgery or perhaps a "roaming salesman" instance.
>
> What I don't quite see is how LMAP would distinguish between those two
> cases - or if it can indeed do so.  Clarification, anyone?

LMAP can't distinguish and it is IMHO irrelevant. The machine is not
authorized to send emails with a sender address from domain example.com,
regardless of under whose authority the machine is.

      \Maex

--
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
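
The base64-signature rejection mentioned in the message above, as an added example that is not part of the original thread or of SpaceNet's mail server configuration: it derives which base64 prefixes a given file magic can encode to and flags MIME parts whose encoded body starts with one of them. The "MZ" executable header as the signature, the function names and the sample message are assumptions made for illustration.

```python
import base64
import string
from email import message_from_string
from email.message import EmailMessage

B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

def b64_prefixes(magic: bytes) -> set:
    """Every base64 prefix that data beginning with `magic` can encode to."""
    full, rem = divmod(len(magic) * 8, 6)      # whole 6-bit groups, leftover bits
    padded = base64.b64encode(magic + b"\x00\x00").decode()
    fixed = padded[:full]                      # characters fully set by the magic
    if rem == 0:
        return {fixed}
    # The next character has only its top `rem` bits fixed; the remaining bits
    # come from the byte after the magic, so enumerate every possibility.
    base = B64_ALPHABET.index(padded[full])
    return {fixed + B64_ALPHABET[base + i] for i in range(1 << (6 - rem))}

def flag_executables(raw_message: str, magic: bytes = b"MZ") -> list:
    """Return filenames of base64 parts whose encoded body starts with the signature."""
    prefixes = tuple(b64_prefixes(magic))
    flagged = []
    for part in message_from_string(raw_message).walk():
        if (part.get("Content-Transfer-Encoding") or "").lower() != "base64":
            continue
        body = "".join(part.get_payload().split())   # drop line breaks
        if body.startswith(prefixes):
            flagged.append(part.get_filename() or "(unnamed)")
    return flagged

def sample_message() -> str:
    """Constructed test message: one fake 'MZ' blob, one harmless blob."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    msg.add_attachment(b"MZ\x90\x00" + bytes(20), maintype="application",
                       subtype="octet-stream", filename="doc.pif")
    msg.add_attachment(b"plain notes, not a program", maintype="application",
                       subtype="octet-stream", filename="notes.bin")
    return msg.as_string()

if __name__ == "__main__":
    print(sorted(b64_prefixes(b"MZ")))
    print(flag_executables(sample_message()))
```

A prefix match of this kind rejects by file type, not by malware family, so it flags any base64 part whose decoded content begins with the magic bytes.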

