ietf-asrg

Re: [Asrg] Re: 6. Proposals: MTA MARK - and a LMAP note

2003-12-12 04:14:43
On Fri, Dec 12, 2003 at 12:51:55AM +0100, Markus Stumpf wrote:
However, MTA MARK would not have any effects on viruses.  It would
only affect worms, more specifically a certain subset of worms.  It
would not affect network worms like CodeRed, so I suggest not using
that as an example.  It will only affect those worms which have
their own SMTP code and use that to spread, instead of sending mail
through the ISP of the end user.

This is not true.

Perhaps I need to clarify...see below:

Even very "simple" viruses like VBS/Lovelet-AS spread via eMail

It is a worm.  The definition of a "worm" is basically "self-replicating
software that spreads over a network".  There is some disagreement on 
the formal definition of "virus" - one group of AV people considers all
intentionally self-replicating programs to be  "viruses", and worms 
therefore just a specific subset of "viruses".  Other researchers 
consider worms and viruses to be different, partially overlapping
subsets within the category of self-replicating programs - arguing that
the definition of a virus relies on the infection process, while the
definition of "worm" relies on the distribution process and those are
somewhat independent.

In any case, any self-replicating program that sends itself by mail
(regardless of whether it uses its own SMTP engine or not) is a worm.
Some of those are also viruses - in other cases there is an ongoing debate 
on whether to consider them viruses or not.  As the proposal would only
affect worms, not viruses that are not worms as well, I am just suggesting
that it would make more sense to talk just about worms to reduce the 
confusion.

Some worms would simply not be affected by MTA MARK at all, namely those
that send mail just as if a "real user" was actually sitting at the keyboard
and pressing the keys.  There is just no way for a protocol of this kind
to distinguish between a worm of this kind and a legitimate user sending
mail.  Worms of this category do not have their own SMTP code - which is
really what I meant earlier - sorry if this was not clear enough.

The mention of CodeRed and Nimda is in a section that argues
that one cannot trust users to update their computers, even if the
security holes are some months old and patches have existed for quite some time,
just like you can't count on them to configure their programs correctly,
as can be seen from the number of open proxy servers.

All I was saying is that CodeRed is a bad example, as someone might 
incorrectly assume that MTA MARK would have been effective against it.

  "This is one of my machines, but it is not authorized to send mail
   from my domain" - this result would typically indicate a compromised
   machine - either trying to send out worms or spam.

  "This is not one of my machines, and therefore it is not authorized
   to send mail from my domain" - this result would either indicate
   a forgery or perhaps a "roaming salesman" instance.

What I don't quite see is how LMAP would distinguish between those two 
cases - or if it can indeed do so.  Clarification, anyone?

LMAP can't distinguish and it is IMHO irrelevant. The machine is not
authorized to send emails with a sender address from domain example.com,
regardless of under whose authority the machine is.

This is not relevant to MTA MARK, of course, but the issue is not
irrelevant, as the appropriate reaction would be different.  In the 
first case the owners of the domain in question would hopefully
want to track down the compromised machine and take care of the
problem.

In the second case, the owners of the domain would only be interested 
in tracking down the machine if they were planning to go after the
person responsible for, well..."fraud".

I just brought this up because it seemed useful if LMAP would be able to
distinguish between those two cases.

-- 
Fridrik Skulason   Frisk Software International   phone: +354-540-7400
Author of F-PROT   E-mail: frisk(_at_)f-prot(_dot_)com       fax:   +354-540-7401

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
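The two LMAP outcomes discussed in the thread ("one of my machines, but not authorized" versus "not one of my machines") only differ if the domain publishes its owned address space separately from its authorized outbound MTAs. The following is an added example, not code from either poster and not the LMAP or MTA MARK record format (the thread does not define one); it assumes a hypothetical per-domain policy with two lists, `owned` netblocks and `authorized_mta` addresses, and classifies a connecting IP into the three cases, attaching the different reaction each case calls for. The policy data and the sender events are constructed for illustration (RFC 5737/3849 documentation addresses).

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample policy for one domain. This is an assumed data model,
# not LMAP's published record syntax: it deliberately separates "address
# space the domain owns" from "hosts allowed to send mail for the domain",
# which is exactly the information needed to tell the two cases apart.
POLICY: Dict[str, Dict[str, List[str]]] = {
    "example.com": {
        "owned": ["192.0.2.0/24", "2001:db8::/32"],
        "authorized_mta": ["192.0.2.25", "192.0.2.26"],
    },
}

# What the receiving side (or the domain owner reading its logs) should do
# with each verdict. The text of the thread is the source for the split:
# a compromised owned host is the domain owner's problem to clean up;
# a foreign host is a forgery or a roaming user and cannot be "fixed" by them.
RESPONSE: Dict[str, str] = {
    "authorized": "accept",
    "owned-unauthorized": "reject; notify domain owner: probable compromised host",
    "foreign": "reject; forgery or roaming user, not the domain owner's host",
    "no-policy": "accept; domain publishes nothing to check against",
}


def _in_any(ip: ipaddress._BaseAddress, cidrs: List[str]) -> bool:
    """True if ip falls inside any listed network (v4/v6 mismatch is False)."""
    return any(ip in ipaddress.ip_network(c, strict=True) for c in cidrs)


def classify_sender(domain: str, sender_ip: str,
                    policy: Dict[str, Dict[str, List[str]]] = POLICY) -> str:
    """Classify the connecting IP for a claimed sender domain.

    Returns one of: 'authorized', 'owned-unauthorized', 'foreign', 'no-policy'.
    Authorized MTAs are checked first so that an MTA inside an owned block
    is not misreported as an unauthorized host.
    """
    entry = policy.get(domain.lower())
    if entry is None:
        return "no-policy"
    ip = ipaddress.ip_address(sender_ip)
    if any(ip == ipaddress.ip_address(a) for a in entry["authorized_mta"]):
        return "authorized"
    if _in_any(ip, entry["owned"]):
        return "owned-unauthorized"
    return "foreign"


def triage(events: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """For each (label, claimed_domain, sender_ip) return (label, ip, verdict, response)."""
    out = []
    for label, domain, ip in events:
        verdict = classify_sender(domain, ip)
        out.append((label, ip, verdict, RESPONSE[verdict]))
    return out


# Constructed sender events mirroring the cases in the thread.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    # Worm with its own SMTP engine on a dial-up host inside the domain's space.
    ("worm-own-smtp-engine", "example.com", "192.0.2.77"),
    # Worm that hands mail to the ISP's real MTA, just like a user would:
    # indistinguishable from legitimate mail, as the thread points out.
    ("worm-via-isp-relay", "example.com", "192.0.2.25"),
    # Forged sender from an unrelated network.
    ("forged-from-outside", "example.com", "198.51.100.9"),
    # Legitimate "roaming salesman" in a hotel: same verdict as the forgery,
    # which is the limitation Markus describes.
    ("roaming-user", "example.com", "203.0.113.5"),
    # Domain that publishes no policy at all.
    ("unlisted-domain", "example.net", "192.0.2.77"),
]


def summarize(events: List[Tuple[str, str, str]] = SAMPLE_EVENTS) -> Dict[str, int]:
    """Count verdicts over a batch of events, e.g. for a daily owner report."""
    counts: Dict[str, int] = {}
    for _, _, verdict, _ in triage(events):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for label, ip, verdict, response in triage(SAMPLE_EVENTS):
        print(f"{label:22} {ip:16} {verdict:20} -> {response}")
    print(summarize())
```

The point the example makes concrete is the one Fridrik raises: with only a single "authorized or not" answer, the `owned-unauthorized` and `foreign` rows would collapse into one verdict and the domain owner would have no signal that a host of theirs is spewing worm mail. It also shows the limit both posters agree on: the worm relaying through the ISP's authorized MTA is accepted, because nothing in the sender-authorization data can separate it from a user at the keyboard.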