ietf-smtp

Re: MyDoom, Sorbig - Actions taken?

2004-02-04 20:44:50


Hmmmmmmm,

It's not just about the user. While that is true at the top level, the key
problem is the distribution.  That is what makes this SOBIG-generation virus
different from any other normal "Do not open Attachment" email you might
get.

It is more than just "Social Engineering."

The virus's success is 100% based on the weakness of the SMTP system and the
current behavior of ANTI-SPAM software to assist in the distribution
process.   It is designed to exploit the SMTP inability to validate return
paths and/or sender machines.

1) Initial user gets mail or downloads the virus from somewhere.

2) Virus is installed, gathers the user's Outlook Address Book.

3) It begins to send out mail to recipients using a mixed Return Path.

4) Distribution Pattern #1 - Mail that gets delivered -> go to step 1.

5) Distribution Pattern #2 - Expired addresses - Mail bounced back to return
paths.

6) Distribution Pattern #3 - Anti-Spam Software - Filtered mail bounced back
to return paths.

With the SOBIG virus, some AVS vendors learned to remove the attachment in
bounced mail, and they also learned to use a NULL address to avoid further
loops in the process.  This is evident in this new virus.

The SPF and DMP proposals have helped my customers eliminate the mismatched
return-path/sender-machine pairs.  CBV also helped to reduce those return
paths mixed in the distribution that are no longer valid.  Mail filters did
the rest.

I guess the lack of response means people don't feel this is a problem SMTP
could help address?

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com

----- Original Message ----- 
From: "Keith Moore" <moore(_at_)cs(_dot_)utk(_dot_)edu>
To: "Hector Santos" <winserver(_dot_)support(_at_)winserver(_dot_)com>
Cc: <moore(_at_)cs(_dot_)utk(_dot_)edu>; <ietf-smtp(_at_)imc(_dot_)org>
Sent: Wednesday, February 04, 2004 5:03 PM
Subject: Re: MyDoom, Sorbig - Actions taken?



I would be extremely interested in hearing from SMTP developers here how
they are addressing the latest big problem of the MyDoom virus with their
customers, etc.  What have they learned to better address the problem
with the current specs?

Does anyone have the complete "technical logic" of how this email virus
exploits SMTP?

the virus doesn't exploit SMTP.  it exploits mail readers that fail to
follow the MIME specification.

--
He not busy being born, is busy dying.  - Bob Dylan
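The three distribution patterns listed earlier in this thread (direct delivery, bounces for expired addresses, bounces of filtered mail) and the counter-measures mentioned (return-path/sender-machine validation in the style of SPF, NULL-sender DSNs, stripping the attachment from bounces) can be made concrete with a small simulation. The following is an added example, not code from the thread, from Santronics or from any named product; the domains, hosts, users and SPF-style table are constructed, CBV and DMP are not modelled, and the single `reject_at_smtp` switch stands in for "reject in-session instead of accept-then-bounce" for both unknown users and filtered mail.

```python
"""Constructed simulation of the Sobig/MyDoom distribution patterns from the
thread: worm mail with a forged return path, bounces for expired users
(pattern #2) and for filtered mail (pattern #3), and the counter-measures.
Example code, not Santronics' or any listed product's implementation."""

from dataclasses import dataclass, field

# Hypothetical SPF-style policy: domain -> hosts allowed to use it in MAIL FROM.
SPF_TABLE = {
    "alpha.example": {"192.0.2.10"},
    "beta.example": {"192.0.2.20"},
}


@dataclass
class Message:
    return_path: str   # envelope MAIL FROM; "" is the NULL sender used by DSNs
    rcpt: str          # envelope RCPT TO
    client_ip: str     # host that opened the SMTP session
    has_worm: bool     # carries the worm attachment


@dataclass
class Relay:
    """Receiving MTA for one domain, with the knobs the thread discusses."""
    domain: str
    ip: str
    users: set
    scan: bool               # runs an anti-virus filter on inbound mail
    spf_check: bool          # verifies client_ip against the return-path domain
    reject_at_smtp: bool     # 550 in-session instead of accept-then-bounce
    strip_on_bounce: bool    # drop the original attachment from any DSN
    inbox: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

    def bounce(self, msg):
        """Generate a DSN with a NULL return path, so the DSN itself can never
        be bounced back; that is what stops the Sobig-era mail loops."""
        if msg.return_path == "":
            return  # never bounce a bounce
        self.outbound.append(Message(
            return_path="",
            rcpt=msg.return_path,
            client_ip=self.ip,
            has_worm=msg.has_worm and not self.strip_on_bounce,
        ))

    def receive(self, msg):
        """Handle one envelope; returns an SMTP-style reply string."""
        if self.spf_check and msg.return_path:
            allowed = SPF_TABLE.get(msg.return_path.split("@")[1])
            if allowed is not None and msg.client_ip not in allowed:
                return "550 5.7.1 client not authorized for return-path domain"
        user = msg.rcpt.split("@")[0]
        problem = None
        if user not in self.users:
            problem = "unknown user"
        elif self.scan and msg.has_worm:
            problem = "virus found"
        if problem:
            if self.reject_at_smtp:
                return "550 5.7.0 " + problem      # sender's MTA owns any DSN
            self.bounce(msg)                      # legacy: accept, then bounce
            return "250 OK (queued for DSN)"
        self.inbox.append(msg)
        return "250 OK"


def simulate(relays, queue):
    """Route every message (and every DSN it triggers) by recipient domain.
    Returns (worm copies that reached an inbox, DSNs that reached an inbox)."""
    queue = list(queue)
    while queue:
        msg = queue.pop(0)
        relay = relays[msg.rcpt.split("@")[1]]
        relay.receive(msg)
        queue.extend(relay.outbound)
        relay.outbound.clear()
    inboxes = [m for r in relays.values() for m in r.inbox]
    return (sum(m.has_worm for m in inboxes),
            sum(m.return_path == "" for m in inboxes))


def scenario(spf_check, reject_at_smtp, strip_on_bounce):
    """Infected PC (not alpha's relay) mails beta.example with alice's address
    forged as the return path; alpha.example runs no scanner of its own."""
    alpha = Relay("alpha.example", "192.0.2.10", {"alice"}, scan=False,
                  spf_check=spf_check, reject_at_smtp=reject_at_smtp,
                  strip_on_bounce=strip_on_bounce)
    beta = Relay("beta.example", "192.0.2.20", {"bob", "carol"}, scan=True,
                 spf_check=spf_check, reject_at_smtp=reject_at_smtp,
                 strip_on_bounce=strip_on_bounce)
    worm_host = "203.0.113.5"                 # constructed infected client
    forged = "alice@alpha.example"            # harvested from an address book
    outgoing = [Message(forged, f"{u}@beta.example", worm_host, True)
                for u in ("bob", "carol", "gone")]   # "gone" has expired
    return simulate({r.domain: r for r in (alpha, beta)}, outgoing)


if __name__ == "__main__":
    for cfg in [(False, False, False), (True, False, False),
                (False, True, False), (False, False, True)]:
        print("spf/reject/strip =", cfg, "->", scenario(*cfg))
```

With every switch off, none of the three worm messages reaches a beta.example inbox, yet three worm copies land in alice's inbox at alpha.example: two via the scanner's bounces (pattern #3) and one via the unknown-user bounce (pattern #2), all carried by DSNs that alpha's unscanned relay accepts because a NULL-sender message looks like a legitimate bounce. Turning on the SPF-style check or in-session rejection at beta.example drops that to zero with no backscatter at all, because the forging host is never accepted in the first place. Stripping the attachment alone removes the worm but still delivers three useless bounces to the forged sender, which is the residual annoyance the thread describes even after vendors adopted that fix.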