Re: MyDoom, Sorbig - Actions taken?

2004-02-05 09:17:24
On Thu, 05 Feb 2004 02:27:43 EST, Hector Santos said:

Yes, it is too bad that many designers of today have not taken ethical
engineering courses like I was required.  Yes, it is too bad there was a lot
of pressure to have "automation" to be more important over security
concerns.  But this has NOTHING to do with how the SOBIG-generation viruses
are exploiting everything that is weak about SMTP.

If it didn't get run, it wouldn't be exploiting *anything* about SMTP.

Why does it get run? Breakage at the MUA level.  Failing to understand
that means you're doomed to keep shimming your SMTP to "fix" the problem.
If you like, I'll send you the logfiles of the 3 million or so MyDoom-A
that managed to blast through our Listserv machine, which *NONE* of your
checks would actually have stopped (by sheer blind luck, coming INTO
the list the EHLO and From: and To: and MAIL FROM: and RCPT TO: were all
correctly set for a posting from a "local" user).

While one can question the quality assurance of the tire design, one can
also question the quality assurance of the materials, the manufacturing, the
testing and the risk assessment analysis used to suggest that "risk" is a
"user problem" not a "vendor" problem.  The fact is the WORLD did not
consider to lower speed limits because it would be a RIDICULOUS suggestion
conflictive with all other industries - car racing/chasing for one.  It is
so dumb, it is not even worth any more further thought.

So changing the roads because the tires are bad is stupid,
but changing the SMTP because the MUA is bad isn't.

What's wrong with that picture?

