[Full-Disclosure] From field spoofing and AV responses
- To: <full-disclosure@lists.netsys.com>
- Subject: [Full-Disclosure] From field spoofing and AV responses
- From: "Johnson, April" <apjohnson@seattleschools.org>
- Date: Tue, 27 Jan 2004 11:06:34 -0800
Question for the group?

How hard would it be to have the AV software actually check the source
email smtp host, and send an email to abuse@xyz.com for the *actual*
offending smtp server?

The from field is almost worthless at this point. But the header is
more reliable. Yes, it *can* be spoofed, but it's significantly more
difficult.

I'm nearly buried in false 'AV' responses - and worse, the users that
get them are terrified because they think they've 'become infected'. I
don't mind the user being wary, but the level of fear and anxiety over a
false notice is becoming unworkable.

Just Curious,
-apjohnson (CISSP, CCNP, SCSA)
Network Operations - Security
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
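
The check the post asks about, as an added example that is not part of the original message or of any AV product: take the connecting IP only from Received lines stamped by your own mail servers and ignore From entirely. The function name, host names, networks and the sample message are constructed assumptions.

```python
import email
import ipaddress
import re

def connecting_host(raw_message, trusted_hosts, internal_nets):
    """Return the IP of the external host that handed the message to our
    mail system, or None. Only Received lines written by our own servers
    are consulted; the From header is never read."""
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):       # newest hop first
        by = re.search(r"\bby\s+([\w.-]+)", value)
        if not by or by.group(1).lower() not in trusted_hosts:
            return None     # left our own chain: the rest is sender-supplied
        peer = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", value[:by.start()])
        if not peer:
            continue        # e.g. local pickup, no peer address recorded
        try:
            ip = ipaddress.ip_address(peer.group(1))
        except ValueError:
            continue        # bracketed text that is not an address
        if any(ip in net for net in internal_nets):
            continue        # hop between our own machines
        return str(ip)
    return None

# Constructed values (assumptions): our relays and our internal address range.
TRUSTED = {"mail.example.org", "gw.example.org"}
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample: From names an uninvolved user, and the oldest Received
# line was written by the sending host, so neither can be relied on.
SAMPLE = (
    "Received: from gw.example.org (gw.example.org [10.0.0.5])\n"
    "\tby mail.example.org (Postfix) with ESMTP id AAAA;"
    " Tue, 27 Jan 2004 11:00:03 -0800\n"
    "Received: from some-pc (unknown [203.0.113.77])\n"
    "\tby gw.example.org (Postfix) with SMTP id BBBB;"
    " Tue, 27 Jan 2004 11:00:01 -0800\n"
    "Received: from mail.innocent.example ([198.51.100.9])\n"
    "\tby relay.forged.example with ESMTP; Tue, 27 Jan 2004 10:59:00 -0800\n"
    'From: "Innocent User" <user@innocent.example>\n'
    "To: staff@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(connecting_host(SAMPLE, TRUSTED, INTERNAL))
```

Mapping the returned address to an abuse contact is a separate lookup and is not shown.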