
Re: [Full-Disclosure] From field spoofing and AV responses



Hi.

Another OT thread, so I'll keep it short.

Erik van Straten wrote:
> > How hard would it be to have the AV software actually check the source
> > email smtp host, and send an email to abuse@xyz.com for the *actual*
> > offending smtp server?
>
> Incredibly hard.

Yep. Mostly because of the fact that these types of worms use their own local SMTP engine. So, what you'll likely see is that the originating SMTP server IP is within the Dial-Up-Pool of your favorite ISP.


Autoresponding AV software is a bad idea in times of from-address-spoofing. Personally, I'd vote for throwing every false "Watch, I caught a virus that YOU sent to me" auto-response towards the company that thought auto-responding would be a great idea. Maybe that would make them start thinking it over again...

Bye, Mike

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html