RE: [Full-Disclosure] Backdoor not recognized by Kaspersky

["Larry Seltzer" <larry@xxxxxxxxxxxxxxxx>]

>>SMTP auth does not help at all. A virus that delivers email via it's own SMTP 
>>engine
completely bypasses the end users ISP server(s). And if the recipient server 
does not
allow incoming mail from wherever it is presented from, then incoming mail will 
simply
be broken unless there is some sort of SPF. 

Yeah, exactly, that's the point. SMTP AUTH plus something like SPF/CID/DK would 
stop all
the existing worms from operating. Mail sent through their own engines would be 
rejected
by SPF/CID/DK. 

>>But, SPF, caller-ID, and Domain keys all have major unsolved issues with 
>>forwards,
aliases, corporate employees checking their work mail and needing to reply 
through their
home connection ISP, but with their company 'From: ' address and several other 
common
scenarios. Until their is universal adoption of some add on to SMTP, nobody can 
reject
all non-conforming mail safely. 

It's not hard to imagine the largest ISPs and large corps accepting it, at 
which point
it would become necessary for others to accept it or risk having their mail 
shut out. 

>>All implementations create a much greater load on DNS. 

Greater, yes. Much greater, I'm not so sure. Verisign doesn't think it's a 
substantial
extra load. The DNS data could very reasonably be cached.

>>The real issue is that their is no possible algorithmic solution to rejecting 
>>email
reliably based on any of its source, its content, or any combination. 

So SPF/CID/DK don't work? They reject based on domain

>>If the mail is not accepted, laws prohibit silently discarding it. 

I've never heard this before. What law?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
larryseltzer@xxxxxxxxxxxxx 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html