[33357] in bugtraq


Re: RFC: virus handling

daemon@ATHENA.MIT.EDU (Dave Aronson)
Tue Feb 3 06:01:28 2004

From: Dave Aronson <spamtrap.secfocus@dja.mailme.org>
To: bugtraq@securityfocus.com
Date: Wed, 28 Jan 2004 15:06:22 -0500
In-Reply-To: <1075304734.29593.147.camel@hostmaster.org>
Cc: Thomas Zehetbauer <thomasz@hostmaster.org>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200401281506.22283.spamtrap.secfocus@dja.mailme.org>

On Wed January 28 2004 10:45, Thomas Zehetbauer wrote:

 > 3.1.2.) e-mail Alias and Web-Interface
 > Additionally providers should provide e-mail aliases for the IP
 > addresses of their customers (eg. customer at 127.0.0.1 can be
 > reached via 127.0.0.1@provider.com)

This would vastly simplify dictionary-attack spamming.

 > or a web interface with similar functionality.

Better, but still might be easily abused by scripting.

 > 3.2.) Disconnect
 > Providers should grant their customers some grace period to clean
 > their infection and should thereafter be disconnected entirely or
 > filtered based on protocol (eg. outgoing SMTP) or content (eg.
 > transparent smarthost with virus scanner) until they testify that
 > they have cleaned their system.

Grace, shmace!  Viruses can do their dirty work in a matter of seconds.
How about the ISP *immediately* blocks just the port(s) in question?
(Recognizing that that could be *all* ports.)  It could unblock after
some time period with no outbound virus infection (or phone home for
orders, etc.) attempts, and of course reblock when any new such
activity is detected.

-- 
Dave Aronson, Senior Software Engineer, Secure Software Inc.
(Opinions above NOT those of securesw.com unless so stated!)
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
Web: http://destined.to/program http://listen.to/davearonson
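The block-immediately / unblock-after-a-quiet-period / reblock-on-recurrence scheme Dave sketches above, written out as a small per-customer quarantine state machine. This is an added example, not code from the original post or from any ISP's systems. The alert line format (`<unix_ts> <customer_ip> <dst_port|*>`), the 3600-second quiet period, the sample alerts and the use of `*` to mean "all outbound ports" (his "could be *all* ports" case) are all assumptions made for the illustration.

```python
"""Per-customer port quarantine: block a port on the first detected outbound
infection/phone-home attempt, release it after a quiet period with no further
attempts, and re-block it as soon as a new attempt is seen.

Added example; the alert format, quiet period and sample data are assumptions.
"""
from dataclasses import dataclass, field

QUIET_PERIOD = 3600  # seconds of silence before a port is released (assumed value)
ANY = "*"            # pseudo-port meaning "all outbound traffic" (assumption)


@dataclass
class Customer:
    # port -> timestamp of the most recent offending event on that port
    blocked: dict = field(default_factory=dict)


class PortQuarantine:
    def __init__(self, quiet_period=QUIET_PERIOD):
        self.quiet_period = quiet_period
        self.customers = {}   # customer_ip -> Customer
        self.actions = []     # (ts, "block" | "unblock", ip, port)

    def on_alert(self, ts, ip, port):
        """An outbound infection or phone-home attempt was seen from ip on port."""
        cust = self.customers.setdefault(ip, Customer())
        if port not in cust.blocked:
            # first sighting on this port: block right away, no grace period
            self.actions.append((ts, "block", ip, port))
        cust.blocked[port] = ts          # (re)start the quiet-period timer

    def sweep(self, ts):
        """Periodic sweep: release every port that has been quiet long enough."""
        for ip, cust in self.customers.items():
            for port, last in list(cust.blocked.items()):
                if ts - last >= self.quiet_period:
                    del cust.blocked[port]
                    self.actions.append((ts, "unblock", ip, port))

    def is_blocked(self, ip, port):
        """True if traffic from ip to port is currently dropped."""
        cust = self.customers.get(ip)
        if cust is None:
            return False
        return ANY in cust.blocked or port in cust.blocked


def parse_alert(line):
    """Constructed alert format: '<unix_ts> <customer_ip> <dst_port|*>'."""
    ts, ip, port = line.split()
    return int(ts), ip, port


def run(alert_lines, sweep_times, quiet_period=QUIET_PERIOD):
    """Replay IDS alerts and timer sweeps in time order; return the quarantine."""
    q = PortQuarantine(quiet_period)
    events = [("alert",) + parse_alert(line) for line in alert_lines]
    events += [("sweep", t, None, None) for t in sweep_times]
    # alerts are processed before a sweep carrying the same timestamp
    events.sort(key=lambda e: (e[1], e[0] != "alert"))
    for kind, ts, ip, port in events:
        if kind == "alert":
            q.on_alert(ts, ip, port)
        else:
            q.sweep(ts)
    return q


# Constructed sample alerts (not real data): one customer spamming over SMTP,
# one worm-scanning on arbitrary ports, so its whole outbound side is blocked.
SAMPLE_ALERTS = [
    "1000 10.0.0.5 25",
    "1060 10.0.0.5 25",
    "1120 10.0.0.7 *",
    "5000 10.0.0.5 25",
]
SAMPLE_SWEEPS = [4660, 8700]


def demo():
    """Actions taken on the sample data: block, quiet-period release, reblock."""
    return run(SAMPLE_ALERTS, SAMPLE_SWEEPS).actions


if __name__ == "__main__":
    for ts, action, ip, port in demo():
        print(f"t={ts:5d} {action:7s} {ip} port {port}")
```

Each new alert restarts the customer's timer, so a host that keeps trying stays blocked indefinitely, while one that goes quiet for the full period is released without anyone having to testify to anything; the second alert at t=5000 shows the reblock path. In a real deployment the sweep would drive the ISP's access-list or policy-routing configuration rather than an in-memory dict, and the alert source would be an IDS or flow sensor on the customer aggregation link.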

