[33399] in bugtraq
Re: RFC: virus handling
daemon@ATHENA.MIT.EDU (Matthew Dharm)
Wed Feb 4 05:42:08 2004
Date: Tue, 3 Feb 2004 12:55:24 -0800
From: Matthew Dharm <mdharm@one-eyed-alien.net>
To: Patrick Proniewski <patpro@patpro.net>
Cc: Thomas Zehetbauer <thomasz@hostmaster.org>,
Liste BugTrack <bugtraq@securityfocus.com>
Message-ID: <20040203205524.GB25470@one-eyed-alien.net>
Mail-Followup-To: Patrick Proniewski <patpro@patpro.net>,
Thomas Zehetbauer <thomasz@hostmaster.org>,
Liste BugTrack <bugtraq@securityfocus.com>
In-Reply-To: <43FFF692-51BF-11D8-90F0-0030654D97EC@patpro.net>
On Wed, Jan 28, 2004 at 07:24:52PM +0100, Patrick Proniewski wrote:
> On 28 Jan. 2004, at 16:45, Thomas Zehetbauer wrote:
>
> >Looking at the current outbreak of the Mydoom.A worm I would like to
> >share and discuss some thoughts:
>
>
> You bring some definitely interesting points here.
>
> I agree with your 1) and 2), but 3) raises some technical concerns
>
> >3.1.2.) e-mail Alias and Web-Interface
> >Additionally providers should provide e-mail aliases for the IP
> >addresses of their customers (eg. customer at 127.0.0.1 can be reached
> >via 127.0.0.1@provider.com) or a web interface with similar
> >functionality. The latter should be provided when dynamically assigned
> >IP addresses are used for which an additional timestamp is required.
>
>
> could be a really good idea, if not so easy to use for spammers or even
> for viruses. The moment you set up such a service, spammers/virus coders
> will write a script that can reach every single user with an active
> connection. It's a really major drawback I think.
Perhaps something with more limited functionality, then?

Consider a provider who offers the e-mail address of
virusalert@provider.com (name it what you will), to which can be fed an
e-mail consisting of a single line -- that line is the IP address and a
one-word 'name' for the problem.

Thus, if I find I'm getting MyDoom.A from 127.2.2.1, I can send a message
that will alert _someone_ (who is presumably not asleep at the controls).
It also means that general e-mail cannot be sent via this interface -- no
spamming. The provider can take this information, look it up (with the
timestamp the e-mail came in at, if necessary for large dynamic pools), and
take action (the least of which, I hope, would be to notify the end-user).

This could even be done without e-mail at all. A quick HTTP GET/POST could
carry this information. Heck, this could run much like ident/auth
services to a designated machine (i.e. virusalert.provider.com).
Matt
-- 
Matthew Dharm                              Home: mdharm@one-eyed-alien.net
Senior Software Designer, Momentum Computer

IT KEEPS ASKING ME WHERE I WANT TO GO TODAY! I DONT WANT TO GO ANYWHERE!
                                        -- Greg
User Friendly, 11/28/97
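The single-line report format Matt proposes above (one line: IP address plus a one-word problem name, looked up with the time of receipt against a dynamic pool), written out as an intake validator on the provider's side. This is an added example and not code from the original thread; the mailbox semantics, the lease table, the customer ids and the timestamps are constructed assumptions. It shows the property he relies on: anything that is not exactly one `<ip> <name>` line is dropped, so the address cannot relay general mail.

```python
"""Intake validator for single-line abuse reports ("<ip> <problem-name>").

Added example, not part of the original bugtraq thread. The lease table,
customer ids and timestamps below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# The problem "name" is one word: letters, digits, dot, underscore, dash,
# at most 32 characters, so the field cannot carry free-form text or URLs.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,31}$")


@dataclass(frozen=True)
class Alert:
    ip: str                # normalised textual address
    name: str              # one-word problem label, e.g. "MyDoom.A"
    received_at: datetime  # when the provider's mailbox received the report


def parse_alert(body: str, received_at: datetime) -> Optional[Alert]:
    """Return an Alert if body is exactly one line of "<ip> <name>", else None.

    Every other shape (extra lines, extra words, prose, links) is rejected,
    which is what keeps the mailbox useless for sending general e-mail.
    """
    lines = [ln for ln in body.splitlines() if ln.strip()]
    if len(lines) != 1:
        return None
    parts = lines[0].split()
    if len(parts) != 2:
        return None
    ip_text, name = parts
    try:
        ip = ipaddress.ip_address(ip_text)  # raises ValueError on junk
    except ValueError:
        return None
    if not NAME_RE.match(name):
        return None
    return Alert(ip=str(ip), name=name, received_at=received_at)


# Constructed DHCP-style lease records for a dynamic pool:
# (ip, customer id, lease start, lease end). Two customers hold the same
# address on the same day, which is why the report's timestamp is needed.
UTC = timezone.utc
LEASES = [
    ("127.2.2.1", "cust-0017", datetime(2004, 2, 3, 18, 0, tzinfo=UTC),
     datetime(2004, 2, 3, 20, 0, tzinfo=UTC)),
    ("127.2.2.1", "cust-0042", datetime(2004, 2, 3, 20, 0, tzinfo=UTC),
     datetime(2004, 2, 3, 23, 0, tzinfo=UTC)),
]

# Constructed receipt time for the sample report.
RECEIVED_AT = datetime(2004, 2, 3, 20, 55, tzinfo=UTC)


def lookup_customer(alert: Alert, leases=LEASES) -> Optional[str]:
    """Find which customer held alert.ip at the moment the report arrived."""
    for ip, customer, start, end in leases:
        if ip == alert.ip and start <= alert.received_at < end:
            return customer
    return None


def handle_report(body: str, received_at: datetime = RECEIVED_AT) -> Optional[str]:
    """Validate a report body and return the customer to notify, or None."""
    alert = parse_alert(body, received_at)
    if alert is None:
        return None
    return lookup_customer(alert)


if __name__ == "__main__":
    print(handle_report("127.2.2.1 MyDoom.A\n"))                             # cust-0042
    print(handle_report("127.2.2.1 MyDoom.A\nplease visit example.invalid"))  # None
```

The same `parse_alert` check would sit behind an HTTP GET/POST endpoint just as well as behind a mailbox; the important design choice is that the input grammar is two tokens and nothing else, so a report cannot be turned into a delivery channel for arbitrary text.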