Discussion:
Zombie spam
(too old to reply)
Tim Bedding
2004-07-19 12:59:43 UTC
Permalink
I have been thinking about the zombie issue and how it
relates to the spam problem.

I have a few questions about where we are on it. I have read the
list archives looking for answers.


Can the ISP hosting the zombie machine reduce the amount of
zombie spam by taking appropriate measures? Or is it generally
too expensive to identify and quarantine a zombie?

If there is a lack of will on the part of the hosting ISP,
how can we put pressure on it to conform?

I am trying to reduce the issue down to one clear item (such
as investigating how to construct an affordable zombie identification
system). Then I can think some more about that item.


By the way, my mailer is such that if you hit reply on this message,
the reply may go only to me rather than the list.

I would like to discuss this on the list if possible so that I can
see what the consensus is.

Regards
Tim

Capital City
Wendy: It's just symptomatic of why my department's falling down.
It just doesn't have a clearly defined role.
John Levine
2004-07-19 14:02:54 UTC
Permalink
Post by Tim Bedding
Can the ISP hosting the zombie machine reduce the amount of
zombie spam by taking appropriate measures?
Sure. It's quite effective to force all outgoing mail from consumer
customers through the ISP's outgoing servers, then rate limit the
amount they send. Few consumer users need to send more than, say,
100 messages/hour, so they'll have to arrange for exceptions.

Comcast is watching outgoing direct port 25 connections and blocking
hosts that have volume spikes. It's not yet clear how well this
works. Until they told me about it, I didn't realize it was practical
to do that on a large cable modem networks.
Post by Tim Bedding
If there is a lack of will on the part of the hosting ISP,
how can we put pressure on it to conform?
One very large ISP has had some success in telling other ISPs that
either they will get their zombie problem under control, or they
won't be able to send the very large ISP any mail at all. But there
aren't very many ISPs big enough to make that a credible threat.

Regards,
John Levine, ***@taugh.com, Taughannock Networks, Trumansburg NY
http://www.taugh.com
Dave Crocker
2004-07-19 14:07:40 UTC
Permalink
Tim,

TB> Can the ISP hosting the zombie machine reduce the amount of
TB> zombie spam by taking appropriate measures? Or is it generally
TB> too expensive to identify and quarantine a zombie?
...
TB> I am trying to reduce the issue down to one clear item (such
TB> as investigating how to construct an affordable zombie identification
TB> system). Then I can think some more about that item.

The problem comes in two interesting forms.

1. The compromised machine tries to act as an smtp client, sending mail
around the world directly. <http://brandenburg.com/CSV> offers an
approach that will prevent or detect that. I suppose that spf and
sender-id are viewed as dealing with that also.

2. The compromised machine uses their local provider's MTA to do the
cross-next sending. The problem, here, is much more difficult. How can
the provider know whether the machine is compromised? What is is doing
that it should not be doing?


d/
--
Dave Crocker <mailto:***@brandenburg.com>
Brandenburg InternetWorking <http://www.brandenburg.com>
Sunnyvale, CA USA <tel:+1.408.246.8253>, <fax:+1.866.358.5301>
Barry Shein
2004-07-19 21:59:08 UTC
Permalink
Post by Dave Crocker
2. The compromised machine uses their local provider's MTA to do the
cross-next sending. The problem, here, is much more difficult. How can
the provider know whether the machine is compromised? What is is doing
that it should not be doing?
Generating complaints (including RBL additions)?

I know, you were asking about something more pro-active, before one
has to respond to complaints etc.

It might however seem like a good service for someone like the DCC
folks to sell. Pay them to keep your ISP's mail servers in a watch
list so you can be alerted by them when some threshold is exceeded.

It might be difficult to distinguish from forwarding hosts.

We see problems where hosts which are primarily forward-only (like
those college-alumni or professional organization sites) get
interpreted (I won't quite say mistaken) to be spam sources since all
their boxes get hit, often in a fairly short period of time, and they
just forward it all on.

Oh let's just admit it, we're seriously f*****d.

There, I said it.
--
-Barry Shein

Software Tool & Die | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
The World | Public Access Internet | Since 1989 *oo*
Dave Crocker
2004-07-20 06:43:55 UTC
Permalink
Barry,
Post by Dave Crocker
2. The compromised machine uses their local provider's MTA to do the
cross-next sending. The problem, here, is much more difficult. How can
the provider know whether the machine is compromised? What is is doing
that it should not be doing?
BS> Generating complaints (including RBL additions)?

BS> I know, you were asking about something more pro-active, before one
BS> has to respond to complaints etc.

right. I was asking about "technical" characteristics of zombie traffic
that distinguishes it from "legitimate" traffic.

the instant we start trying to use things like "complaints" we are in
the realm of social assessment, not technical, nevermind the fuzziness
and politics of it.


BS> It might however seem like a good service for someone like the DCC
BS> folks to sell. Pay them to keep your ISP's mail servers in a watch
BS> list so you can be alerted by them when some threshold is exceeded.

I'll guess that 'threshhold' refers to something like amount of traffic
from a particular host, on the theory that greater load means it might
be a zombie. Of course, the clever spammers control enough machines
that they well might just keep the per-zombie traffic load below that
limit...


BS> It might be difficult to distinguish from forwarding hosts.

Right. And, alas, this leads us down the path of considering having
forwarding hosts be registered with the ISP.

The part of this that might not be so crazy is that providers often
distinguish charges between low-traffic and high-traffic hosts within
their networks.


BS> Oh let's just admit it, we're seriously f*****d.

I thought we all had already done that.

The challenge, now is to followup up that fact with... hmmm. can't think
of a clever comment that won't get me into all sorts of political
correctness trouble.





d/
--
Dave Crocker <mailto:***@brandenburg.com>
Brandenburg InternetWorking <http://www.brandenburg.com>
Sunnyvale, CA USA <tel:+1.408.246.8253>, <fax:+1.866.358.5301>
Chris Lewis
2004-07-20 13:51:55 UTC
Permalink
Post by Dave Crocker
BS> It might however seem like a good service for someone like the DCC
BS> folks to sell. Pay them to keep your ISP's mail servers in a watch
BS> list so you can be alerted by them when some threshold is exceeded.
I'll guess that 'threshhold' refers to something like amount of traffic
from a particular host, on the theory that greater load means it might
be a zombie. Of course, the clever spammers control enough machines
that they well might just keep the per-zombie traffic load below that
limit...
Right. There's nothing that will uniquely identify them. There's a
couple of good clues (volume or HELOs), but both can be evaded, and the
results are at best, "statistical".

One thing that ISPs _can_ do which is somewhat more proactive is
download one or more of the highly effective blacklists and grep them
for their own space.

The CBL is very good at detecting trojans for example.
Eugene Crosser
2004-07-20 17:15:46 UTC
Permalink
Post by Chris Lewis
Post by Dave Crocker
BS> It might however seem like a good service for someone like the DCC
BS> folks to sell. Pay them to keep your ISP's mail servers in a watch
BS> list so you can be alerted by them when some threshold is exceeded.
I'll guess that 'threshhold' refers to something like amount of traffic
from a particular host, on the theory that greater load means it might
be a zombie. Of course, the clever spammers control enough machines
that they well might just keep the per-zombie traffic load below that
limit...
Right. There's nothing that will uniquely identify them. There's a
couple of good clues (volume or HELOs), but both can be evaded, and the
results are at best, "statistical".
I have a feeling that this is the way spammers are taking now. If they
own enough zombies, each one of them can stay below radar traffic-wise.
Even with wide adoption of a sender authentication scheme which will
effectively prevent direct submission, zombies can start sending through
their ISP relays, and ISPs won't be able to block customers for sedning
just a few messages per hour.

What we could potentially do with such "spread spectrum" distribution is
content analisys. Advertizers cannot wait months until their material
is distributed, so an ad campaign will necessarily cause a spike of
messages with similarities in content. If we learn to such spikes of
new content (which requires vastly distributed collection system), we'll
be able to identify and squash sources of spam even after a single
submission.

Eugene
Barry Shein
2004-07-20 21:16:21 UTC
Permalink
Post by Dave Crocker
the instant we start trying to use things like "complaints" we are in
the realm of social assessment, not technical, nevermind the fuzziness
and politics of it.
Which is why I believe the only workable solution to spam is per-piece
charges for e-mail (which might include some "reasonable" amount of
bundled allotment.)

If we don't charge then all we can really do is organize committees to
decide who is worthy and who is not.
Post by Dave Crocker
BS> It might be difficult to distinguish from forwarding hosts.
Right. And, alas, this leads us down the path of considering having
forwarding hosts be registered with the ISP.
Which would mean that any spam filtering would only be as strong as
the sum (or, perhaps, intersection) of those blessed hosts.

We run into that problem from time to time.

People want alumni or professional organizations they're nostalgically
attached to blindly white-listed (oh the horror that anyone might
mistake alumni.pacifictech.edu for a spam source!) But often they're
administered poorly so become the target of spammers.
Post by Dave Crocker
The part of this that might not be so crazy is that providers often
distinguish charges between low-traffic and high-traffic hosts within
their networks.
BS> Oh let's just admit it, we're seriously f*****d.
I thought we all had already done that.
The challenge, now is to followup up that fact with... hmmm. can't think
of a clever comment that won't get me into all sorts of political
correctness trouble.
We're being slimed 7x24 by grow your penis and live lolita site and
pirated software ads and you're worried about our delicate
sensibilities?!
Post by Dave Crocker
d/
--
Brandenburg InternetWorking <http://www.brandenburg.com>
Sunnyvale, CA USA <tel:+1.408.246.8253>, <fax:+1.866.358.5301>
--
-Barry Shein

Software Tool & Die | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
The World | Public Access Internet | Since 1989 *oo*
Devdas Bhagat
2004-07-19 14:14:17 UTC
Permalink
Post by Tim Bedding
I have been thinking about the zombie issue and how it
relates to the spam problem.
I have a few questions about where we are on it. I have read the
list archives looking for answers.
Can the ISP hosting the zombie machine reduce the amount of
zombie spam by taking appropriate measures? Or is it generally
too expensive to identify and quarantine a zombie?
Identifying a zombie automatically needs a skilled network engineer &&
programmer.

There are a few choices I can think of off the cuff:
1> Block traffic from port 25 inbound. This stops responses from remote
MTAs, and the TCP connection is never established. It also stops
spammers using spoofed IP addresses and a slow+fast connection pair to
spam.
Log this traffic, and script something which will ratelimit/disable the
users connection.

2> Block outbound port 25. This works against zombies, fails to attack
the direct spammer. Again, logging and acting on those logs works.

3> Look for large numbers of reverse DNS queries for an IP address. All
mailservers being connected to will look up the sending hosts reverse
DNS. A large number of rDNS queries for a host which should not be
queried is suspicious behaviour.

Any action taken will usually generate a customer call, handling which
is expensive.
Post by Tim Bedding
If there is a lack of will on the part of the hosting ISP,
how can we put pressure on it to conform?
Block them. DNSBLs do exactly this. They exert social pressure on the
non conformant ISPs to fix their problem.
Post by Tim Bedding
I am trying to reduce the issue down to one clear item (such
as investigating how to construct an affordable zombie identification
system). Then I can think some more about that item.
Affordable? I don't know, but the cbl at cbl.abuseat.org works just fine
for catching zombies.

A zombie identification system for a broadband ISP is not hard to
implement. The support calls it generates are an issue.

Once identified, quarantining can be scripted as well.

Devdas Bhagat
Tim Bedding
2004-07-19 14:58:41 UTC
Permalink
Devdas Bhagat
Post by Devdas Bhagat
Block them. DNSBLs do exactly this. They exert social pressure on
the non conformant ISPs to fix their problem.
DNS blacklists have been around for a while. They have not been
successful in getting ISPs to fix the problem as far as I know.

This would not seem to be a practical solution.

Do you think it is?

Regards
Tim

Crusade - Patterns of the Soul
Gideon: There's a benefit in knowing people in
high places.
Devdas Bhagat
2004-07-19 15:37:14 UTC
Permalink
Post by Devdas Bhagat
Devdas Bhagat
Post by Devdas Bhagat
Block them. DNSBLs do exactly this. They exert social pressure on
the non conformant ISPs to fix their problem.
DNS blacklists have been around for a while. They have not been
successful in getting ISPs to fix the problem as far as I know.
Apparently, they work well enough. The more the number of people using
them, the more effective they are. The open relay blacklists were
successful enough to get spammers to move to zombies instead.

Lists like the CBL are having an effect.

What is not working is filtering. The spammers response to filters is to
send more spam.
Post by Devdas Bhagat
This would not seem to be a practical solution.
Do you think it is?
Works for me, and for my employer.

Devdas Bhagat
Tony Finch
2004-07-19 15:52:11 UTC
Permalink
Post by Dave Crocker
2. The compromised machine uses their local provider's MTA to do the
cross-next sending. The problem, here, is much more difficult. How can
the provider know whether the machine is compromised? What is is doing
that it should not be doing?
I have had some success with running an anti-virus scanner over all the
email passing through my relays. Richard Clayton has had some success
with heuristic analysis of the SMTP server logs for an ISP's relays,
which is a much more lightweight approach.

Tony.
--
f.a.n.finch <***@dotat.at> http://dotat.at/
BAILEY: MAINLY WESTERLY BACKING SOUTHEASTERLY 3 OR 4. SHOWERS. GOOD.
Alan DeKok
2004-07-19 18:18:02 UTC
Permalink
Post by Tony Finch
I have had some success with running an anti-virus scanner over all the
email passing through my relays.
Heck, check for:

/^((Content-(Disposition: attachment;|Type:).*|\ +)| *)(file)?name\ *=\ *"?.*\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wmf)"?\ *$/ REJECT attachment type not allowed

If you really think that users will be sending non-virus EXE's to
each other on a regular basis, and you really care about their
unfettered access to the net, route those messages through a slow
machine. Rate-limit it's sending capability, and limit it's storage
space for messages. Small numbers of non-virus files can get through,
but a large virus load will overwhelm the machine, and cause most
traffic to be discarded/rejected.

Alan DeKok.
Devdas Bhagat
2004-07-19 18:36:41 UTC
Permalink
Post by Alan DeKok
Post by Tony Finch
I have had some success with running an anti-virus scanner over all the
email passing through my relays.
/^((Content-(Disposition: attachment;|Type:).*|\ +)| *)(file)?name\ *=\ *"?.*\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wmf)"?\ *$/ REJECT attachment type not allowed
Jim Seymous has a collection of checks at
http://jimsun.linxnet.com/misc/header_checks.txt

Devdas Bhagat
Devdas Bhagat
2004-07-19 19:06:57 UTC
Permalink
Post by Devdas Bhagat
Jim Seymous has a collection of checks at
^^^^^^^^^^^^^^^^^^
That should be Jim Seymour. Sorry for the typo.

Devdas Bhagat
Chris Lewis
2004-07-19 20:00:04 UTC
Permalink
Post by Tony Finch
Post by Dave Crocker
2. The compromised machine uses their local provider's MTA to do the
cross-next sending. The problem, here, is much more difficult. How can
the provider know whether the machine is compromised? What is is doing
that it should not be doing?
I have had some success with running an anti-virus scanner over all the
email passing through my relays. Richard Clayton has had some success
with heuristic analysis of the SMTP server logs for an ISP's relays,
which is a much more lightweight approach.
Doesn't help with zombies - they don't (or almost never) go thru relays.
They have their own clients and go direct to the victim's MX. Thus, A-V
on your outbounds won't do a thing.
William Leibzon
2004-07-20 11:13:46 UTC
Permalink
Post by Chris Lewis
Doesn't help with zombies - they don't (or almost never) go thru relays.
They have their own clients and go direct to the victim's MX. Thus,
A-V on your outbounds won't do a thing.
Unified SPF has potential to help in this scenario if ISPs cooperate.
The framework consists of checks on multiple identities, one of these
is SPF record for dns name listed as PTR record for the client IP
(if there is a PTR that is...). ISPs may set this spf to "-all", i.e like:

1.0.0.10.IN-ADDR.ARPA. IN PTR 10-0-0-1.dialpool.example.com.

10-0-0-1.dialpool.example.com. IN A 10.0.0.1
10-0-0-1.dialpoool.example.com. IN TXT "v=spf1 -all"

This is basicly equivalent to MTA Mark records and allows ISPs to indicate
which of their IPs should not have any mail servers. However in case ISP
is not cooperative in removing the record for case of legitimate mail
service (linux hobbiest, etc), the records can be overridden with positive
SPF record for that particular ip for EHLO name (spammers can use this
too to override ISP record, but they are forced to expose themselve with
particular domain and this changes situation as currently their use of
zombies involve trying to remain anonymous and using many thousands of
them at no extra cost).

The adaption of this system by even 100 largest ISPs will mean that we'll
have easy way to block more then 95% of zombie ips and the system allows
ISPs to keep things updated in the future. This system my opinion has
greatest potential of all technical proposals to stop current widewspread
zombie abuse.

---
William Leibzon
***@completewhois.com
Tony Finch
2004-07-19 22:39:07 UTC
Permalink
Post by Alan DeKok
Post by Tony Finch
I have had some success with running an anti-virus scanner over all the
email passing through my relays.
/^((Content-(Disposition: attachment;|Type:).*|\ +)| *)(file)?name\ *=\ *"?.*\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wmf)"?\ *$/ REJECT attachment type not allowed
We do something like that as well, but there have been viruses
recently which occupy zip files (which we can't block because of past
recommendations to our users which painted us into a corner) and at
least one which uses an exploit that requires no attachment at all.

Tony.
--
f.a.n.finch <***@dotat.at> http://dotat.at/
FORTIES CROMARTY FORTH TYNE WEST DOGGER: SOUTHERLY BACKING SOUTHEASTERLY 4 OR
5, OCCASIONALLY 6 LATER IN TYNE. RAIN OR SHOWERS. GOOD OCCASIONALLY MODERATE.
Tony Finch
2004-07-20 10:54:42 UTC
Permalink
Post by Chris Lewis
Doesn't help with zombies - they don't (or almost never) go thru relays.
They have their own clients and go direct to the victim's MX. Thus, A-V
on your outbounds won't do a thing.
Viruses often propagate within the organization, or get sent through the
relays because of a .forward file. So scanning all email is definitely
useful.

Tony.
--
f.a.n.finch <***@dotat.at> http://dotat.at/
WHITBY TO THE WASH: SOUTH OR SOUTHEAST 2 TO 4 GRADUALLY INCREASING SOUTHEAST 4
OR 5 ON TUESDAY. MAINLY FAIR, BUT RISK OF A SHOWER. GOOD. SLIGHT TO MODERATE.
Chris Lewis
2004-07-20 16:13:21 UTC
Permalink
Post by Tony Finch
Viruses often propagate within the organization, or get sent through the
relays because of a .forward file. So scanning all email is definitely
useful.
True enough. On the other hand, I see a lot of people insisting that
their "A-V on outbound mailers" makes virus emission impossible.

I don't think that relying on .forward splashback will detect too many
viruses. Especially when you consider that it's _relayed_, and hence
you're probably detecting the person who .forwarded it, not the guy
outside your network who's infected and managed to get past your inbound
filters.

We heavily use detection on the _inside_ of our network for internal
infestations, and that works well. Provided that people _do_ email
internally a lot (in order for the addressbooks to be "primed" with
internal email addresses for the viruses to harvest). Which will be
more effective for corporate (like us), not ISPs.
Tim Bedding
2004-07-19 16:06:56 UTC
Permalink
Devdas
Post by Devdas Bhagat
Apparently, they work well enough. The more the number of people
using them, the more effective they are. The open relay blacklists
were successful enough to get spammers to move to zombies instead.
Lists like the CBL are having an effect.
Do you have any figures? How many US ISPs now have an acceptable
level of response to zombie spam?

What is the time-lag between being listed and adopting a good
policy?

Regards
Tim

Crusade - The Long Road
Gideon: That could take weeks. We don't have that
kind of time.
Alan Monaghan
2004-07-19 19:07:54 UTC
Permalink
Here is our list of extensions that we block from our world, in case it
helps anyone. We are a windows shop w/ Exchange and Anti-Gen on our front
end...

*.386
*.acm
*.ade
*.adp
*.adt
*.aif
*.aifc
*.aiff
*.app
*.asd
*.asf
*.asp
*.asx
*.au
*.avi
*.ax
*.bas
*.bat
*.bin
*.bxd
*.cda
*.cdr
*.chm
*.cla
*.cmd
*.cnt
*.cnv
*.com
*.cpl
*.crt
*.css
*.dev
*.dll
*.drv
*.exe
*.gms
*.grp
*.hlp
*.hta
*.hto
*.inf
*.ini
*.ins
*.isp
*.ivf
*.js
*.jse
*.lnk
*.m3u
*.mdb
*.mde
*.mid
*.midi
*.mlv
*.mov
*.mp2
*.mp3
*.mpa
*.mpd
*.mpe
*.mpeg
*.mpg
*.mpp
*.mpt
*.mpv2
*.msc
*.msi
*.mso
*.msp
*.mst
*.nws
*.obd
*.obt
*.ocx
*.ole
*.pcd
*.pci
*.pif
*.pot
*.prc
*.pwz
*.qlb
*.qpw
*.qt
*.reg
*.rmi
*.sbf
*.scr
*.sct
*.shb
*.shs
*.smm
*.snd
*.sys
*.td0
*.tlb
*.tsp
*.tty
*.vb
*.vbe
*.vbs
*.vwp
*.wav
*.wax
*.wbt
*.wiz
*.wma
*.wml
*.wmp
*.wms
*.wmv
*.wmx
*.wmz
*.wpc
*.wpd
*.wsc
*.wsf
*.wsh
*.wvx
*.xml
*.xsl
*.xtp





Be like water my friend ...
Alan G. Monaghan
[ MCSE+I - Win4.0/ MCSE - Win2k/ BJCP # C0389(Recognized) Ò¿Ó¬ ]
Systems Administrator
Gardner Publications, Inc.

*Phone ...... 1-513-527-8867
*Fax ........ 1-513-527-8801
*Car ........ 1-513-520-6866
*Cell ....... 1-513-378-0919
*E-mail ..... ***@Gardnerweb.com
*URL ........ http://Bullwinkle.GardnerWeb.Com/
George Ou
2004-07-20 00:15:56 UTC
Permalink
RE: [Asrg] Zombie spamThis is a Band-Aid. I noticed you were not blocking *.zip files or *.* files since users will manually rename their files to anything. Many viruses will come through as encrypted zip files. For example, an encrypted zip called "KillMySystem.zip" will come through with the password "IAmSuchAnIdiot" and there will be users that will still go and open up the attachment. Ultimately, the only thing that will keep unwanted executables from launching is strict Authenticode policies. Windows XP SP2 is a huge step in that direction.
----- Original Message -----
From: Alan Monaghan
To: '***@ietf.org'
Sent: Monday, July 19, 2004 12:07 PM
Subject: RE: [Asrg] Zombie spam


Here is our list of extensions that we block from our world, in case it helps anyone. We are a windows shop w/ Exchange and Anti-Gen on our front end...

*.386
*.acm
*.ade
*.adp
*.adt
*.aif
*.aifc
*.aiff
*.app
*.asd
*.asf
*.asp
*.asx
*.au
*.avi
*.ax
*.bas
*.bat
*.bin
*.bxd
*.cda
*.cdr
*.chm
*.cla
*.cmd
*.cnt
*.cnv
*.com
*.cpl
*.crt
*.css
*.dev
*.dll
*.drv
*.exe
*.gms
*.grp
*.hlp
*.hta
*.hto
*.inf
*.ini
*.ins
*.isp
*.ivf
*.js
*.jse
*.lnk
*.m3u
*.mdb
*.mde
*.mid
*.midi
*.mlv
*.mov
*.mp2
*.mp3
*.mpa
*.mpd
*.mpe
*.mpeg
*.mpg
*.mpp
*.mpt
*.mpv2
*.msc
*.msi
*.mso
*.msp
*.mst
*.nws
*.obd
*.obt
*.ocx
*.ole
*.pcd
*.pci
*.pif
*.pot
*.prc
*.pwz
*.qlb
*.qpw
*.qt
*.reg
*.rmi
*.sbf
*.scr
*.sct
*.shb
*.shs
*.smm
*.snd
*.sys
*.td0
*.tlb
*.tsp
*.tty
*.vb
*.vbe
*.vbs
*.vwp
*.wav
*.wax
*.wbt
*.wiz
*.wma
*.wml
*.wmp
*.wms
*.wmv
*.wmx
*.wmz
*.wpc
*.wpd
*.wsc
*.wsf
*.wsh
*.wvx
*.xml
*.xsl
*.xtp






Be like water my friend ...
Alan G. Monaghan
[ MCSE+I - Win4.0/ MCSE - Win2k/ BJCP # C0389(Recognized) Ò¿Ó¬ ]
Systems Administrator
Gardner Publications, Inc.

*Phone ...... 1-513-527-8867
*Fax ........ 1-513-527-8801
*Car ........ 1-513-520-6866
*Cell ....... 1-513-378-0919
*E-mail ..... ***@Gardnerweb.com
*URL ........ http://Bullwinkle.GardnerWeb.Com/
Hallam-Baker, Phillip
2004-07-20 00:14:07 UTC
Permalink
Are the zip file messages viruses or trojans?

I don't see how a true virus is going to propagate if it relies on
people opening up a zip file from someone they don't know. But I can
see that blasting it out as spam might be a viable means of distributing
a trojan.

Anyone got some hard data on the different vectors in use here?

Phill
-----Original Message-----
Tony Finch
Sent: Monday, July 19, 2004 6:39 PM
Subject: Re: [Asrg] Zombie spam
Post by Alan DeKok
Post by Tony Finch
I have had some success with running an anti-virus scanner
over all the
Post by Alan DeKok
Post by Tony Finch
email passing through my relays.
/^((Content-(Disposition: attachment;|Type:).*|\ +)|
*)(file)?name\ *=\
*"?.*\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr
|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wmf)"?\ *$/ REJECT
attachment type not allowed
We do something like that as well, but there have been viruses
recently which occupy zip files (which we can't block because of past
recommendations to our users which painted us into a corner) and at
least one which uses an exploit that requires no attachment at all.
Tony.
--
FORTIES CROMARTY FORTH TYNE WEST DOGGER: SOUTHERLY BACKING
SOUTHEASTERLY 4 OR
5, OCCASIONALLY 6 LATER IN TYNE. RAIN OR SHOWERS. GOOD
OCCASIONALLY MODERATE.
_______________________________________________
Asrg mailing list
https://www1.ietf.org/mailman/listinfo/asrg
Tony Finch
2004-07-20 10:44:38 UTC
Permalink
Post by Hallam-Baker, Phillip
Are the zip file messages viruses or trojans?
They are worms that propagate by spamming a trojan or an exploit.
Post by Hallam-Baker, Phillip
I don't see how a true virus is going to propagate if it relies on
people opening up a zip file from someone they don't know.
Hahahahaha. People are so determined to infect themselves that they'll
unpack a password-protected zip from a stranger without the slightest idea
of what is in it.
Post by Hallam-Baker, Phillip
Anyone got some hard data on the different vectors in use here?
http://vil.nai.com/vil/
http://www.f-secure.com/weblog/

etc. etc.

Tony.
--
f.a.n.finch <***@dotat.at> http://dotat.at/
LOUGH FOYLE TO CARLINGFORD LOUGH: SOUTHEAST 3 OR 4, INCREASES 5 TO 7, BECOMES
WEST TO SOUTHWEST 3 OR 4 LATER. RAIN CLEARS LATER TO SCATTERED SHOWERS.
MODERATE LOCALLY POOR IN RAIN, OTHERWISE GOOD. SLIGHT BECOMES MODERATE OR
ROUGH EXPOSED WATERS.
William Leibzon
2004-07-20 11:43:56 UTC
Permalink
Post by Tony Finch
Post by Hallam-Baker, Phillip
I don't see how a true virus is going to propagate if it relies on
people opening up a zip file from someone they don't know.
Hahahahaha. People are so determined to infect themselves that they'll
unpack a password-protected zip from a stranger without the slightest idea
of what is in it.
Post by Hallam-Baker, Phillip
Anyone got some hard data on the different vectors in use here?
http://vil.nai.com/vil/
http://www.f-secure.com/weblog/
The purpose of all these variants to trying in different ways to social
engineer the person into thinking it really is legitimate email that(s)he
should open. It might be an interesting study for sociologist to see which
of the variants are working on which population groups and how many people
get caught, but it does appear that there exist large enough percentage
(more then 1% from what I heard) of population, who get caught on at list
one of these schemes, sometimes even more then ones!

I note that spammers are also social engineers by trade since they need to
create an email with content that person will want to buy it even if he
knows it came through email and probably is spam. They also try many
variations of the same offer emails. I'm sure you see where I'm going
which might explain why we have so many different variations of baggle
(and note that creating new variation does not really require serious
techical skills, knowing how to work with hex editor all that is necessary)
and why these are still quite sucessfull.

So to conclude this all, if we could find a way to explain to all internet
users that they should never buy from spam, then we would have no spam
problem. But as this is not happening, you should not expect any better
situation with trying to edication users how to open emails so that
they don't get cought and turn their computer into zombime.

---
William Leibzon
***@completewhois.com
Larry Seltzer
2004-07-20 12:12:48 UTC
Permalink
Post by Tony Finch
Post by Hallam-Baker, Phillip
I don't see how a true virus is going to propagate if it relies on
people opening up a zip file from someone they don't know.
Hahahahaha. People are so determined to infect themselves that they'll
unpack a password-protected zip from a stranger without the slightest
idea of what is in it.
Clearly there are people out there stupid enough to do this, but it's not obvious to me
that it's a significant problem. If I'm not mistaken every virus that has done this (all
Bagle I believe) has used this as just one of several propagation techniques. They also
use the conventional executable attachment, for example, and only some percentage of
recipients get the password-protected ZIP file. So even if a worm that does this spreads
successfully, it's not clear that the ZIP variant is having any success.

Beyond that, I wonder how successful any of the variants are. The fact that we see
copies sent around is no direct indicator of how many systems are actually infected, and
I've never seen convincing numbers on how many there are for any particular worm,
probably because it's a difficult thing to determine. I have a theory that there are a
relatively small number of users who get infected with all these things and they
constitute something like 3/4 of all infected users. Every month or so their system
becomes unusable, they reinstall Windows and blame the whole thing on Microsoft.

LJS
Hallam-Baker, Phillip
2004-07-20 00:24:26 UTC
Permalink
Further thought, a lot of the more recent ZIP viruses are using
encryption to stop the package getting through. so looking for
executable content is not going to work.

How about this for an alternative scheme?

1) Block all directly executable content entirely, notify in cases
that do not look spammy.

2) In the case of a document format that may contain macro content
allow through directly iff a scan shows that there are no
live macros, otherwise quarantine.

3) In the case of a zip file allow it through directly iff:
a scan of the contents shows it to not contain any executable
otherwise quarantine.

4) In the case of quarantined content send a not out to the end user
and they can pick it off a web site.

The thing I find attractive about this scheme is that it eliminates the
need for maintenance of a library of virus fingerprints. That particular
strategy does not seem to have eliminated viruses over the past 15
years and does not seem to be working very well now that the viruses
are propagating much faster and spam trojan techniques seem to be used
more.
-----Original Message-----
From: Hallam-Baker, Phillip
Sent: Monday, July 19, 2004 8:14 PM
Subject: RE: [Asrg] Zombie spam
Are the zip file messages viruses or trojans?
I don't see how a true virus is going to propagate if it relies on
people opening up a zip file from someone they don't know. But I can
see that blasting it out as spam might be a viable means of
distributing
a trojan.
Anyone got some hard data on the different vectors in use here?
Phill
-----Original Message-----
Tony Finch
Sent: Monday, July 19, 2004 6:39 PM
Subject: Re: [Asrg] Zombie spam
Post by Alan DeKok
Post by Tony Finch
I have had some success with running an anti-virus scanner
over all the
Post by Alan DeKok
Post by Tony Finch
email passing through my relays.
/^((Content-(Disposition: attachment;|Type:).*|\ +)|
*)(file)?name\ *=\
*"?.*\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr
|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wmf)"?\ *$/ REJECT
attachment type not allowed
We do something like that as well, but there have been viruses
recently which occupy zip files (which we can't block
because of past
recommendations to our users which painted us into a corner) and at
least one which uses an exploit that requires no attachment at all.
Tony.
--
FORTIES CROMARTY FORTH TYNE WEST DOGGER: SOUTHERLY BACKING
SOUTHEASTERLY 4 OR
5, OCCASIONALLY 6 LATER IN TYNE. RAIN OR SHOWERS. GOOD
OCCASIONALLY MODERATE.
_______________________________________________
Asrg mailing list
https://www1.ietf.org/mailman/listinfo/asrg
George Ou
2004-07-20 02:09:30 UTC
Permalink
Windows XP Service Pack 2 has deployed what is probably the most practical
solution to this problem. You can't really "block" EXEs since people will
simply rename the file to something else. XP SP2 will flag the attachment
(even after it is saved to the HD in some folder) as untrusted and will
refuse to execute. I'm assuming they must using Authenticode here to
determine the validity or trustworthiness of a file. You can't stop people
from sending or receiving executable files, so the best thing to do is to
make sure that the EXE has not been tampered with and is from a trusted
source such as a major software publisher or your IT department.

George Ou


----- Original Message -----
From: "Hallam-Baker, Phillip" <***@verisign.com>
To: "Hallam-Baker, Phillip" <***@verisign.com>; "'Tony Finch'"
<***@dotat.at>; <***@ietf.org>
Sent: Monday, July 19, 2004 5:24 PM
Subject: RE: [Asrg] Zombie spam
Post by Hallam-Baker, Phillip
Further thought, a lot of the more recent ZIP viruses are using
encryption to stop the package getting through. so looking for
executable content is not going to work.
How about this for an alternative scheme?
1) Block all directly executable content entirely, notify in cases
that do not look spammy.
2) In the case of a document format that may contain macro content
allow through directly iff a scan shows that there are no
live macros, otherwise quarantine.
a scan of the contents shows it to not contain any executable
otherwise quarantine.
4) In the case of quarantined content send a not out to the end user
and they can pick it off a web site.
The thing I find attractive about this scheme is that it eliminates the
need for maintenance of a library of virus fingerprints. That particular
strategy does not seem to have eliminated viruses over the past 15
years and does not seem to be working very well now that the viruses
are propagating much faster and spam trojan techniques seem to be used
more.
-----Original Message-----
From: Hallam-Baker, Phillip
Sent: Monday, July 19, 2004 8:14 PM
Subject: RE: [Asrg] Zombie spam
Are the zip file messages viruses or trojans?
I don't see how a true virus is going to propagate if it relies on
people opening up a zip file from someone they don't know. But I can
see that blasting it out as spam might be a viable means of
distributing
a trojan.
Anyone got some hard data on the different vectors in use here?
Phill
-----Original Message-----
Tony Finch
Sent: Monday, July 19, 2004 6:39 PM
Subject: Re: [Asrg] Zombie spam
Post by Alan DeKok
Post by Tony Finch
I have had some success with running an anti-virus scanner
over all the
Post by Alan DeKok
Post by Tony Finch
email passing through my relays.
/^((Content-(Disposition: attachment;|Type:).*|\ +)|
*)(file)?name\ *=\
*"?.*\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr
|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wmf)"?\ *$/ REJECT
attachment type not allowed
We do something like that as well, but there have been viruses
recently which occupy zip files (which we can't block
because of past
recommendations to our users which painted us into a corner) and at
least one which uses an exploit that requires no attachment at all.
Tony.
--
FORTIES CROMARTY FORTH TYNE WEST DOGGER: SOUTHERLY BACKING
SOUTHEASTERLY 4 OR
5, OCCASIONALLY 6 LATER IN TYNE. RAIN OR SHOWERS. GOOD
OCCASIONALLY MODERATE.
_______________________________________________
Asrg mailing list
https://www1.ietf.org/mailman/listinfo/asrg
_______________________________________________
Asrg mailing list
https://www1.ietf.org/mailman/listinfo/asrg
Devdas Bhagat
2004-07-20 09:23:32 UTC
Permalink
On 19/07/04 19:09 -0700, George Ou wrote:
<reset to bottom posting, trimmed>
Post by George Ou
----- Original Message -----
Sent: Monday, July 19, 2004 5:24 PM
Subject: RE: [Asrg] Zombie spam
Post by Hallam-Baker, Phillip
Post by Hallam-Baker, Phillip
Further thought, a lot of the more recent ZIP viruses are using
encryption to stop the package getting through. so looking for
executable content is not going to work.
How about this for an alternative scheme?
1) Block all directly executable content entirely, notify in cases
that do not look spammy.
<snip>
Post by George Ou
Windows XP Service Pack 2 has deployed what is probably the most practical
solution to this problem. You can't really "block" EXEs since people will
simply rename the file to something else. XP SP2 will flag the attachment
I thought that the test would be from file(1) rather than the extension.
The filename itself does not matter.

file: file (1) - determine file type

Devdas Bhagat
Tony Finch
2004-07-20 10:40:34 UTC
Permalink
You can't really "block" EXEs since people will simply rename the file
to something else.
That won't get around my filter since we do content analysis to spot
executables. The supported way of sending executables is to zip them.

Tony.
--
f.a.n.finch <***@dotat.at> http://dotat.at/
BERWICK ON TWEED TO WHITBY: SOUTHEAST 3 INCREASES 5, PERHAPS LOCALLY 6 IN
NORTH, VEERING SOUTH DECREASING 3 OR 4 LATER. RAIN OR SHOWERS. MODERATE OR
GOOD. SLIGHT BECOMES MODERATE.
Chris Lewis
2004-07-20 13:48:00 UTC
Permalink
Hallam-Baker, Phillip wrote:

Strictly speaking most of these things are trojans, however, using the
.scr/.pif trick (amongst others), you can make self-extracting zips launch.

While you'd think people would be suspicious of such things, when you're
talking medium to large populations, at least some always fall for it.
Even after the Mydoom explosion, we had people falling for beagle.

Some of these things are getting quite good at human engineering. Not
quite as good as some of the phishing attempts we see, but close.

It's relatively easy to stop executables, either bare attachments, or
zipped ones, regardless of suffix. Body scan for the executable "magic
strings". There's one for .exes and one for .coms: 2. Then generate all
three base64 rotations of those: 6. Then, split each in half, so that
line wrap in a base64 zip file won't break the string in an inopportune
time: 12 patterns in total. This is essentially 100% on Mydoom/Netsky
and a host of others, and is partially effective on Bagel/Beagle.

For the encrypted variants of Bagel/Beagle, there's two approaches:
simply catch everything that's an encrypted zip regardless of suffix
(which is what we're doing now), or, realize that encrypted zips don't
encrypt file names, and look for "suspicious" file names.

As for notification: not only is bouncing virus warnings a bad idea
(because the sender is always forged), in the large scale, forwarding
notices (or even eviscerated viruses like Antigen does) is bad. The
latter is particularly obnoxious because it _looks_ like a virus and
panics people (help line calls etc). The volume is just way too high -
we have one user whose averaging 8000 viruses per _day_. God knows how
that happened (I've tried to analyze it to see if it's possible to get
them nuked at source, but aside from a few IPs being responsible for
about a quarter of it, the rest are from all over). I hate to think of
what it would be like if we were forwarding notices...
Alan Monaghan
2004-07-20 10:30:52 UTC
Permalink
We are lucky here. Our mail virus scanner will open .zip files automatically
and put them in quarantine if it finds one of the extensions listed. Also,
renaming doesn't work because it looks at the actual file itself. Password
protected .zips are blocked by the software itself with a different set of
notices.



Alas, we could not block all files here, we are publisher and we have .PDF,
jpegs, and the like coming and going all day. I have elected to block
anything that can run on its own in a Windows World. We find this stops all
of it for now. The solution must work for the company, we tried the blocking
all attachments, it ended up taking a person a full day to deal with the
forwarding on of the files, so it was not economy feasible for a company of
120 people.

Maybe the scale would work better in the 500+ companies, but then the
administration would be incredible. As it is now, it is up to the user to
forward on the quarantine message to get the file from us.





Be like water my friend ...
Alan G. Monaghan
[ MCSE+I - Win4.0/ MCSE - Win2k/ BJCP # C0389(Recognized) Ò¿Ó¬ ]
Systems Administrator
Gardner Publications, Inc.

*Phone ...... 1-513-527-8867
*Fax ........ 1-513-527-8801
?Car ........ 1-513-520-6866
*Cell ....... 1-513-378-0919
*E-mail ..... <mailto:***@Gardnerweb.com> ***@Gardnerweb.com
*URL ........ http://Bullwinkle.GardnerWeb.Com/
<http://Bullwinkle.GardnerWeb.Com/>



_____

From: asrg-***@ietf.org [mailto:asrg-***@ietf.org] On Behalf Of
George Ou
Sent: Monday, July 19, 2004 8:16 PM
To: Alan Monaghan; ***@ietf.org
Subject: Re: [Asrg] Zombie spam



This is a Band-Aid. I noticed you were not blocking *.zip files or *.*
files since users will manually rename their files to anything. Many
viruses will come through as encrypted zip files. For example, an encrypted
zip called "KillMySystem.zip" will come through with the password
"IAmSuchAnIdiot" and there will be users that will still go and open up the
attachment. Ultimately, the only thing that will keep unwanted executables
from launching is strict Authenticode policies. Windows XP SP2 is a huge
step in that direction.

----- Original Message -----

From: Alan Monaghan <mailto:***@Gardnerweb.com>

To: '***@ietf.org' <mailto:'***@ietf.org'>

Sent: Monday, July 19, 2004 12:07 PM

Subject: RE: [Asrg] Zombie spam



Here is our list of extensions that we block from our world, in case it
helps anyone. We are a windows shop w/ Exchange and Anti-Gen on our front
end...

*.386
*.acm
*.ade
*.adp
*.adt
*.aif
*.aifc
*.aiff
*.app
*.asd
*.asf
*.asp
*.asx
*.au
*.avi
*.ax
*.bas
*.bat
*.bin
*.bxd
*.cda
*.cdr
*.chm
*.cla
*.cmd
*.cnt
*.cnv
*.com
*.cpl
*.crt
*.css
*.dev
*.dll
*.drv
*.exe
*.gms
*.grp
*.hlp
*.hta
*.hto
*.inf
*.ini
*.ins
*.isp
*.ivf
*.js
*.jse
*.lnk
*.m3u
*.mdb
*.mde
*.mid
*.midi
*.mlv
*.mov
*.mp2
*.mp3
*.mpa
*.mpd
*.mpe
*.mpeg
*.mpg
*.mpp
*.mpt
*.mpv2
*.msc
*.msi
*.mso
*.msp
*.mst
*.nws
*.obd
*.obt
*.ocx
*.ole
*.pcd
*.pci
*.pif
*.pot
*.prc
*.pwz
*.qlb
*.qpw
*.qt
*.reg
*.rmi
*.sbf
*.scr
*.sct
*.shb
*.shs
*.smm
*.snd
*.sys
*.td0
*.tlb
*.tsp
*.tty
*.vb
*.vbe
*.vbs
*.vwp
*.wav
*.wax
*.wbt
*.wiz
*.wma
*.wml
*.wmp
*.wms
*.wmv
*.wmx
*.wmz
*.wpc
*.wpd
*.wsc
*.wsf
*.wsh
*.wvx
*.xml
*.xsl
*.xtp






Be like water my friend ...
Alan G. Monaghan
[ MCSE+I - Win4.0/ MCSE - Win2k/ BJCP # C0389(Recognized) Ò¿Ó¬ ]
Systems Administrator
Gardner Publications, Inc.

*Phone ...... 1-513-527-8867
*Fax ........ 1-513-527-8801
*Car ........ 1-513-520-6866
*Cell ....... 1-513-378-0919
*E-mail ..... ***@Gardnerweb.com
*URL ........ http://Bullwinkle.GardnerWeb.Com/
<http://Bullwinkle.GardnerWeb.Com/>




_____
Hallam-Baker, Phillip
2004-07-20 14:07:00 UTC
Permalink
Post by Tony Finch
Post by Tony Finch
Post by Hallam-Baker, Phillip
I don't see how a true virus is going to propagate if it relies on
people opening up a zip file from someone they don't know.
Hahahahaha. People are so determined to infect themselves
that they'll
Post by Tony Finch
unpack a password-protected zip from a stranger without the
slightest
Post by Tony Finch
idea of what is in it.
Clearly there are people out there stupid enough to do this,
but it's not obvious to me
that it's a significant problem. If I'm not mistaken every
virus that has done this (all
Bagle I believe) has used this as just one of several
propagation techniques.
The issue for me is where does the address list to attack come
from? I think that it is very important to differentiate between
a trojan that is spammed and a virus that is replicating by
nearest neighbor contact.

I can't find any good data on this, the virus companies don't
make this distinction, and I am not surprised since it is not
in their interest to make it.


Getting a true virus to propagate using only the information it
can collect from host machines is actually very hard. For the
infection to spread each infected host has to infect more than
one new host.

That is actually quite hard now that use of virus scanning etc
is routine. But scanners that eliminate executables would be
more effective in this respect than fingerprint dependent scanners.

I want to see hard data on how many bozos open up a zip attachment
when it is mailed to them. That is the mail message makes it through
the mail filters, the person sees the mail and opens the attachment
and then runs whatever executable is inside.
Larry Seltzer
2004-07-20 14:28:34 UTC
Permalink
The issue for me is where does the address list to attack come from? I think that it
is very important to differentiate between a trojan that is spammed and a virus that is
replicating by nearest neighbor contact.

This is actually very well understood, at least for the average mass-mailing worm. A
spammed trojan is probably seeded through regular e-mail from a zombied system or some
other similar technique for covering tracks.

But for several years mass-mailing worms have used pretty much the same technique for
gathering e-mail addresses: They scan certain files in the user's file system for
addresses. They use this list both for the destination and the spoofed from: address.
The files they scan include the raw address book files of e-mail clients, txt and doc
files and, most importantly, .htm* files, especially those in the user's browser cache.
(According to Symantec, the latest Bagle variant that we're talking about searches for
these files: .adb, .asp, .cfg, .cgi, .dbx, .dhtm, .eml, .htm, .jsp, .mbx, .mdx, .mht,
.mmf, .msg, .nch, .ods, .oft, .php, .pl, .sht, .shtm, .stm, .tbb, .txt, .uin, .wab,
.wsh, .xls, .xml ) It would be interesting to see how many addresses one can get from
the average system this way.

Many years ago in the Melissa/LoveLetter era, worms used MAPI calls to access the
address book, but Microsoft put a stop to this for non-stupid users. The Outlook E-mail
Security Update, released over 4 years ago, blocked programmatic access to the address
book without explicit user permission (this is why you get that dialog box when you try
to synch your Palm with Outlook). It also blocked all directly-executable attachments. A
similar update for Outlook Express came later. So, IOW, all users still getting and
executing these worms - apart from the ones who actually extract the password-protected
ZIP file - are using either non-Microsoft e-mail clients or clients that have not been
updated in several years.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
***@ziffdavis.com
Hallam-Baker, Phillip
2004-07-20 14:19:21 UTC
Permalink
Post by Chris Lewis
Strictly speaking most of these things are trojans, however,
using the
.scr/.pif trick (amongst others), you can make
self-extracting zips launch.
Is this just cluelessness on the part of the zip programs? Why should
opening a tar file cause anything to execute? [I don't doubt that it
does but it seems we should be blaming programer not user stupidity
since I don't exepect opening an attachment to cause malicious
code to run]
Post by Chris Lewis
While you'd think people would be suspicious of such things,
when you're
talking medium to large populations, at least some always
fall for it.
Even after the Mydoom explosion, we had people falling for beagle.
Almost anything is going to have some traction as a trojan. You
could probably send out a message saying'run this it will trash
your machine'.
Post by Chris Lewis
simply catch everything that's an encrypted zip regardless of suffix
(which is what we're doing now), or, realize that encrypted
zips don't
encrypt file names, and look for "suspicious" file names.
Thats a very interesting hole in the encryption scheme.
Post by Chris Lewis
As for notification: not only is bouncing virus warnings a bad idea
(because the sender is always forged), in the large scale, forwarding
notices (or even eviscerated viruses like Antigen does) is bad. The
latter is particularly obnoxious because it _looks_ like a virus and
panics people (help line calls etc).
I agree, all those warnings tell me is that the virus program that
sent them is not very good or the authors know that they are spamming
people at a forged address.

I think this is yet another case where the specs are out to lunch.
I don't care what the spec says, people do not expect bounce mail
any more, and most of the bounce mail they do get is malicious or
clueless.

It is very clear to me that in band signalling of bounces is a bad
idea, there should be a better way to process bounces.


At the MARID F2F Microsoft showed that you can eliminate all
bounce mail by using an SRS style encoding scheme on your outgoing
RFC 2821 email addresses.
Larry Seltzer
2004-07-20 14:44:04 UTC
Permalink
Post by Hallam-Baker, Phillip
Post by Devdas Bhagat
using the
.scr/.pif trick (amongst others), you can make self-extracting zips
launch.
Is this just cluelessness on the part of the zip programs?
Why should opening a tar file cause anything to execute?
[I don't doubt that it does but it seems we should be
blaming programer not user stupidity since I don't exepect
opening an attachment to cause malicious code to run]
Self-extracting ZIP files are executables, typically .EXE files. Any system that blocks
executables blocks them. Nothing to see here folks, move on.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
***@ziffdavis.com
John Levine
2004-07-20 19:43:35 UTC
Permalink
At the MARID F2F Microsoft showed that you can eliminate all bounce
mail by using an SRS style encoding scheme on your outgoing RFC 2821
email addresses.
I've tried it. It works pretty well, but there are some seriously
broken MTAs that manage to send real bounces that will fail any
signature check. I agree that you won't get any blowback with valid
signatures.
--
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 330 5711
***@iecc.com, Mayor, http://johnlevine.com,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Hallam-Baker, Phillip
2004-07-20 14:30:39 UTC
Permalink
Post by William Leibzon
So to conclude this all, if we could find a way to explain to
all internet
users that they should never buy from spam, then we would have no spam
problem. But as this is not happening, you should not expect
any better
situation with trying to edication users how to open emails so that
they don't get cought and turn their computer into zombime.
Actually I think that there would still be large amounts of spam
even if nobody ever bought anything.

Five years ago the vast majority of spam was trying to sell spamming
services. Then they started to clue in that this was not a good sales
tactic and so people started to advertise fake products to make it
appear that SPAM WORKS!!!

Today I suspect that less than 20% of spam is actually a solicitation
for an actual product that is being sold. The vast bulk of it
appears to me to be attempts to phish the credit cards with a fake
merchant front, 419 scams, work at home scams that will be either
for money laundering or Package Reshipping, etc.

The nearest these guys get to 'actual product' is selling hijacked
software, fake 'herbal viagra' or porn.


Phill
Hallam-Baker, Phillip
2004-07-20 14:40:02 UTC
Permalink
Post by Larry Seltzer
But for several years mass-mailing worms have used pretty
much the same technique for
But is that how they are propagating or how they try to
propagate?

If I was a spammer looking to get some new trojans I would
simply send a trojan out to 100,000 machines from my spamming
list. Getting the virus to self propagate looks icky to me.

I am told that this is how MyDoom was propagated initially,
but getting a hard reference for that is not easy. There
is also the interesting fact that releases of MyDoom were followed
shortly afterwards by major bank impersonation phishing attacks.


I am starting to think that the way to stop spam is to break up
the criminal value chain. Stop the acquisition of zombie platforms,
prevent or limit their use, detect people involved in the
work at home money laundering and package reshipping schemes.

There would be no point in stealling so many credit card #s
if there was no way to card them. The uptick in phishing is
probably the result of advances in carding fraud and the uptick
in phishing is simply a symptom of increased demand for stolen
cards rather than being technology driven.
Hallam-Baker, Phillip
2004-07-20 15:54:45 UTC
Permalink
Post by Larry Seltzer
Self-extracting ZIP files are executables, typically .EXE
files. Any system that blocks
executables blocks them. Nothing to see here folks, move on.
This is what I assume, but the way people are talking about them
it implies the existence of a .zip format file that contains auto-execute
content.

This is not as unlikely as it sounds since CDRoms auto-execute and working
out how to turn it off on Windows-XP or W2K is a non trivial problem.


I am trying to get to a very precise statement of the problem here.
One of the problems with the whole security field is that we have
a huge amount of folklore and lots of it turns out on examination
to be either misleading or outright bogus.

We 'know' that viruses read address books, only they don't we know
that they read files on the computer for addresses - only that might
not be the main propagation mechanism, we know that MyDoom was
targetted at SCO and Microsoft, only there is strong evidence to
suggest that we are dealling with a criminal phishing ring.


CNET published my article on the new approach I think is needed this
morning, it is constrained by the word limit and it is not for this
audience but it makes the general point:
http://news.com.com/2010-1029-5275150.html?tag=nefd.acpro

I don't think we are going to erradicate viruses and trojans using the
techniques being attempted today. I don't think it is exactly in the
interests of some to do that. I am looking for a disruptive change here.
Peter Smith
2004-07-20 17:02:25 UTC
Permalink
Post by Hallam-Baker, Phillip
I am trying to get to a very precise statement of the problem here.
One of the problems with the whole security field is that we have
a huge amount of folklore and lots of it turns out on examination
to be either misleading or outright bogus.
Is a precise statement possible? It seems to me that there are many
different 'bad guys' out there with many different motivations and
consequently, there are many different forms of attack.
Post by Hallam-Baker, Phillip
We 'know' that viruses read address books, only they don't we know
that they read files on the computer for addresses - only that might
not be the main propagation mechanism, we know that MyDoom was
targetted at SCO and Microsoft, only there is strong evidence to
suggest that we are dealling with a criminal phishing ring.
With regards to what we 'know', if you take any one form of attack you can
make a strong case for changing your security to counter it, but to use it
as an argument for removing or ignoring other measures as they do not seem
to apply in this instance seems a little questionable.


Peter Smith
Hallam-Baker, Phillip
2004-07-20 19:45:29 UTC
Permalink
Post by Peter Smith
Post by Hallam-Baker, Phillip
I am trying to get to a very precise statement of the problem here.
One of the problems with the whole security field is that we have
a huge amount of folklore and lots of it turns out on examination
to be either misleading or outright bogus.
Is a precise statement possible? It seems to me that there are many
different 'bad guys' out there with many different motivations and
consequently, there are many different forms of attack.
At this point 8 out of the top 10 viruses are Netsky variants. Sure
there are a zillion viruses out there in the wild, but only a handfull
ever propagate.

The spam rings are pretty lazy guys, they don't even write their own
viruses, they pirate stuff that has proved it works.
Post by Peter Smith
Post by Hallam-Baker, Phillip
We 'know' that viruses read address books, only they don't we know
that they read files on the computer for addresses - only that might
not be the main propagation mechanism, we know that MyDoom was
targetted at SCO and Microsoft, only there is strong evidence to
suggest that we are dealling with a criminal phishing ring.
With regards to what we 'know', if you take any one form of
attack you can
make a strong case for changing your security to counter it,
but to use it
as an argument for removing or ignoring other measures as
they do not seem
to apply in this instance seems a little questionable.
The question I am trying to answer is why the dominant anti-virus
strategy is blocking executable attachments with signatures of known
malicious code when it is easier and more effective to block all
executables and all encrypted zipped content and moreover this
technique does not depend on continuous updates to be effective?

Its not a question of weakening the security stance, quite the
opposite.

Phill
Seth Breidbart
2004-07-20 20:50:03 UTC
Permalink
Post by Hallam-Baker, Phillip
The question I am trying to answer is why the dominant anti-virus
strategy is blocking executable attachments with signatures of known
malicious code when it is easier and more effective to block all
executables and all encrypted zipped content and moreover this
technique does not depend on continuous updates to be effective?
The end of that paragraph provides the answer.

What would anti-virus companies sell if they were successful?

Seth
Roger B.A. Klorese
2004-07-21 04:53:34 UTC
Permalink
Post by Seth Breidbart
Post by Hallam-Baker, Phillip
The question I am trying to answer is why the dominant anti-virus
strategy is blocking executable attachments with signatures of known
malicious code when it is easier and more effective to block all
executables and all encrypted zipped content and moreover this
technique does not depend on continuous updates to be effective?
The end of that paragraph provides the answer.
What would anti-virus companies sell if they were successful?
It's much simpler: many send executables and encrypted ZIP files as part
of normal business, and social engineering would be more expensive than
virus scan updates.
George Ou
2004-07-20 21:12:14 UTC
Permalink
----- Original Message -----
From: "Hallam-Baker, Phillip" <***@verisign.com>
To: "'Peter Smith'" <***@onlinecounsellors.co.uk>; "Hallam-Baker, Phillip"
<***@verisign.com>; "'Larry Seltzer'" <***@larryseltzer.com>; "'Chris
Lewis'" <***@nortelnetworks.com>
Cc: <***@ietf.org>
Sent: Tuesday, July 20, 2004 12:45 PM
Subject: RE: [Asrg] Zombie spam
Post by Hallam-Baker, Phillip
The question I am trying to answer is why the dominant anti-virus
strategy is blocking executable attachments with signatures of known
malicious code when it is easier and more effective to block all
executables and all encrypted zipped content and moreover this
technique does not depend on continuous updates to be effective?
Its not a question of weakening the security stance, quite the
opposite.
Phill
Yes it works, but at what cost? You're telling people to cut their arm off
to stop an infection at the finger when that finger can be treated
effectively at well over 99.9% of the time using existing and proven
technology. It's like telling people to take a knife to their T1 link to
the internet if they don't want to get hacked from the network. Why bother
with anti-virus or firewalls at all? Just rip out your Ethernet adapter and
you'll never have to worry about getting infected again.

When you say "executable", there is a list of over 30 file extensions that
are executable or contain executable capability. People need to transmit
some form of these files to one another at some point, including the ability
to transmit PGP or S/MIME emails with sensitive attachments such as
financial data. Breaking functionality for the sake of security is not a
solution for most of us. We are not going to an era of clear text files
only with zero attachments.

The fact of the matter is, signature based scanning system DO WORK. There
is a very small statistical chance that you will get infected by a day zero
virus. In the 3 years of anti-virus SMTP gateway operation in our company,
a day zero outbreak happened only once for a 1 hour period before it was
contained in my 1000 user environment. The fact of the matter is, email
viruses are largely a non-issue for organizations with anti-virus SMTP
gateways. It provides a massive umbrella for 99.9% of the issues. 99.9% of
the problems are from people with no SMTP gateway protection and no firewall
protection. Recently, the encrypted zip files have provided a challenge to
the anti-virus SMTP gateway, but that is why we have desktop level
anti-virus protection. Ultimately, the OS must not permit executables to
run regardless of where it came from if it isn't from a trusted source and
if it has been tampered with. Strict Authenticode policies will soon be the
norm on the desktop. Windows XP SP2 is a huge step in the direction for the
better.

Some of these threads are just getting plain silly.


George Ou
Alan DeKok
2004-07-21 13:54:47 UTC
Permalink
Post by George Ou
When you say "executable", there is a list of over 30 file extensions that
are executable or contain executable capability.
But how many are there really?

I assume you're talking about Windows... other OS's tend not to have
wild hacks like deciding on executability based on name. And in
Windows, NO ONE knows the true list of which files are executable or
not.
Post by George Ou
Breaking functionality for the sake of security is not a solution
for most of us.
Others prefer to have systems that *work*. Insecure systems with
"functionality" are illusions. You will rue the day you chose such a
system when something you didn't catch destroys all the functionality
you hold dear.

It's also known as "not building your house on a foundation of
sand". These ideas have been well-known for thousands of years, why
won't people learn?

Alan DeKok.
David Maxwell
2004-07-21 15:44:29 UTC
Permalink
Post by George Ou
When you say "executable", there is a list of over 30 file extensions that
are executable or contain executable capability. People need to transmit
some form of these files to one another at some point, including the ability
to transmit PGP or S/MIME emails with sensitive attachments such as
financial data. Breaking functionality for the sake of security is not a
solution for most of us. We are not going to an era of clear text files
only with zero attachments.
I haven't seen anyone here mention the _real_ problem.

"For a naive end-user, there is no difference between clicking on a
button/icon to run local OS/MTA code, and clicking on an attached
executable to run foreign code."

Refusing to send executable attachments is a way of trying to educate
people that clicking on .exe files is bad.

Scanning for virus strings is a way of working around the above flaw by
not letting known bad .exe's get into the users mailbox.

MS's 'zones' is a way of trying to be smarter than the user, by treating
different sources differently - but this fails when the attachment is a
virus from a coworker on your local zone.

Blocking .exe's, and recommending ftp links, or .zip's is a way of
forcing the user to take extra, different actions to run foreign code.
If you had to paste the link in a brower, save the .exe to disk, find
it, and run it, you have some hope of educating people about the
significance of their actions. Likewise, if they have to open a .zip
file.

Of course, in order to make life easy, both browsers and zip programs
will let you run the .exe without the step of first saving it to disk -
thereby repeating the flaw the email program had. "There's no difference
to a naive end-user between clicking 'close' and double-clicking a .exe
file in winzip."
--
David Maxwell, ***@vex.net|***@maxwell.net --> Unless you have a solution
when you tell them things like that, most people collapse into a gibbering,
unthinking mass. This is the same reason why you probably don't tell your
boss about everything you read on BugTraq! - Signal 11
Devdas Bhagat
2004-07-20 21:57:24 UTC
Permalink
On 20/07/04 12:45 -0700, Hallam-Baker, Phillip wrote:
<snip>
Post by Hallam-Baker, Phillip
The question I am trying to answer is why the dominant anti-virus
strategy is blocking executable attachments with signatures of known
malicious code when it is easier and more effective to block all
executables and all encrypted zipped content and moreover this
technique does not depend on continuous updates to be effective?
The Default Deny vs Default allow debate again?
Convenience against security?
Marketing?

Take your pick of the reasons. People for some reason do want to send
executables around. There are better methods, but they don't want to use
them. After all, email is so easy to use. Just drag the file onto the
mail client icon. Or right click and choose "send to email recipient" or
whatever it says.

Being able to say we block n signatures and then n+K allows for selling
virus signature updates. As opposed to a secure system which can be
sold once, but then never again.

As far as the encrypted content goes, I *like* being able to encrypt
stuff and then send it. Encryption has its place. So does compression.

Let me ask the question the other way, why do we have to deal with
platforms that allow for such easy infection?
Post by Hallam-Baker, Phillip
Its not a question of weakening the security stance, quite the
opposite.
Ask any good firewall administrator. Then figure out why there are so
many misconfigured firewalls out there.

Devdas Bhagat
John Levine
2004-07-21 00:07:48 UTC
Permalink
Post by Hallam-Baker, Phillip
The question I am trying to answer is why the dominant anti-virus
strategy is blocking executable attachments with signatures of known
malicious code when it is easier and more effective to block all
executables and all encrypted zipped content and moreover this
technique does not depend on continuous updates to be effective?
Surely you know the answer: because then they'd lose their update
subscription revenue.

My copy of qmail uses a patch from Russ Nelson that rejects EXE and a
few other type of attachments at SMTP time, based on the first few
bytes of the attached file, not on what the MIME metadata claims. It
works great. I don't remember the last time I saw a virus.

Regards,
John Levine, ***@taugh.com, Taughannock Networks, Trumansburg NY
http://www.taugh.com
Hallam-Baker, Phillip
2004-07-20 21:05:49 UTC
Permalink
Post by John Levine
At the MARID F2F Microsoft showed that you can eliminate all bounce
mail by using an SRS style encoding scheme on your outgoing RFC 2821
email addresses.
I've tried it. It works pretty well, but there are some seriously
broken MTAs that manage to send real bounces that will fail any
signature check. I agree that you won't get any blowback with valid
signatures.
At this point I am not at all bother about loosing a few legit bounces
from a misconfigured mailer. I actually pipe all bounce mail straight
to /dev/null.

I think that we need to get out of paralysis due to broken legacy
code. I feel quite comfortable telling everyone who wants to continue
to send email reliably to deploy a standards compliant mail system.

The real problem is how sysadmins can tell if they have a standards
compliant mailer. What we really need is some form of interop testing
forum, possibly even a certification scheme.
John Levine
2004-07-21 00:08:44 UTC
Permalink
Post by Hallam-Baker, Phillip
The real problem is how sysadmins can tell if they have a standards
compliant mailer. What we really need is some form of interop testing
forum, possibly even a certification scheme.
Excellent point. I'm speaking to the Open Group, which does a lot of
interop testing and best practices, on Thursday and will be sure to
mention it.

Regards,
John Levine, ***@taugh.com, Taughannock Networks, Trumansburg NY
http://www.taugh.com
der Mouse
2004-07-22 04:10:17 UTC
Permalink
Post by Hallam-Baker, Phillip
The real problem is how sysadmins can tell if they have a standards
compliant mailer. What we really need is some form of interop
testing forum, possibly even a certification scheme.
I'm speaking to the Open Group, which does a lot of interop testing
and best practices, on Thursday and will be sure to mention it.
Interop testing isn't enough. Lots of mailers will happily accept tons
of non-conformant...well, "crap" is really about the only word for it.

What's needed here is interop testing against a mailer specifically
designed to require that its peers toe all the important lines (and
preferably a lot of the less-important ones, against the day when they
become important) - or at the very least to notice violations and flag
them somehow, even if that doesn't necessarily mean returning errors.

Indeed, there's a nascent consulting company I'm half of that has
exactly that - technical standards conformance testing - as part of one
of its "products" (="services", really), and it wouldn't surprise me if
other email consultants offered similar things.

/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
der Mouse
2004-07-21 03:03:30 UTC
Permalink
I actually pipe all bounce mail straight to /dev/null. [...] I feel
quite comfortable telling everyone who wants to continue to send
email reliably to deploy a standards compliant mail system.
Does anyone else find it as ironic as I do that someone who is willing
to take a strict standards-compliance stance with _others_ is content
to do something as egregious and mail-system-breaking as discarding
bounces without even looking at them? Even if it's, strictly,
standards compliant (which I'm not sure it is; I'm just not sure it's
not), that's a great way to break email.

Not that that detracts from the point that ignoring standards is a
large part of what's keeping us in the mess we're in.
The real problem is how sysadmins can tell if they have a standards
compliant mailer.
I suppose actually understanding what they're working with (the
standards and the software) is out of the question?

/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Alan DeKok
2004-07-21 14:00:34 UTC
Permalink
Post by der Mouse
Does anyone else find it as ironic as I do that someone who is willing
to take a strict standards-compliance stance with _others_ is content
to do something as egregious and mail-system-breaking as discarding
bounces without even looking at them?
Are bounces still useful to some people? Wow...

Wait a few months, maybe a few years. They won't be.

For many domains, off-site secondary MX's stopped being useful long
ago. For me, it's over half a decade, and approaching a decade.

The design flaws of SMTP are being hilighted daily. Bounces & MX
secondaries are just two pieces of SMTP which are no longer useful for
many systems. We can play "head in the sand", and refuse to fix the
problem because some people find those features useful. Or, we can
recognize that the features are flawed, and try to find a way of
retaining their positive aspects without also keeping their negative
ones.

Alan DeKok.
Tony Finch
2004-07-21 15:30:21 UTC
Permalink
Post by Alan DeKok
Are bounces still useful to some people?
It's easy to preserve the usefulness of bounces. Cryptographically sign
the envelope return path of all messages you send, and reject any bounces
whose recipient address does not have a valid signature. You don't even
need to do the crypto thing -- IME using an obscure envelope address is
enough.

Tony.
--
f.a.n.finch <***@dotat.at> http://dotat.at/
FAEROES: SOUTH OR SOUTHWEST 4 OR 5 BACKING SOUTHEAST 3 OR 4. OCCASIONAL RAIN.
MODERATE OR GOOD, OCCASIONALLY POOR.
Roger B.A. Klorese
2004-07-21 19:21:53 UTC
Permalink
Post by Tony Finch
Post by Alan DeKok
Are bounces still useful to some people?
It's easy to preserve the usefulness of bounces.
Even if 99.99% of them are backscatter noise, that's tirivial -- the
world is drowning in email bandwidth, and the backscatter bounces are
easy to differentiate from the real ones based on the content of the
bounced message. Real bounces, however, are essential.

Try not forgetting that the purpose of email is to figure out how to
make the real mail get through -- that the only reason to block any
other types is because they interfere with reading and finding the real
stuff.
Alan DeKok
2004-07-21 13:49:28 UTC
Permalink
Post by Hallam-Baker, Phillip
At this point I am not at all bother about loosing a few legit bounces
from a misconfigured mailer. I actually pipe all bounce mail straight
to /dev/null.
Bounces should *never* have used SMTP for their delivery. Control
signalling should always be out of band with respect to the data.
e.g. TCP to non-open ports returns ICMP "port unreachable", not a
return TCP connection to the originating host.

Alan DeKok.
der Mouse
2004-07-22 04:38:21 UTC
Permalink
Post by Alan DeKok
e.g. TCP to non-open ports returns ICMP "port unreachable", not a
return TCP connection to the originating host.
Not in my experience. When I see an open attempt to a non-listening
port, I normally see an RST segment coming back. (It's UDP that port
unreachables are normal for.)

/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Alan DeKok
2004-07-22 15:50:51 UTC
Permalink
Post by der Mouse
Post by Alan DeKok
e.g. TCP to non-open ports returns ICMP "port unreachable", not a
return TCP connection to the originating host.
Not in my experience. When I see an open attempt to a non-listening
port, I normally see an RST segment coming back. (It's UDP that port
unreachables are normal for.)
Sorry, thinking of: http://www.striker.ottawa.on.ca

Firewalling port 25...

Also, ~4 day-old baby, and lack of sleep...

Alan DeKok.
Hallam-Baker, Phillip
2004-07-20 22:20:39 UTC
Permalink
Post by George Ou
Post by Hallam-Baker, Phillip
The question I am trying to answer is why the dominant anti-virus
strategy is blocking executable attachments with signatures of known
malicious code when it is easier and more effective to block all
executables and all encrypted zipped content and moreover this
technique does not depend on continuous updates to be effective?
Its not a question of weakening the security stance, quite the
opposite.
Phill
Yes it works, but at what cost? You're telling people to cut
their arm off
to stop an infection at the finger when that finger can be treated
effectively at well over 99.9% of the time using existing and proven
technology.
No, first off I don't send executables arround the net and I never
have, nor have I ever received any legitimate executables. I can't
imagine that there are many real users who would do this either.
I can't imagine anywhere geekier than Microsoft and they have blocked
executable code outright for years.

As for the current strategies being a success I get hundreds of virus
attacks each day.

If anti-virus software was 99.9% efficient then there would be no
viruses. Instead they are a plague.
Post by George Ou
When you say "executable", there is a list of over 30 file
extensions that
are executable or contain executable capability. People need
to transmit
some form of these files to one another at some point,
including the ability
to transmit PGP or S/MIME emails with sensitive attachments such as
financial data.
The use of PGP and S/MIME is negligible, and no virus scanner works
on them or encrypted ZIP files anyway.

Ergo if encryption on the desktop is going to be permitted there has
to be scanning built into the decryption capability.
Post by George Ou
Breaking functionality for the sake of
security is not a
solution for most of us. We are not going to an era of clear
text files
only with zero attachments.
Err nobody suggested that. HTML, Office documents without Macros are
fine, any signed code is fine. executables, screen savers, javascript
are not.
Post by George Ou
The fact of the matter is, signature based scanning system DO
WORK.
Then why do viruses still propagate?
Post by George Ou
There
is a very small statistical chance that you will get infected
by a day zero virus.
I got live code passing through the virus filters on a weekly basis.

Modern viruses are being blasted out from botnets. A small botnet of
100 nodes sending 100 spams per second can send 100 million emails in
less than 3 hours. It typically takes six hours for a new virus to
be identified and the fingerprint distributed.
Post by George Ou
Ultimately, the OS must not permit
executables to
run regardless of where it came from if it isn't from a
trusted source and
if it has been tampered with. Strict Authenticode policies
will soon be the
norm on the desktop. Windows XP SP2 is a huge step in the
direction for the
better.
hang on, you just went from arguing against exchange of executables
in email to saying that all executables should be signed.

I tend to see the latter as being a somewhat more extreeme
position than the one I was proposing. Certainly it will come,
there is really no reason why windows should not check the
signature of every executable and dll before it loads it,
developer machines would have to sign the code as part of
the build process.


Phill
Larry Seltzer
2004-07-20 22:49:40 UTC
Permalink
If anti-virus software was 99.9% efficient then there would be no viruses. Instead
they are a plague.

The problem here is people running no antivirus software at all or old protection. These
things wouldn't spread very far, even the new ones, if everyone had antivirus
protection.
Post by George Ou
The fact of the matter is, signature based scanning system DO WORK.
Then why do viruses still propagate?
Ditto
I got live code passing through the virus filters on a weekly basis.
What virus filters are you running? Did you buy the house brand at Pathmark?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
***@ziffdavis.com
George Ou
2004-07-21 00:27:25 UTC
Permalink
----- Original Message -----
From: "Hallam-Baker, Phillip" <***@verisign.com>
To: "'George Ou'" <***@netzero.com>; "Hallam-Baker, Phillip"
<***@verisign.com>; "'Peter Smith'" <***@onlinecounsellors.co.uk>;
"'Larry Seltzer'" <***@larryseltzer.com>; "'Chris Lewis'"
<***@nortelnetworks.com>
Cc: <***@ietf.org>
Sent: Tuesday, July 20, 2004 3:20 PM
Subject: RE: [Asrg] Zombie spam
Post by Hallam-Baker, Phillip
Post by George Ou
Post by Hallam-Baker, Phillip
The question I am trying to answer is why the dominant anti-virus
strategy is blocking executable attachments with signatures of known
malicious code when it is easier and more effective to block all
executables and all encrypted zipped content and moreover this
technique does not depend on continuous updates to be effective?
Its not a question of weakening the security stance, quite the
opposite.
Phill
Yes it works, but at what cost? You're telling people to cut
their arm off
to stop an infection at the finger when that finger can be treated
effectively at well over 99.9% of the time using existing and proven
technology.
No, first off I don't send executables arround the net and I never
have, nor have I ever received any legitimate executables. I can't
imagine that there are many real users who would do this either.
I can't imagine anywhere geekier than Microsoft and they have blocked
executable code outright for years.
The key word here is "I". "I" does not comprise the rest of the world. The
rest of the world needs to be able to transmit files to each other and don't
live in the stone age. If it can't go through email, then an ftp link or
and http link sent within the email will suffice and your EXE blocking
policy is totally useless. Microsoft has attempted to block EXEs in the
past but is shifting their strategy to trusted and untrusted zones. It
doesn't matter if the file is stored as an attachment or as a file in your
HD and it doesn't matter if it came from Sneaker-net, SMB, NFS, HTTP FTP or
MIME. What they do is flag the file as untrusted so that it cannot be
launched by the user period. Blocking executables was a Band-Aid that never
really worked well. It is not a comprehensive solution and it only serves
to make computing more difficult for the average user. Strict Authenticode
policies are the not so distant future.
Post by Hallam-Baker, Phillip
As for the current strategies being a success I get hundreds of virus
attacks each day.
You must not have read my email. Those of us that have anti-virus SMTP
gateways that automatically update themselves daily with something like
Trend VirusWall virtually never see any infected emails. In the 3 years of
operation, I have only seen a single out break that was contained within an
hour. Recently with the advent of encrypted ZIP files, those have come
through but our desktop antivirus have kicked in. Within the next few
months, I'm going to mandate that our IT department upgrades everyone to
SP2. Once that is done, executables won't launch even if they don't match
an existing virus signature.
Post by Hallam-Baker, Phillip
If anti-virus software was 99.9% efficient then there would be no
viruses. Instead they are a plague.
Nonsense, comprehensive Anti-virus solutions are over 99.9% effective when
implemented properly. This means you have auto-updating
SMTP/FTP/HTTP/Exchange/Notes anti-virus gateways that provide a large
protective umbrella. Then a centrally managed desktop anti-virus solution
that is centrally patched protects the end-level protection. It is a fact
that these are well over 99.9% effective. Since you're seeing hundreds of
infected emails everyday, you must be using a lousy product or a poor
implementation. It surprises me to no end that some organizations still
don't have a clue how to implement effective anti-virus. The plague of
zombies that you are seeing are from people with out-dated or no anti-virus
protection and/or they're connected to the dirty internet with zero firewall
protection (not even NAT). It is a fact that the bulk of these zombies came
from Comcast users who were connected 24x7 with zero protection.
Post by Hallam-Baker, Phillip
Post by George Ou
When you say "executable", there is a list of over 30 file
extensions that
are executable or contain executable capability. People need
to transmit
some form of these files to one another at some point,
including the ability
to transmit PGP or S/MIME emails with sensitive attachments such as
financial data.
The use of PGP and S/MIME is negligible, and no virus scanner works
on them or encrypted ZIP files anyway.
Still, your recommendation breaks PGP and S/MIME not to mention that it is
totally useless against FTP or HTTP links such as
ftp://test.somedomain.com/binnary.exe. Even if you have an email app that
doesn't make it clickable, you can't stop someone from doing a cut-paste
operation in to their browser.
Post by Hallam-Baker, Phillip
Ergo if encryption on the desktop is going to be permitted there has
to be scanning built into the decryption capability.
Ah, I thought you didn't believe in anti-virus or scanning?
Post by Hallam-Baker, Phillip
Post by George Ou
Breaking functionality for the sake of
security is not a
solution for most of us. We are not going to an era of clear
text files
only with zero attachments.
Err nobody suggested that. HTML, Office documents without Macros are
fine, any signed code is fine. executables, screen savers, javascript
are not.
Ah, now you're singing my tune. Once XP SP2 is installed and a
comprehensive and strict trust/untrust mechanism is in place, then the
problem is largely mitigated.
Post by Hallam-Baker, Phillip
Post by George Ou
The fact of the matter is, signature based scanning system DO
WORK.
Then why do viruses still propagate?
Because people don't always use them, they don't implement a comprehensive
solution or they implemented a lousy solution.
Post by Hallam-Baker, Phillip
Post by George Ou
There
is a very small statistical chance that you will get infected
by a day zero virus.
I got live code passing through the virus filters on a weekly basis.
You must be using a lousy product. Other than the encrypted ZIP stuff, I
see zero infected emails showing up in any of our user's mail boxes. If
that gets to be a bigger problem, we'll start blocking encrypted ZIPs. One
possible solution is if the anti-virus gateway will send a form letter to
the user asking the user to decipher the password so that the gateway can
decrypt the ZIP and scan it. Ultimately, I'm looking to XP SP2.

What I've noticed on many occasions and installations is that for some
reason, the Unix version of Trend VirusWall would let several infected
attachments through while the Windows version wouldn't.
Post by Hallam-Baker, Phillip
Modern viruses are being blasted out from botnets. A small botnet of
100 nodes sending 100 spams per second can send 100 million emails in
less than 3 hours. It typically takes six hours for a new virus to
be identified and the fingerprint distributed.
XP SP2 trusted/untrusted executables resolves this. I've explained this
enough times, go look this up.
Post by Hallam-Baker, Phillip
Post by George Ou
Ultimately, the OS must not permit
executables to
run regardless of where it came from if it isn't from a
trusted source and
if it has been tampered with. Strict Authenticode policies
will soon be the
norm on the desktop. Windows XP SP2 is a huge step in the
direction for the
better.
hang on, you just went from arguing against exchange of executables
in email to saying that all executables should be signed.
I don't see how the two arguments are mutually exclusive. I've been saying
XP SP2 will be a huge factor in mitigating Trojans and viruses for months
including the last few emails. You just appear to be ignoring them or not
reading them.
Post by Hallam-Baker, Phillip
I tend to see the latter as being a somewhat more extreeme
position than the one I was proposing. Certainly it will come,
there is really no reason why windows should not check the
signature of every executable and dll before it loads it,
developer machines would have to sign the code as part of
the build process.
Phill
The latter is not more extreme and it's a hell of a lot more functional and
effective that brute force binary blocking. Microsoft would seem to agree
with their soon to be released XP SP2.

I would take the code signing machines a step further. Make sure that they
are using HSMs so that their private keys can't be harvested by worms or
viruses. Many new computers have embedded TPMs (Trusted Platform Modules)
in them, and that is a step in the right direction.


George Ou
Hallam-Baker, Phillip
2004-07-21 02:27:52 UTC
Permalink
Post by George Ou
The key word here is "I". "I" does not comprise the rest of
the world.
True, but my experience of the net tends to be a better guide
that most IETF'ers or Sysops.

The vast majority of net users do not run executables that
don't come off a CDROM or a Web site.
Post by George Ou
The
rest of the world needs to be able to transmit files to each
other and don't
live in the stone age. If it can't go through email, then an
ftp link or
and http link sent within the email will suffice and your EXE blocking
policy is totally useless.
You sound like someone who argues that we should not bother with
seatbelts because they don't protect you against rocket propelled
grenades.
Post by George Ou
What they do is flag the file as untrusted so that it cannot be
launched by the user period.
Why not just delete it?
Post by George Ou
Post by Hallam-Baker, Phillip
As for the current strategies being a success I get
hundreds of virus
Post by Hallam-Baker, Phillip
attacks each day.
You must not have read my email. Those of us that have
anti-virus SMTP
gateways that automatically update themselves daily with
something like
Yeah we have several, they don't seem to have protected anyone
who does not have one.

What I am arguing for here is that the default config of a
mail server should be to block incomming executables, if there
are people who really want to send executables by mail then they
can finance the anti-virus companies to make that possible. But
I believe that 98% of the market would be happy to accept a
situation where executables were supressed by default.

No rules, no updates, no subscriptions.

I don't want to create a product here, I want to stop people
hijacking PCs and then using botnets of zombies to spam, phish
and DDoS my customers. I don't think the anti-virus companies
are likely to offer that technology for free so I am looking for
a strategy that can be deployed at no cost.
Post by George Ou
Within the next few
months, I'm going to mandate that our IT department upgrades
everyone to
SP2. Once that is done, executables won't launch even if
they don't match
an existing virus signature.
In the real world we can't force everyone to upgrade to XP.
Post by George Ou
Nonsense, comprehensive Anti-virus solutions are over 99.9%
effective when implemented properly.
Not unless people pay for them.

I think that the idea of exchanging executables via email is
clueless, it should never have been possible in the first place.

Unix folk don't seem to feel the need to send executables about
via email.
Post by George Ou
Since you're
seeing hundreds of
infected emails everyday, you must be using a lousy product or a poor
implementation.
Most of them don't have live virus, but I have seen that on occasion

There is no way that a fingerprint product is going to be of use if
you are the target of a trojan attack.
Post by George Ou
It is a fact that the bulk of these zombies came
from Comcast users who were connected 24x7 with zero protection.
I can't get a national cybersecurity policy in place that forces
comcast to subscribe to a virus fingerprint service, blocking
dangerous MIME types on the other hand is a much more tractable
proposition.
Post by George Ou
Still, your recommendation breaks PGP and S/MIME not to
mention that it is
totally useless against FTP or HTTP links such as
ftp://test.somedomain.com/binnary.exe. Even if you have an
email app that
doesn't make it clickable, you can't stop someone from doing
a cut-paste
operation in to their browser.
That is what a web proxy does, no authenticode, no download.
Post by George Ou
Post by Hallam-Baker, Phillip
Ergo if encryption on the desktop is going to be permitted there has
to be scanning built into the decryption capability.
Ah, I thought you didn't believe in anti-virus or scanning?
Actually I don't believe that end to end security is fully thought
through.
Post by George Ou
Because people don't always use them, they don't implement a
comprehensive
solution or they implemented a lousy solution.
I don't thinkI am going to change these people, so after ten years
its time to look at a different solution.
Post by George Ou
XP SP2 trusted/untrusted executables resolves this. I've
explained this enough times, go look this up.
Go look up the number of papers and specs i have co-authored
with Microsoft in the past three years.

Also look up who the main issuer of authenticode certs is.

I don't rely on one strategy alone and I don't think it is
exactly going to be well received if I start plugging my own
products as the panacea.
Post by George Ou
I don't see how the two arguments are mutually exclusive.
I've been saying
XP SP2 will be a huge factor in mitigating Trojans and
viruses for months
including the last few emails. You just appear to be
ignoring them or not
reading them.
XP SP2 will only work for people running XP. I want to stop
the W2K and W95 platforms being co-opted into botnets.
Post by George Ou
I would take the code signing machines a step further. Make
sure that they
are using HSMs so that their private keys can't be harvested
by worms or
viruses. Many new computers have embedded TPMs (Trusted
Platform Modules)
in them, and that is a step in the right direction.
George Ou
2004-07-21 05:59:09 UTC
Permalink
----- Original Message -----
From: "Hallam-Baker, Phillip" <***@verisign.com>
To: "'George Ou'" <***@netzero.com>; "Hallam-Baker, Phillip"
<***@verisign.com>; "'Peter Smith'" <***@onlinecounsellors.co.uk>;
"'Larry Seltzer'" <***@larryseltzer.com>; "'Chris Lewis'"
<***@nortelnetworks.com>
Cc: <***@ietf.org>
Sent: Tuesday, July 20, 2004 7:27 PM
Subject: RE: [Asrg] Zombie spam
Post by Hallam-Baker, Phillip
Post by George Ou
The key word here is "I". "I" does not comprise the rest of
the world.
True, but my experience of the net tends to be a better guide
that most IETF'ers or Sysops.
Key phrase here is "IETF'ers or Sysops". I'm talking about mere mortals.
Mime a very convenient mechanism for mere mortals, if one can provide a save
environment with modern anti-virus measures for a few thousand dollars, then
most corporations will not penny pinch. It's a hell of a lot more expensive
in man-hours if you have more than 20 users. The maintenance license is
really not that expensive.
Post by Hallam-Baker, Phillip
The vast majority of net users do not run executables that
don't come off a CDROM or a Web site.
What about S/MIME and PGP messages? What about encrypted ZIP files? Are
you going to make exceptions for those?
Post by Hallam-Baker, Phillip
Post by George Ou
The
rest of the world needs to be able to transmit files to each
other and don't
live in the stone age. If it can't go through email, then an
ftp link or
and http link sent within the email will suffice and your EXE blocking
policy is totally useless.
You sound like someone who argues that we should not bother with
seatbelts because they don't protect you against rocket propelled
grenades.
Why don't you stick to the topic and answer the question? HTTP and FTP
links are a reality except it's a little more difficult for most people to
use. The reality is, any organization should implement anti-virus
technology at the HTTP, FTP, and SMTP gateways for that large umbrella of
protection. Exchange or Notes anti-virus and Desktop level protection are
the last line of defense. Windows XP SP2 trusted and untrusted executables
takes this to the next level and protects against Trojans and viruses that
don't have any known signature.
Post by Hallam-Baker, Phillip
Post by George Ou
What they do is flag the file as untrusted so that it cannot be
launched by the user period.
Why not just delete it?
Stupid question. You should know better than that. Let me give you a clue,
it's the same reason you quarantine questionable spam instead of deleting
it.
Post by Hallam-Baker, Phillip
What I am arguing for here is that the default config of a
mail server should be to block incomming executables, if there
are people who really want to send executables by mail then they
can finance the anti-virus companies to make that possible. But
I believe that 98% of the market would be happy to accept a
situation where executables were supressed by default.
No rules, no updates, no subscriptions.
What I'm getting at is that it's penny wise and a pound foolish for any
email system serving more than 25 people.
Post by Hallam-Baker, Phillip
I don't want to create a product here, I want to stop people
hijacking PCs and then using botnets of zombies to spam, phish
and DDoS my customers. I don't think the anti-virus companies
are likely to offer that technology for free so I am looking for
a strategy that can be deployed at no cost.
There are free basic firewalls out there for any OS. Anti-virus usually
come bundled with most PCs and even many motherboards. Downloading new
definitions don't cost a thing. Since the majority of computers in the
world run Windows XP, upgrading to SP2 is free. You get a default on
firewall, recompiled OS with a buffer overflow checking compiler, an OS that
refuses to execute untrusted binaries. Cost is not much of a concern here.
Post by Hallam-Baker, Phillip
Post by George Ou
Within the next few
months, I'm going to mandate that our IT department upgrades
everyone to
SP2. Once that is done, executables won't launch even if
they don't match
an existing virus signature.
In the real world we can't force everyone to upgrade to XP.
In the real world, most people already run Windows XP, and that number will
only rise. If you don't run XP, get yourself a free firewall. ISPs should
mandate these free downloads to customers when they sign them up or they
should provide inbound protection for their users. Users who refuse to
protect themselves should be disconnected. There is no excuse for not
running inbound firewall protection.
Post by Hallam-Baker, Phillip
Post by George Ou
Nonsense, comprehensive Anti-virus solutions are over 99.9%
effective when implemented properly.
Not unless people pay for them.
Most computers and motherboards come with anti-virus. If not, go to
PriceWatch.com and buy yourself a copy of Panda or Trend anti-virus for
$4-$6. The money argument is totally bogus so why don't you stop whining
about the cost. If you're running an ISP, the cost of implementing an
anti-virus SMTP gateway is negligible when spread across all the users. I
never get a single virus from my free MSN account since they've implemented
anti-virus at the gateway. ISPs shouldn't be permitted to operate email
service if they refuse to implement gateway scanning. I can't believe we're
even debating this at this point. It would be so cheap to mandate this at
the ISP level.
Post by Hallam-Baker, Phillip
I think that the idea of exchanging executables via email is
clueless, it should never have been possible in the first place.
That is why most people will never buy software from you, and certainly
would hate to have you as an Email administrator. I would dare say 9 out of
10 CIOs or IT directors would listen to me.
Post by Hallam-Baker, Phillip
Unix folk don't seem to feel the need to send executables about
via email.
Some of these Unix folks are elitists that need to get their head out of the
80s. You ever wonder why Unix users make up less than 5% of the population?
Post by Hallam-Baker, Phillip
There is no way that a fingerprint product is going to be of use if
you are the target of a trojan attack.
If signature based protection mechanisms protect you over 99.9% of the time,
you don't give up on it because of the .1% it can't cover. Additionally,
strict Authenticode policies or XP SP2 will solve this. XP SP2 is very
relevant since the vast majority of computers in the world run Windows XP.
Windows 2000 has local or domain level group policy capability that can
enforce Authenticode. If you're running Win9x or ME, get yourself a free
firewall and a $4 anti-virus package. Outlook and Outlook Express already
block EXEs on those OSes anyways.
Post by Hallam-Baker, Phillip
Post by George Ou
It is a fact that the bulk of these zombies came
from Comcast users who were connected 24x7 with zero protection.
I can't get a national cybersecurity policy in place that forces
comcast to subscribe to a virus fingerprint service, blocking
dangerous MIME types on the other hand is a much more tractable
proposition.
Getting a cybersecurity policy that mandates ISPs to implement transparent
anti-virus HTTP, FTP, and SMTP gateways would make eminent sense. Another
side benefit to these FTP and HTTP scanners is that they cache too, and can
save an ISP a lot of bandwidth on the backhaul. Licensing on this stuff is
not based on the number of users and is cost negligible. Mandating a
minimum of free inbound firewalls on all broadband enabled computers would
make eminent sense. As far as I'm concerned, the industry should not wait
until the federal government gets involved. If an ISP doesn't participate,
the rest of the industry should block all traffic from them until they
comply.
Post by Hallam-Baker, Phillip
Post by George Ou
Because people don't always use them, they don't implement a
comprehensive
solution or they implemented a lousy solution.
I don't thinkI am going to change these people, so after ten years
its time to look at a different solution.
You're not going to get anywhere telling people to stop using anti-virus or
banning attachments.
Post by Hallam-Baker, Phillip
Post by George Ou
XP SP2 trusted/untrusted executables resolves this. I've
explained this enough times, go look this up.
Go look up the number of papers and specs i have co-authored
with Microsoft in the past three years.
If you know, why do you come up with these cockamamie suggestions.
Post by Hallam-Baker, Phillip
XP SP2 will only work for people running XP. I want to stop
the W2K and W95 platforms being co-opted into botnets.
See above.
Post by Hallam-Baker, Phillip
Post by George Ou
I would take the code signing machines a step further. Make
sure that they
are using HSMs so that their private keys can't be harvested
by worms or
viruses. Many new computers have embedded TPMs (Trusted
Platform Modules)
in them, and that is a step in the right direction.
_______________________________________________
Asrg mailing list
https://www1.ietf.org/mailman/listinfo/asrg
George Ou
Peter Bowyer
2004-07-21 09:22:28 UTC
Permalink
Post by George Ou
In the real world, most people already run Windows XP
For what definition of 'most people'? What's your source for this?

Peter
Larry Seltzer
2004-07-21 10:16:55 UTC
Permalink
Post by Peter Bowyer
Post by George Ou
In the real world, most people already run Windows XP
For what definition of 'most people'? What's your source for this?
I don't want to speak for George Ou, but according to Google Zeitgeist
(http://www.google.com/press/zeitgeist.html) for June '04, 51% of the systems used to
access Google were Windows XP.

51% Windows XP
18% Windows 2000
16% Windows 98
3% Windows ME
3% Mac
2% Windows NT
1% Windows 95
1% Linux
5% Other

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
***@ziffdavis.com
Devdas Bhagat
2004-07-21 15:28:00 UTC
Permalink
On 20/07/04 22:59 -0700, George Ou wrote:
<snip>
Post by George Ou
Key phrase here is "IETF'ers or Sysops". I'm talking about mere mortals.
Mime a very convenient mechanism for mere mortals, if one can provide a save
environment with modern anti-virus measures for a few thousand dollars, then
most corporations will not penny pinch. It's a hell of a lot more expensive
in man-hours if you have more than 20 users. The maintenance license is
really not that expensive.
Speak for yourself. I deal with environments where the cost of the
antivirus is more than the cost of downtime associated with a major
virus hit. And this is in networks with 300+ users.

Man hours are dirt cheap. Software is expensive. Hardware is expensive.
(I could hire a *good* developer for a year for 5000 USD. The same 5000
USD would buy three entry level servers). Hardware costs are still too
high as compared to man hours.
Post by George Ou
Post by Hallam-Baker, Phillip
The vast majority of net users do not run executables that
don't come off a CDROM or a Web site.
What about S/MIME and PGP messages? What about encrypted ZIP files? Are
you going to make exceptions for those?
Post by Hallam-Baker, Phillip
Post by George Ou
The
rest of the world needs to be able to transmit files to each
other and don't
live in the stone age. If it can't go through email, then an
ftp link or
and http link sent within the email will suffice and your EXE blocking
policy is totally useless.
You sound like someone who argues that we should not bother with
seatbelts because they don't protect you against rocket propelled
grenades.
Why don't you stick to the topic and answer the question? HTTP and FTP
links are a reality except it's a little more difficult for most people to
use. The reality is, any organization should implement anti-virus
technology at the HTTP, FTP, and SMTP gateways for that large umbrella of
Why? Why not use a platform that is not riddled with holes? That is
known to be stable and usable. If you MUST use an insecure platform, why
connect it to the public Internet?

Doing so is actually cheaper than using all those technologies you
mention.
Post by George Ou
protection. Exchange or Notes anti-virus and Desktop level protection are
the last line of defense. Windows XP SP2 trusted and untrusted executables
takes this to the next level and protects against Trojans and viruses that
don't have any known signature.
Post by Hallam-Baker, Phillip
Post by George Ou
What they do is flag the file as untrusted so that it cannot be
launched by the user period.
Why not just delete it?
Stupid question. You should know better than that. Let me give you a clue,
it's the same reason you quarantine questionable spam instead of deleting
it.
Sorry, I don't quarantine spam. I reject the crap I can, and then LART
the rest. Then delete it. My time is probably worth much less than
yours. My bandwidth costs, on the other hand are far higher.
Post by George Ou
Post by Hallam-Baker, Phillip
What I am arguing for here is that the default config of a
mail server should be to block incomming executables, if there
are people who really want to send executables by mail then they
can finance the anti-virus companies to make that possible. But
I believe that 98% of the market would be happy to accept a
situation where executables were supressed by default.
No rules, no updates, no subscriptions.
What I'm getting at is that it's penny wise and a pound foolish for any
email system serving more than 25 people.
No. You are wrong. I know a whole lot of people that run without
antivirus software. That is because the platforms they use aren't
vulnerable to that crap.
Post by George Ou
Post by Hallam-Baker, Phillip
I don't want to create a product here, I want to stop people
hijacking PCs and then using botnets of zombies to spam, phish
and DDoS my customers. I don't think the anti-virus companies
are likely to offer that technology for free so I am looking for
a strategy that can be deployed at no cost.
There are free basic firewalls out there for any OS. Anti-virus usually
come bundled with most PCs and even many motherboards. Downloading new
definitions don't cost a thing. Since the majority of computers in the
world run Windows XP, upgrading to SP2 is free. You get a default on
You mean the majority of computers in the developed world. Not around
here.
Post by George Ou
firewall, recompiled OS with a buffer overflow checking compiler, an OS that
refuses to execute untrusted binaries. Cost is not much of a concern here.
Cost is a huge concern.
Post by George Ou
Post by Hallam-Baker, Phillip
Post by George Ou
Within the next few
months, I'm going to mandate that our IT department upgrades
everyone to
SP2. Once that is done, executables won't launch even if
they don't match
an existing virus signature.
In the real world we can't force everyone to upgrade to XP.
In the real world, most people already run Windows XP, and that number will
only rise. If you don't run XP, get yourself a free firewall. ISPs should
mandate these free downloads to customers when they sign them up or they
But then they had better make sure they run on my OS of choice. On my
hardware platform. And they should not affect my online activities.
Post by George Ou
should provide inbound protection for their users. Users who refuse to
protect themselves should be disconnected. There is no excuse for not
running inbound firewall protection.
Why? I run a few public services on this host. Those are all the open
ports I have.
Post by George Ou
Post by Hallam-Baker, Phillip
Post by George Ou
Nonsense, comprehensive Anti-virus solutions are over 99.9%
effective when implemented properly.
Not unless people pay for them.
Most computers and motherboards come with anti-virus. If not, go to
PriceWatch.com and buy yourself a copy of Panda or Trend anti-virus for
$4-$6. The money argument is totally bogus so why don't you stop whining
The argument is not bogus. Not when the price of an entry level system
is more than a months salary.
Post by George Ou
about the cost. If you're running an ISP, the cost of implementing an
anti-virus SMTP gateway is negligible when spread across all the users. I
Much cheaper to bill the user for all the viral traffic they generate.
Post by George Ou
never get a single virus from my free MSN account since they've implemented
anti-virus at the gateway. ISPs shouldn't be permitted to operate email
service if they refuse to implement gateway scanning. I can't believe we're
even debating this at this point. It would be so cheap to mandate this at
the ISP level.
What makes you think I trust my ISP to run a mailserver properly?
Post by George Ou
Post by Hallam-Baker, Phillip
I think that the idea of exchanging executables via email is
clueless, it should never have been possible in the first place.
That is why most people will never buy software from you, and certainly
would hate to have you as an Email administrator. I would dare say 9 out of
10 CIOs or IT directors would listen to me.
Heres a pointer:
http://honor.trusecure.com/pipermail/firewall-wizards/2004-May/016467.html

Read that entire thread. Understand what the participants are saying.

Follow up with this one:
http://honor.trusecure.com/pipermail/firewall-wizards/2004-May/016479.html
Post by George Ou
Post by Hallam-Baker, Phillip
Unix folk don't seem to feel the need to send executables about
via email.
Some of these Unix folks are elitists that need to get their head out of the
80s. You ever wonder why Unix users make up less than 5% of the population?
Because 95% of the population are morons? <duck>
Post by George Ou
Post by Hallam-Baker, Phillip
There is no way that a fingerprint product is going to be of use if
you are the target of a trojan attack.
If signature based protection mechanisms protect you over 99.9% of the time,
you don't give up on it because of the .1% it can't cover. Additionally,
Signature based protection is reactive. What we need is proactive
protection. Heuristics try to achieve that.
Post by George Ou
strict Authenticode policies or XP SP2 will solve this. XP SP2 is very
relevant since the vast majority of computers in the world run Windows XP.
Windows 2000 has local or domain level group policy capability that can
enforce Authenticode. If you're running Win9x or ME, get yourself a free
firewall and a $4 anti-virus package. Outlook and Outlook Express already
block EXEs on those OSes anyways.
I think you sorely miss the point. People do not pay for virus
subscriptions. People do not have group policies (or any policies) on
their home systems.
Post by George Ou
Post by Hallam-Baker, Phillip
Post by George Ou
It is a fact that the bulk of these zombies came
from Comcast users who were connected 24x7 with zero protection.
I can't get a national cybersecurity policy in place that forces
comcast to subscribe to a virus fingerprint service, blocking
dangerous MIME types on the other hand is a much more tractable
proposition.
Getting a cybersecurity policy that mandates ISPs to implement transparent
anti-virus HTTP, FTP, and SMTP gateways would make eminent sense. Another
Which ISPs? In what country? And who pays for them?
Post by George Ou
side benefit to these FTP and HTTP scanners is that they cache too, and can
save an ISP a lot of bandwidth on the backhaul. Licensing on this stuff is
not based on the number of users and is cost negligible. Mandating a
My ISP just firewalls off inbound connections until you request them not
to do so.
Post by George Ou
minimum of free inbound firewalls on all broadband enabled computers would
make eminent sense. As far as I'm concerned, the industry should not wait
until the federal government gets involved. If an ISP doesn't participate,
the rest of the industry should block all traffic from them until they
comply.
Like *that* will ever happen. Are you blocking UUnet for hosting
spammers yet?
Post by George Ou
Post by Hallam-Baker, Phillip
Post by George Ou
Because people don't always use them, they don't implement a
comprehensive
solution or they implemented a lousy solution.
I don't thinkI am going to change these people, so after ten years
its time to look at a different solution.
You're not going to get anywhere telling people to stop using anti-virus or
banning attachments.
I didn't see where attachments were banned. Just executable content.
Post by George Ou
Post by Hallam-Baker, Phillip
Post by George Ou
XP SP2 trusted/untrusted executables resolves this. I've
explained this enough times, go look this up.
Trusted by whom? And why should I trust them? Why should I trust a third
party?

<snip>

Devdas Bhagat
Roger B.A. Klorese
2004-07-21 16:44:36 UTC
Permalink
Post by Devdas Bhagat
Man hours are dirt cheap. Software is expensive. Hardware is expensive.
(I could hire a *good* developer for a year for 5000 USD. The same 5000
USD would buy three entry level servers). Hardware costs are still too
high as compared to man hours.
Actually, your labor costs are slave wages.
George Ou
2004-07-21 17:24:01 UTC
Permalink
----- Original Message -----
From: "Devdas Bhagat" <***@dvb.homelinux.org>
To: <***@ietf.org>
Sent: Wednesday, July 21, 2004 8:28 AM
Subject: Re: [Asrg] Zombie spam
Post by Devdas Bhagat
<snip>
Post by George Ou
Key phrase here is "IETF'ers or Sysops". I'm talking about mere mortals.
Mime a very convenient mechanism for mere mortals, if one can provide a save
environment with modern anti-virus measures for a few thousand dollars, then
most corporations will not penny pinch. It's a hell of a lot more expensive
in man-hours if you have more than 20 users. The maintenance license is
really not that expensive.
Speak for yourself. I deal with environments where the cost of the
antivirus is more than the cost of downtime associated with a major
virus hit. And this is in networks with 300+ users.
Where do you live? Some 3rd world country where people make $5 a day?
Post by Devdas Bhagat
Man hours are dirt cheap. Software is expensive. Hardware is expensive.
(I could hire a *good* developer for a year for 5000 USD. The same 5000
USD would buy three entry level servers). Hardware costs are still too
high as compared to man hours.
I guess you do live in some 3rd world country.
Post by Devdas Bhagat
Why? Why not use a platform that is not riddled with holes? That is
known to be stable and usable. If you MUST use an insecure platform, why
connect it to the public Internet?
Same reason why we don't we rip out their ethernet cards and cut their T1
connections?
Post by Devdas Bhagat
Sorry, I don't quarantine spam. I reject the crap I can, and then LART
the rest. Then delete it. My time is probably worth much less than
yours. My bandwidth costs, on the other hand are far higher.
Sorry to break this to you, but your bandwidth was already lost once you've
analyzed that email as spam. I'm not talking about obvious stuff, I'm
talking about not throwing away border line stuff.
Post by Devdas Bhagat
No. You are wrong. I know a whole lot of people that run without
antivirus software. That is because the platforms they use aren't
vulnerable to that crap.
Ah, sorry I forgot the third world. I was talking about first world.
Post by Devdas Bhagat
Post by George Ou
firewall, recompiled OS with a buffer overflow checking compiler, an OS that
refuses to execute untrusted binaries. Cost is not much of a concern here.
Cost is a huge concern.
You're telling me free personal firewalls are too expensive? Upgrading to
SP2 when you're already running XP like 51% of the world is too expensive?
Post by Devdas Bhagat
Post by George Ou
In the real world, most people already run Windows XP, and that number will
only rise. If you don't run XP, get yourself a free firewall. ISPs should
mandate these free downloads to customers when they sign them up or they
But then they had better make sure they run on my OS of choice. On my
hardware platform. And they should not affect my online activities.
All the Linux OSes have native firewall capability. What's wrong with
enforcing network access policy?
Post by Devdas Bhagat
Why? I run a few public services on this host. Those are all the open
ports I have.
You're one of the few percentage of users who don't run windows. I'm
talking about 90% of the world that does and how to address those people.
Post by Devdas Bhagat
Post by George Ou
Most computers and motherboards come with anti-virus. If not, go to
PriceWatch.com and buy yourself a copy of Panda or Trend anti-virus for
$4-$6. The money argument is totally bogus so why don't you stop whining
The argument is not bogus. Not when the price of an entry level system
is more than a months salary.
Around here, we make more than $4 a month, more than $4 an hour, and some
fortunate ones make more than $4 a minute.
Post by Devdas Bhagat
Post by George Ou
about the cost. If you're running an ISP, the cost of implementing an
anti-virus SMTP gateway is negligible when spread across all the users.
I
Post by Devdas Bhagat
Much cheaper to bill the user for all the viral traffic they generate.
That won't fly. Preventing all the infections in the first place is the
only realistic solution.
Post by Devdas Bhagat
Post by George Ou
never get a single virus from my free MSN account since they've implemented
anti-virus at the gateway. ISPs shouldn't be permitted to operate email
service if they refuse to implement gateway scanning. I can't believe we're
even debating this at this point. It would be so cheap to mandate this at
the ISP level.
What makes you think I trust my ISP to run a mailserver properly?
Again, you don't represent the masses. Most peole DO use their ISP's
mailserver.
Post by Devdas Bhagat
Because 95% of the population are morons? <duck>
You're not being very productive with comments like these. It's obvious I
shouldn't take you seriously any more.


George Ou
Devdas Bhagat
2004-07-21 17:40:11 UTC
Permalink
On 21/07/04 10:24 -0700, George Ou wrote:
<snip>
Post by George Ou
Post by Devdas Bhagat
Speak for yourself. I deal with environments where the cost of the
antivirus is more than the cost of downtime associated with a major
virus hit. And this is in networks with 300+ users.
Where do you live? Some 3rd world country where people make $5 a day?
India actually.
Post by George Ou
Post by Devdas Bhagat
Man hours are dirt cheap. Software is expensive. Hardware is expensive.
(I could hire a *good* developer for a year for 5000 USD. The same 5000
USD would buy three entry level servers). Hardware costs are still too
high as compared to man hours.
I guess you do live in some 3rd world country.
Post by Devdas Bhagat
Why? Why not use a platform that is not riddled with holes? That is
known to be stable and usable. If you MUST use an insecure platform, why
connect it to the public Internet?
Same reason why we don't we rip out their ethernet cards and cut their T1
connections?
Post by Devdas Bhagat
Sorry, I don't quarantine spam. I reject the crap I can, and then LART
the rest. Then delete it. My time is probably worth much less than
yours. My bandwidth costs, on the other hand are far higher.
Sorry to break this to you, but your bandwidth was already lost once you've
analyzed that email as spam. I'm not talking about obvious stuff, I'm
talking about not throwing away border line stuff.
What made you think I accepted it in the first place? I reject at the
time the sending systems sends RCPT TO:. Lots of local blocks, a caching
nameserver and a few good DNSBLs do wonders in blocking spam.
Post by George Ou
Post by Devdas Bhagat
No. You are wrong. I know a whole lot of people that run without
antivirus software. That is because the platforms they use aren't
vulnerable to that crap.
Ah, sorry I forgot the third world. I was talking about first world.
Post by Devdas Bhagat
Post by George Ou
firewall, recompiled OS with a buffer overflow checking compiler, an OS
that
Post by Devdas Bhagat
Post by George Ou
refuses to execute untrusted binaries. Cost is not much of a concern
here.
Post by Devdas Bhagat
Cost is a huge concern.
You're telling me free personal firewalls are too expensive? Upgrading to
SP2 when you're already running XP like 51% of the world is too expensive?
When SP2 implies that you need to actually purchase the OS, as opposed
to run a pirated copy, yes.
Post by George Ou
Post by Devdas Bhagat
Post by George Ou
In the real world, most people already run Windows XP, and that number
will
Post by Devdas Bhagat
Post by George Ou
only rise. If you don't run XP, get yourself a free firewall. ISPs
should
Post by Devdas Bhagat
Post by George Ou
mandate these free downloads to customers when they sign them up or they
But then they had better make sure they run on my OS of choice. On my
hardware platform. And they should not affect my online activities.
All the Linux OSes have native firewall capability. What's wrong with
enforcing network access policy?
Nothing, I was just objecting to your point on mandating downloads, or
disconnections. Mandating and enforcing a network access policy is a
good thing.
Post by George Ou
Post by Devdas Bhagat
Why? I run a few public services on this host. Those are all the open
ports I have.
You're one of the few percentage of users who don't run windows. I'm
talking about 90% of the world that does and how to address those people.
Post by Devdas Bhagat
Post by George Ou
Most computers and motherboards come with anti-virus. If not, go to
PriceWatch.com and buy yourself a copy of Panda or Trend anti-virus for
$4-$6. The money argument is totally bogus so why don't you stop
whining
Post by Devdas Bhagat
The argument is not bogus. Not when the price of an entry level system
is more than a months salary.
Around here, we make more than $4 a month, more than $4 an hour, and some
fortunate ones make more than $4 a minute.
Which is actually irrelevant to my point. That 4 USD/mth is a
significant number to a significant number of computer users.
Post by George Ou
Post by Devdas Bhagat
Post by George Ou
about the cost. If you're running an ISP, the cost of implementing an
anti-virus SMTP gateway is negligible when spread across all the users.
I
Post by Devdas Bhagat
Much cheaper to bill the user for all the viral traffic they generate.
That won't fly. Preventing all the infections in the first place is the
only realistic solution.
Join the club on *that* point. You want bandages around the Windows
problem. I don't want to have to deal with that problem at all.
MJR has a nice little rant on one of the firewall-wizards threads.
Post by George Ou
Post by Devdas Bhagat
Post by George Ou
never get a single virus from my free MSN account since they've
implemented
Post by Devdas Bhagat
Post by George Ou
anti-virus at the gateway. ISPs shouldn't be permitted to operate email
service if they refuse to implement gateway scanning. I can't believe
we're
Post by Devdas Bhagat
Post by George Ou
even debating this at this point. It would be so cheap to mandate this
at
Post by Devdas Bhagat
Post by George Ou
the ISP level.
What makes you think I trust my ISP to run a mailserver properly?
Again, you don't represent the masses. Most peole DO use their ISP's
mailserver.
As they should. Lets just say I use a different ISP for mail service
than for network connectivity. What drove me to smarting hosting through
a different host was the fact that the ISP couldn't upgrade its email
servers in three days. Took them two attempts of three days each to get
the upgrade working.
Post by George Ou
Post by Devdas Bhagat
Because 95% of the population are morons? <duck>
You're not being very productive with comments like these. It's obvious I
shouldn't take you seriously any more.
Ref: Sturgeon's law. 90% of anything is crud.

Devdas Bhagat
George Ou
2004-07-21 19:09:39 UTC
Permalink
----- Original Message -----
From: "Devdas Bhagat" <***@dvb.homelinux.org>
To: <***@ietf.org>
Sent: Wednesday, July 21, 2004 10:40 AM
Subject: Re: [Asrg] Zombie spam
Post by Devdas Bhagat
Post by George Ou
You're telling me free personal firewalls are too expensive? Upgrading to
SP2 when you're already running XP like 51% of the world is too expensive?
When SP2 implies that you need to actually purchase the OS, as opposed
to run a pirated copy, yes.
And you somehow find honor in this? Even so, at least do yourself a favor
and get a free personal firewall.
Post by Devdas Bhagat
Post by George Ou
All the Linux OSes have native firewall capability. What's wrong with
enforcing network access policy?
Nothing, I was just objecting to your point on mandating downloads, or
disconnections. Mandating and enforcing a network access policy is a
good thing.
No one is mandating downloads. You can implement any form of inbound
firewall security you want, including a $30 NAT router that you probably
need to share your broadband connection anyways. You can download or buy
your own firewall. The point in a network access policy is that you enforce
a minimum security level. Most broadband users would not complain if this
is marketed correctly as something that protects the end user. People are
simply ignorant of security and this will only serve to enlighten them.
What I'm suggesting is that ISPs should quarantine these ignorant users and
redirect them to a simple help page that offers them free downloads to
protect themselves so that they can get access to the Internet. This
doesn't apply if you're already an advance user who has already implemented
some sane security measures.
Post by Devdas Bhagat
Post by George Ou
Around here, we make more than $4 a month, more than $4 an hour, and some
fortunate ones make more than $4 a minute.
Which is actually irrelevant to my point. That 4 USD/mth is a
significant number to a significant number of computer users.
Who said it was $4 a month. That is a one time cost for an anti-virus
package. Virus definition updates are free the last time I checked.
Post by Devdas Bhagat
Post by George Ou
That won't fly. Preventing all the infections in the first place is the
only realistic solution.
Join the club on *that* point. You want bandages around the Windows
problem. I don't want to have to deal with that problem at all.
MJR has a nice little rant on one of the firewall-wizards threads.
I'm not talking about bandages, I'm talking about things that have very
significant impact on better security.
Post by Devdas Bhagat
Ref: Sturgeon's law. 90% of anything is crud.
Devdas Bhagat
What's crud is your ridiculous and arrogant arguments.
George Ou
2004-07-21 06:47:06 UTC
Permalink
----- Original Message -----
From: "Hallam-Baker, Phillip" <***@verisign.com>
To: "'George Ou'" <***@netzero.com>; "Hallam-Baker, Phillip"
<***@verisign.com>; "'Peter Smith'" <***@onlinecounsellors.co.uk>;
"'Larry Seltzer'" <***@larryseltzer.com>; "'Chris Lewis'"
<***@nortelnetworks.com>
Cc: <***@ietf.org>
Sent: Tuesday, July 20, 2004 7:27 PM
Subject: RE: [Asrg] Zombie spam
Post by Hallam-Baker, Phillip
Go look up the number of papers and specs i have co-authored
with Microsoft in the past three years.
Also look up who the main issuer of authenticode certs is.
I don't rely on one strategy alone and I don't think it is
exactly going to be well received if I start plugging my own
products as the panacea.
It's obvious from your position that you are very intelligent.
Unfortunately, guys like you have a tendency to be elitist and you tend to
ignore the needs of the common user. Your attacks on binary attachments is
simply a case of being a penny wise and a pound foolish, it's simple as
that. People have been declaring the death of signature based systems for
years and they've been made fools over and over again. I don't care if
someone invents some fancy new "behavior" based system for anti-virus or
IDS, it will always make sense to scan for signatures because it's a quick
and dirty sanity check. Any new mechanism will always complement, not
replace signature based systems.

I'm glad you mentioned the cost of anti-virus systems and others have even
mentioned the ethics of them. It would seem to me that $4 for an anti-virus
package or a few thousand dollars for an anti-virus gateway is a hell of a
lot more reasonable than paying $500 a year for a few signed bits. As for
ethics, it would seem to me that your own employer has a pretty bad
reputation as far as ethics are concerned within the Internet community.
When I say Authenticode, there is no reason that it has to be signed by a
$500 a year digital certificate. In house PKIs will suffice for most
internal applications. I can't wait for the day that PKI is delegated like
DNS with something like DNSSEC. This business of paying through the nose
for a few signed bits is ludicrous.


George Ou
Hallam-Baker, Phillip
2004-07-21 13:42:34 UTC
Permalink
I actually pipe all bounce mail straight to /dev/null.
[...] I feel
quite comfortable telling everyone who wants to continue to send
email reliably to deploy a standards compliant mail system.
Does anyone else find it as ironic as I do that someone who is willing
to take a strict standards-compliance stance with _others_ is content
to do something as egregious and mail-system-breaking as discarding
bounces without even looking at them?
I take standards seriously when they are serious standards.

The IETF has no internal accountability, the standards are poorly
presented and poorly maintained. There is no maintenance procedure.
A real standards process is a negotiation between the interested
parties - i.e. people who are going to write code that is going to
be used.

I am proposing that we need strong, respected email standards. That
does not equate to mandating compliance with a set of 20 year old
suggestions that are clearly broken.

If the market is not respecting standards there is usually a reason.
I want the major vendors, the major OSS projects and the major
operators to move to a consistent and coherent standard.

I understand that the IETF is quite probably incapable of this task,
there are other forums.
Hallam-Baker, Phillip
2004-07-21 16:09:12 UTC
Permalink
Post by George Ou
That is why most people will never buy software from you, and
certainly
would hate to have you as an Email administrator. I would
dare say 9 out of
10 CIOs or IT directors would listen to me.
How many Fortune 50 CIOs regularly ask you for advice?

I am working with a lot of CIOs who are very concerned about phishing
spam. They do not have the slightest concern for making sure that
it is still possible to send executable attachments.

Sure proposals like deep code signing will pay dividends in the future.
I take a much more extreeme view on this front than you are advocating,
but I also know that it takes time for such changes to propagate, more
time than I have.


The reason I made the proposal to block all executable content is that
I have been talking to real CIOs and CSOs and it is clear to me that
current strategies are allowing the bad guys far too many opportunities
to create zombies.

We have tried fingerprints for twenty years, they have not solved the
problem. It is time to think of new approaches.

I am completely unconvinced by your argument that real users want to
exchange code via email. Even my programmers report that this is pretty
unusual and that they tend to be blocked in any case. Real people want
their PC to behave predictably and not be attacked by Zombies. Most real
users do not write programs or share them in any form.

I am not saying that fingerprinting is a bad strategy, but it is
certainly a more expensive strategy than blanket blocking and it is
also less effective since it can only protect after the virus has
been identified and fingerprinted.

I will accept that virus scanning may be an acceptable protection model
as an alternative to a blanket block, but the blanket block should be
the default.


Phill
Roger B.A. Klorese
2004-07-21 16:52:26 UTC
Permalink
Post by Hallam-Baker, Phillip
I am working with a lot of CIOs who are very concerned about phishing
spam. They do not have the slightest concern for making sure that
it is still possible to send executable attachments.
That's because they don't participate in the day-to-day business of the
people on the front lines of the company's business, but rather, seek to
straitjacket them by simple-minded approaches to problems.
Post by Hallam-Baker, Phillip
The reason I made the proposal to block all executable content is that
I have been talking to real CIOs and CSOs and it is clear to me that
current strategies are allowing the bad guys far too many opportunities
to create zombies.
It matters at least as much to me what's easiest for the sales force,
help-desk staff, etc. -- the people who do the real work of the company
-- than the edict of a CIO or CSO. Many have tried to put up secure
shared folders, secure file access portals, etc... but the troops
understand email, and email alone, so email has to rise to the
challenge. People are too busy doing real work to bother with new tools
only to meet some else's agenda.
Alan DeKok
2004-07-21 18:13:11 UTC
Permalink
Many have tried to put up secure shared folders, secure file access
portals, etc... but the troops understand email, and email alone, so
email has to rise to the challenge.
If your "troops" can't understand secure file access, then maybe you
need to get new "troops".

This is also known as "don't blame the car when the drunk driver
runs it off of a cliff."
People are too busy doing real work to bother with new tools only
to meet some else's agenda.
Which means *you* are part of the problem.

Other people run secure systems, and are getting overwhelmed with
spam from people who "want to do real work", and therefore don't care
about getting their systems *right*. Believe it or not, it's
*cheaper* to run secure systems, it's *cheaper* to get systems right
the first time, rather than applying endless patches.

Can I send you a bill for all of the spam I'm receiving from
insecure systems run by people like you? If not, why would I care
about your opinion? Your business model obviously includes pushing
the cost of your non-security onto innocent bystanders like me.

That's a fraudulent business model, and it *will* die.

Alan DeKok.
George Ou
2004-07-21 18:55:53 UTC
Permalink
----- Original Message -----
From: "Alan DeKok" <***@ox.org>
To: <***@ietf.org>
Sent: Wednesday, July 21, 2004 11:13 AM
Subject: Re: [Asrg] Zombie spam
Post by Alan DeKok
Many have tried to put up secure shared folders, secure file access
portals, etc... but the troops understand email, and email alone, so
email has to rise to the challenge.
If your "troops" can't understand secure file access, then maybe you
need to get new "troops".
You're not living in the real world.
Post by Alan DeKok
This is also known as "don't blame the car when the drunk driver
runs it off of a cliff."
No one is suggesting that you run an insecure environment. All we're saying
is that you handle security on the infrastructure end and let the users do
their jobs and not worry about if something is safe to click on. Believe
me, we would all love to have a user base that is as intelligent as most of
the people in this group, but we're talking about mere mortals here and
that's reality.
Post by Alan DeKok
People are too busy doing real work to bother with new tools only
to meet some else's agenda.
Which means *you* are part of the problem.
Not if the proper security mechanisms are implemented. We are not part of
the problem The vast majority of the problem comes from broadband connected
users who have little or no protection. My DSL provider will go as far as
shutting you down if you dare run a vulnerability scan on someone, and that
is a step in the right direction. Some form of network access control
should be implemented at the ISP level so that users must meet a minimum
security standard such as operating a free inbound blocking firewall or else
they get no quaranteened. In that case, any web request will be redirected
to a friendly help page with free firewall downloads. Having all ISPs
implement anti-virus at the HTTP, FTP, and SMTP gateways for both inbound
and outbound traffic will go a long way to clean up the internet. Demanding
more intelligence from the user base is a fools errand. Complaining that
"if only people were smarter" doesn't get you anywhere, so the practical way
of solving this problem is to work with the assumption that the average
person is dumb.
Post by Alan DeKok
Other people run secure systems, and are getting overwhelmed with
spam from people who "want to do real work", and therefore don't care
about getting their systems *right*. Believe it or not, it's
*cheaper* to run secure systems, it's *cheaper* to get systems right
the first time, rather than applying endless patches.
Can I send you a bill for all of the spam I'm receiving from
insecure systems run by people like you? If not, why would I care
about your opinion? Your business model obviously includes pushing
the cost of your non-security onto innocent bystanders like me.
Now you're being unreasonable with that accusation. You know damn well that
we're not suggesting that we operate an insecure environment, only that we
spend a little money on the infrastructure which is infinitely cheaper than
social engineering. We operate an email environment where we even scan
outbound SMTP so we never send out a single virus. All users have personal
firewalls that are set from a central policy. These mechanisms do work, and
you're barking up the wrong tree. Getting the ISPs to implement same sane
network access control policy and a large anti-virus umbrella is infinitely
more effective and cheaper.
Post by Alan DeKok
That's a fraudulent business model, and it *will* die.
Alan DeKok.
The only thing fraudulent is your bogus arguments.


George Ou
Alan DeKok
2004-07-22 15:36:25 UTC
Permalink
Some form of network access control should be implemented at the ISP
level so that users must meet a minimum security standard such as
operating a free inbound blocking firewall or else they get no
quaranteened. In that case, any web request will be redirected to a
friendly help page with free firewall downloads. Having all ISPs
implement anti-virus at the HTTP, FTP, and SMTP gateways for both
inbound and outbound traffic will go a long way to clean up the
internet.
Ah, yes. You don't/can't educate your "troops", so you want to
impose filtering for everyone, including people who don't have idiot
problems... like me. Ask me why I'm not impressed.

To repeat: It's *your* problem, not mine. I don't want such
filters, and I don't need them. Many people, in fact, don't need
them. The fact that *you* do speaks of your issues, not everyone
elses.
Demanding more intelligence from the user base is a fools errand.
Demanding that people should know how to use a tool properly, or not
use it at all is a good idea. The alternative is for Big Brother to
"protect" them from everything, "for their own good".
Complaining that "if only people were smarter" doesn't get you
anywhere,
Which is why I didn't say that. Did you read my message?
Getting the ISPs to implement same sane network access control
policy and a large anti-virus umbrella is infinitely more effective
and cheaper.
It's more expensive than having people use tools that *work*.

I understand the fascination with applying patches on top of patches
on top of fixes on top of hacks. There's a great business model for
many people to supply the fixes, and everyone gets to feel good about
being busy and industrious. But it's a fools game. People who
*don't* have those problems avoid the busy-work nonsense, and get on
with their lives. In the long run, they're more productive.

Alan DeKok.
Roger B.A. Klorese
2004-07-22 15:45:01 UTC
Permalink
Post by Alan DeKok
Demanding that people should know how to use a tool properly, or not
use it at all is a good idea. The alternative is for Big Brother to
"protect" them from everything, "for their own good".
Are you ready to remove the brakes from your car, or just the airbags
and seatbelts?
der Mouse
2004-07-22 16:51:19 UTC
Permalink
Post by Roger B.A. Klorese
Post by Alan DeKok
Demanding that people should know how to use a tool properly, or not
use it at all is a good idea. The alternative is for Big Brother to
"protect" them from everything, "for their own good".
Are you ready to remove the brakes from your car, or just the airbags
and seatbelts?
If you really want to draw specious analogies, at least draw good ones.
Here, the argument is that the governments who control access to roads
should require that drivers should learn how to drive rather than
requiring that their cars be capable of protecting them if they can't.

Oddly enough, that's exactly what those governments do.

/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
william(at)elan.net
2004-07-22 17:11:58 UTC
Permalink
Post by der Mouse
Post by Roger B.A. Klorese
Post by Alan DeKok
Demanding that people should know how to use a tool properly, or not
use it at all is a good idea. The alternative is for Big Brother to
"protect" them from everything, "for their own good".
Are you ready to remove the brakes from your car, or just the airbags
and seatbelts?
If you really want to draw specious analogies, at least draw good ones.
Here, the argument is that the governments who control access to roads
should require that drivers should learn how to drive rather than
requiring that their cars be capable of protecting them if they can't.
Oddly enough, that's exactly what those governments do.
Its kind of a mix really. They do require you to learn how to drive, but
also require you to protect yourself in case somebody else did not learn.
--
William Leibzon
Elan Networks
***@elan.net
George Ou
2004-07-22 17:39:29 UTC
Permalink
I'll have to apologize to you my lord for the rest of the world that
aren't as smart as you, who don't want to stop using Microsoft, who
don't know how to lock down their computers, who rely on email
attachments, who don't know how to implement firewalls.

I suppose in your world, you'd just take away peoples computers if they
are not as smart as you.

-----Original Message-----
From: asrg-***@ietf.org [mailto:asrg-***@ietf.org] On Behalf Of
Alan DeKok
Sent: Thursday, July 22, 2004 8:36 AM
To: ***@ietf.org
Subject: Re: [Asrg] Zombie spam


Ah, yes. You don't/can't educate your "troops", so you want to impose
filtering for everyone, including people who don't have idiot
problems... like me. Ask me why I'm not impressed.

To repeat: It's *your* problem, not mine. I don't want such filters,
and I don't need them. Many people, in fact, don't need them. The fact
that *you* do speaks of your issues, not everyone elses.
Demanding more intelligence from the user base is a fools errand.
Demanding that people should know how to use a tool properly, or not
use it at all is a good idea. The alternative is for Big Brother to
"protect" them from everything, "for their own good".
Complaining that "if only people were smarter" doesn't get you
anywhere,
Which is why I didn't say that. Did you read my message?
Getting the ISPs to implement same sane network access control policy
and a large anti-virus umbrella is infinitely more effective and
cheaper.
It's more expensive than having people use tools that *work*.

I understand the fascination with applying patches on top of patches
on top of fixes on top of hacks. There's a great business model for
many people to supply the fixes, and everyone gets to feel good about
being busy and industrious. But it's a fools game. People who
*don't* have those problems avoid the busy-work nonsense, and get on
with their lives. In the long run, they're more productive.

Alan DeKok.
David Maxwell
2004-07-22 18:52:02 UTC
Permalink
Post by George Ou
I'll have to apologize to you my lord for the rest of the world that
aren't as smart as you, who don't want to stop using Microsoft, who
don't know how to lock down their computers, who rely on email
attachments, who don't know how to implement firewalls.
I suppose in your world, you'd just take away peoples computers if they
are not as smart as you.
Do you give knives, or nuclear weapons to toddlers? No, you protect
them for a time.

Microsoft insists on giving naive people tools which facilitate epidemic
viruses and ease the efforts of spammers to bury society in junkmail,
and degrade the value of the Internet, and email in particular.

Folks at Microsoft must never have read Marvel comics - "With great
power, comes great responsibility." When you let people spread viruses
with a single click on an attachment...

Of course, people who persist in using those tools who don't understand
the damage they cause, shouldn't be blamed any more than the toddler
with the knife.
--
David Maxwell, ***@vex.net|***@maxwell.net -->
All this stuff in twice the space would only look half as bad!
- me
David Wall
2004-07-22 19:25:41 UTC
Permalink
Post by David Maxwell
Do you give knives, or nuclear weapons to toddlers? No, you protect
them for a time.
Who'd have thought that a computer was a weapon?
Post by David Maxwell
Microsoft insists on giving naive people tools which facilitate epidemic
viruses and ease the efforts of spammers to bury society in junkmail,
and degrade the value of the Internet, and email in particular.
While I'd never defend MSFT on this matter -- I still don't know why they'd
allow email to be executable (data never should be) or why they needed to
allow for scripting beyond that allowed by standard javascript/DOM that
would have precluded many of the pains we all suffer -- MSFT may sell
software, but their software is not causing the crimes themselves. It's
still criminals who are using them against people.

In this regard, it's like saying that people who sell knives should be
responsible for instances in which people use them to rob someone. The
knife did not rob people, and the knife has perfectly good uses besides
robbing people with them. In the end, only the law and education will
reduce such activities to a suitably low level -- just like we still have
crime, but for many, it's not epidemic.
Post by David Maxwell
Of course, people who persist in using those tools who don't understand
the damage they cause, shouldn't be blamed any more than the toddler
with the knife.
But you do think the knife manufacturer should be blamed?

It's unfortuate, but as long as people insist on using a lowest common
denominator tool like "free" email for real business activities, the more
troubles we'll have. If businesses used door-to-door sales still, we'd find
more people being robbed by fake salesmen. But most people don't accept
such solicitations anymore (even if knocking on a door didn't incur a
special fee). If businesses stopped using FedEx/postal mail and switched to
sliding letters under your door or putting packages by your door, you'd find
people would use that for terrorist activities and such. Smart businesses
need to move away from email as a means of communicating with their
customers in order to reduce people's assumption that bogus email might be
real email. Social engineering attacks will continue as long as businesses
allow such an insecure, untrusted, non-private form a cheap communications
to carry on real business. There are alternatives out there today, but you
won't find a solution in CB radios or bulletin boards in the mall, and you
won't find it in email.

David
Seth Breidbart
2004-07-22 19:39:28 UTC
Permalink
Post by David Wall
Who'd have thought that a computer was a weapon?
The US Government, for one, when it banned their export as weapons.
Post by David Wall
While I'd never defend MSFT on this matter -- I still don't know why
they'd allow email to be executable (data never should be)
von Neumann won that argument a long time ago. But have fun with your
punched-by-hand paper-tape Aiken IBM Automatic Sequential Digital
Calculator.
Post by David Wall
or why they needed to allow for scripting beyond that allowed by
standard javascript
Compare the dates on javascript and executable email.
Post by David Wall
MSFT may sell software, but their software is not causing the crimes
themselves. It's still criminals who are using them against people.
Their software is allowing the crimes, and making them easier.
Post by David Wall
In this regard, it's like saying that people who sell knives should be
responsible for instances in which people use them to rob someone.
More like people who sell airplanes (in a world where the government
didn't regulate them or license pilots) having some responsibility for
their use.
Post by David Wall
It's unfortuate, but as long as people insist on using a lowest
common denominator tool like "free" email for real business
activities, the more troubles we'll have.
Free email like emacs RMAIL (which I've used in business for decades
now)? Strange, it has never had a problem with worms, viruses, etc.
Post by David Wall
Smart businesses need to move away from email as a means of
communicating with their customers in order to reduce people's
assumption that bogus email might be real email.
Smart businesses don't operate in your universe, they operate in this
one, in which inexpensive communication with customers is very useful
to them.
Post by David Wall
Social engineering attacks will continue as long as businesses
allow such an insecure, untrusted, non-private form a cheap
communications to carry on real business.
So now you're blaming businesses for the problem? Even if businesses
stopped sending email, people would still send it; I get a lot more
spam claiming to be from a person (like a woman's first name) than
from a business.

Seth
David Maxwell
2004-07-22 19:45:03 UTC
Permalink
Post by David Wall
Post by David Maxwell
Do you give knives, or nuclear weapons to toddlers? No, you protect
them for a time.
Who'd have thought that a computer was a weapon?
Pick 'plastic bag' if you prefer. Most of those are now labelled 'not a
toy, do not alow children to use - suffocation hazzard'.
Post by David Wall
Post by David Maxwell
Microsoft insists on giving naive people tools which facilitate epidemic
[...]
Post by David Wall
-- MSFT may sell
software, but their software is not causing the crimes themselves. It's
still criminals who are using them against people.
In this regard, it's like saying that people who sell knives should be
responsible for instances in which people use them to rob someone. The
No, but stores are responsible for who they sell to. Right or wrong,
that's the approach taken with firearms, tobacco, and alcohol. Stores
may not sell such to end-users that the law defines as (not of the age
of majority) unable to make an educated choice. It's a shame software
isn't sold the same way. :-)

[...]
Post by David Wall
But you do think the knife manufacturer should be blamed?
Not for creating the dangerous product, only for marketing it to people
who don't understand that it's dangerous, and for providing sales
channels that put it in the hands of uneducated customers.

Of course, in this case, unlike knives, it's probably easier to blunt
the software than educate the user.
Post by David Wall
It's unfortuate, but as long as people insist on using a lowest common
denominator tool like "free" email for real business activities, the more
An interesting suggestion. It's a matter of semantics whether the new
tool ends up being called 'email' of course, and whether or not the
protocol is at all related to today's SMTP - with authentication added,
perhaps.
--
David Maxwell, ***@vex.net|***@maxwell.net --> Mastery of UNIX, like
mastery of language, offers real freedom. The price of freedom is always dear,
but there's no substitute. Personally, I'd rather pay for my freedom than live
in a bitmapped, pop-up-happy dungeon like NT. - Thomas Scoville
George Ou
2004-07-22 20:05:54 UTC
Permalink
----- Original Message -----
From: "David Maxwell" <***@vex.net>
To: "George Ou" <***@netzero.com>
Cc: <***@ietf.org>; "'Alan DeKok'" <***@ox.org>
Sent: Thursday, July 22, 2004 11:52 AM
Subject: Re: [Asrg] Zombie spam
Post by David Maxwell
Post by George Ou
I suppose in your world, you'd just take away peoples computers if they
are not as smart as you.
Do you give knives, or nuclear weapons to toddlers? No, you protect
them for a time.
So what is your solution? Take away their computers if they're not computer
experts like us? All I suggested is that you protect them from the gateway,
and implement some sane network access control policy to make them use a
free firewall at the minimum. If you already have a firewall or a NAT
router in place, this won't affect you. If you're not running Microsoft
Windows, it need not affect you. The ISP simply needs to quarantine them if
they detect that they can access NetBIOS on the user's computer. Once
quarantined, these newbie users would be redirected to a friendly help page
telling them how to download and install a free firewall or turn on their
built in WinXP firewall. Network Access Control technology already exists
and is already implemented by some ISPs. The proven anti-virus
SMTP/HTTP/FTP gateway technology will protect users who have no anti-virus
on their desktops. Do you have a better suggestion than these two
strategies? It's a lot less draconian than demanding user intelligence or
else.

All I'm suggesting is that you shouldn't be allowed to connect to broadband
with a wide open Microsoft Windows machine because it can be used as a
weapon. What's wrong with that?
Post by David Maxwell
Microsoft insists on giving naive people tools which facilitate epidemic
viruses and ease the efforts of spammers to bury society in junkmail,
and degrade the value of the Internet, and email in particular.
Folks at Microsoft must never have read Marvel comics - "With great
power, comes great responsibility." When you let people spread viruses
with a single click on an attachment...
This is why Microsoft is shipping XP SP2 with a default on firewall and a
ton of other significant security features. We all know MS has more than
their share of sins, but at what point do we move on beyond the anti-MS
rhetoric.

Instead of just complaining about Microsoft, do you offer any real
solutions? Bashing Microsoft and bashing ordinary users who don't share you
degree of computer competence won't change anything, people won't all of a
sudden switch to Linux or MAC which have their own share of problems if
implemented incorrectly.


George Ou
David Maxwell
2004-07-22 20:22:10 UTC
Permalink
Post by George Ou
Post by David Maxwell
Do you give knives, or nuclear weapons to toddlers? No, you protect
them for a time.
So what is your solution? Take away their computers if they're not computer
experts like us? All I suggested is that you protect them from the gateway,
and implement some sane network access control policy to make them use a
free firewall at the minimum. If you already have a firewall or a NAT
Sometimes the first step in finding a solution is admitting that there
is a problem. I don't have a quick fix for the situation - but I think
of lot of people don't yet admit that there is a problem.
Post by George Ou
All I'm suggesting is that you shouldn't be allowed to connect to broadband
with a wide open Microsoft Windows machine because it can be used as a
weapon. What's wrong with that?
Nothing in particular - but your argument with Alan which I jumped into
the middle of was him saying "I don't run Windows, you shouldn't expect
me, on the receiving end to filter spewage from insecure hosts, at the
cost of my time and effort" - you're saying "Windows machines should be
filtered/firewalled/virus-scanned." I doubt Alan would disagree.

Of course, saying it needs doing won't get it done - especially when
many people don't admit there's a problem.
Post by George Ou
Post by David Maxwell
Microsoft insists on giving naive people tools which facilitate epidemic
This is why Microsoft is shipping XP SP2 with a default on firewall and a
ton of other significant security features. We all know MS has more than
their share of sins, but at what point do we move on beyond the anti-MS
rhetoric.
Instead of just complaining about Microsoft, do you offer any real
solutions? Bashing Microsoft and bashing ordinary users who don't share you
degree of computer competence won't change anything, people won't all of a
sudden switch to Linux or MAC which have their own share of problems if
implemented incorrectly.
Microsoft is the only entity situated to change the problem quickly. For
anyone else to fix it requires market forces, which take time.

Microsoft has claimed security is a priority, but haven't delivered, so
the one source of a 'real solution' is not forthcoming.

Let me point out, that I said users should not be blamed (c.f.
"Incompetant and unaware of it"). You should blame those who fail to
protect them.

I involved myself in this exchange because you were exaggerating Alan's
point of view and putting words in his mouth ("Take away their
computers"). I feel I've made my points.
--
David Maxwell, ***@vex.net|***@maxwell.net --> Although some of you out
there might find a microwave oven controlled by a Unix system an attractive
idea, controlling a microwave oven is easily accomplished with the smallest
of microcontrollers. - Russ Hersch - (Microcontroller primer and FAQ)
Dr. Jeffrey Race
2004-07-21 08:13:43 UTC
Permalink
[SNIP]
Post by Alan DeKok
People are too busy doing real work to bother with new tools only
to meet some else's agenda.
Which means *you* are part of the problem.
[SNIP
Post by Alan DeKok
Can I send you a bill for all of the spam I'm receiving from
insecure systems run by people like you? If not, why would I care
about your opinion? Your business model obviously includes pushing
the cost of your non-security onto innocent bystanders like me.
That's a fraudulent business model, and it *will* die.
It's called the "environmental polluter business model"; see

<http://www.camblab.com/nugget/spam_03.pdf>
from which is derived
<http://www.camblab.com/misc/univ_std.txt>

Jeffrey Race
Roger B.A. Klorese
2004-07-21 19:19:11 UTC
Permalink
Post by Alan DeKok
If your "troops" can't understand secure file access, then maybe you
need to get new "troops".
They're sales reps. I expect them to be good at SELLING. I don't care
if they ever learn how to FTP, and certainly if they ever learn to post
on a website.

"Secure file access" as you construct it is an impediment to their
getting their job done.
Post by Alan DeKok
Other people run secure systems, and are getting overwhelmed with
spam from people who "want to do real work", and therefore don't care
about getting their systems *right*. Believe it or not, it's
*cheaper* to run secure systems, it's *cheaper* to get systems right
the first time, rather than applying endless patches.
But running systems is *your* job.

Understanding how to use the hookie-dookie-securi-pookie protocol tool
is not a sales rep or support desk person's job.
Post by Alan DeKok
Can I send you a bill for all of the spam I'm receiving from
insecure systems run by people like you? If not, why would I care
about your opinion? Your business model obviously includes pushing
the cost of your non-security onto innocent bystanders like me.
Actually, it has absolutely nothing at all to do with you. Nobody told
you to accept executables. Well, perhaps your line-of-business people
did, but I'm sure you convinced them that it's of more value for them to
learn how to post to a website than to make a sales call or take a
support call.
Post by Alan DeKok
That's a fraudulent business model, and it *will* die.
Yeah, right along with fossil fuels and licensed software.
Alan DeKok
2004-07-22 15:44:07 UTC
Permalink
Post by Roger B.A. Klorese
They're sales reps. I expect them to be good at SELLING. I don't care
if they ever learn how to FTP, and certainly if they ever learn to post
on a website.
"Secure file access" as you construct it is an impediment to their
getting their job done.
Seeing as I didn't "construct" it, (I just used the term), you're
obviously confusing me with someone else. Please stop inventing
opinions and applying them to me.
Post by Roger B.A. Klorese
Understanding how to use the hookie-dookie-securi-pookie protocol tool
is not a sales rep or support desk person's job.
Sure. If the tools is designed properly, it works, and they don't
even know it works *right*. But most people (include the CEO of a
company I used to work for), don't care. He would get doc files from
head hunters, and open them blindly, not caring if the file contained
macros to steal corporate IP, and mail it outside of the company.
Even when it was explained to him that this could happen, he Just
Didn't Care.

If the tools had been designed right in the first place, this
wouldn't be possible. But many of the people writing the tools report
to individuals like that CEO, and are *ordered* to write
garbage... It's a serious problem, and one we can't solve here.

Alan DeKok.
Roger B.A. Klorese
2004-07-22 15:52:41 UTC
Permalink
Post by Alan DeKok
Post by Roger B.A. Klorese
Understanding how to use the hookie-dookie-securi-pookie protocol tool
is not a sales rep or support desk person's job.
Sure. If the tools is designed properly, it works, and they don't
even know it works *right*.
If it's an additional tool, it's by definition a distraction.
Post by Alan DeKok
But most people (include the CEO of a
company I used to work for), don't care. He would get doc files from
head hunters, and open them blindly, not caring if the file contained
macros to steal corporate IP, and mail it outside of the company.
Even when it was explained to him that this could happen, he Just
Didn't Care.
But it just Doesn't Work That Way. You don't scan snail-mail from that
same headhunter for anthrax before opening it...
Alan DeKok
2004-07-22 16:09:47 UTC
Permalink
Post by Roger B.A. Klorese
Post by Alan DeKok
Sure. If the tools is designed properly, it works, and they don't
even know it works *right*.
If it's an additional tool, it's by definition a distraction.
And if you keep reading things I never said into my posts, this
whole thread is a waste of time.

Alan DeKok.
George Ou
2004-07-21 17:29:07 UTC
Permalink
----- Original Message -----
From: "Hallam-Baker, Phillip" <***@verisign.com>
To: "'George Ou'" <***@netzero.com>; "Hallam-Baker, Phillip"
<***@verisign.com>; "'Peter Smith'" <***@onlinecounsellors.co.uk>;
"'Larry Seltzer'" <***@larryseltzer.com>; "'Chris Lewis'"
<***@nortelnetworks.com>
Cc: <***@ietf.org>
Sent: Wednesday, July 21, 2004 9:09 AM
Subject: RE: [Asrg] Zombie spam
Post by Hallam-Baker, Phillip
I will accept that virus scanning may be an acceptable protection model
as an alternative to a blanket block, but the blanket block should be
the default.
Phill
I'll leave it at that since we technically agree. I don't have a problem
with telling people to block all executable content by default unless they
have a comprehensive anti-virus infrastructure in place. I just think that
you should not have propogated the idea that anti-virus don't work when in
fact they do when implemented properly.

George Ou
Seth Breidbart
2004-07-21 20:08:19 UTC
Permalink
I just think that you should not have propogated the idea that
anti-virus don't work when in fact they do when implemented
properly.
Most of us are interested in this universe, not some ideal one where
people aren't cheap, lazy, forgetful, ignorant, more interested in
avoiding blame than solving problems, . . .

If everybody had an anti-virus implemented properly, then we wouldn't
be getting the number of virus attempts we see. Therefore, it is
clearly not the case that everybody has an anti-virus implemented
properly. Anti-virus programs exist and are not new. Therefore,
unless you have some wonderful method, not yet attempted, of getting
_everybody_ (or some close approximation thereto) to implement them
properly, I don't believe it's going to happen.

Which is greater: the number of people who have a legitimate reason
for receiving runnable executables in email, or the number who are
open to virus propagation?

Seth
George Ou
2004-07-22 01:31:05 UTC
Permalink
----- Original Message -----
From: "Seth Breidbart" <***@panix.com>
To: <***@ietf.org>
Sent: Wednesday, July 21, 2004 1:08 PM
Subject: Re: [Asrg] Zombie spam
Post by Seth Breidbart
I just think that you should not have propogated the idea that
anti-virus don't work when in fact they do when implemented
properly.
Most of us are interested in this universe, not some ideal one where
people aren't cheap, lazy, forgetful, ignorant, more interested in
avoiding blame than solving problems, . . .
If everybody had an anti-virus implemented properly, then we wouldn't
be getting the number of virus attempts we see. Therefore, it is
clearly not the case that everybody has an anti-virus implemented
properly. Anti-virus programs exist and are not new. Therefore,
unless you have some wonderful method, not yet attempted, of getting
_everybody_ (or some close approximation thereto) to implement them
properly, I don't believe it's going to happen.
That wasn't the issue that I took up with Phillip. I took issue when he
claimed that Anti-virus solutions don't work (even when implemented) and
gave specific examples of how porous they are when in fact they do work when
properly implemented. I have no problem with recommending the banning of
executable attachments by default if no proper anti-virus solution is in
place and in fact I agree with it. Cost is not that big an issue here
whether at the gateway level or the desktop level.

Where I disagree however is that the normal user's time is better spent
doing what we paid them to do. For any organization or ISP, it is almost
always cheaper to implement comprehensive anti-virus protection than to
attempt social engineering. Email attachments simply need to work. I know
it's hard for the elite folks in this group to comprehend this but for those
of us in tune with the reality of business, it is simply a fact of life.
Post by Seth Breidbart
Which is greater: the number of people who have a legitimate reason
for receiving runnable executables in email, or the number who are
open to virus propagation?
Seth
The question should be which would more expensive. Implementing a proper
anti-virus gateway umbrella at HTTP, FTP, SMTP, groupware, and desktop, or
trying to teach users to find some crazy work around? For most businesses,
they pay their Sales and Support staff to sell and support, not screw around
with work arounds.

Like I keep saying in all my other messages, it's time we had some basic and
sane network access control from the ISPs that mandate a bare minimum level
of security from their users along with the proper gateway level anti-virus
umbrella I keep mentioning. This will greatly help end-users who don't have
any desktop level protection. It will be the most cost effective and
practical solution to the zombie problem.

George Ou
George Ou
2004-07-22 01:48:13 UTC
Permalink
----- Original Message -----
From: "Seth Breidbart" <***@panix.com>
To: <***@ietf.org>
Sent: Wednesday, July 21, 2004 1:08 PM
Subject: Re: [Asrg] Zombie spam
Post by Seth Breidbart
Most of us are interested in this universe, not some ideal one where
people aren't cheap, lazy, forgetful, ignorant, more interested in
avoiding blame than solving problems, . . .
This would be a valid point if we only had desktop level technology
available to us. An SMTP/FTP/HTTP anti-virus implemented at the
organization or ISP gateway level benefits all users within that
organization regardless of whether or not people were lazy and ignorant.
Gateway level anti-virus for SMTP, FTP, and HTTP can be purchased for as
little as $5000 and deliver clean "filtered" throughput as high as 80 mbps.
Don't tell me an ISP or medium sized organization can't afford this. For
smaller organizations, a $500 NetScreen or Fortinet firewall box will also
do anti-virus gateway filtering. You simply can't name a cheaper, simpler,
and more practical alternative. And no, terminating one's link to the
Internet is not a solution as some have suggested here.


George Ou
Hallam-Baker, Phillip
2004-07-22 12:05:40 UTC
Permalink
Post by George Ou
That wasn't the issue that I took up with Phillip. I took
issue when he
claimed that Anti-virus solutions don't work (even when
implemented) and
I said repeatedly that they do not work when people do not
implement them which is close to a tautology.

I was just speaking to an analyst who said that only a quarter
of PCs have any form of anti-virus protection of any kind. The
proportion that have up to date signatures is much less.
Post by George Ou
From a public health perspective we have to drain the malaria
ponds.
George Ou
2004-07-22 17:35:00 UTC
Permalink
-----Original Message-----
From: asrg-***@ietf.org [mailto:asrg-***@ietf.org] On Behalf Of
Hallam-Baker, Phillip
Sent: Thursday, July 22, 2004 5:06 AM
To: 'George Ou'; Seth Breidbart; ***@ietf.org
Subject: RE: [Asrg] Zombie spam
Post by Hallam-Baker, Phillip
Post by George Ou
That wasn't the issue that I took up with Phillip. I took
issue when he
claimed that Anti-virus solutions don't work (even when
implemented) and
I said repeatedly that they do not work when people do not
implement them which is close to a tautology.
First of all, you made very specific references to seeing hundreds of
virus infected email while using a filter.

Second, using a poorly implemented or non-implementation example is not
a good argument that a solution is bad. If we start walking down that
road, no methodology or solution is good.
Post by Hallam-Baker, Phillip
I was just speaking to an analyst who said that only a quarter >of PCs
have any form of anti-virus protection of any kind. The >proportion that
have up to date signatures is much less.

And it's those unprotected or outdated PCs that are the problem. That
doesn't me anti-virus solutions don't work, just that people aren't
using it enough. The fact of the matter is, if transparent anti-virus
solutions are implemented at the gateways for SMTP, FTP, and HTTP, it
would benefit 100% of the users behind them. This is exactly why I get
0 infected emails from my MSN account because they scan at the gateway.
Post by Hallam-Baker, Phillip
From a public health perspective we have to drain the malaria
ponds.
From a public health perspective, implementing proper anti-virus at the
gateways is the cheapest, most broadly effective, and pain free
experience for the end-users. This is a known fact in any organization
that chooses to implement such technology, and many ISPs such as MSN or
Yahoo also implement such technology successfully. The end-user who may
or may not have any anti-virus let alone updated definition files will
be protected from the vast majority of viruses from email, HTTP, or FTP
downloads. It's simply a matter of common sense.


George Ou
Continue reading on narkive:
Loading...