Generating complaints (including RBL additions)?

I know, you were asking about something more pro-active, before one
has to respond to complaints etc.

It might however seem like a good service for someone like the DCC
folks to sell. Pay them to keep your ISP's mail servers in a watch
list so you can be alerted by them when some threshold is exceeded.

It might be difficult to distinguish from forwarding hosts.

We see problems where hosts which are primarily forward-only (like
those college-alumni or professional organization sites) get
interpreted (I won't quite say mistaken) to be spam sources since all
their boxes get hit, often in a fairly short period of time, and they
just forward it all on.

Oh let's just admit it, we're seriously f*****d.

There, I said it.

Apparently, they work well enough. The more the number of people using
them, the more effective they are. The open relay blacklists were
successful enough to get spammers to move to zombies instead.

Lists like the CBL are having an effect.

What is not working is filtering. The spammers response to filters is to
send more spam.
Works for me, and for my employer.

Devdas Bhagat

Heck, check for:

/^((Content-(Disposition: attachment;|Type:).*|\ +)| *)(file)?name\ *=\ *"?.*\.(lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wmf)"?\ *$/ REJECT attachment type not allowed

If you really think that users will be sending non-virus EXE's to
each other on a regular basis, and you really care about their
unfettered access to the net, route those messages through a slow
machine. Rate-limit it's sending capability, and limit it's storage
space for messages. Small numbers of non-virus files can get through,
but a large virus load will overwhelm the machine, and cause most
traffic to be discarded/rejected.

Alan DeKok.

Doesn't help with zombies - they don't (or almost never) go thru relays.
They have their own clients and go direct to the victim's MX. Thus, A-V
on your outbounds won't do a thing.

We do something like that as well, but there have been viruses
recently which occupy zip files (which we can't block because of past
recommendations to our users which painted us into a corner) and at
least one which uses an exploit that requires no attachment at all.

Tony.

Viruses often propagate within the organization, or get sent through the
relays because of a .forward file. So scanning all email is definitely
useful.

Tony.

RE: [Asrg] Zombie spamThis is a Band-Aid. I noticed you were not blocking *.zip files or *.* files since users will manually rename their files to anything. Many viruses will come through as encrypted zip files. For example, an encrypted zip called "KillMySystem.zip" will come through with the password "IAmSuchAnIdiot" and there will be users that will still go and open up the attachment. Ultimately, the only thing that will keep unwanted executables from launching is strict Authenticode policies. Windows XP SP2 is a huge step in that direction.
----- Original Message -----
From: Alan Monaghan
To: '***@ietf.org'
Sent: Monday, July 19, 2004 12:07 PM
Subject: RE: [Asrg] Zombie spam


Here is our list of extensions that we block from our world, in case it helps anyone. We are a windows shop w/ Exchange and Anti-Gen on our front end...

*.386
*.acm
*.ade
*.adp
*.adt
*.aif
*.aifc
*.aiff
*.app
*.asd
*.asf
*.asp
*.asx
*.au
*.avi
*.ax
*.bas
*.bat
*.bin
*.bxd
*.cda
*.cdr
*.chm
*.cla
*.cmd
*.cnt
*.cnv
*.com
*.cpl
*.crt
*.css
*.dev
*.dll
*.drv
*.exe
*.gms
*.grp
*.hlp
*.hta
*.hto
*.inf
*.ini
*.ins
*.isp
*.ivf
*.js
*.jse
*.lnk
*.m3u
*.mdb
*.mde
*.mid
*.midi
*.mlv
*.mov
*.mp2
*.mp3
*.mpa
*.mpd
*.mpe
*.mpeg
*.mpg
*.mpp
*.mpt
*.mpv2
*.msc
*.msi
*.mso
*.msp
*.mst
*.nws
*.obd
*.obt
*.ocx
*.ole
*.pcd
*.pci
*.pif
*.pot
*.prc
*.pwz
*.qlb
*.qpw
*.qt
*.reg
*.rmi
*.sbf
*.scr
*.sct
*.shb
*.shs
*.smm
*.snd
*.sys
*.td0
*.tlb
*.tsp
*.tty
*.vb
*.vbe
*.vbs
*.vwp
*.wav
*.wax
*.wbt
*.wiz
*.wma
*.wml
*.wmp
*.wms
*.wmv
*.wmx
*.wmz
*.wpc
*.wpd
*.wsc
*.wsf
*.wsh
*.wvx
*.xml
*.xsl
*.xtp






Be like water my friend ...
Alan G. Monaghan
[ MCSE+I - Win4.0/ MCSE - Win2k/ BJCP # C0389(Recognized) Ò¿Ó¬ ]
Systems Administrator
Gardner Publications, Inc.

*Phone ...... 1-513-527-8867
*Fax ........ 1-513-527-8801
*Car ........ 1-513-520-6866
*Cell ....... 1-513-378-0919
*E-mail ..... ***@Gardnerweb.com
*URL ........ http://Bullwinkle.GardnerWeb.Com/

They are worms that propagate by spamming a trojan or an exploit.
Hahahahaha. People are so determined to infect themselves that they'll
unpack a password-protected zip from a stranger without the slightest idea
of what is in it.
http://vil.nai.com/vil/
http://www.f-secure.com/weblog/

etc. etc.

Tony.

Windows XP Service Pack 2 has deployed what is probably the most practical
solution to this problem. You can't really "block" EXEs since people will
simply rename the file to something else. XP SP2 will flag the attachment
(even after it is saved to the HD in some folder) as untrusted and will
refuse to execute. I'm assuming they must using Authenticode here to
determine the validity or trustworthiness of a file. You can't stop people
from sending or receiving executable files, so the best thing to do is to
make sure that the EXE has not been tampered with and is from a trusted
source such as a major software publisher or your IT department.

George Ou


----- Original Message -----
From: "Hallam-Baker, Phillip" <***@verisign.com>
To: "Hallam-Baker, Phillip" <***@verisign.com>; "'Tony Finch'"
<***@dotat.at>; <***@ietf.org>
Sent: Monday, July 19, 2004 5:24 PM
Subject: RE: [Asrg] Zombie spam

Hallam-Baker, Phillip wrote:

Strictly speaking most of these things are trojans, however, using the
.scr/.pif trick (amongst others), you can make self-extracting zips launch.

While you'd think people would be suspicious of such things, when you're
talking medium to large populations, at least some always fall for it.
Even after the Mydoom explosion, we had people falling for beagle.

Some of these things are getting quite good at human engineering. Not
quite as good as some of the phishing attempts we see, but close.

It's relatively easy to stop executables, either bare attachments, or
zipped ones, regardless of suffix. Body scan for the executable "magic
strings". There's one for .exes and one for .coms: 2. Then generate all
three base64 rotations of those: 6. Then, split each in half, so that
line wrap in a base64 zip file won't break the string in an inopportune
time: 12 patterns in total. This is essentially 100% on Mydoom/Netsky
and a host of others, and is partially effective on Bagel/Beagle.

For the encrypted variants of Bagel/Beagle, there's two approaches:
simply catch everything that's an encrypted zip regardless of suffix
(which is what we're doing now), or, realize that encrypted zips don't
encrypt file names, and look for "suspicious" file names.

As for notification: not only is bouncing virus warnings a bad idea
(because the sender is always forged), in the large scale, forwarding
notices (or even eviscerated viruses like Antigen does) is bad. The
latter is particularly obnoxious because it _looks_ like a virus and
panics people (help line calls etc). The volume is just way too high -
we have one user whose averaging 8000 viruses per _day_. God knows how
that happened (I've tried to analyze it to see if it's possible to get
them nuked at source, but aside from a few IPs being responsible for
about a quarter of it, the rest are from all over). I hate to think of
what it would be like if we were forwarding notices...

is very important to differentiate between a trojan that is spammed and a virus that is
replicating by nearest neighbor contact.

This is actually very well understood, at least for the average mass-mailing worm. A
spammed trojan is probably seeded through regular e-mail from a zombied system or some
other similar technique for covering tracks.

But for several years mass-mailing worms have used pretty much the same technique for
gathering e-mail addresses: They scan certain files in the user's file system for
addresses. They use this list both for the destination and the spoofed from: address.
The files they scan include the raw address book files of e-mail clients, txt and doc
files and, most importantly, .htm* files, especially those in the user's browser cache.
(According to Symantec, the latest Bagle variant that we're talking about searches for
these files: .adb, .asp, .cfg, .cgi, .dbx, .dhtm, .eml, .htm, .jsp, .mbx, .mdx, .mht,
.mmf, .msg, .nch, .ods, .oft, .php, .pl, .sht, .shtm, .stm, .tbb, .txt, .uin, .wab,
.wsh, .xls, .xml ) It would be interesting to see how many addresses one can get from
the average system this way.

Many years ago in the Melissa/LoveLetter era, worms used MAPI calls to access the
address book, but Microsoft put a stop to this for non-stupid users. The Outlook E-mail
Security Update, released over 4 years ago, blocked programmatic access to the address
book without explicit user permission (this is why you get that dialog box when you try
to synch your Palm with Outlook). It also blocked all directly-executable attachments. A
similar update for Outlook Express came later. So, IOW, all users still getting and
executing these worms - apart from the ones who actually extract the password-protected
ZIP file - are using either non-Microsoft e-mail clients or clients that have not been
updated in several years.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
***@ziffdavis.com

Self-extracting ZIP files are executables, typically .EXE files. Any system that blocks
executables blocks them. Nothing to see here folks, move on.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
***@ziffdavis.com

I've tried it. It works pretty well, but there are some seriously
broken MTAs that manage to send real bounces that will fail any
signature check. I agree that you won't get any blowback with valid
signatures.

Is a precise statement possible? It seems to me that there are many
different 'bad guys' out there with many different motivations and
consequently, there are many different forms of attack.
With regards to what we 'know', if you take any one form of attack you can
make a strong case for changing your security to counter it, but to use it
as an argument for removing or ignoring other measures as they do not seem
to apply in this instance seems a little questionable.


Peter Smith

The end of that paragraph provides the answer.

What would anti-virus companies sell if they were successful?

Seth

----- Original Message -----
From: "Hallam-Baker, Phillip" <***@verisign.com>
To: "'Peter Smith'" <***@onlinecounsellors.co.uk>; "Hallam-Baker, Phillip"
<***@verisign.com>; "'Larry Seltzer'" <***@larryseltzer.com>; "'Chris
Lewis'" <***@nortelnetworks.com>
Cc: <***@ietf.org>
Sent: Tuesday, July 20, 2004 12:45 PM
Subject: RE: [Asrg] Zombie spam
Yes it works, but at what cost? You're telling people to cut their arm off
to stop an infection at the finger when that finger can be treated
effectively at well over 99.9% of the time using existing and proven
technology. It's like telling people to take a knife to their T1 link to
the internet if they don't want to get hacked from the network. Why bother
with anti-virus or firewalls at all? Just rip out your Ethernet adapter and
you'll never have to worry about getting infected again.

When you say "executable", there is a list of over 30 file extensions that
are executable or contain executable capability. People need to transmit
some form of these files to one another at some point, including the ability
to transmit PGP or S/MIME emails with sensitive attachments such as
financial data. Breaking functionality for the sake of security is not a
solution for most of us. We are not going to an era of clear text files
only with zero attachments.

The fact of the matter is, signature based scanning system DO WORK. There
is a very small statistical chance that you will get infected by a day zero
virus. In the 3 years of anti-virus SMTP gateway operation in our company,
a day zero outbreak happened only once for a 1 hour period before it was
contained in my 1000 user environment. The fact of the matter is, email
viruses are largely a non-issue for organizations with anti-virus SMTP
gateways. It provides a massive umbrella for 99.9% of the issues. 99.9% of
the problems are from people with no SMTP gateway protection and no firewall
protection. Recently, the encrypted zip files have provided a challenge to
the anti-virus SMTP gateway, but that is why we have desktop level
anti-virus protection. Ultimately, the OS must not permit executables to
run regardless of where it came from if it isn't from a trusted source and
if it has been tampered with. Strict Authenticode policies will soon be the
norm on the desktop. Windows XP SP2 is a huge step in the direction for the
better.

Some of these threads are just getting plain silly.


George Ou

On 20/07/04 12:45 -0700, Hallam-Baker, Phillip wrote:
<snip>
The Default Deny vs Default allow debate again?
Convenience against security?
Marketing?

Take your pick of the reasons. People for some reason do want to send
executables around. There are better methods, but they don't want to use
them. After all, email is so easy to use. Just drag the file onto the
mail client icon. Or right click and choose "send to email recipient" or
whatever it says.

Being able to say we block n signatures and then n+K allows for selling
virus signature updates. As opposed to a secure system which can be
sold once, but then never again.

As far as the encrypted content goes, I *like* being able to encrypt
stuff and then send it. Encryption has its place. So does compression.

Let me ask the question the other way, why do we have to deal with
platforms that allow for such easy infection?
Ask any good firewall administrator. Then figure out why there are so
many misconfigured firewalls out there.

Devdas Bhagat

Surely you know the answer: because then they'd lose their update
subscription revenue.

My copy of qmail uses a patch from Russ Nelson that rejects EXE and a
few other type of attachments at SMTP time, based on the first few
bytes of the attached file, not on what the MIME metadata claims. It
works great. I don't remember the last time I saw a virus.

Regards,
John Levine, ***@taugh.com, Taughannock Networks, Trumansburg NY
http://www.taugh.com

Excellent point. I'm speaking to the Open Group, which does a lot of
interop testing and best practices, on Thursday and will be sure to
mention it.

Regards,
John Levine, ***@taugh.com, Taughannock Networks, Trumansburg NY
http://www.taugh.com

Does anyone else find it as ironic as I do that someone who is willing
to take a strict standards-compliance stance with _others_ is content
to do something as egregious and mail-system-breaking as discarding
bounces without even looking at them? Even if it's, strictly,
standards compliant (which I'm not sure it is; I'm just not sure it's
not), that's a great way to break email.

Not that that detracts from the point that ignoring standards is a
large part of what's keeping us in the mess we're in.
I suppose actually understanding what they're working with (the
standards and the software) is out of the question?

/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

Bounces should *never* have used SMTP for their delivery. Control
signalling should always be out of band with respect to the data.
e.g. TCP to non-open ports returns ICMP "port unreachable", not a
return TCP connection to the originating host.

Alan DeKok.

they are a plague.

The problem here is people running no antivirus software at all or old protection. These
things wouldn't spread very far, even the new ones, if everyone had antivirus
protection.
Ditto
What virus filters are you running? Did you buy the house brand at Pathmark?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
***@ziffdavis.com

----- Original Message -----
From: "Hallam-Baker, Phillip" <***@verisign.com>
To: "'George Ou'" <***@netzero.com>; "Hallam-Baker, Phillip"
<***@verisign.com>; "'Peter Smith'" <***@onlinecounsellors.co.uk>;
"'Larry Seltzer'" <***@larryseltzer.com>; "'Chris Lewis'"
<***@nortelnetworks.com>
Cc: <***@ietf.org>
Sent: Tuesday, July 20, 2004 3:20 PM
Subject: RE: [Asrg] Zombie spam
The key word here is "I". "I" does not comprise the rest of the world. The
rest of the world needs to be able to transmit files to each other and don't
live in the stone age. If it can't go through email, then an ftp link or
and http link sent within the email will suffice and your EXE blocking
policy is totally useless. Microsoft has attempted to block EXEs in the
past but is shifting their strategy to trusted and untrusted zones. It
doesn't matter if the file is stored as an attachment or as a file in your
HD and it doesn't matter if it came from Sneaker-net, SMB, NFS, HTTP FTP or
MIME. What they do is flag the file as untrusted so that it cannot be
launched by the user period. Blocking executables was a Band-Aid that never
really worked well. It is not a comprehensive solution and it only serves
to make computing more difficult for the average user. Strict Authenticode
policies are the not so distant future.
You must not have read my email. Those of us that have anti-virus SMTP
gateways that automatically update themselves daily with something like
Trend VirusWall virtually never see any infected emails. In the 3 years of
operation, I have only seen a single out break that was contained within an
hour. Recently with the advent of encrypted ZIP files, those have come
through but our desktop antivirus have kicked in. Within the next few
months, I'm going to mandate that our IT department upgrades everyone to
SP2. Once that is done, executables won't launch even if they don't match
an existing virus signature.
Nonsense, comprehensive Anti-virus solutions are over 99.9% effective when
implemented properly. This means you have auto-updating
SMTP/FTP/HTTP/Exchange/Notes anti-virus gateways that provide a large
protective umbrella. Then a centrally managed desktop anti-virus solution
that is centrally patched protects the end-level protection. It is a fact
that these are well over 99.9% effective. Since you're seeing hundreds of
infected emails everyday, you must be using a lousy product or a poor
implementation. It surprises me to no end that some organizations still
don't have a clue how to implement effective anti-virus. The plague of
zombies that you are seeing are from people with out-dated or no anti-virus
protection and/or they're connected to the dirty internet with zero firewall
protection (not even NAT). It is a fact that the bulk of these zombies came
from Comcast users who were connected 24x7 with zero protection.
Still, your recommendation breaks PGP and S/MIME not to mention that it is
totally useless against FTP or HTTP links such as
ftp://test.somedomain.com/binnary.exe. Even if you have an email app that
doesn't make it clickable, you can't stop someone from doing a cut-paste
operation in to their browser.
Ah, I thought you didn't believe in anti-virus or scanning?
Ah, now you're singing my tune. Once XP SP2 is installed and a
comprehensive and strict trust/untrust mechanism is in place, then the
problem is largely mitigated.
Because people don't always use them, they don't implement a comprehensive
solution or they implemented a lousy solution.
You must be using a lousy product. Other than the encrypted ZIP stuff, I
see zero infected emails showing up in any of our user's mail boxes. If
that gets to be a bigger problem, we'll start blocking encrypted ZIPs. One
possible solution is if the anti-virus gateway will send a form letter to
the user asking the user to decipher the password so that the gateway can
decrypt the ZIP and scan it. Ultimately, I'm looking to XP SP2.

What I've noticed on many occasions and installations is that for some
reason, the Unix version of Trend VirusWall would let several infected
attachments through while the Windows version wouldn't.
XP SP2 trusted/untrusted executables resolves this. I've explained this
enough times, go look this up.
I don't see how the two arguments are mutually exclusive. I've been saying
XP SP2 will be a huge factor in mitigating Trojans and viruses for months
including the last few emails. You just appear to be ignoring them or not
reading them.
The latter is not more extreme and it's a hell of a lot more functional and
effective that brute force binary blocking. Microsoft would seem to agree
with their soon to be released XP SP2.

I would take the code signing machines a step further. Make sure that they
are using HSMs so that their private keys can't be harvested by worms or
viruses. Many new computers have embedded TPMs (Trusted Platform Modules)
in them, and that is a step in the right direction.


George Ou

----- Original Message -----
From: "Hallam-Baker, Phillip" <***@verisign.com>
To: "'George Ou'" <***@netzero.com>; "Hallam-Baker, Phillip"
<***@verisign.com>; "'Peter Smith'" <***@onlinecounsellors.co.uk>;
"'Larry Seltzer'" <***@larryseltzer.com>; "'Chris Lewis'"
<***@nortelnetworks.com>
Cc: <***@ietf.org>
Sent: Tuesday, July 20, 2004 7:27 PM
Subject: RE: [Asrg] Zombie spam
Key phrase here is "IETF'ers or Sysops". I'm talking about mere mortals.
Mime a very convenient mechanism for mere mortals, if one can provide a save
environment with modern anti-virus measures for a few thousand dollars, then
most corporations will not penny pinch. It's a hell of a lot more expensive
in man-hours if you have more than 20 users. The maintenance license is
really not that expensive.
What about S/MIME and PGP messages? What about encrypted ZIP files? Are
you going to make exceptions for those?
Why don't you stick to the topic and answer the question? HTTP and FTP
links are a reality except it's a little more difficult for most people to
use. The reality is, any organization should implement anti-virus
technology at the HTTP, FTP, and SMTP gateways for that large umbrella of
protection. Exchange or Notes anti-virus and Desktop level protection are
the last line of defense. Windows XP SP2 trusted and untrusted executables
takes this to the next level and protects against Trojans and viruses that
don't have any known signature.
Stupid question. You should know better than that. Let me give you a clue,
it's the same reason you quarantine questionable spam instead of deleting
it.
What I'm getting at is that it's penny wise and a pound foolish for any
email system serving more than 25 people.
There are free basic firewalls out there for any OS. Anti-virus usually
come bundled with most PCs and even many motherboards. Downloading new
definitions don't cost a thing. Since the majority of computers in the
world run Windows XP, upgrading to SP2 is free. You get a default on
firewall, recompiled OS with a buffer overflow checking compiler, an OS that
refuses to execute untrusted binaries. Cost is not much of a concern here.
In the real world, most people already run Windows XP, and that number will
only rise. If you don't run XP, get yourself a free firewall. ISPs should
mandate these free downloads to customers when they sign them up or they
should provide inbound protection for their users. Users who refuse to
protect themselves should be disconnected. There is no excuse for not
running inbound firewall protection.
Most computers and motherboards come with anti-virus. If not, go to
PriceWatch.com and buy yourself a copy of Panda or Trend anti-virus for
$4-$6. The money argument is totally bogus so why don't you stop whining
about the cost. If you're running an ISP, the cost of implementing an
anti-virus SMTP gateway is negligible when spread across all the users. I
never get a single virus from my free MSN account since they've implemented
anti-virus at the gateway. ISPs shouldn't be permitted to operate email
service if they refuse to implement gateway scanning. I can't believe we're
even debating this at this point. It would be so cheap to mandate this at
the ISP level.
That is why most people will never buy software from you, and certainly
would hate to have you as an Email administrator. I would dare say 9 out of
10 CIOs or IT directors would listen to me.
Some of these Unix folks are elitists that need to get their head out of the
80s. You ever wonder why Unix users make up less than 5% of the population?
If signature based protection mechanisms protect you over 99.9% of the time,
you don't give up on it because of the .1% it can't cover. Additionally,
strict Authenticode policies or XP SP2 will solve this. XP SP2 is very
relevant since the vast majority of computers in the world run Windows XP.
Windows 2000 has local or domain level group policy capability that can
enforce Authenticode. If you're running Win9x or ME, get yourself a free
firewall and a $4 anti-virus package. Outlook and Outlook Express already
block EXEs on those OSes anyways.
Getting a cybersecurity policy that mandates ISPs to implement transparent
anti-virus HTTP, FTP, and SMTP gateways would make eminent sense. Another
side benefit to these FTP and HTTP scanners is that they cache too, and can
save an ISP a lot of bandwidth on the backhaul. Licensing on this stuff is
not based on the number of users and is cost negligible. Mandating a
minimum of free inbound firewalls on all broadband enabled computers would
make eminent sense. As far as I'm concerned, the industry should not wait
until the federal government gets involved. If an ISP doesn't participate,
the rest of the industry should block all traffic from them until they
comply.
You're not going to get anywhere telling people to stop using anti-virus or
banning attachments.
If you know, why do you come up with these cockamamie suggestions.
See above.
George Ou

----- Original Message -----
From: "Hallam-Baker, Phillip" <***@verisign.com>
To: "'George Ou'" <***@netzero.com>; "Hallam-Baker, Phillip"
<***@verisign.com>; "'Peter Smith'" <***@onlinecounsellors.co.uk>;
"'Larry Seltzer'" <***@larryseltzer.com>; "'Chris Lewis'"
<***@nortelnetworks.com>
Cc: <***@ietf.org>
Sent: Tuesday, July 20, 2004 7:27 PM
Subject: RE: [Asrg] Zombie spam
It's obvious from your position that you are very intelligent.
Unfortunately, guys like you have a tendency to be elitist and you tend to
ignore the needs of the common user. Your attacks on binary attachments is
simply a case of being a penny wise and a pound foolish, it's simple as
that. People have been declaring the death of signature based systems for
years and they've been made fools over and over again. I don't care if
someone invents some fancy new "behavior" based system for anti-virus or
IDS, it will always make sense to scan for signatures because it's a quick
and dirty sanity check. Any new mechanism will always complement, not
replace signature based systems.

I'm glad you mentioned the cost of anti-virus systems and others have even
mentioned the ethics of them. It would seem to me that $4 for an anti-virus
package or a few thousand dollars for an anti-virus gateway is a hell of a
lot more reasonable than paying $500 a year for a few signed bits. As for
ethics, it would seem to me that your own employer has a pretty bad
reputation as far as ethics are concerned within the Internet community.
When I say Authenticode, there is no reason that it has to be signed by a
$500 a year digital certificate. In house PKIs will suffice for most
internal applications. I can't wait for the day that PKI is delegated like
DNS with something like DNSSEC. This business of paying through the nose
for a few signed bits is ludicrous.


George Ou

That's because they don't participate in the day-to-day business of the
people on the front lines of the company's business, but rather, seek to
straitjacket them by simple-minded approaches to problems.
It matters at least as much to me what's easiest for the sales force,
help-desk staff, etc. -- the people who do the real work of the company
-- than the edict of a CIO or CSO. Many have tried to put up secure
shared folders, secure file access portals, etc... but the troops
understand email, and email alone, so email has to rise to the
challenge. People are too busy doing real work to bother with new tools
only to meet some else's agenda.

----- Original Message -----
From: "Hallam-Baker, Phillip" <***@verisign.com>
To: "'George Ou'" <***@netzero.com>; "Hallam-Baker, Phillip"
<***@verisign.com>; "'Peter Smith'" <***@onlinecounsellors.co.uk>;
"'Larry Seltzer'" <***@larryseltzer.com>; "'Chris Lewis'"
<***@nortelnetworks.com>
Cc: <***@ietf.org>
Sent: Wednesday, July 21, 2004 9:09 AM
Subject: RE: [Asrg] Zombie spam
I'll leave it at that since we technically agree. I don't have a problem
with telling people to block all executable content by default unless they
have a comprehensive anti-virus infrastructure in place. I just think that
you should not have propogated the idea that anti-virus don't work when in
fact they do when implemented properly.

George Ou

-----Original Message-----
From: asrg-***@ietf.org [mailto:asrg-***@ietf.org] On Behalf Of
Hallam-Baker, Phillip
Sent: Thursday, July 22, 2004 5:06 AM
To: 'George Ou'; Seth Breidbart; ***@ietf.org
Subject: RE: [Asrg] Zombie spam
First of all, you made very specific references to seeing hundreds of
virus infected email while using a filter.

Second, using a poorly implemented or non-implementation example is not
a good argument that a solution is bad. If we start walking down that
road, no methodology or solution is good.
have any form of anti-virus protection of any kind. The >proportion that
have up to date signatures is much less.

And it's those unprotected or outdated PCs that are the problem. That
doesn't me anti-virus solutions don't work, just that people aren't
using it enough. The fact of the matter is, if transparent anti-virus
solutions are implemented at the gateways for SMTP, FTP, and HTTP, it
would benefit 100% of the users behind them. This is exactly why I get
0 infected emails from my MSN account because they scan at the gateway.
gateways is the cheapest, most broadly effective, and pain free
experience for the end-users. This is a known fact in any organization
that chooses to implement such technology, and many ISPs such as MSN or
Yahoo also implement such technology successfully. The end-user who may
or may not have any anti-virus let alone updated definition files will
be protected from the vast majority of viruses from email, HTTP, or FTP
downloads. It's simply a matter of common sense.


George Ou