Return-Path: <sentto-279987-4567-1015425967-fc=all.net@returns.groups.yahoo.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Wed, 06 Mar 2002 06:48:08 -0800 (PST)
Received: (qmail 12419 invoked by uid 510); 6 Mar 2002 14:46:26 -0000
Received: from n14.groups.yahoo.com (216.115.96.64) by all.net with SMTP; 6 Mar 2002 14:46:26 -0000
X-eGroups-Return: sentto-279987-4567-1015425967-fc=all.net@returns.groups.yahoo.com
Received: from [216.115.97.162] by n14.groups.yahoo.com with NNFMP; 06 Mar 2002 14:48:12 -0000
X-Sender: fc@red.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: unknown); 6 Mar 2002 14:46:07 -0000
Received: (qmail 41779 invoked from network); 6 Mar 2002 14:46:06 -0000
Received: from unknown (216.115.97.167) by m8.grp.snv.yahoo.com with QMQP; 6 Mar 2002 14:46:06 -0000
Received: from unknown (HELO red.all.net) (12.232.72.152) by mta1.grp.snv.yahoo.com with SMTP; 6 Mar 2002 14:46:06 -0000
Received: (from fc@localhost) by red.all.net (8.11.2/8.11.2) id g26EkrY19464 for iwar@onelist.com; Wed, 6 Mar 2002 06:46:53 -0800
Message-Id: <200203061446.g26EkrY19464@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL3]
From: Fred Cohen <fc@all.net>
X-Yahoo-Profile: fcallnet
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Wed, 6 Mar 2002 06:46:53 -0800 (PST)
Subject: [iwar] [fc:On.the.ultimate.futility.of.server-based.mail.scanning]
Reply-To: iwar@yahoogroups.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Several postings on Bugtraq recently talked about DoS attacks against server-based mail-scanners.
Compress four gigabytes of zeros and debilitate mail scanners which uncompress .gz files, for example.

Several mail scanners try to be clever and examine .zip files, .tar.gz files, .arc files, etc. to look inside for viruses. This is ultimately futile. I gave one scenario:

    # Placeholder inputs: a small x86 jump stub, 400 MB of zeros, then the payload.
    # gzip reads the pipe only when given no filename, so the output is redirected.
    (cat small_x86_jmp_code; \
     dd if=/dev/zero bs=1k count=400k; \
     cat virus_payload) | gzip > virus.attach.gz

This DoSes virus-scanners which do not limit scanning-size, and sneaks past those which do.

There's an even better method, and one which is very amenable to social-engineering:

    "HEY! NUDE pictures of Pamela Anderson in the attachment nudie.zip.
    Just unzip and then run pam.exe. Oh, heh, heh, heh -- to keep your
    boss from seeing this, we've password-protected the zip file. The
    unzip password is z3kr3t. Enjoy!"

Zip encryption is pathetic. But I don't think anyone's seriously suggesting server-based scanners should brute-force encrypted zip files to check for viruses, or perform AI analysis of messages to extract passwords.

Ultimately, the responsibility falls on the MUA and the end-user's OS vendor. We either put secure end-user software onto the desktop, or we admit defeat.

--
David F. Skoll
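As an added example (not code from David Skoll's post, nor from any scanner it refers to), the Python below shows what the two tricks in the post demand of a scanner that insists on looking inside archives anyway. For the stub-zeros-payload gzip it enforces a hard cap on bytes actually produced by decompression, and treats reaching the cap as a rejection rather than as a truncated scan that "looked clean", which is the behaviour the layout is built to slip past. For the password-protected zip it reads the encryption flag from the central directory and reports the entry as uninspectable instead of passing it. The 1 MiB cap, the verdict labels and every sample attachment are assumptions constructed for the example; the 400 MB run of zeros is scaled down to 4 MiB so it runs quickly.

```python
"""Bounded archive triage for a server-side mail scanner (added example)."""
import gzip
import io
import struct
import zipfile
import zlib

MAX_OUTPUT = 1024 * 1024   # cap on decompressed bytes per attachment (assumed policy value)


def bounded_gunzip(data: bytes, max_output: int = MAX_OUTPUT) -> dict:
    """Decompress a .gz attachment without holding more than max_output bytes.
    Reaching the cap is a verdict, not a truncation: a scanner that quietly
    stops after N bytes is exactly what a jump stub + zeros + payload layout
    is built to walk past."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16 + wbits selects gzip framing
    produced, pending = 0, data
    while pending and not d.eof:
        # Ask for at most `room` bytes; input zlib could not consume because
        # the output budget ran out comes back in unconsumed_tail.
        room = max_output - produced + 1
        chunk = d.decompress(pending, room)
        produced += len(chunk)
        if produced > max_output:
            return {"verdict": "reject", "reason": "decompressed size exceeds cap"}
        pending = d.unconsumed_tail
    produced += len(d.flush())
    if produced > max_output:
        return {"verdict": "reject", "reason": "decompressed size exceeds cap"}
    if not d.eof:
        return {"verdict": "reject", "reason": "truncated or corrupt gzip stream"}
    return {"verdict": "within_limits", "produced": produced}


def inspect_zip(data: bytes, max_output: int = MAX_OUTPUT) -> dict:
    """Triage a .zip attachment.  Entries flagged encrypted (general-purpose
    bit 0) cannot be inspected server-side and are reported as such rather
    than passed; other entries are read through the same byte cap."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "reject", "reason": "not a valid zip"}
    total = 0
    with zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:
                return {"verdict": "uninspectable",
                        "reason": f"{info.filename} is encrypted"}
            # Declared sizes in the central directory can lie, so the cap is
            # enforced on bytes actually produced.  ZipExtFile.read(n)
            # decompresses incrementally, so this never inflates more than n.
            with zf.open(info) as member:
                total += len(member.read(max_output - total + 1))
            if total > max_output:
                return {"verdict": "reject", "reason": "decompressed size exceeds cap"}
    return {"verdict": "within_limits", "produced": total}


# --- constructed sample attachments (not from the original post) -------------

def build_stored_zip(name: str, payload: bytes, flag_bits: int = 0) -> bytes:
    """Hand-assemble a one-entry STORED zip.  Done by hand because zipfile cannot
    write an entry with the encryption flag set; the payload is not really
    encrypted, which does not matter since inspect_zip never opens it."""
    raw_name = name.encode("ascii")
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag_bits, 0, 0, 0,
                        crc, len(payload), len(payload), len(raw_name), 0) + raw_name
    body = local + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag_bits, 0,
                          0, 0, crc, len(payload), len(payload), len(raw_name),
                          0, 0, 0, 0, 0, 0) + raw_name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(body), 0)
    return body + central + eocd


def deflated_zip(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


SMALL_TEXT = b"hello\n" * 100
ZEROS = b"\x00" * (4 * 1024 * 1024)   # 4 MiB of zeros, scaled down from the post's 400 MB
SAMPLES = {
    "small_gz": gzip.compress(SMALL_TEXT),
    "zero_bomb_gz": gzip.compress(b"\xeb\x10" + ZEROS + b"PAYLOAD"),   # stub, zeros, payload
    "truncated_gz": gzip.compress(b"x" * 1000)[:20],
    "small_zip": deflated_zip("readme.txt", SMALL_TEXT),
    "zero_bomb_zip": deflated_zip("pam.exe", ZEROS),
    "encrypted_zip": build_stored_zip("pam.exe", b"MZ" + b"\x00" * 14, flag_bits=0x1),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        check = bounded_gunzip if label.endswith("_gz") else inspect_zip
        print(f"{label:14s} {len(blob):7d} compressed bytes -> {check(blob)}")
```

"within_limits" means only that the content could be materialised under the cap and handed to whatever scans it next; it is not a clean verdict, and nothing here decides whether content is malicious, which is the part the post argues the server cannot do. The triage also does not recurse into archives nested inside archives, which pose the same problem one level down and need the same cap applied at each level.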
This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:04 PST