[iwar] [fc:On.the.ultimate.futility.of.server-based.mail.scanning]

From: Fred Cohen (fc@all.net)
Date: 2002-03-06 06:46:53


Return-Path: <sentto-279987-4567-1015425967-fc=all.net@returns.groups.yahoo.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Wed, 06 Mar 2002 06:48:08 -0800 (PST)
Received: (qmail 12419 invoked by uid 510); 6 Mar 2002 14:46:26 -0000
Received: from n14.groups.yahoo.com (216.115.96.64) by all.net with SMTP; 6 Mar 2002 14:46:26 -0000
X-eGroups-Return: sentto-279987-4567-1015425967-fc=all.net@returns.groups.yahoo.com
Received: from [216.115.97.162] by n14.groups.yahoo.com with NNFMP; 06 Mar 2002 14:48:12 -0000
X-Sender: fc@red.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: unknown); 6 Mar 2002 14:46:07 -0000
Received: (qmail 41779 invoked from network); 6 Mar 2002 14:46:06 -0000
Received: from unknown (216.115.97.167) by m8.grp.snv.yahoo.com with QMQP; 6 Mar 2002 14:46:06 -0000
Received: from unknown (HELO red.all.net) (12.232.72.152) by mta1.grp.snv.yahoo.com with SMTP; 6 Mar 2002 14:46:06 -0000
Received: (from fc@localhost) by red.all.net (8.11.2/8.11.2) id g26EkrY19464 for iwar@onelist.com; Wed, 6 Mar 2002 06:46:53 -0800
Message-Id: <200203061446.g26EkrY19464@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL3]
From: Fred Cohen <fc@all.net>
X-Yahoo-Profile: fcallnet
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Wed, 6 Mar 2002 06:46:53 -0800 (PST)
Subject: [iwar] [fc:On.the.ultimate.futility.of.server-based.mail.scanning]
Reply-To: iwar@yahoogroups.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Several postings on Bugtraq recently talked about DoS attacks against
server-based mail-scanners.  Compress four gigabytes of zeros and
debilitate mail scanners which uncompress .gz files, for example.

Several mail scanners try to be clever and examine .zip files, .tar.gz
files, .arc files, etc. to look inside for viruses.

This is ultimately futile.

I gave one scenario:

(cat small_x86_jmp_code; \
 dd if=/dev/zero bs=1k count=400k; \
 cat virus_payload) | gzip > virus.attach.gz

This DoS's virus-scanners which do not limit scanning-size, and sneaks past
those which do.

There's an even better method, and one which is very amenable to
social-engineering:

"HEY!  NUDE pictures of Pamela Anderson in the attachment nudie.zip.  Just
 unzip and then run pam.exe.  Oh, heh, heh, heh -- to keep your boss from
 seeing this, we've password-protected the zip file.  The unzip password
 is z3kr3t.  Enjoy!"

Zip encryption is pathetic.  But I don't think anyone's seriously suggesting
server-based scanners should brute-force encrypted zip files to check for
viruses, or perform AI analysis of messages to extract passwords.

Ultimately, the responsibility falls on the MUA and the end-user's OS
vendor.  We either put secure end-user software onto the desktop, or
we admit defeat.

--
David F. Skoll
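The post's two failure modes (a scanner that expands without a cap gets exhausted, a scanner that stops at a cap and then delivers lets the payload behind the padding through, and an encrypted zip cannot be inspected at all) come down to one rule on the server side: a cap on expanded size and an uninspectable entry must both fail closed. The following is an added example, not code from the post or its author, showing that rule as a bounded archive inspector. The cap value (MAX_EXPANDED), the verdict tuples, the helper names and the sample attachments are all constructed for the example; the encrypted-zip sample is produced by flipping the encryption flag in a plain archive, because Python's zipfile cannot write encrypted entries.

```python
import gzip
import io
import zipfile
import zlib

# Constructed policy value for this example: never expand more than 1 MiB per attachment.
MAX_EXPANDED = 1 * 1024 * 1024
CHUNK = 64 * 1024


def read_capped(stream, limit):
    """Pull decompressed bytes from a file-like object in small chunks.

    Returns the whole payload if it fits within `limit` bytes, or None as soon
    as the cap is exceeded, so a highly compressible stream of zeros costs at
    most limit + CHUNK bytes of memory rather than its expanded size.
    """
    out = bytearray()
    while len(out) <= limit:
        chunk = stream.read(CHUNK)
        if not chunk:
            return bytes(out)
        out += chunk
    return None


def inspect_gzip(data, limit=MAX_EXPANDED):
    """Verdict for a .gz attachment: ("scan", expanded_size) or ("quarantine", reason).

    Hitting the cap is a quarantine, not a pass: stopping at the cap and then
    delivering the message is exactly what lets a payload behind a run of
    zeros through unscanned.
    """
    try:
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            payload = read_capped(gz, limit)
    except (OSError, EOFError, zlib.error):  # bad magic, truncated stream, bad deflate data
        return ("quarantine", "corrupt")
    if payload is None:
        return ("quarantine", "oversized")
    return ("scan", len(payload))  # fully expanded bytes go on to the AV engine


def inspect_zip(data, limit=MAX_EXPANDED):
    """Verdict for a .zip attachment, with one expansion budget shared by all entries.

    An entry carrying the encryption flag cannot be inspected, so it is
    quarantined rather than reported as "nothing found".
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            budget = limit
            expanded = 0
            for info in archive.infolist():
                if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                    return ("quarantine", "encrypted")
                with archive.open(info) as member:
                    payload = read_capped(member, budget)
                if payload is None:
                    return ("quarantine", "oversized")
                budget -= len(payload)
                expanded += len(payload)
    except (zipfile.BadZipFile, EOFError, zlib.error):
        return ("quarantine", "corrupt")
    return ("scan", expanded)


def build_samples():
    """Constructed test inputs, not real mail: a benign .gz, a .gz of zeros that
    expands far past the cap (the shape of the scenario in the post), a plain
    .zip, an oversized .zip, and a .zip whose only entry is flagged encrypted."""
    zeros = b"\0" * (4 * MAX_EXPANDED)  # 4 MiB of zeros compresses to a few KiB

    plain = io.BytesIO()
    with zipfile.ZipFile(plain, "w") as zf:
        zf.writestr("readme.txt", b"plain entry")

    big = io.BytesIO()
    with zipfile.ZipFile(big, "w") as zf:
        zf.writestr("big.bin", zeros, compress_type=zipfile.ZIP_DEFLATED)

    # zipfile cannot write encrypted entries, so set general-purpose bit 0 in the
    # single local header (offset 6) and central directory header (offset 8).
    flagged = bytearray(plain.getvalue())
    flagged[flagged.index(b"PK\x03\x04") + 6] |= 0x1
    flagged[flagged.index(b"PK\x01\x02") + 8] |= 0x1

    return {
        "gz_small": gzip.compress(b"hello, attachment\n"),
        "gz_bomb": gzip.compress(zeros),
        "zip_plain": plain.getvalue(),
        "zip_big": big.getvalue(),
        "zip_encrypted": bytes(flagged),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        check = inspect_gzip if name.startswith("gz") else inspect_zip
        print(name, check(blob))
```

Only the "scan" verdict hands bytes to a signature engine; every other verdict holds the message for a human or the recipient's own desktop protection, which is the same place the post says the responsibility ultimately lands.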


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:04 PST