[personal profile] doc_strange
With the recent surge in mass email "worms" that spoof sender addresses, I (and many others, of course) have been seeing a ton of messages like:

    Your email could not be delivered because it contained the virus
    [mass-email virus or worm here] and has been blocked by the [brandname here]
    oh-so-31337 antivirus gateway about which you can get more information at
    [slimeball website here].

Ok, look: when I test security-related systems, one area I examine is automated response mechanisms: auto-blocking, responsive probes, finger lookups, whois lookups, email responses, even logging. These are things an attacker can use with lightweight effort to create much larger effects. The accelerant effect, which used to be the key to major DDoS efforts (now it's more doable with botnets), is still key to making someone's life hell. Calling 10 pizza joints and ordering 5 pizzas from each to the victim's house. Sending 1000 small packets to a sucker subnet and getting 200,000 much larger responses sent to the victim. Beating the crap out of the victim's DNS server because one 64-byte UDP packet, spoofed to look like it came from the victim and sent to the sucker's network, generates several DNS requests from the sucker to the victim for each little packet you have to send to the sucker...

The idea is simple: the attacker does X effort and gets X times Y effect on the victim. So, given a nice long antivirus response, and simple, scripted SMTP attacks that inject, over and over, spoofed letters purporting to be from [victim], with simple, small antivirus triggers (like the EICAR test signature, even)... one can merrily have a disproportionate impact.

Not to mention that it makes these fricking worm outbreaks that much more of a pain in the ass.

Antivirus vendors, take heed:
Only internal users should be notified when their own outbound mail is blocked for having a virus. Oh, and the local admins can get the info from the console if someone wonders whether a letter went missing. There are millions of emails PER HOUR being spoofed by worms now; no need to make things worse by sending along your "blocked!" message to some poor person who is already a victim because their address has been used by some slimy mass-mailing worm.
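One way a gateway could implement that rule, as an added example that is not part of the original post: a notice goes out only when the blocked message provably originated inside (authenticated submission or internal client network) and carries a local sender domain; anything else is logged for the console and generates no mail. The domains, networks and message fields are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy data (assumptions, not from the post).
LOCAL_DOMAINS = {"example.org"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class BlockedMessage:
    envelope_from: str    # MAIL FROM address as given in the SMTP envelope
    client_ip: str        # IP of the SMTP client that handed us the message
    authenticated: bool   # True if the client passed SMTP AUTH (a real local user)
    virus_name: str       # what the scanner matched


def notification_targets(msg: BlockedMessage) -> list[str]:
    """Return the addresses that should be told about the block.

    Only an internal user whose own outbound mail was blocked gets a notice.
    A spoofed envelope sender coming from outside (the worm/attacker case)
    never produces an outbound bounce, so the gateway cannot be used as an
    amplifier against the spoofed address.
    """
    domain = msg.envelope_from.rpartition("@")[2].lower()
    from_internal_net = any(ip_address(msg.client_ip) in net for net in INTERNAL_NETS)
    # A local-looking sender domain alone proves nothing; worms spoof it freely.
    # The envelope sender is trusted only if the message really came from inside.
    if domain in LOCAL_DOMAINS and (msg.authenticated or from_internal_net):
        return [msg.envelope_from]
    return []  # log only; never notify an external or unverified sender


def handle_block(msg: BlockedMessage, log: list[str]) -> list[str]:
    """Record the block for the admin console and return the notices to send."""
    targets = notification_targets(msg)
    log.append(f"blocked {msg.virus_name} from {msg.envelope_from} "
               f"via {msg.client_ip} notify={targets or 'none'}")
    return targets


if __name__ == "__main__":
    console_log: list[str] = []
    # Constructed samples: a genuine internal sender, and the spoofing case above.
    legit = BlockedMessage("alice@example.org", "10.1.2.3", True, "EICAR-Test-File")
    spoofed = BlockedMessage("alice@example.org", "203.0.113.45", False, "Mass-Mailer.Worm")
    print(handle_block(legit, console_log))    # ['alice@example.org']
    print(handle_block(spoofed, console_log))  # []
```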

Or does your marketing department consider these messages to be good advertising? Hint: If so, it's spam.
