With the recent surge in mass email "worms" that spoof sender addresses, I (and many others, of course) have been seeing a ton of messages like:
Your email could not be delivered because it contained the virus [mass-email virus or worm here] and has been blocked by the [brandname here] oh-so-31337 antivirus gateway about which you can get more information at [slimeball website here].
Ok, look: When I test security-related systems, one area I examine is automated response mechanisms. Auto blocking, responsive probes, fingering, whois lookups, email responses, even logging: things an attacker can use with lightweight effort to create larger effects. The accelerant effect, which used to be the key to major DDoS efforts (now it's more doable with botnets), is still key to making someone's life hell. Calling 10 pizza joints and ordering 5 pizzas from each to the victim's house. Sending 1000 small packets to a sucker subnet and getting 200,000 much larger responses sent to the victim. Beating the crap out of the victim's DNS server because one 64-byte UDP packet spoofed to look like it came from the victim and sent to the sucker's network generates several DNS requests from sucker to victim for each one little packet you have to send to the sucker...
The idea is simple: attacker does X effort and gets X times Y effect on victim. So, given a nice long antivirus response, and simple, scripted SMTP attacks that inject, over and over, spoofed letters purporting to be from [victim], with simple, small antivirus triggers (like the EICAR test signature-trigger, even)... one can merrily have a disproportionate impact.
Not to mention that it makes these fricking worm outbreaks that much more of a pain in the ass.
Antivirus vendors, take heed:
Only internal users should be notified when their own outbound mail is blocked for having a virus. Oh, and the local admins can get the info from the console if someone wonders whether a letter went missing. There are millions of emails PER HOUR being spoofed by worms now; no need to make things worse by sending along your "blocked!" message to some poor person who is already a victim because their address has been used by some slimy mass mailing worm.
Or does your marketing department consider these messages to be good advertising? Hint: If so, it's spam.
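One way a gateway could implement the rule above (notify only an internal sender of outbound mail, log everything else), as an added example that is not the post's own code: the domains, networks, addresses and sample messages are constructed placeholders, and the "internal" test deliberately does not trust the From address alone, since that is exactly what the worms forge.

```python
from dataclasses import dataclass
from email.parser import Parser
from email.policy import default
from ipaddress import ip_address, ip_network

# Constructed example environment (hypothetical domain and address space).
INTERNAL_DOMAINS = {"example.org"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample messages: a worm spoofing an internal user from outside,
# and a real internal user relaying outbound through the gateway.
SPOOFED_INBOUND = "From: alice@example.org\nTo: bob@example.net\nSubject: hi\n\nx"
OUTBOUND_FROM_INSIDE = "From: alice@example.org\nTo: bob@example.net\nSubject: hi\n\nx"


@dataclass
class Verdict:
    action: str        # the mail is blocked either way
    notify: list[str]  # who gets a "blocked" notice; empty means log only


def notification_targets(raw_msg: str, client_ip: str, envelope_from: str) -> Verdict:
    """Decide who, if anyone, is told that an infected message was blocked.

    "Internal sender" means the connection came from an internal network AND the
    envelope sender is in one of our domains; a header or envelope address by
    itself proves nothing. Anything else is quarantined and logged, never bounced.
    """
    msg = Parser(policy=default).parsestr(raw_msg)
    # Never auto-respond to a null reverse-path or to automatic mail (RFC 3834),
    # or the gateway becomes a loop/backscatter source in its own right.
    if envelope_from == "" or msg.get("Auto-Submitted", "no").lower() != "no":
        return Verdict("quarantine", [])
    from_internal_host = any(ip_address(client_ip) in net for net in INTERNAL_NETS)
    sender_domain = envelope_from.rpartition("@")[2].lower()
    if from_internal_host and sender_domain in INTERNAL_DOMAINS:
        return Verdict("quarantine", [envelope_from])
    return Verdict("quarantine", [])


if __name__ == "__main__":
    print(notification_targets(SPOOFED_INBOUND, "203.0.113.5", "alice@example.org"))
    print(notification_targets(OUTBOUND_FROM_INSIDE, "10.1.2.3", "alice@example.org"))
```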