[Dshield] Mail AV software

Shawn Cox shawn.cox at pcca.com
Tue Apr 13 16:23:20 GMT 2004


Here's the problem...  The people on this list and others like it have
already done what you suggest.  The people who need to do what you are
suggesting do not subscribe to lists such as this one and don't care(or are
unaware of) about the consequences which you describe.  SMTP E-mail is
broken beyond repair there is no easy fix.

--Shawn



----- Original Message ----- 
From: "Stephane Grobety" <security at admin.fulgan.com>
To: <list at dshield.org>
Sent: Tuesday, April 13, 2004 8:03 AM
Subject: [Dshield] Mail AV software


> Hello everyone,
>
> As everyone that is running a mail server I would guess, I'm crumbling
> under "virus notifications" sent by AV software running on mail
> gateway and "notifying me that I have sent a virus". Today, someone
> apparently brought this to a new all-time ridicule by also sending
> a notice to the "postmaster" address of the domain found in the "from"
> Email header field.
>
> Now for the content: I have two remarks:
>
> First, could those of you that are managing mail server that integrate
> a virus scanner please DISABLE these notifications ? It's actually
> rather important to do so: please read on why.
>
> Second, it has come to my mind that this could be used for a DoS. You
> see, if you send the EICAR test file (small false virus file) to these
> mail servers, they will generate between one and four new mails: one
> to the intended recipient, one to the mail admin of the server, one to
> the perceived sender and one to the postmaster address of the
> perceived sender.
>
> Of these 4 mails, you can ignore the first two ones: after all, if an
> admin is willing to mail-bomb himself with notifications, it's none of
> my business. the last two, however, concerns me. You see, I am the one
> paying for the bandwidth and storage space used by these useless
> mails.
>
> Now comes the first part: take an EICAR test file
> (http://www.eicar.org/download/eicar.com it WILL trigger an AV warning
> if you download it). It's 68 bytes long and you don't need to attach
> it to your mail: just copy and paste the text content of it will
> trigger the AV software. Standard mail headers can be trimmed down to
> a few hundred bytes and the SMTP part of the transaction is very
> small. Now spoof the "from" header to looks like they are coming from
> the victim's mail server and send it to the AV-filtered gateway. Bham:
> with a single SMTP transaction of a less than a kilobyte of traffic,
> you've generated two TCP connections to the target mail server and
> forced it to accept at least one mail which will be much larger than
> your original one. That's called bandwidth amplification attack in my
> book, combined by a rather difficult to avoid mail bombing attack.
>
> The beauty of it is that you don't even need to scan for server to use
> in such an attack: if you have a mail address (or better, if you're
> reading the "postmaster" mailbox of a domain), then you probably
> already have a large database of exploitable hosts. And if you combine
> this with one of the large number of open proxy out there (your spam
> drop mailbox should be full of it), you can even hide your source IP
> very efficiently.
>
> So, I urge the mail admins among you that haven't already done so to
> disable these notifications. If someone finds a flaw in my reasoning,
> please feel free to comment on or off-list.
>
> Good luck,
> Stephane
>
>
>
>
> _______________________________________________
> list mailing list
> list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
>




More information about the list mailing list