RE: Clueless anti-virus products/vendors (was Re: Sober)

From: Todd Vierling (no email)
Date: Sun Dec 04 2005 - 23:29:38 EST

  • Next message: Christopher L. Morrow: "Re: Clueless anti-virus products/vendors (was Re: Sober)"

    On Sun, 4 Dec 2005, Church, Chuck wrote:

    > What about all the viruses out there that don't forge addresses?

    Not that there are nearly as many -- the main scourge is sender-forging
    worms by a better than 90%/10% margin -- but I very specifically mentioned:

    > > > (Virus "warnings" to forged addresses are UBE, plain and simple.)

    I think that was pretty clear.

    > Sending a warning message makes sense for these. Unless someone has
    > done the research to determine the majority of viruses forge addresses,

    Are you living on Earth in 2005? Unless your filters are VERY strict, no
    research should be necessary; look at your own mailbox[es]. If you don't
    know that most worm-viruses forge senders these days, you haven't been using
    Internet e-mail long enough. 8-)

    That said, it takes only a cursory glance through the worms listed on
    Symantec's or F-Secure's or Sophos's web sites in reverse chronological
    order to see, very clearly, that *nearly every* worm in recent history
    forges sender addresses. Finding three or more worms in the past two years
    that don't forge is a challenge for the bored reader.

    Some do it for a very good reason -- in the eyes of the worm's writer, mind
    you. A worm is more likely to get through if the user in envelope-FROM has
    some sort of relationship with the recipient, because so many sites use
    weighted scoring that includes auto-whitelist bias. To a worm writer, just
    using the address in the luser's settings isn't enough, as folks are
    starting to understand "don't click on any random attachment." So, gambling
    on the luser having a circle of friends close enough to know each other, the
    worm forges many different combinations. (If you want more details on this
    reasoning, take it off-list.)

    > Calling vendors 'clueless' because a default doesn't match your needs is
    > a little extreme, don't you think?

    The vendors sending worm-virus "warning" UBE are indeed clueless now,
    because they aren't paying attention to (often their own!) virus statistics
    showing that the majority of worm-viruses forge sender addresses today.

    Let me repeat myself:

    > > > (Virus "warnings" to forged addresses are UBE, plain and simple.)

    Not sending UBE is not just "my needs"; I think we can both agree on that.

    To extend that concept, virus "warnings" triggered by worm-viruses for which
    the forgery status is unknown are either UBE or very close to it.

    With the massive amount of spew that is forged, any warning option that is
    not absolutely confined to trigger on problem mail *known* not to be forged
    is a part of the problem, not part of the solution. The option for warning
    on forged senders shouldn't just be off -- it should not exist.

    > The ideal solution would be for the scanning software to send a warning
    > only if the virus detected is known to use real addresses, otherwise it
    > won't warn.

    Symantec reportedly did this at long last in one of their products recently
    (see archives for details). I truly hope others
    follow suit. However, unless the option to warn forged senders is removed
    entirely from their products, anti-malware vendors still have a large amount
    of fault on their shoulders.

    Things like clamav have had the option properly separated for some time, but
    I'm mainly counting the slow-moving, commercial anti-malware products in the
    prior paragraph.

    -- 
    -- Todd Vierling <> <> <>
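The notification policy argued for above (warn the envelope sender only when the detected worm is positively known to use real addresses, and treat unknown forgery status exactly like known forgery) as an added example; this is not code from the original post or from any vendor's product. The log line format, the detection names and the forgery table are constructed sample data.

```python
import re
from dataclasses import dataclass
from enum import Enum

class Forgery(Enum):
    FORGES = "forges"   # worm is known to forge the envelope sender
    REAL = "real"       # worm is known to use the infected user's real address

# Constructed sample table (not real vendor data): forgery status keyed by
# detection name. Any name absent from the table is "unknown".
FORGERY_TABLE = {
    "Worm.Example-Forger": Forgery.FORGES,
    "Worm.Example-Honest": Forgery.REAL,
}

@dataclass(frozen=True)
class Detection:
    envelope_from: str
    recipient: str
    malware: str

# Constructed scanner log format, one detection per line.
LOG_RE = re.compile(r"from=<([^>]*)> to=<([^>]*)> found=(\S+)")

def parse_log(text: str) -> list:
    """Extract Detection records from scanner log lines; non-matching lines are skipped."""
    return [Detection(*m.groups()) for m in (LOG_RE.search(l) for l in text.splitlines()) if m]

def should_notify_sender(det: Detection, table=FORGERY_TABLE) -> bool:
    """Warn the envelope sender only when the worm is positively known to use
    real addresses. FORGES and unknown both mean: do not send (it would be UBE)."""
    return table.get(det.malware) is Forgery.REAL

def triage(text: str, table=FORGERY_TABLE):
    """Split detections into warnings to send and warnings suppressed as backscatter."""
    send, suppressed = [], []
    for det in parse_log(text):
        (send if should_notify_sender(det, table) else suppressed).append(det)
    return send, suppressed

# Constructed sample log lines.
SAMPLE_LOG = """\
2005-12-04 from=<alice@example.org> to=<bob@example.net> found=Worm.Example-Forger
2005-12-04 from=<carol@example.org> to=<bob@example.net> found=Worm.Example-Honest
2005-12-04 from=<dave@example.org> to=<bob@example.net> found=Worm.Example-Unlisted
"""

if __name__ == "__main__":
    send, suppressed = triage(SAMPLE_LOG)
    print(f"send {len(send)} warning(s), suppressed {len(suppressed)} as probable backscatter")
```

Only the Worm.Example-Honest detection produces a warning; the forging and the unlisted worm are both suppressed, which is the fail-closed default the post calls for.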
    