VIRUS ALERT
DaveGateway
Yesterday afternoon I received an email from someone that is well known here on the wall.
Our only possible connection was here on the wall!
Its topic was "re. your picture" and it had an attachment, your_picture.pif.
When I scanned it, it contained a virus, W32.Netsky.D@mm.
I don't know how this was done, but look out!!!!!!
Bill Patrick
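The message Bill describes (a "re:" subject with a .pif attachment, flagged by his scanner as W32.Netsky.D@mm) is the kind of thing a mail filter can catch before a user ever sees the attachment. The following is an added example, not code from the original post or from any product mentioned in the thread: it parses raw RFC 822 messages with Python's standard email module and quarantines anything carrying an attachment with a Windows-executable extension. The two sample messages are constructed here; the addresses, subject lines and extension list are assumptions, and the From header is deliberately not used as a signal because it is trivially forged.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly when the file is double-clicked.
# .pif (the one named in the post) is a "shortcut to a DOS program" and
# runs like an .exe; the rest of the list is an assumption of this example.
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js"}


def build_message(sender, subject, attachment_name=None, payload=b"") -> bytes:
    """Construct a raw message for the demo (constructed sample, not real mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "wallie@example.net"
    msg["Subject"] = subject
    msg.set_content("see attached")
    if attachment_name:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def executable_attachments(raw: bytes) -> list:
    """Return the file names of all attachments with an executable extension."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # splitext looks at the LAST extension, so "photo.jpg.pif" is still caught.
        ext = os.path.splitext(name.lower())[1]
        if ext in EXECUTABLE_EXTENSIONS:
            found.append(name)
    return found


def triage(raw: bytes) -> dict:
    """Decide whether a message should be held back, and say why."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    attachments = executable_attachments(raw)
    reasons = []
    if attachments:
        reasons.append("executable attachment: " + ", ".join(attachments))
    if attachments and subject.lower().startswith("re:"):
        # Mass-mailers fake a reply thread to make the attachment look expected.
        reasons.append("executable attached to an apparent reply")
    return {
        "from": str(msg["From"]),      # recorded for the log, never trusted
        "subject": subject,
        "executable_attachments": attachments,
        "quarantine": bool(attachments),
        "reasons": reasons,
    }


# Constructed samples: a worm-style message and a harmless one.
WORM_MESSAGE = build_message("someone@example.org", "re: your picture",
                             "your_picture.pif", b"MZ...constructed payload...")
BENIGN_MESSAGE = build_message("friend@example.org", "boiler photo",
                               "boiler.jpg", b"\xff\xd8\xff constructed jpeg")

if __name__ == "__main__":
    for raw in (WORM_MESSAGE, BENIGN_MESSAGE):
        print(triage(raw))
```

Running the block prints one triage record per sample; the worm-style message is quarantined on the strength of the .pif attachment alone, so the check still works when the subject line changes.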
Comments
A virus moves
through address books. Many of the Wallies have each other's email addresses in their books. Good virus protection is the best solution.
Retired and loving it.
Virus??
Any names Bill? I know the sweepers stole my E-Mail before Dan had them all removed. I got about 20 back as undeliverable. I know that I never E-Mailed these people. Since then I personally haven't had a problem. Keep us updated. ...Robert O'Connor/NJ p.s. Thanks Dan, for having the foresight and recognizing this was a potential problem..RSO
VIRUS ALERT
I don't know if it would be appropriate to mention a name prior to him responding to my email that I sent right away yesterday. But he is one of my heros here!
Bill Patrick
probably wasn't him
most new viruses also pick a random address from the address book to use as the "from" address on the mail they send.
So, the virus probably didn't come from who you think.
Mark
virus
I have been getting slammed with that virus as well. At least I can recognize (sp?) it when it arrives, as it is always 19KB in size, and is RE: something that I never sent out.
I got the same email
Same thing, and that's why I never will put my email in any of my threads again.
We're
masking all the email addresses.
Retired and loving it.
Ditto
Virii now forge all sorts of things, including the sender. When the MyDoom virus went around last year, I must have "gotten back" 1,500+ e-mails from other systems as undeliverable. Naturally, I hadn't sent any of them, but someone on the net that I had e-mailed did...
That's the trouble with e-mail: none of the current e-mail servers seem to bother looking up where e-mail is coming from. If an e-mail with a "from" address or "reply-to" address at domain abc is sent out but its originating IP address is system xyz, most servers simply send the stuff back to the official "from" address (which is easy to forge) as opposed to the ISP where the stuff actually originated.
Simply cross-checking the origin (claimed address vs. actual IP address) would eliminate most spam, IMHO. The vast numbers of clueless XP owners have made it amply clear that homeowners should not be allowed the privilege of running an SMTP server unless they expressly get permission to do so. However, until an ISP actually gets sued for gross negligence re: policing its flock, not much is going to happen.
viruses don't harvest web pages
they harvest address books.
Avoiding your address on wall postings will help cut down on spam, but it won't make any difference with regard to viruses.
Mark
nice in theory
sender verification is impossible without changes to the SMTP protocol.
me sending mail as from mjstraw@iup.edu but using the smtp server at mail.verizon.net is a perfectly reasonable thing to do.
very few homeowners run smtp servers. SMTP is used to send mail from their client (outlook express) to their ISP's server, but that's not running a server themselves.
Mark
it helps
It will help you and all your friends if you change your passwords on a normal basis. I have found that every other week works good. It helps to slow down spammers from using your address and also virus attacks. There are viruses that will attach under files and go to another system through friendly emails... I doubt someone would willingly attack your system from here...IMHO....
Allow me to disagree
me sending mail as from mjstraw@iup.edu but using the smtp server at mail.verizon.net is a perfectly reasonable thing to do.
I disagree. Instead of allowing e-mail addresses on e-mails that have nothing to do with the system they originated from, ISPs should force folks to only use SMTP servers associated with the return address. If you want SMTP access with a particular system and you are a valid user there, then simply establish a secure connection (SSH), which is good business practice anyway.
Is this measure draconian? Some folks would say so. However, if we don't start policing ourselves, the government will do it for us. Considering the respect that folks like Ashcroft seem to have for our civil liberties, etc. I'd rather have a choice.
very few homeowners run smtp servers. SMTP is used to send mail from their client (outlook express) to their ISP's server, but that's not running a server themselves.
Mark, you're missing the point. It is my understanding that the reason that most Windows virii these days propagate as quickly as they do is because they have a built-in SMTP server! For example, that's one of the means MyDoom used to spread itself all over the net.
Furthermore, the current implementation of Windows XP allows raw IP access straight out of the box, so the bad guys don't even have to write their own tools to do it. Now, hackers can spoof with impunity at the packet level. See GRC.com for more info and technical detail. It's pretty scary what the folks in Redmond have unleashed on us.
In closing, if user machines cannot be trusted regarding SMTP servers (because a virus might turn an innocent home PC into spam central), user machines should not be allowed to act as SMTP servers w/o express permission, and an opt-in system (i.e. where the ISP gives explicit permission to allow SMTP transfers from a home machine). Period.
Or avoid using MS products
Most of the vulnerabilities only affect Windows systems or systems which use MS products, though, to be fair, all OS' have their vulnerabilities.
For example, the only real virii to affect modern Mac OS' are of the Macro variety found in MS Office, Visual-Basic vulnerabilities usually affect users dumb enough to use MS Outlook, etc. Though I use MS Office a lot, the last time a Mac in my household was infected with a virus was 1989.
Anyway, another option to consider is using different passwords and logins for everything on the net. I use an encrypted application on my Palm Pilot to keep track of all my passwords and logins. Thus, one site compromise won't expose me elsewhere.
Another thing to do, if you can, is to use secured mail connections. The trouble with POP and regular SMTP connections (to receive and send mail) is that the passwords are sent in the clear! Inquire with your ISP if they allow SSL-type connections for mail; that makes snooping pretty much impossible.
learn about SMTP
Multiple servers can be and often are associated with a given domain. And a single server can be associated with multiple domains (can you say "domain hosting")? If your simple proposal to do a reverse lookup on the sending SMTP host and match that with the from: address were tenable it would have been done long ago. The fact remains that without a major redesign of SMTP, it isn't.
You also need to learn the difference between a client and a server. XP systems do _not_ have a built-in SMTP server.
Trojans that turn your machine into a spam-distributor carry along their own smtp server as part of the trojan.
GRC.com has been quite vocal about their dislike of some of the architectural changes to the XP IP stack. I agree with many of their objections, but it really has nothing to do with spam - w2k systems are just as vulnerable.
I am no fan of Microsoft. But I have been managing high-volume e-mail for 20+ years and feel obliged to correct inaccurate statements posted as authoritative.
Mark
authentication vs security
SSL/TLS, SSH, SSL are all security related. The issue here is authentication, which is quite different.
Mark
I'm curious
how changing your password at frequent intervals will cut down on spam and viruses?
Mark
cleartext passwords
If you're on a cable modem connection, authentication using password encryption is a smart thing since cable access is shared and subject to sniffing. Full encryption of the connection to your smtp server is only useful if your message content is sensitive.
Virus writers write viruses to infect machines. They want the largest potential audience for their creations. There aren't enough Macs out there for them to bother.
Mark
One more time
Mark, perhaps I'm dense, but an SMTP server has to make a connection to another machine to send it mail to the next hop, right? Now, if you do not allow SMTP-SMTP server connections from home user machines, then what happens? Hence my statement that home machines should not be allowed to make SMTP server-server connections. With few exceptions, there is no justification for the ISP to pass on such messages.
As for reverse lookups, I'd like to see a good justification why it cannot be done. You state that the SMTP protocol would have to be re-written for reverse-lookups and like IP4 vs IP6 I imagine a number of folks are looking at that right now. However, I bow to your omniscient knowledge in all things e-mail since you've declared yourself an authority and I have not.
In the meantime, let's have a look at the filters and blocks employed by ISPs. As you and I know, many ISPs have blocked port 25 to prevent folks from using SMTP servers outside the domain of the ISP. Why, because of abuse... the workaround? Tunnels like SSH that allow secure port-forwarding connections to your server. In my opinion, such encryption should be mandatory to ensure that users logins + passwords aren't sniffed by any number of machines along the way (consider a cable-modem pool, for example).
As I see it, encryption and security go hand in hand. If you don't set up a secure means of communicating with your server, then you shouldn't be surprised that your accounts, etc. get hacked. Users who resist securing their systems should simply be cut off.
Question:
Considering how easy it is to encrypt the whole e-mail, why wouldn't I? Give me one good reason that all e-mail traffic should not enjoy the same security as (allegedly) our US mail system promises?
Additional server resources? Less snooping capacity for the government? Bigger headache for lonely system administrators who like to read their users' love letters?
Not encrypting the whole message allows any two-bit hacker on the same pool of modems to sniff out who you send messages to (sell addresses to spammers), read your messages, etc. Unlike you, my desire for privacy extends beyond authentication to the actual message itself.
This desire for privacy also extends to my web-hoster since they've got TLS enabled. Thus, it is perfectly possible for my e-mail to make it to another home user without ever being un-encrypted while in transit. This is as it should be.
various
At the risk of over-simplifying, a server accepts connections, a client initiates them. Software like OE, Eudora, Pine, etc act as smtp clients and forward the message along to an smtp server host for delivery. That host will act as an smtp client and connect to the next server if necessary (not necessary if recipient's mailbox is on that host).
Mail client software, using smtp to submit messages, has been around since the DOS days. Nothing new or special about XP in that regard.
SMTP is SMTP - there is no distinction between a mail client submitting a message and two intermediate systems passing a message along.
Passing a message along to another intermediate system is called "relay". Properly configured mail servers only relay for mail that comes from clients on their own IP network or those who authenticate.
Port 25 blocking is common and reasonable (we do it here) and together with the relay prohibitions above helps keep rogue hosts from blasting out spam. If they decide to authenticate and spam thru the mail server, then forensic evidence is readily available to identify them.
Port 25 blocking and authenticated relay are also what allows (as it should) me to initiate mail from my @iup.edu address via my isp's server.
As for reverse mappings - I suspect you're still under the impression that each domain will have a unique IP address for its mail server. Not so. We have a host xxx.iup.edu that provides mailboxes for several domains. Those domains all have MX records that point to xxx.iup.edu. If you do a reverse look-up on its IP address you get a PTR record for xxx.iup.edu. The other domains are nowhere to be seen.
Outgoing mail uses an entirely different mail server host yyy.iup.edu. It only receives mail from mail clients in the domains we serve. No MX records point to it. It has a single IP address. Reverse lookup gives a PTR with its IP address. The other domains are nowhere to be seen.
Routers don't do application layer 7 filtering - they can detect spoofed packets and even unsolicited response packets but they can't check 'false' return addresses on email.
Encryption is a good thing as long as you know what it's getting you. And it doesn't get you authentication. It only guarantees that the message isn't snooped and/or modified during transit.
Mark
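Mark's post describes two separate things: the relay rule a properly configured server applies (relay only for clients on its own network or clients that authenticate), and why a naive "reverse-lookup the sender and match it to the From: domain" check breaks on hosted domains. The block below is an added example, not code from the original thread or from any server Mark runs; it models both with a hand-built DNS table that mirrors his xxx.iup.edu / yyy.iup.edu layout. All addresses are from the RFC 5737 documentation ranges, and the hosted domain names, network ranges and host-to-address mapping are constructed for this example.

```python
import ipaddress

# --- constructed site data, modelled on the layout described in the post ---
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]      # our own client network
LOCAL_DOMAINS = {"iup.edu", "hosted-one.example", "hosted-two.example"}

# One mailbox host (xxx.iup.edu) serves several domains; outgoing mail leaves
# through a different host (yyy.iup.edu) that has no MX record at all.
MX = {
    "iup.edu": "xxx.iup.edu",
    "hosted-one.example": "xxx.iup.edu",
    "hosted-two.example": "xxx.iup.edu",
}
A = {"xxx.iup.edu": "198.51.100.10", "yyy.iup.edu": "198.51.100.20"}
PTR = {"198.51.100.10": "xxx.iup.edu", "198.51.100.20": "yyy.iup.edu"}


def relay_decision(client_ip: str, authenticated: bool, rcpt_domain: str):
    """The relay rule from the post: local delivery always; relay only for
    our own network or an authenticated client. Returns (accept, reason)."""
    if rcpt_domain in LOCAL_DOMAINS:
        return True, "accept: local delivery"
    if authenticated:
        return True, "relay: authenticated client (identity is logged)"
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in LOCAL_NETWORKS):
        return True, "relay: client on our own IP network"
    return False, "relay denied: neither local network nor authenticated"


def reverse_lookup_matches(client_ip: str, mail_from_domain: str) -> bool:
    """The naive check under discussion: does the PTR name of the connecting
    host sit inside the domain of the envelope sender?"""
    ptr = PTR.get(client_ip)
    if ptr is None:
        return False
    return ptr == mail_from_domain or ptr.endswith("." + mail_from_domain)


def false_rejections():
    """Legitimate senders the naive check would bounce, using the table above."""
    cases = [
        # (sending host, sender domain, why the mail is legitimate)
        ("198.51.100.20", "hosted-one.example", "hosted domain leaving via yyy.iup.edu"),
        ("198.51.100.10", "hosted-two.example", "hosted domain served from xxx.iup.edu"),
        ("198.51.100.20", "iup.edu", "our own outgoing host, but PTR is yyy, not iup.edu"),
    ]
    return [why for ip, dom, why in cases if not reverse_lookup_matches(ip, dom)]


if __name__ == "__main__":
    print(relay_decision("203.0.113.5", False, "elsewhere.example"))
    print(relay_decision("192.0.2.7", False, "elsewhere.example"))
    print(relay_decision("203.0.113.5", True, "elsewhere.example"))
    for why in false_rejections():
        print("naive reverse check rejects:", why)
```

The relay function captures why an open relay is avoidable without any protocol change, while `false_rejections()` lists exactly the cases Mark raises: every hosted domain, and even his own outgoing host, fails the PTR-matches-domain test, so the check is worse than useless as a spam filter.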
encryption vs authentication
encryption doesn't guarantee to a recipient that the message is really from you.
Authentication is not privacy, it's authentication. Encryption is not authentication, it's encryption (loosely, privacy).
If you submit a message to your ISP's mail server using TLS, that does not mean it will travel encrypted to my mail server.
You are correct that other cable modem users on your segment can hack the modem and sniff segment traffic. Not so with dial-up.
Mark
Digital signatures...
Authentication is easy enough via PGP or other encryption systems that allow digital signatures. Not only does it guarantee that a particular sender sent a message, it also guarantees that the message was not changed in transit. Of course this only holds as long as the private key of the sender remains confidential.
When I referred to TLS, I only thought of it being used between servers, not client to server. Hence my reference re: my hosting company having this feature enabled. I use SSH to port forward my mail connections to my server. The server then attempts TLS connections to wherever the mail is going and defaults back to the unencrypted variety if that fails. For some reason I thought that TLS refers to SSL-type connections, not SSH tunnels? Oh well.
As I see it, encryption is a very important tool to ensure proper authentication (though no system is foolproof). PGP and other systems have allowed folks for many years to be reasonably sure that whoever signed and sent something is who he/she says he/she is. Hence, the more advanced e-mail systems use algorithms like the RSA technology (Lotus Notes, etc.) to ensure authentication and privacy.
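The two posts above disagree about whether encryption gives you authentication; a public-key system makes the distinction concrete, because anyone holding a recipient's public key can encrypt to them, while only the holder of the private key can sign. The following is an added example, not code from the thread, PGP or Lotus Notes: it is textbook RSA on Mersenne primes with no padding, so it is a teaching toy and nothing like a real PGP implementation. Two parties (Bill and Mark) and an outsider (Eve) are assumptions of the example, as are the messages.

```python
import hashlib

# Toy key material: known Mersenne primes, so no primality test is needed.
# Real systems use random primes of 1024+ bits and proper padding.
E = 65537


def make_keypair(p: int, q: int):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)          # (public, private)


BILL_PUB, BILL_PRIV = make_keypair((1 << 107) - 1, (1 << 127) - 1)   # recipient
MARK_PUB, MARK_PRIV = make_keypair((1 << 61) - 1, (1 << 89) - 1)     # sender
# Eve has everyone's PUBLIC keys and nothing else.


def encrypt(pub, plaintext: bytes) -> int:
    """Anyone can do this: it needs only the recipient's public key."""
    n, e = pub
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("toy RSA: message too long for this modulus")
    return pow(m, e, n)


def decrypt(priv, ciphertext: int) -> bytes:
    n, d = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(msg: bytes) -> int:
    # Truncated SHA-256 so the value fits under the small toy modulus.
    return int.from_bytes(hashlib.sha256(msg).digest()[:12], "big")


def sign(priv, msg: bytes) -> int:
    """Only the private-key holder can do this."""
    n, d = priv
    return pow(digest(msg), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(msg)


def encryption_alone_authenticates() -> bool:
    """Eve encrypts a message to Bill that claims to come from Mark.
    Bill decrypts it fine; nothing in the process tells him who sent it."""
    forged = b"Mark says: wire $500"
    return decrypt(BILL_PRIV, encrypt(BILL_PUB, forged)) == forged  # True, sadly


def signature_checks() -> dict:
    """A signature binds the message to Mark's key and detects tampering."""
    msg = b"Mark says: ignore that"
    sig = sign(MARK_PRIV, msg)
    return {
        "genuine": verify(MARK_PUB, msg, sig),                 # True
        "tampered": verify(MARK_PUB, b"Mark says: wire $500", sig),  # False
        "wrong_key": verify(MARK_PUB, msg, sign(BILL_PRIV, msg)),    # False
    }


if __name__ == "__main__":
    print("encrypted forgery decrypts cleanly:", encryption_alone_authenticates())
    print(signature_checks())
```

`encryption_alone_authenticates()` returns True, which is the whole point: the forged message decrypts perfectly, so encryption to the recipient proves nothing about the sender. The signed path fails on a tampered message and on a signature made with any key other than Mark's, which is the guarantee the PGP post describes, and it holds only as long as Mark's private key stays private.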
Are you saying...
that your mail servers (not routers) cannot check messages for particular attributes before passing them on? I'm confused here because there I thought this was possible. Or is it simply not implemented yet?
Besides blocking port 25 to prevent open-relay spamming, I would also make any e-mail submit to several tests or reject it outright and send it back as undeliverable. Those tests would include having a valid IP address to originate from (i.e. within the domain), a proper e-mail address (i.e. one that is authenticated), etc. Furthermore, a statistical approach would simply cut off folks who exceed a certain amount of mail in a given time period. Exceptions can be made as needed (list maintainers, etc.).
Considering the vast capabilities of sendmail and other mail server software, it's hopefully only a matter of time before e-mails get the same cursory inspection before being passed on as many packets do already at the router level. Isn't this what MS, AOL, and others are allegedly working on?
As for the organization of your mail servers, that's totally over my head. I still see no reason why your organization cannot filter outgoing e-mail before it's relayed to the rest of the Internet. That is, I don't expect outside mail servers to be able to go through the RFC header and verify that all IP#'s, mail servers, e-mail addresses, etc. are kosher. However, I do expect your outgoing gateway mail server to be able to do so.
As I see it, the scourge of Spam has to be stopped at the source. Those who do not elect to secure their systems can then enjoy being on the blackhole list. It's not the most elegant solution... and its inherent vigilantism is something I shy away from. However, blackhole lists have forced lax ISPs to tighten up their security via the only means possible: irate customers who are having legitimate mail bounce back and who're threatening to leave the ISP.
The trouble as I see it is that ISPs and hosting companies do not seem to take a hard line on bad customers. A recent article at Tufts mentioned a kid who was sending millions of spam messages a day for an outfit that paid him $50/month. The student in question should not have received a slap on the wrist, he should have been suspended for knowingly allowing the IT infrastructure at the university to be undermined. Similarly, ISPs have to learn to fire customers who are unwilling to learn to protect their systems from virii, spamware, malware, etc.
This discussion has been closed.