No security system works 100% of the time. However server-based
scanning of email attachments probably works better than many other
options like relying on end-users to not run unsafe attachments. I vote
that we keep it.

Richard

-----Original Message-----
From: David F. Skoll [mailto:dfsroaringpenguin.com]
Sent: Monday, March 04, 2002 5:07 PM
To: bugtraqsecurityfocus.com
Subject: On the ultimate futility of server-based mail scanning

Several postings on Bugtraq recently talked about DoS attacks against
server-based mail-scanners. Compress four gigabytes of zeros and
debilitate mail scanners which uncompress .gz files, for example.

Several mail scanners try to be clever and examine .zip files, .tar.gz
files, .arc files, etc. to look inside for viruses.

This is ultimately futile.

I gave one scenario:

(cat small_x86_jmp_code; \
 dd if=/dev/zero bs=1k count=400k; \
 cat virus_payload) | gzip > virus.attach.gz

This DoS's virus-scanners which do not limit scanning-size, and sneaks
past those which do.

There's an even better method, and one which is very amenable to
social-engineering:

"HEY! NUDE pictures of Pamela Anderson in the attachment nudie.zip.
Just unzip and then run pam.exe. Oh, heh, heh, heh -- to keep your
boss from seeing this, we've password-protected the zip file. The
unzip password is z3kr3t. Enjoy!"

Zip encryption is pathetic. But I don't think anyone's seriously
suggesting server-based scanners should brute-force encrypted zip files
to check for viruses, or perform AI analysis of messages to extract
passwords.

Ultimately, the responsibility falls on the MUA and the end-user's OS
vendor. We either put secure end-user software onto the desktop, or we
admit defeat.

--
David F. Skoll
Roaring Penguin Software Inc. | http://www.roaringpenguin.com GPG
fingerprint: C523 771C 3710 0F54 B2D2 4B0D C6EF 6991 34AB 95BA GPG
public key:  http://www.roaringpenguin.com/dskoll-key-2002.txt ID:
34AB95BA

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]