That's Bagle.B - just in case.
best regards, Rainer Link
-----Original Message-----
From: poeml@suse.de [mailto:poeml@suse.de]
Sent: Tuesday, 17 February 2004 16:46
To: suse-security@suse.com
Subject: [suse-security] ID wwywxugwisi... thanks
Yours ID kqniv -- Thank
Hi,
A pretty dumb idea to send virus mails to a Linux security list, isn't it? :-)
On Tue, 17.02.2004 at 16:52, Rainer_Link@trendmicro.de wrote:
That's Bagle.B - just in case.
best regards, Rainer Link
cheers, Tobias
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I agree that it's a dumb idea, but these virii don't know and don't care what the purpose of this list is. Someday some nitwit will stumble onto a piece of code that exploits an as-yet undiscovered flaw in one or more linux email clients, and we'll have a small disaster. It's just plain naive to think this will never happen. Perhaps later than sooner, but there is a lot more likelihood that it will than it won't.

Since it does no good to complain without offering a solution, here's an idea:

Why not require all messages posted to this list to be signed with the user's gpg key? Building functionality into the list daemon to verify signatures would be an easy task and would also help cut back on the spam that invades this list from time to time. Users can supply their public key at subscription time or it can be pulled from a keyserver when the user posts. It's really not a huge inconvenience... I'm signing this post to show how easy it is.

Just my modest input...

On Tue, 17 Feb 2004, Tobias Weisserth wrote:
Hi,
A pretty dumb idea to send virus mails to a Linux security list, isn't it? :-)
On Tue, 17.02.2004 at 16:52, Rainer_Link@trendmicro.de wrote:
That's Bagle.B - just in case.
best regards, Rainer Link
cheers, Tobias
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
- -- - -linux_lad public key on request -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQFAMlRdwHqKF2/3fvYRAhClAJ9sy5vHirwqRh6LKsF14flsF0InOACgmLFQ ZGZurdgH7viyxoHn3MnmwIY= =LjfI -----END PGP SIGNATURE-----
On Tue, Feb 17, 2004 at 09:50:21AM -0800, john@linuxlad.org wrote:
I agree that it's a dumb idea, but these virii don't know and don't care what the purpose of this list is. Someday some nitwit will stumble onto a piece of code that exploits an as-yet undiscovered flaw in one or more linux email clients, and we'll have a small disaster. It's just plain naive to think this will never happen. Perhaps later than sooner, but there is a lot more likelihood that it will than it won't.
Since it does no good to complain without offering a solution, here's an idea:
Why not require all messages posted to this list to be signed with the user's gpg key? Building functionality into the list daemon to verify signatures would be an easy task and would also help cut back on the spam that invades this list from time to time. Users can supply their public key at subscription time or it can be pulled from a keyserver when the user posts. It's really not a huge inconvenience...
But this makes posting to the list much more inconvenient for those that do not use PGP regularly. And finally it does not help that much. If someone builds such an exploit, he could as well generate a random PGP key and register it for the mailing list. --- In principle this could also be done automatically by a virus itself, although most viruses are far from that complexity nowadays.

BTW: Your PGP key is of no cryptographic use as long as you don't have it signed by trustworthy people. But I think no trustworthy person would sign a key with ID "-linux_lad (This key supersedes all older keys)", thus you might want to add a real name.

Robert

--
Robert Schiele Tel.: +49-621-181-2517
Dipl.-Wirtsch.informatiker mailto:rschiele@uni-mannheim.de
On Tuesday 17 February 2004 19:04, Robert Schiele wrote:
But this makes posting to the list much more inconvenient for those that do not use PGP regularly. And finally it does not help that much. If someone builds such an exploit, he could as well generate a random PGP key and register it for the mailing list. --- In principle this could also be done automatically by a virus itself, although most viruses are far from that complexity nowadays.
Maybe it is an idea to ditch all mail with certain attachments (.pif, .exe and a few other common Windows executables come to mind). Since we're all running SuSE Linux in one way or the other, there is only a remote chance that there is any good in a message if it contains such an attachment. In fact, I'm rejecting these kinds of attachments on incoming e-mail for a while (so I missed the e-mail starting this thread). Most of the recent virus outbreaks didn't even reach the virusscanner...

Best regards, Arjen
Hi, On Tue, Feb 17, 2004 at 11:38:41PM +0100, Sjag Steensma wrote:
... fact, I'm rejecting these kinds of attachments on incoming e-mail for a while (so I missed the e-mail starting this thread).
Good, how did you do that?
personally I use this little procmail rule to get rid of this lad.

# get everything except pgp signatures
:0 HB
* ^Content-Type: application
* !^Content-Type: application/pgp-signature
virus-ml

# another possible rule maybe this one
:0 HB
* ^Content-Disposition.*filename=".*\.(bat|chm|cmd|cnm|com|exe|hta|\
jse?|lnk|pif|reg|scr|shb|shs|vb[esx]|vdx|zip|xls|doc|ppt|ws[fh])"
virus-ml

Greetings Daniel

--
#!/usr/bin/perl
use Fcntl;$s=$ENV{"HOME"}."/.sigs";sysopen(S,"$s",O_RDONLY)||die;
$p[0]=0;while(<S>){$p[$#p+1]=tell if /^$/;}seek(S,$p[int rand($#p\
+.9999)],seek_set)||die;while(<S>){last if /^$/;$z.=$_;}close S;
print"$z";# by Janto Trappe
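An added example, not part of Daniel's post or the thread: the extension check from the second rule, done in Python through the standard library's MIME parser, so the file name is found whether it is quoted, unquoted, RFC 2231 encoded, or given only as a Content-Type name= parameter. The function name and the sample message are constructed for illustration.

```python
import email

# Extensions from the second procmail rule in the message above.
BLOCKED = set("bat chm cmd cnm com exe hta js jse lnk pif reg scr shb shs "
              "vbe vbs vbx vdx zip xls doc ppt wsf wsh".split())

def blocked_attachments(raw: bytes) -> list:
    """Return file names of MIME parts whose extension is on the blocklist."""
    hits = []
    for part in email.message_from_bytes(raw).walk():
        # get_filename() reads Content-Disposition filename= (quoted, unquoted
        # or RFC 2231 encoded) and falls back to Content-Type name=.
        name = part.get_filename()
        if not name or "." not in name:
            continue
        ext = name.rsplit(".", 1)[1].strip().lower()
        if ext in BLOCKED:
            hits.append(name)
    return hits

# Constructed sample message (not from the thread).
SAMPLE = b"""\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/png
Content-Disposition: attachment; filename="topology.png"

x
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=DETAILS.PIF

x
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename*=UTF-8''price%20list.scr

x
--b1
Content-Type: application/x-msdownload; name="setup.exe"

x
--b1--
"""

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE))
```

The PNG part passes while the three executable attachments are reported, so a list filter built this way can drop or quarantine only the flagged parts.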
On Tue, Feb 17, 2004 at 09:50:21AM -0800, john@linuxlad.org wrote:
Why not require all messages posted to this list to be signed with the user's gpg key?
Because there are certainly many subscribers having problems using gpg/pgp.

A better idea is to enforce the list policy and remove attachments from all messages to the list. Besides reducing the confusion about infected subscribers it avoids the problem that some mail archives preserve such infected attachments for a long time.

--
Michel Messerschmidt lists@michel-messerschmidt.de
antiVirusTestCenter, Computer Science, University of Hamburg
Michel Messerschmidt wrote:
A better idea is to enforce the list policy and remove attachments from all messages to the list. Besides reducing the confusion about infected subscribers it avoids the problem that some mail archives preserve such infected attachments for a long time.
i would not like to remove all attachments, sometimes ppl post configs etc. or maybe a png about a network topology. Such things should not get removed. Besides from that, i would more like if ppl would learn not to click on every shit in an email. As this is a security list (and for linux!) ppl should be able to see that such messages are not harmful. It also makes it possible to 'early detect' new virus and you can take care of your users.

I know that not all ppl reading this list are security professionals, but, i love you etc. is more than 5 years old, isn't it? and the same shit still works? nah, ppl really should start to learn. If ppl wanna do security, then this is one of the first things to learn (and learn to teach others not to do).

Archiving such things is probably bad, yeah, but afaik most archivers drop attachments which are bigger than x. If you really want to drop attachments, then maybe just the well known windows executables like com exe bat pif scr etc.

just my 2eurocents.

Sven
participants (9)
- Arjen de Korte
- Daniel Lord
- john@linuxlad.org
- Michel Messerschmidt
- Rainer_Link@trendmicro.de
- Robert Schiele
- Sjag Steensma
- Sven 'Darkman' Michels
- Tobias Weisserth