Mobile code security (was Re: rr style scanning of non-customers)
Jared Mauch
jared at puck.Nether.net
Mon Jun 16 15:04:33 UTC 2003
On Mon, Jun 16, 2003 at 03:43:41PM +0100, Brandon Butterworth wrote:
>
> > the thing that actually burns my hash, is when my spam
> > complaints or noc correspondence are robotically bounced because they
> > contain dangerous mime attachments of type "message/rfc822" (spam
> > examples) or "text/plain" (traceroute or tcpdump output). if your noc
> > or abusedesk has such a robot protecting it, you ought to be ashamed.
>
> Or they may be happy thinking their NOC is more 0day virus proof rather
> than hoping a 3rd party will update their scanner in time
>
> Who'd want to risk the NOC falling to the same problem that's just
> taken out the network they're trying to fix?

I think Paul's point may be:

If they use text based mailers (eg: mutt, pine, elm, /bin/Mail,
mh, etc..) they won't risk being infected except by the rare buffer
overflow that might be out there. The risk-reward comparison that I
can easily see here is that if I were to be running an abuse desk and
my people were using a fully integrated click-open or click-execute
mailer on the desktop, the chances of getting infected are a lot higher
than if I give someone an xterm, tell them to use pine/mutt and some
additional ticketing system (RT for example, or other systems I've seen
that can aggregate the abuse complaints based on headers, etc..).

It's a lot harder to open up a Microsoft executable on a *nix
machine than a Windows machine.

If your abuse desk can't take the complaint, you can't do anything
about it. The abuse/security desks are in most cases small, understaffed
and hidden to prevent them from being overworked yet do enough that
you're not called a spam/abuse harborer.

- Jared
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.