W32/Sobig.F virus header

John Rudd jrudd at UCSC.EDU
Thu Aug 21 20:16:06 IST 2003


Francois Caen wrote:
>
> -----Original Message-----
> From: John Rudd [mailto:jrudd at UCSC.EDU]
>
> > Frankly, if you're using that as your header, you deserve to get
> > blocked by random hosts out on the net.
> > Customize your headers.
>
> OK, call me stupid, but please give me a valid response.
> I never felt a need to customize the "X-MailScanner: Found to be clean"
> header. It seems perfectly appropriate to me!
>


1) if you've got multiple departments within one larger entity, each
with their own mailscanners, each doing their own thresholds and
configurations, how does a user know which one marked their message in
which way, if everyone just uses "X-MailScanner"?

1a) now expand that to having multiple servers within one organization
(test servers, for example).

2) now apply that same logic to multiple independent entities.

3) there are ways to mitigate some of that, by having MS append or
replace existing headers when it finds them, but that doesn't give the
user any choices.  And, again, the user still won't have a way of knowing
who was the source of a particular "append" value.

4) If you're debugging your own install, and you're not sure whether
messages are properly being processed ... it's much easier to track it
if you've got your own header to track instead of trying to guess
whether that X-MailScanner header came from somewhere else.

5) outside organizations who do mailscanning won't have any sort of
collision with your scanning.  Users can see both results, and even
develop rules around how much they trust each site's results.

6) if you use your own, then attacks directed at the MS community as a
whole have to know all of the local header configs.  Attacks aimed at
one segment of the community will have to use their specific header and
thus won't affect anyone who doesn't use that header.  If no one uses the
default header, then attacks aimed at the default header (the only one
EVERYONE knows, and the one being targeted by Sobig-F) won't work.


By not using your own headers, you're basically saying you defer your
MailScanner results to _anyone_ who wants to throw an X-MailScanner
header into the message.  You trust anyone sending any message that if
they say "this has already been scanned", it has been.  If you use your
own header, then you're looking for/at something that is particular to
your organization and your configuration.


I will admit that the quote above has me making a rather extreme
statement, but it was intended to be as extreme as the person I was
replying to (about the people who are blocking the default header are
"idiots" ... my first response was to say "anyone who is using the
default header is similarly an idiot", but I decided to be a little more
polite than that).

Let me turn the question back to you: what are good reasons for using
X-MailScanner instead of using a locally customized header?

I can think of lots of good reasons to use your own, I can't think of any
good reasons to stick to the default.  The only reason I can think of
for why you'd want to use the default is laziness.  And lazy sysadmins
are a liability to us all (because lazy sysadmins tend to have machines
which don't keep up with vulnerability fixes and such).  Thus, my
statement that such systems deserve to be blocked.
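The trust argument in the post above, as an added example that is not part of the original message and not MailScanner's own code: a message arriving from outside already carrying the default "X-MailScanner: Found to be clean" line (the header the thread says Sobig-F targets) looks identical to one that really passed through a site's scanner, so any rule keyed on the default header name trusts whoever inserted it. A header name that only one site's configuration produces (assumed here: X-Example-Org-MailScanner; the organization name and both sample messages are constructed for the demonstration) is absent from the forged message and present only after the site's own scanner has stamped it. The second function shows what a user sees when several scanners have left verdicts, the point made about outside organizations' headers coexisting with your own.

```python
"""Added example: why a shared default header name is not a trustworthy
"already scanned" marker, while a site-specific name is. Not code from the
original post or from MailScanner; messages and the org name are constructed.
"""
from email import message_from_string
from typing import Dict, List

DEFAULT_HEADER = "X-MailScanner"            # MailScanner's default header name
LOCAL_HEADER = "X-Example-Org-MailScanner"  # assumed site-specific header name

# Constructed: an external message that arrives already carrying the default
# header, the way a worm or spammer can add it, without ever being scanned.
FORGED_EXTERNAL = """\
From: someone@example.net
To: user@example.org
Subject: Thank you!
X-MailScanner: Found to be clean

Please see the attached file.
"""

# Constructed: the same message after passing through the site's own scanner,
# which stamps its site-specific header (the forged default header survives).
LOCALLY_SCANNED = """\
From: someone@example.net
To: user@example.org
Subject: Thank you!
X-MailScanner: Found to be clean
X-Example-Org-MailScanner: Found to be clean
X-Example-Org-MailScanner-From: someone@example.net

Please see the attached file.
"""


def already_scanned(raw: str, header_name: str) -> bool:
    """Would a rule that trusts `header_name` saying "Found to be clean"
    (a user filter, or a gateway that skips re-scanning) accept this message
    as already scanned?  Header lookup is case-insensitive, as in RFC 2822."""
    msg = message_from_string(raw)
    return any("found to be clean" in value.lower()
               for value in msg.get_all(header_name, []))


def verdicts(raw: str) -> Dict[str, List[str]]:
    """Collect every MailScanner-style header, keyed by header name, so the
    reader can see which scanner(s) claimed a verdict on the message."""
    msg = message_from_string(raw)
    found: Dict[str, List[str]] = {}
    for name, value in msg.items():
        if "mailscanner" in name.lower():
            found.setdefault(name, []).append(" ".join(value.split()))
    return found


if __name__ == "__main__":
    for label, raw in (("forged external", FORGED_EXTERNAL),
                       ("locally scanned", LOCALLY_SCANNED)):
        print(f"{label}: trusted via default header? "
              f"{already_scanned(raw, DEFAULT_HEADER)}; "
              f"via local header? {already_scanned(raw, LOCAL_HEADER)}")
        print("  verdict headers:", verdicts(raw))
```

Run as-is, the forged message is accepted under the default header name and rejected under the site-specific one; the locally scanned message is accepted under both, and `verdicts()` lists both the outside header and the local one so a user can decide how much to trust each. A site-specific name is only a namespace, not authentication: anyone who learns it can forge it too, which is the "attacks aimed at one segment" caveat in point 6 above.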



More information about the MailScanner mailing list