W32/Sobig.F virus header

PC mailinglists at PC.CHICAGO.IL.US
Thu Aug 21 21:23:37 IST 2003


I think a more appropriate solution would be the implementation of a
requirement making admins change such settings prior to the Mailscanner
process running.  When a sysadmin refuses to change such values,
MailScanner will die upon startup.

Paul


At 02:16 PM 8/21/2003, you wrote:
>Francois Caen wrote:
> >
> > -----Original Message-----
> > From: John Rudd [mailto:jrudd at UCSC.EDU]
> >
> > > Frankly, if you're using that as your header, you deserve to get
> > > blocked by random hosts out on the net.
> > > Customize your headers.
> >
> > OK, call me stupid, but please give me a valid response.
> > I never felt a need to customize the "X-MailScanner: Found to be clean"
> > header. It seems perfectly appropriate to me!
> >
>
>
>1) if you've got multiple departments within one larger entity, each
>with their own mailscanners, each doing their own thresholds and
>configurations, how does a user know which one marked their message in
>which way, if everyone just uses "X-MailScanner"?
>
>1a) now expand that to having multiple servers within one organization
>(test servers, for example).
>
>2) now apply that same logic to multiple independent entities.
>
>3) there are ways to mitigate some of that, by having MS append or
>replace existing headers when it finds them, but that doesn't give the
>user any choices.  And, again, the user still won't have a way of knowing
>who was the source of a particular "append" value.
>
>4) If you're debugging your own install, and you're not sure whether
>messages are properly being processed ... it's much easier to track it
>if you've got your own header to track instead of trying to guess
>whether that X-MailScanner header came from somewhere else.
>
>5) outside organizations who do mailscanning won't have any sort of
>collision with your scanning.  Users can see both results, and even
>develop rules around how much they trust each site's results.
>
>6) if you use your own, then attacks directed at the MS community as a
>whole have to know all of the local header configs.  Attacks aimed at
>one segment of the community will have to use their specific header and
>thus won't affect anyone who doesn't use that header.  If no one uses the
>default header, then attacks aimed at the default header (the only one
>EVERYONE knows, and the one being targeted by Sobig-F) won't work.
>
>
>By not using your own headers, you're basically saying you defer your
>MailScanner results to _anyone_ who wants to throw an X-MailScanner
>header into the message.  You trust anyone sending any message that if
>they say "this has already been scanned", it has been.  If you use your
>own header, then you're looking for/at something that is particular to
>your organization and your configuration.
>
>
>I will admit that the quote above has me making a rather extreme
>statement, but it was intended to be as extreme as the person I was
>replying to (about the people who are blocking the default header are
>"idiots" ... my first response was to say "anyone who is using the
>default header is similarly an idiot", but I decided to be a little more
>polite than that).
>
>Let me turn the question back to you: what are good reasons for using
>X-MailScanner instead of using a locally customized header?
>
>I can think of lots of good reasons to use your own, I can't think of any
>good reasons to stick to the default.  The only reason I can think of
>for why you'd want to use the default is laziness.  And lazy sysadmins
>are a liability to us all (because lazy sysadmins tend to have machines
>which don't keep up with vulnerability fixes and such).  Thus, my
>statement that such systems deserve to be blocked.
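The trust problem described in the quoted message (a gateway that honours any "X-MailScanner: Found to be clean" header an outside sender chose to add) can be shown with a small added example. This is not code from the list post or from MailScanner itself; the site-specific header name `X-Example-Org-MailScanner`, the function names and the inbound message are all constructed for illustration. It contrasts a naive check that defers to the default header with "replace"-style stamping under a local header name, where any pre-existing copy of the local header is discarded before the gateway writes its own verdict.

```python
"""Added example, not from the MailScanner list or project: default vs. site-specific
scan-result headers, and why replace-mode stamping of a local header is safer."""
import email
from email import policy

DEFAULT_HEADER = "X-MailScanner"            # the generic default everyone knows
SITE_HEADER = "X-Example-Org-MailScanner"   # hypothetical site-specific name

# Constructed sample: an inbound message that already carries BOTH a default
# header and a copy of our site header, each claiming the mail was found clean.
INBOUND = b"""From: sender@example.net
To: user@example.org
Subject: test
X-MailScanner: Found to be clean
X-Example-Org-MailScanner: Found to be clean

body
"""


def trusts_default(raw: bytes) -> bool:
    """Naive gateway behaviour: treat the message as already scanned whenever the
    default header says so, regardless of who added it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg.get(DEFAULT_HEADER, "").lower().startswith("found to be clean")


def stamp(raw: bytes, result: str, header: str = SITE_HEADER) -> bytes:
    """Replace-mode stamping: drop every pre-existing instance of our own header
    (forged or left by an earlier hop) and record the local scan result."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    del msg[header]          # removes all occurrences of that header name
    msg[header] = result     # append the verdict this gateway actually produced
    return msg.as_bytes()


def local_verdicts(raw: bytes, header: str = SITE_HEADER) -> list:
    """Return every value present under the site header after processing."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [str(v) for v in msg.get_all(header, [])]


if __name__ == "__main__":
    print("naive gateway would skip scanning:", trusts_default(INBOUND))
    out = stamp(INBOUND, "Found to be infected (constructed verdict)")
    print("site header after replace-mode stamping:", local_verdicts(out))
```

Because the gateway consults only its own header name and overwrites whatever arrived under it, an attacker-supplied "Found to be clean" line under either name no longer decides anything; the default header is simply carried along as untrusted information.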


