Is your PC sending viruses without your knowledge?


Take a look at this site for a project started a couple of weeks ago in the
Netherlands.

http://virbl.bit.nl/

Who or what agencies would be interested in blacklisting IPs? If
someone who wants to send me an email is blacklisted because he or she
is infested with a worm, the sender would be blocked from any
communication with me until 24 hours (at least) after his PC is
cleaned. Is that right?

It seems better for the sender's ISP to strip the known worm
attachment, forward the message, and notify the sender. Doesn't it?


Art
http://www.epix.net/~artnpeg
 
»Q«

(e-mail address removed) wrote in
Who or what agencies would be interested in blacklisting IPs?

I'd guess mailserver operators, to reduce loads. I see the top IP
on the list has sent almost 15000 copies of Sober.G.
If someone who wants to send me an email is blacklisted because he
or she is infested with a worm, the sender would be blocked from
any communication with me until 24 hours (at least) after his PC
is cleaned. Is that right?

I dunno. It's certainly a trade-off.
It seems better for the sender's ISP to strip the known worm
attachment, forward the message, and notify the sender. Doesn't
it?

If his ISP does that, the sender's IP will never get on the list. MXes
that let spam flow get blacklisted as well, and I don't see much
difference between that and this.
 

If his ISP does that, the sender's IP will never get on the list. MXes
that let spam flow get blacklisted as well, and I don't see much
difference between that and this.

My ISP once banned an entire ISP assigned block of IPs because of
spam. For a long time I couldn't receive emails from an individual in
Germany on account of it. I wonder if because of dynamic IP #
assignments, you might wind up with something approaching that where
eventually almost entire domains are blacklisted (in the spam problem
case). There have to be better ways of dealing with the spam and worm
problems than shutting down the internet :)


Art
http://www.epix.net/~artnpeg
 
»Q«

(e-mail address removed) wrote in
My ISP once banned an entire ISP assigned block of IPs because of
spam. For a long time I couldn't receive emails from an individual
in Germany on account of it. I wonder if because of dynamic IP #
assignments, you might wind up with something approaching that
where eventually almost entire domains are blacklisted (in the
spam problem case). There have to be better ways of dealing with
the spam and worm problems than shutting down the internet :)

In anti-spam groups, this stuff has been endlessly debated. Proponents
of blacklisting claim that with some ISPs, the only way to get them to
take action to block spam from their users' machines is to force their
own innocent users to complain about being blacklisted. Opponents
cite, as you do, the inconvenience imposed on innocent users. I'd like
to think there's a better way of dealing with spam and worm problems
too, but I don't have any great suggestions.

In the case of this particular worm blacklist, only the infected users
and the people with whom they correspond will be affected, which is
better for non-infected users but puts no pressure on the ISP to more
effectively block worms.

I also see that it's possible for Dutch MXes to be whitelisted, so that
their users are never inconvenienced. I don't understand why only
Dutch ISPs can be whitelisted.
 

(e-mail address removed) wrote in


In anti-spam groups, this stuff has been endlessly debated.

Haven't followed any of it at all.
Proponents
of blacklisting claim that with some ISPs, the only way to get them to
take action to block spam from their users' machines is to force their
own innocent users to complain about being blacklisted. Opponents
cite, as you do, the inconvenience imposed on innocent users. I'd like
to think there's a better way of dealing with spam and worm problems
too, but I don't have any great suggestions.

When I was researching computer crime laws in the USA, I found no
pending or proposed legislation (concerning the "virus" or malware
problem) but there were numerous items on the Federal agenda
concerning spam. Which makes me wonder about their content and details
since it's a worldwide problem, of course (as is malware).


Art
http://www.epix.net/~artnpeg
 

Gabriele Neukam

On that special day, ([email protected]) said...
It seems better for the sender's ISP to strip the known worm
attachment, forward the message, and notify the sender. Doesn't it?

Only if they can identify the *real* sender, instead of what has been
faked by the worm as a "From:" field entry.

Also, some worms do deliver directly to the other ISP's MX, without
asking the originating ISP's mail server to do the "service" for them,
so there is little chance for the ISP of the infected machine, to know
about its existence, if the recipient doesn't tell the ISP about this
infection. A blacklisting might result in less traffic, but the machine
won't be cleaned, if nobody on the originating side is notified.

The blacklisting might be necessary in those lost cases of ISP's which
won't listen to the umpteenth complaint being sent, like Videotron or
Wanadoo. But it won't always be that effective, as I will explain.

Currently, a German regular in the de.admin.net-abuse.mail group is
suffering from a T-Com user, that has been swamping him with worms by
the dozens of thousands, over several weeks. T-Com is the largest of all
ISPs in Germany; and normally they do their job properly. The regular is
of course annoyed and wondering why his complaints don't stop the
floods.

I am afraid that this customer is in fact warned, but constantly
re-infecting. Maybe there is a small network behind that DSL account (which
is forbidden for private accounts), and he/she/it is incapable of detaching
*all* machines at the same time from the net, and cleaning them all at the
same time, or just doesn't care.

As the IP number is changing after 24 hours (a German specialty), you
cannot block him by the ISP number, without blocking an innocent user
who's being assigned the number as the next one, too. In this case, the
blacklisting will fail. We are still trying to figure out how to put an
end to this situation.


Gabriele Neukam

(e-mail address removed)
 
»Q«

Also, some worms do deliver directly to the other ISP's MX,
without asking the originating ISP's mail server to do the
"service" for them, so there is little chance for the ISP of the
infected machine, to know about its existence, if the recipient
doesn't tell the ISP about this infection.

I wonder if greylisting is effective against worms that connect
directly to the recipient's MX rather than mailing through a smarthost.
A blacklisting might result in less traffic, but the machine won't
be cleaned, if nobody on the originating side is notified.

Greylisting would not get anyone notified either, but it should let
any legit mail through, even from an infected machine.

<http://projects.puremagic.com/greylisting/whitepaper.html> has an
overview of greylisting as well as more implementation details than I
care to read.
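The post above asks whether greylisting would stop a worm that delivers straight to the recipient's MX while still letting legitimate mail through. The following is an added example, not code from the thread or from the linked greylisting whitepaper; it simulates the usual triplet scheme (client IP, envelope sender, envelope recipient) with assumed timing constants, a legitimate MTA that retries after a temporary failure, and a one-shot worm that never retries. All addresses and timestamps are constructed.

```python
"""Greylisting simulation (added example; parameters are assumptions, not virbl's
or the whitepaper's values)."""
from dataclasses import dataclass, field

MIN_DELAY = 300                  # seconds a sender must wait before its retry is accepted
RETRY_WINDOW = 4 * 3600          # how long an unconfirmed triplet is remembered
WHITELIST_TTL = 36 * 24 * 3600   # how long a confirmed triplet is accepted without delay

TEMPFAIL = "451 4.7.1 Greylisted, try again later"   # SMTP temporary failure
ACCEPT = "250 OK"


@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)   # triplet -> first-contact time
    confirmed: dict = field(default_factory=dict)    # triplet -> last-accepted time

    def decide(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP response for one delivery attempt at time `now`."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())

        # Already confirmed and still within the whitelist lifetime: accept at once.
        if key in self.confirmed:
            if now - self.confirmed[key] < WHITELIST_TTL:
                self.confirmed[key] = now
                return ACCEPT
            del self.confirmed[key]

        seen = self.first_seen.get(key)
        # Never seen, or remembered entry has expired: record it and defer.
        if seen is None or now - seen > RETRY_WINDOW:
            self.first_seen[key] = now
            return TEMPFAIL
        # Retried too quickly: still defer (a real MTA will try again later).
        if now - seen < MIN_DELAY:
            return TEMPFAIL
        # Retried after the minimum delay: this looks like a real queueing MTA.
        del self.first_seen[key]
        self.confirmed[key] = now
        return ACCEPT


def simulate():
    """Constructed scenario: one legitimate sender and one direct-to-MX worm."""
    g = Greylist()
    t0 = 1_700_000_000
    triplet = ("192.0.2.10", "alice@example.com", "bob@example.net")
    legit = (
        g.decide(*triplet, t0),           # first contact: deferred
        g.decide(*triplet, t0 + 60),      # retried too early: still deferred
        g.decide(*triplet, t0 + 900),     # 15 minutes later: accepted
        g.decide(*triplet, t0 + 86400),   # next day: accepted without delay
    )
    # The worm fires each message once with a different forged sender and
    # never retries, so no triplet is ever confirmed.
    worm = tuple(
        g.decide("198.51.100.7", f"victim{i}@example.org", "bob@example.net", t0 + i)
        for i in range(3)
    )
    return legit, worm


if __name__ == "__main__":
    legit, worm = simulate()
    print("legitimate sender:", legit)
    print("worm:", worm)
```

The trade-off the post mentions shows up in the second attempt: a legitimate first message is delayed by at least `MIN_DELAY`, and a sender whose MTA does not retry at all (which is the worm's behaviour, but also that of some badly configured mailers) is never delivered. Nobody is notified either way; the infected machine keeps sending.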
 

Conor

It seems better for the sender's ISP to strip the known worm
attachment, forward the message, and notify the sender. Doesn't it?
No. There is as much traffic generated by "bounce" messages as there is
by the worm/trojan/virus itself.
 

No. There is as much traffic generated by "bounce" messages as there is
by the worm/trojan/virus itself.

The sender's ISP should know the IP # of _his_ customer's PC sending
the message, no? Who better to notify his customer that his PC is
sending out worms? Now, it's the forwarding of the message or plain
mail part to the intended recipient that I goofed on since, in the
case of a worm, it's not a legit communication from the sender ...
it's garbage ... and shouldn't be passed on to the recipient.

The thing I had in the back of my mind was that legit message
transmissions from the sender shouldn't be blocked. His ISP might put
a time limit on him ... cut off his service if he doesn't get the worm
problem taken care of ... but that's a different matter.


Art
http://www.epix.net/~artnpeg
 

Nick FitzGerald

In the case of this particular worm blacklist, only the infected users
and the people with whom they correspond will be affected, ...

...assuming an IP sending viruses actually gets listed _and_ that the
recipient's mail service chooses to block mail from virbl'ed IPs.
... which is
better for non-infected users but puts no pressure on the ISP to more
effectively block worms.

Except, folk on dynamic IPs are likely to be wrongly virbl'ed for 24
hours as they pick up IPs that have been seen posting viruses in the
last 24 hours. This _was not_ such a large problem with spam when
the spam blacklists started as spamming tended to be very static --
sure, they moved servers much faster than anyone else on the planet,
but still at a rate measured in weeks to months. The blacklists
probably helped push that down into the days to weeks range...

But mass-mailing viruses are different, as their distribution points
have always been much more widely dispersed _and_ they tend to be
concentrated in dynamic IP address space (well, originally they were
concentrated in corporate and institutional America, but that has
largely been fixed now).

Note that spammers have noticed and are now building and using "bot
armies" for spam relaying and direct spam sending.

Given recent trends and developments in virus distribution patterns
and in spam techniques, the mid-term usefulness of such lists, for
both spam and virus reduction is close to nil. This is obvious to
anyone with two functioning brain cells who works closely in either
industry, but I guess running this project is a nice little hobby for
somebody who will pat themselves on the back, happy in the misguided
belief that they are doing something useful and helpful.
I also see that it's possible for Dutch MXes to be whitelisted, so that
their users are never inconvenienced. I don't understand why only
Dutch ISPs can be whitelisted.

You misread that question in the FAQ. Dutch ISPs can get their _mail
servers_ (aka "MX boxes" -- that is, IPs that are listed in the DNS as
having mail delivery responsibility for a domain) whitelisted. I see
nothing on the virbl site suggesting an ISP (Dutch or otherwise) can
have whole IP blocks excepted. The virbl site says that it attempts
to determine the originating IP of the virus-carrying messages that
"inform" its blacklisting, so a customer of a Dutch ISP with a virus
that happens to send its outgoing mail via the ISP's mail server
would still get listed, as the client's IP, not the ISP's mail server IP,
should be the one seen as the originating IP.

Of course, this raises one of the problems of non-authentication of
SMTP -- it is trivial to programmatically forge an extra Received:
header into a virus' outgoing Email messages, pointing the finger
somewhere else.

And the virbl page says nothing useful about how it handles messages
with originating IPs in private IP address space...

Think carefully (well, maybe not -- it took me about a microsecond to
realize this the first time I heard a hare-brained suggestion along
much the same lines as what virbl.bit.nl has implemented) about those
last two for a clear and obvious flaw in the whole shebang. Something
that will be trivially exploited to entirely sidestep virbl in future
_IF_, in the _very unlikely_ circumstance, virbl actually does start
to make any noticeable impact on the self-mailing virus problem...

In short, virbl is a solution looking for a problem, because it is
clearly never going to be a useful piece of the solution to the
problem that it is claimed to be a solution for. (In this, it is much
like SPF and all the other non-anti-spam techniques that are being
seriously oversold as anti-spam "solutions" at the moment...)
 
»Q«

You misread that question in the FAQ. Dutch ISPs can get their
_mail servers_ (aka "MX boxes" -- that is, IPs that are listed in
the DNS as having mail delivery responsibility for a domain)
whitelisted. I see nothing on the virbl site suggesting an ISP
(Dutch or otherwise) can have whole IP blocks excepted.

I had got this part. I should have typed "Dutch ISPs' MXes" in my
second sentence above. Sorry.
The virbl site says that it attempts to determine the originating
IP of the virus-carrying messages that "inform" its blacklisting,

Ugh. Despite it being at the top of their page, I missed their
statement "If an infected e-mail is found, the originating IP address
is fethed [sic] from the headers and an entry is inserted in a
database". I had just assumed that the list was created by logging IPs
that connect directly to MXes under the control of virbl to send worms.
Using headers is a horrible idea, as you pointed out clearly.
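Nick's post above raises two problems with deriving the "originating IP" from message headers: anyone can insert an extra Received: line before handing the message over, and the bottom-most line may name an address in private space. The following is an added example, not code from the thread or from virbl, contrasting the naive approach (walk the Received: chain from the bottom) with the approach an MX operator can actually trust (use only the Received: line its own MX wrote, which records the TCP peer it really talked to). The message, host names, and addresses are constructed; documentation prefixes (192.0.2.0/24, 198.51.100.0/24) stand in for public addresses, so the non-routable check below lists RFC 1918, loopback and link-local ranges explicitly rather than using `ipaddress`'s `is_private`.

```python
"""Originating-IP extraction from Received: headers (added example; trusted MX
names and the sample message are constructed assumptions)."""
import ipaddress
import re
from email import message_from_string

# Constructed message: our MX (mx.example.org) accepted it from 198.51.100.23.
# Before sending, the infected host prepended two fake Received: lines that
# point at an innocent third party and at a private address.
SAMPLE = """Received: from dsl-pool-23.example.net (dsl-pool-23.example.net [198.51.100.23])
\tby mx.example.org (Postfix) with ESMTP id CONSTRUCTED1
\tfor <bob@example.org>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from innocent.example.com (innocent.example.com [192.0.2.44])
\tby dsl-pool-23.example.net with SMTP; Mon, 1 Jan 2024 09:59:00 +0000
Received: from [10.0.0.5] by innocent.example.com; Mon, 1 Jan 2024 09:58:00 +0000
From: someone@example.com
To: bob@example.org
Subject: constructed sample

body placeholder
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 literal
BY_RE = re.compile(r"\bby\s+(\S+)")                     # host that added the line

NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this" net
)]


def is_routable(ip):
    """True unless the address is in one of the listed non-routable ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def received_headers(raw):
    """All Received: lines, top-most (most recent hop) first, folding preserved."""
    return message_from_string(raw).get_all("Received") or []


def naive_origin(raw):
    """The approach the thread warns about: trust the deepest routable address
    in the chain. Every line below our own MX's was written by the sender."""
    for hdr in reversed(received_headers(raw)):
        m = IP_RE.search(hdr)
        if m and is_routable(m.group(1)):
            return m.group(1)
    return None


def trusted_origin(raw, trusted_mx):
    """Use only the first Received: line added by one of our own MX hosts and
    return the peer address it recorded, provided that address is routable."""
    trusted = {h.lower() for h in trusted_mx}
    for hdr in received_headers(raw):
        by = BY_RE.search(hdr)
        if not by or by.group(1).lower().rstrip(".") not in trusted:
            continue   # not written by us: could be forged, ignore it
        m = IP_RE.search(hdr)
        if m and is_routable(m.group(1)):
            return m.group(1)
        return None
    return None


if __name__ == "__main__":
    print("naive:  ", naive_origin(SAMPLE))                       # the forged innocent host
    print("trusted:", trusted_origin(SAMPLE, {"mx.example.org"}))  # the real peer
```

The naive walk returns the innocent host's address (after skipping the private one), so a blacklist fed that way would list a bystander chosen by the sender; the trusted walk returns the address our MX actually connected with. Feeding a blacklist from the MX's own connection log, as »Q« had assumed, amounts to the same thing without parsing headers at all.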
 
