Re: Mobile code security (was Re: rr style scanning of non-customers)

> the thing that actually burns my hash, is when my spam complaints or noc correspondence are robotically bounced because they contain dangerous mime attachments of type "message/rfc822" (spam examples) or "text/plain" (traceroute or tcpdump output). if your noc or abusedesk has such a robot protecting it, you ought to be ashamed.

Or they may be happy thinking their NOC is more 0day virus proof rather than hoping a 3rd party will update their scanner in time

Who'd want to risk the NOC falling to the same problem that's just taken out the network they're trying to fix?

brandon

On Mon, Jun 16, 2003 at 03:43:41PM +0100, Brandon Butterworth wrote:
> > the thing that actually burns my hash, is when my spam complaints or noc correspondence are robotically bounced because they contain dangerous mime attachments of type "message/rfc822" (spam examples) or "text/plain" (traceroute or tcpdump output). if your noc or abusedesk has such a robot protecting it, you ought to be ashamed.
>
> Or they may be happy thinking their NOC is more 0day virus proof rather than hoping a 3rd party will update their scanner in time
>
> Who'd want to risk the NOC falling to the same problem that's just taken out the network they're trying to fix?

I think Paul's point may be: If they use text based mailers (eg: mutt, pine, elm, /bin/Mail, mh, etc..) they won't risk being infected except by the rare buffer overflow that might be out there.

The risk-reward comparison that I can easily see here is that if I were to be running an abuse desk and my people were using a fully integrated click-open or click-execute mailer on the desktop, the chances of getting infected are a lot higher than if I give someone an xterm, tell them to use pine/mutt and some additional ticketing system (RT for example, or other systems I've seen that can aggregate the abuse complaints based on headers, etc..). It's a lot harder to open up a microsoft executable on a *nix machine than a windows machine.

If your abuse desk can't take the complaint, you can't do anything about it. The abuse/security desks are in most cases small, understaffed and hidden to prevent them from being overworked yet do enough that you're not called a spam/abuse harborer.

- Jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of Brandon Butterworth

> Or they may be happy thinking their NOC is more 0day virus proof rather than hoping a 3rd party will update their scanner in time
>
> Who'd want to risk the NOC falling to the same problem that's just taken out the network they're trying to fix?
>
> brandon

A NOC or abuse desk that figuratively puts its hands over its eyes by blocking a significant subset of trouble reports is arguably as useless as one that is hit by a virus. The most clueful reports are going to be the ones with some evidence attached or included. I think the point was that there are some other alternatives between the two opposing extremes of bouncing all email with text attachments on the one hand and leaving yourself completely unprotected on the other.

participants (3)
- Brandon Butterworth
- Jared Mauch
- Mark Borchers