[extropy-chat] META: viral spam

Eugen Leitl eugen at leitl.org
Tue Apr 6 21:23:10 UTC 2004 

On Tue, Apr 06, 2004 at 02:46:20PM -0600, Alan Eliasen wrote:

>    Can't members simply be put on "probation" and have their posts moderated
> until they've proven that they're real humans?  This is a common feature in
> most mailing list software.

Really? Mailman can do that? Wasn't aware of that feature. Cool.
Yahoogroups has recently switched to use OCR-proof image one-time tokens to prove
there's a human on the other end. Of course one can pay (cheap) humans to
bio-OCR the tokens, or at some point devise machine vision algorithms good
enough to cut through the distortion, and background noise. The race is on...
 
>    The way most e-mail viruses spread is to pick random addresses from an
> address book (or more commonly these days, from HTML files, text files, and
> other files you may have on your system) and send messages both to and from
> these random addresses, thus attempting to obscure their origin.

Roight. Which is why I sign all my outgoing mail, so that anybody verify it's
not a (malware) forgery. I know it's annoying to repeat that all the time,
but there are new users, and sometimes old users don't get it the first time
round.
 
>    It's not necessary to spread unfounded panic.  Unless you have a criminally
> insecure mail client, you *can't* be infected with a virus by displaying an
> e-mail on the screen.  Outlook is the only client I know that's ever allowed a

Outlook doesn't take a message to be *displayed* to become infected. There a
Windows bug (now patched) which activates system upon *mere mail reception*. Anything
which uses IE rendering engine for preview is vulnerable, whether patched or
not patched. Many other MUA (that's be mail clients, for yer dirty furriners)
have other triggerable bugs, known and unknown. This lousy mutt here can be
remotely exploited via an engineered MIME message.

The richer the content, the more lines of code to render. The more code, the
larger the number of bugs (and less code review, because rich content is
targeted for simians, which can't tell either way, and don't care). Hence,
rich content is evil. Am I preaching to the choir? At times I do wonder.

> hole that bad.  No other e-mail client will allow infection just from
> *viewing* the text of any e-mail (opening an attachment, yes, but that's
> something you should always do with extreme care with any e-mail client, and
> only after scrutinizing the attachment type.)

No, this is not correct. The smarter worms are rare, though, so in 99% of all
cases you're correct. Just don't assume you're safe, because "you never click
on attachements". 

I have no mouse, and I must click.
 
>    I've written secure, spam-filtering e-mail clients myself, and I know you'd

Wow. This is a pretty strong claim. I'm not being ironic here, but how do you
know these clients *are* secure? Much user base? Much hacker eyeballs?
Written in inherently safe (buffer overrun/stack overflow-proof languages)?

> actually have to go out of your way to intentionally make an e-mail client as
> insecure as Outlook is.  It's actually surprising the lengths they went to to
> make their client infectable.  If anyone's still using it, and you value your
> data and time and reputation, and that of your friends and contacts, change now.

Absolutely. Whoever is still using Outlook/Outlook Express is probably
playing russian roulette in the midday break, too. Another favor to do to yourself: download
Mozilla, and use it for most browsing. Only use Internet Explorer when you
come across this braindead "designed for" and "upgrade to most recent" web
sites (do you need their business that badly, though?).

Better, get an OS X Mac. And keep it auto-updated. (Windows ditto, but it's
not nearly as efficacious; though a *really good* IT guy can keep a Windows
box secure -- I'm not nearly *that good*, though, and I usually have
something else to do with my afternoons).
 
>    I dislike having my name on the e-mail list of someone who doesn't protect
> that information, and allows their system to forge my identity, send viruses
> that purport to be from me, and make me look bad, so I want to get this fixed.

Too late already. SMTP wasn't designed with facultative strong authentication
in mind, so it doesn't provide it. Use digital signatures, that's at least a
hook for further functionality, and at least provides plausible deniability.
There's much other patchery forthcoming, but it's all in terrible disarray,
and failing as we speak, in multiple and interesting way.

-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org         http://nanomachines.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.extropy.org/pipermail/extropy-chat/attachments/20040406/26dd2d93/attachment.bin>

More information about the extropy-chat mailing list