[sanesecurity] Re: Sanesecurity.Jurlbl.5624.UNOFFICIAL matches "com"

  • From: sanesecurity@xxxxxxxxxxxx
  • To: sanesecurity@xxxxxxxxxxxxx
  • Date: Tue, 14 Jul 2009 15:36:46 +0100

Tom Shaw wrote:

>> This also protects against malicious updates to signature files, by their maintainer, or by an enterprising hacker.
>
> I find your comment "malicious updates to signature files, by their maintainer," insulting.

Why do you find it insulting? At no point did I state anything even approaching what might be considered an accusation against anybody about anything.

> As for your comment about checking against ham I am not sure that is as good as you think. If we checked our DB against our ham I doubt it would help a European site.

SpamAssassin run their new rules against large quantities of HAM. That's proof enough of its value to me.

> We wash all our signatures now against the uribls whitelists, local whitelists, bondedsenders, Fortune 1000, etc and we require a minimum signature length.

Good.

> Since we started this we have had only one issue and that was with a new domain in use by Microsoft that hadn't yet shown up in uribls whitelists. Thus, not only was that signature in use temporarily in our DB until we locally whitelisted it but it was in all URIbls and I doubt it would have made it into your local ham.

So? The vast majority of domain names won't find their way into my local HAM. What's that got to do with the purpose behind the HAM scanning method? It's to stop "some," "obviously bad," signatures from being distributed.

> And I can't help remind people again that certain signatures, such as jurlbl, should only be used with scoring. We score and did not lose any mail because of that signature.

The "com" signature was in the "jurlbl.ndb" list which is classified as a Low FP risk signature file and is enabled by default in the default download script.

I agree that ideally this would be used in a scoring system, but that would require more re-engineering than many people are able to do with their systems presently. Personally, I've just removed all of the jurlbl signatures.

> As for malicious changes, Steve pushes all files out signed and if you are paranoid enough to be worried about the backend you might have also mentioned that your own mailserver is at a certain level of risk as well. You could also write a rechecking routine for your local use or not use the signatures at all.

I don't get what you're saying here? Are you saying that closing one attack vector isn't a good idea because there is another attack vector as well?

> Lastly, talking about the script writers/maintainers. I think they do a great job. After all, script writers/maintainers and signature guys are all doing this for free.

You say this as if you're offering a different point of view to my own. You're not.

> So if you don't like the system you are free to use/do something else or in the spirit of the community you might offer something back.

Just because I don't like the way certain things work, and offer up suggestions of how they could be improved, doesn't mean that I "don't like the system."

> I don't mean to say "my way or highway" but you have previously discussed this a number of times; Bill gave his response; others chimed in; it's time to stand down.

Stand down from what?

> PS Thanks for the contrib to the community provided in a later post.

np.

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
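The signature "washing" Tom describes (whitelists, minimum signature length) and the ham-corpus check Mike argues for, combined into one pre-publication filter, as an added Python example. This is not code from the thread, from Sanesecurity, or from SpamAssassin: the `.ndb` record layout (`Name:TargetType:Offset:HexSignature`) is ClamAV's real format, but the thresholds, the whitelist, the ham messages and the `Example.Jurlbl.*` signature names are constructed for illustration; only the `636f6d` ("com") body is the one discussed above.

```python
"""Wash candidate ClamAV .ndb URL signatures before publishing them.

Constructed example: thresholds, whitelist, ham corpus and Example.* names
are made-up sample data, not Sanesecurity's or SpamAssassin's own tooling.
Only plain-hex bodies are handled; ClamAV wildcards such as '*' or '{n-m}'
inside the hex body are out of scope here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NdbSignature:
    name: str      # e.g. Sanesecurity.Jurlbl.5624.UNOFFICIAL
    target: str    # ClamAV target type ("4" = mail files)
    offset: str    # "*" = anywhere in the file
    hexbody: str   # the literal the scanner looks for, hex encoded

    @property
    def text(self) -> str:
        # Decode the hex body back to the literal string the scanner matches.
        return bytes.fromhex(self.hexbody).decode("latin-1")


def parse_ndb(line: str) -> NdbSignature:
    """Split one .ndb record into its four colon-separated fields."""
    name, target, offset, hexbody = line.strip().split(":", 3)
    return NdbSignature(name, target, offset, hexbody)


def ndb_line(name: str, literal: str) -> str:
    """Build a constructed .ndb record for a literal string (helper for samples)."""
    return f"{name}:4:*:{literal.encode('latin-1').hex()}"


def wash(sig: NdbSignature, ham_corpus, whitelist, min_len=12, max_ham_hits=0):
    """Return the reasons a signature must NOT be published (empty list = ok).

    Three checks, mirroring the thread: minimum length, overlap with a
    whitelisted domain, and matches against a local ham corpus.
    """
    reasons = []
    needle = sig.text.lower()
    if len(needle) < min_len:
        reasons.append(f"too short ({len(needle)} < {min_len})")
    for domain in sorted(whitelist):
        # Either direction is a problem: a bare TLD like "com" is inside
        # every .com domain; a full whitelisted host inside the needle is too.
        if needle in domain or domain in needle:
            reasons.append(f"overlaps whitelisted domain {domain}")
    hits = sum(1 for msg in ham_corpus if needle in msg.lower())
    if hits > max_ham_hits:
        reasons.append(f"matches {hits} ham message(s)")
    return reasons


def wash_file(lines, ham_corpus, whitelist, min_len=12):
    """Wash a whole .ndb list; returns (accepted names, {name: reasons})."""
    accepted, rejected = [], {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        sig = parse_ndb(line)
        reasons = wash(sig, ham_corpus, whitelist, min_len)
        if reasons:
            rejected[sig.name] = reasons
        else:
            accepted.append(sig.name)
    return accepted, rejected


# Constructed sample inputs (not real Sanesecurity data).
CANDIDATE_NDB = [
    "# constructed sample list; the 'com' body is the one from the thread",
    "Sanesecurity.Jurlbl.5624.UNOFFICIAL:4:*:636f6d",
    ndb_line("Example.Jurlbl.1.UNOFFICIAL", "http://buy-pills.invalid/"),
    ndb_line("Example.Jurlbl.2.UNOFFICIAL", "update.microsoft.com"),
]
WHITELIST = {"example.org", "microsoft.com"}
HAM_CORPUS = [
    "Hi Bob, see http://www.example.org/agenda for Tuesday's meeting.",
    "Your Windows update is available from http://update.microsoft.com/",
    "Invoice attached. Regards, Alice <alice@example.org>",
]


if __name__ == "__main__":
    ok, bad = wash_file(CANDIDATE_NDB, HAM_CORPUS, WHITELIST)
    print("accepted:", ok)
    for name, why in bad.items():
        print("rejected:", name, "->", "; ".join(why))
```

Run as a script it accepts only the `Example.Jurlbl.1` URL and rejects the `com` signature on all three grounds (3 bytes long, a substring of a whitelisted domain, and present in the sample ham), which is the outcome a ham check would have produced before that signature shipped in a "Low FP risk" list.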
