[SURBL-Discuss] JPEG flaw in Windows - URLs in emails

David Hooton david.hooton at gmail.com
Wed Sep 22 19:02:56 CEST 2004


On Wed, 22 Sep 2004 10:32:47 -0500, Matthew Wilson <matthew at boomer.com> wrote:
> Since proof-of-concept code for the JPEG flaw in Windows has been posted
> online, we can surely expect at least one mass mailing exploit soon.
> The form will likely take the form of either:

<snip>

> And so on to my question: if I (or anyone else for that matter) submit a
> domain name that hosts an infected JPEG file, how quickly will the SURBL
> databases be updated to reflect this infection?

As quickly as we update it :)

> Also, what if the exploit is multi-stage, and tries to infect actual
> http servers with infected JPEGs, and thousands of websites become
> infected...?  Would it then be necessary to create a separate SURBL list
> for these infected domains, or could they be listed in, say, the
> phishing list?

I don't quite follow your logic here, however the phishing list is
designed to stop phishing attacks, not exploits.  I think I would
consider listing a mass mailed URL if it were only a once off but that
is just not likely to be the case.

I think there is definitely scope for an "xbl.spamhaus.org" styled
surbl but who the heck could keep up with that volume of data?  And
given that the exploits are so new we really don't know how to track
it in an automated manner yet.

Methinks this may be something that a third party might pick up as was
discussed over the last week or so with other list ideas, it's a good
idea though :)
-- 
Regards,

David Hooton

