[VIM] Bogus RFI Reports Getting Out of Hand

dm at securityfocus.com dm at securityfocus.com
Mon Jan 8 15:42:16 EST 2007


On Mon, Jan 08, 2007 at 02:18:26AM -0500, security curmudgeon wrote:
> 
> : > I swear, Bugtraq moderators should seriously consider blocking any RFI 
> : > disclosure from hotmail.com. Would save us a lot of time.
> : 
> : Should the moderators be performing analysis of each post in detail 
> : before allowing it to post? I'm thinking this would drag out the 
> : postings to the point of being lagged weeks behind the other lists. Have 
> 
> I don't. The moderation is already a bit slow at times, especially on 
> holidays or anytime there is a transition between moderators. 
> Unfortunately, they really can't even take my suggestion to heart because 
> it would likely block a handful of legitimate disclosures, and that 
> doesn't fly.

Yeah, I vetted/code audited some of these reports myself for about a
week once it was apparent that we were under "grep and gripe" attack, but this ended
up being a DoS to the rest of the list traffic, not the mention all of
my other non-Bugtraq related work. We do vet a lot of these internally before they go to
the SecurityFocus database and watch VIM as well for other bogus
reports. For awhile, I was holding up the suspect posts long enough to
be analyzed, but with all of the legit vulns coming in for analysis
and all of the legit list traffic, this was not
optimal. Crowd-sourcing the list has worked a little bit and I'll
approve posts that debunk these reports when I see them but there's
gotta be a better way. 

I don't like the idea of blacklisting specific posters because a) they
make get lucky, or even more unlikely, b) may eventually beat their
heads against the wall enough to clue in to what a real RFI looks
like. But after awhile we've begun to learn who has a
track record for reporting bogus RFIs and treat those reports with an
air of suspicion. A list of repeat offenders would be helpful to us
all in this capacity. We can also be more pro-active about forwarding
analysis of bogus reports to VIM if that at all helps.

> : you considered making a list of bogus vuln authors and forwarding them 
> : to the list moderators?
> 
> Yes. OSVDB is adding all of these bogus reports to our database and 
> tracking creditee with the intent of being able to easily generate such a 
> list for many purposes, including that.
> 
> Call me a bastard, but i'd like to see the people *repeatedly* posting 
> bogus RFI bugs get harassed more so they stop posting without validating 
> their findings.

-- 
Dave McKinney
Symantec

keyID: BF919DD7
key fingerprint = 494D 6B7D 4611 7A7A 5DBB  3B29 4D89 3A70 BF91 9DD7



More information about the VIM mailing list