Virus Scanner Auto-Replies - A Good Thing or Obsolete?
Moryath writes "Used to be, everyone put an auto-responder in their email server's virus scanner. That way, some dingus sends in a virus, you're protected, and they get notified so they scan and fix their system. Of course, all these stupid things ever do is reply to the From: field, and possibly to Abuse@domain, webmaster@domain, etc... as well. Enter viruses like Sobig. We've had them for years in various forms, they spoof the From: field with another email from another victim's contact book, and all of a sudden random people are getting bounces of emails they've never sent. I have actually gotten more bounces today than actual Sobig attachments. So what does the Slashdot crowd think? Is it time for the people running these mail servers to take down those autoresponders? Are they guilty for part of the damage things like SoBig have caused, since their ill-configured mail servers are doubling, tripling, or even quadrupling the amount of traffic one Sobig infection produces?"
They need to inspect the header and only send a response when they can have some reasonable confidence that it is in fact from a user. If the hosts used to send the mail don't match the email address, it probably didn't come from that person.
If you aren't smart enough to automate the replies intelligently (based on whether the worm type spoofs emails, for example) then don't send anything. Simple as that. Use it right, or don't use it at all.
There is no tangible benefit to having these notices. The user receiving the notice either knows what it means or doesn't know what it means and either way receiving the notice wouldn't change their behavior regardless.
Now that my Inbox is overflowing and my ISP's mail server is rejecting emails because I'm over the account size limit, I'm a little more wary of these supposed "user friendly" helping hands that virus scanner companies are building into their products.
To those who admin Windows networks... Please put an exit filter for TCP port 25 on your firewall so only your mail server can send SMTP and not infected workstations.
I've been getting tons of bounces and antivirus messages that are a result of someone else with my e-mail address having the virus. Of course, the whole e-mail infrastructure is obsolete: What do you mean someone else can easily send an e-mail as me! Perhaps if they fixed that however antivirus messages would once again be useful. Could someone with modpoints please mod up my post two posts earlier that erroneously got modded 'Troll'?
I doubt these email replies are doing any good at all.
Case in point: every twenty minutes, as of first thing this morning, I have received an email with an evil .pif file (thankfully automatically deleted by my company's email server). I know where the mails are coming from, and have contacted the abuse@[nameofispdeleted] address with the details.
As of this writing, I have received no reply, the emails are still coming, the user's account is still active, and I don't even know if they got my email, as there is no mention of an abuse department or a means of contacting them on their web site (this is a HUGE corporate ISP, too) -- abuse@[nameofispdeleted] was just my first best guess.
So, let's be honest -- if a big, well-staffed company like this isn't going to respond to a personal request to stop a one-man-virus-festival, automated emails will most likely be ignored, too.
The coolest part of the autoreplies is when a virus spoofs your employee's address, the autoreply complains to them... and includes a copy of the virus with it! Self-fulfilling prophecy!
I have a similar problem but in this case it is because of spam mail. Some spammer sends spam and puts in the From: the address of some other victim. Then the reply from the spam filter arrives to someone who did not send the mail. I have received several mails lately from Yahoo indicating that my email could not be delivered to several users that don't exist anymore, attached is a spam mail which I didn't send. I contacted yahoo but their support is awful.
How can one protect from this?
How do you know where the e-mails are coming from since the addresses are spoofed?
I am in the same boat you are; I think I received about 50 bounce messages today at work, but maybe one or two copies of the Sobig Trojan. Just tonight I received two copies of the Trojan in my home mail account out of 24 new messages.
That's the same number of Nigerian money laundering scam emails I received! I had one erroneous bounce tonight.
Until IPv6 is implemented you will never be able to ID and prosecute the people who generate these types of attacks/viruses/worms/etc.
Anything short of IPv6 is simply silly symptom slaying -- as pointless as it is fruitless as it is less-than-effective.
As was discovered in the "old" BBS days: anonymity is an unnecessary evil: Make folks ID themselves properly and most of your problems (in that regard) go away.
As far as I am aware, mailscanner (http://mailscanner.info/) has a list of viruses it quietly deletes, and notifies for other viruses. Wouldn't it make sense to spread this usage to other antivirus platforms? i.e. to reserve the reporting of viruses for viruses whose origin can be predicted with some confidence?
They're nothing but spam promoting a hackneyed fix to a broken security model. Virus scanners aren't the right answer, switching OS's is. Just treat them as spam.
I mean if their autoresponder is working overtime you'd think they would notice and shut it down for a while.
Otherwise they are contributing to the problem.
I am getting more unwanted 'virus notifications' from this virus than any spam to date.
Here's my question:
Why doesn't a spammer use these auto-notify ISP (like AOL) and send spam that way?
ie. I send my advert (with known virus attached) with faked header
To: whocares@aol.com
From: victim@real.address.com
The victim reads the email because (a) it is a legit email and (b) looks important.
They win the pleasure of reading -- bounced adverts.
Please stop doing this!!!
PLEASE!!
Seriously. All it does is spam unaffected individuals, considering that in the post Klez days, all e-mail viruses spoof the sending address, clogging up e-mail servers and causing more annoyances than spam!
When you start getting these, you can get at least 200 a day. It's not a good thing.
I also tried to contact the ISP to get one user whose infected computer was sending love messages every 10 mins to my email.
Looks like too many people are sending in notifications.
Check out this bounced email error:
host mx11.mindspring.com[207.69.200.82] said:
554 Quota violation for junkmail@mindspring.com
Sobig greets the other server with the netbios name of the infected computer. This does not conform to rfc2821 which requires a fully qualified domain name. My mailserver does not accept connections from hosts that do not properly identify themselves as the RFC requires. Haven't seen a single Sobig here - the server rejected them all.
Now bounced messages from other mailservers...that's another issue.
If mail admins simply set their servers to require FQDN greetings then Sobig would be stopped dead. By rejecting the message my mailserver expects the connecting MTA to generate any necessary bounce which Sobig, of course, does not do. No delivery. No bounce messages. No problem.
So how about it all you mail admins out there. How about demanding a bit of RFC compliance from connecting MTAs. Perhaps this virus will provide the moral authority you need to tighten up your servers.
There is absolutely no excuse for this after the publicity this trojan has been given. If nothing else, the AV software should be programmed to skip the sending of these emails if it's known the addresses are spoofed. Very simple:
Yeah, I like Pascal, so shoot me.
To date, I've gotten ZERO SoBig or other new and currently hot viruses/trojans. On the other hand I have gotten no less than 8 bogus bounce messages (averaging 50 percent AOL related) every 30-40 minutes.
I don't know what's worse: the actual messages that we are getting, or having to explain to scared, confused, or otherwise ignorant users why they keep getting messages regarding e-mails they never sent. I really wonder...
Which consumes more time, cleaning an infected user's computer? Or explaining to a user (so that they understand) why they continue to get this "new" spam?
These are absolutely useless as you can't figure out what machine originally sent out the message without the full Received headers. I've not seen one virus auto-responder include the full Received headers. The right thing to do would be to include the entire message as an RFC 2047 MIME attachment.
My reasoning is that these auto-reply messages occasionally get to the right person: namely, me. I then look at the infected IP address and if it's one of ours, send someone out to fix it. This is what I do for messages that get sent to undeliverable addresses where the remote site sends a bounce containing the full original message. A lot of these end up coming to one of my addresses since my addresses are widely advertised within our organization and are likely in many people's web cache and address books.
Past this, I don't see any reason for the auto-replies. They'll never get back to the person whose machine was infected, but they might get to me. It's easier to find out about the problem from some bounce and fix it immediately than it is to have some end-user from some other organization complain to you and then having to explain to this person how to send a message containing full headers (which is actually difficult and non-intuitive in most Windows MUAs).
I manage the catch-all computer account for my University's domain (help@, postmaster@, root@, abuse@, webmaster@, etc). Since Monday we've been getting 50-100 of these damn virus scanner replies per hour, as well as questions from many users asking who the hell sent this from their account? Its annoying, frustrating, and a complete waste of time and bandwidth. Our mail server virus scanners will only reply to the *to:* address of an infected message to let them know it was cleaned/deleted, as it should be.
Makes me wonder... the antivirus companies are knowingly and willfully causing a DDoS of spam to our accounts. Can they be sued at $50/message for that?
My numbers in the last 24 hours:
2018 Sobig.F-infected messages. ClamAV+Amavis recognized all of them and sent them straight to the Spam.SobigF folder. I never even saw them. Beautiful.
On the other hand, I've had to wade through and delete 100+ erroneous messages telling me that I sent out a virus infected mail. The hell I did. I'm being buried in these warnings and -- because there's no standard way of generating warnings -- I can't filter them!
So, yeah, if you're sending virus warnings for inbound mail, you're essentially spamming people. ME. Cut it out. Only send virus warnings to your internal users if at all.
Thank you.
I used to work at the local electronics retailer doing computer upgrades/repairs. Customers would bring in their computers and pay $40 to get rid of a nasty virus that had infected their computer. After checking their system and doing a full virus scan many times the system would come up clean. Customers would get these e-mails and with good reason, think that they had a virus on their system. Of course, when they do their virus scan and it comes up clean they panic because they still receive the messages daily. I remember many occasions where I stood behind the counter or on the phone for a good twenty minutes to a half hour trying to explain why they were getting e-mails telling them they had a virus when they really didn't. Many of the conversations ended with the customer still clueless. I was never surprised either. This was one of the many dreadful things about working at this place. I'm glad I found a real job. :-P
pat o.
Recently, in the past few days, I've especially been getting pounded with virus bounces, virus emails, and virus notices. I really don't care. I automatically delete all of those along with all spam that gets past my filters. Then, I get right on to working. I'm sure many people are the same. Heck, I'm using pine on a remote Linux machine to check my mail. There's no way that my home machine can possibly even be infected. Furthermore, as the post suggests, the headers are usually forged these days anyway. It's really quite pointless to reply to the "sender" of the virus. I personally think it's best to turn off the auto-responders. I feel like it's really treated more like spam and not as a useful tool.
Parent needs to be modded UP. I suppose the original intent was benevolent, as it would be a useful service if only the message could be bounced to the actual infectee, not an innocent third party.
I guess one can argue that these misdirected bounce messages qualify as spam, except they are not mass-mailed (as the AV software makers would claim), they're supposedly "targeted". However, they are incontrovertible evidence of bugs in the AV software that generates them, and as such could be forwarded to the software vendor, wrapped in short and informative bug reports.
My point was that they should err on the side of caution, and only send responses to email addresses that looked fairly legit. Yes, some people have legit addresses going through different routes. Great for them. But they wouldn't get a response if they're sending out infected email.
I'd be happy to help in this, but I'm not entirely sure how to do this in exim4.
Here's what we need:
...
A very * SIMPLE * to understand guide on the web:
"Idiots guide to email viruses that used a spoofed From: field"
This way, we can kindly send the URL to this guide to the mail admins who have not yet shut off the fscking auto-responders!
The problem I'm facing is explaining to the admins that I *REALLY* do not have a virus on my computer and that it is a SPOOFED "From:" address!
Optimally, this guide should have (again VERY simple) language-neutral diagrams which explain the process CLEARLY, sort of like those guides you get on the airlines which explain what to do in the case of an emergency.
I got home tonight, and my mailbox was 174% full, and I'm very upset that a good sizeable amount of that is these brain-dead autoresponders.
Even though I disagree with the statement about anonymity, I do agree with this post's second part: As was discovered in the "old" BBS days: anonymity is an unnecessary evil: Make folks ID themselves properly and most of your problems (in that regard) go away.
Check the relay domains in the message headers.
If they don't match the 'From:' domain, don't bother with the autoresponder.
That way a from of "foo@foo.com" and a relay header of "mailserver.bar.com" is pretty likely a spoofed address.
Caveat: I've not received the new variant of the SoBig virus yet, so I can't tell about the headers.
The procmail scanner / html sanitiser I have installed from impsec.org does this automatically (and weeds out a lot of that obnoxious html crap as well).
There is a lot of hype here.
I've had quite a few bounces where the spoofed address has been mine but remarkably few actual copies of the virus hitting my antivirus, and the bounces are if anything more annoying, as at least the viruses themselves are dealt with. I know quite a few people who could quite possibly be infected (but live sufficiently far away that I can't check myself) and there is a limit to how much instruction they can be given (they've been provided with the URLs to the relevant Symantec pages).
Tim
The virus checker should verify if the virus spoofs from addresses.
If not, send a warning to the 'from' address.
Otherwise, check the first "received" header and use whois to find the admin of that IP range and notify him/her.
Also, we're in desperate need of an RFC for returned mail messages so they could be easily filtered.
My domain mailservers have been overwhelmed the last few days with bounces from the sobig worm. All those obsolete and fucking annoying auto-replies are being generated because someone with a windoze infected PC has my email in their address book, more like several hundred people, clients, losers, friends, etc.
With several M$ worms now spoofing the From: header, its time to target anyone who still uses an AV scanner which sends out auto-replies. Treat them like spammers, complain to their upstream ISPs about violating their AUPs, contact their legal department and threaten legal action, or just blackhole them. When their clueless admins and legal department finally turn off that stupid auto-responder, then they can be let back on the internet.
I'm just a little bitter because this morning I had over 30,000 messages from anti-virus scanners telling me someone with a windoze virus had sent them an infected email, often dozens of times per minute. There were a few hundred in my inbox which required 30 minutes of my time to write some new filter rules. Since I deleted those bounces about 2 hours ago, I have received another 2000, in the same time 4717 copies of sobig.f (and 4 klez) caught by Amavis. My MRTG graphs look like my domain has been fairly active the last few days, roughly 20-40 Kbps, and almost all of that traffic is due to lack of security in M$ products (pings, copies of worms, auto-responder shit, blaster probes).
the AC
Hemos is like... sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on
Considering I submitted the thing 48 hours before the mods finally approved it... F* you AC.
...with bogus "bounced mail" messages, I'd say, yes, it's time for a change.
I've yet to receive Sobig.F in a direct mail from another person (i.e. the people who send me email apparently have clean systems).
But I've now received between fifty and a hundred copies of the Sobig.F, all in bounce messages from servers. So apparently I've sent email a lot of people who a) have the Sobig.F virus, and b) have a lot of bad email addresses in their address books.
Each of these messages is about 100K in size. That can fill up a mailbox quickly.
But why should any server include the attachments when they bounce a message. Why? Why? Even in the absense of viruses, all I need to know is enough to identify the message that didn't get through.
Sure, they probably mean well but if you have no brains and mean well, you are most likely part of the problem.
:->
A few of these dumbo servers even sent me the virus attachment, thinking it was sending it back.
So not only are they creating a huge extra load and therewith helping the virus create havoc, they are also helping it distribute!!!.
How dumb can you get?
Just imagine this doom scenario:
Two such servers have the same moronic settings/programs and start sending each other's attachments back
Server FIGHT!!!
Who knows, it might already be happening. But who would know about it?
Thank you virus writers for showing us the error of their ways..
Thank you God for creating these numb skulls so we can rant about them..
Sadly, they learn slowly.
It is our civic duty to educate the people, or someday one lonely person will find himself standing on the ruins of what once was our world saying "So, I guess that was a wrong thing to do then?"
Really, if there were a way to run MailScanner (e.g.) straight out of Sendmail (e.g.), instead of after Sendmail is done with it, we could give an error to the person who actually sent the mail during SMTP, instead of having something down the line try to send errors to whatever might be in the From: header.
I'm not sure which if any MTA's have hooks for this (though I suspect the answer is Postfix) but SoBig, Klez, et. al., have proven that doing it in the MDA is a flawed model.
The companies that make virus scanners have detailed definitions of each virus. They need to include in that a flag "spoofs from address". If it does, sending autoreplies only adds to the problem, if not, returning a message to the sender is probably ok. They are just too lazy to add a flag to the definitions they send out, and put a simple "if()" around the mail code. It's stupid.
Incidentally, anything that bounces a message should return the entire message header. Most of these mail bounces don't return enough info to identify the real source.
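Several posts in this thread converge on the same two rules for an autoresponder: never reply when the detected worm family is one that forges the From: address (the "spoofs from address" flag above, and the sobig*/Klez/Yaha/Bugbear exclusion list lower down), and otherwise only reply when the relay path recorded in the Received: headers is consistent with the From: domain (the "check the relay domains" suggestion earlier). The following is an added example, written for this page and not taken from any post or product; the worm list, the Postfix-style "from helo (rdns [ip])" Received: format and both sample messages are constructed assumptions. It also returns the connecting IP, which is the one fact a notification would need to carry to be useful to the admin of the infected network.

```python
"""Decide whether a virus-scanner autoreply is safe to send (added example)."""
import email
import email.utils
import re

# Assumption: worm families the thread says forge the From: address.
# A real deployment would take this flag from the scanner's definitions.
SPOOFING_WORMS = {"sobig", "klez", "yaha", "bugbear", "braid", "winevar"}

# "from <helo> (<rdns> [<ip>])" as Postfix and Sendmail write it (assumed format)
RECEIVED_FROM = re.compile(r"\bfrom\s+(\S+)(?:\s*\(([^)]*)\))?", re.I)
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def worm_spoofs_sender(virus_name):
    """True if any token of the scanner's virus name is a known spoofing family."""
    tokens = set(re.split(r"[^a-z0-9]+", virus_name.lower()))
    return bool(tokens & SPOOFING_WORMS)


def first_hop(msg):
    """Return (hostname, ip) of the client that handed the message to our MX.

    Assumes the scanner runs on our own MX, so the topmost Received: header is
    the one our MTA wrote. That is the only Received: line we can trust: every
    line below it arrived inside the message and may itself be forged.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    m = RECEIVED_FROM.search(received[0].replace("\n", " "))
    if not m:
        return None, None
    helo, paren = m.group(1), m.group(2) or ""
    ipm = IP_IN_BRACKETS.search(paren)
    ip = ipm.group(1) if ipm else None
    rdns = paren.split()[0] if paren and not paren.startswith("[") else ""
    host = rdns if rdns and rdns.lower() != "unknown" else helo
    return host, ip


def from_domain(msg):
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def host_in_domain(host, domain):
    host = (host or "").lower().rstrip(".")
    return bool(domain) and (host == domain or host.endswith("." + domain))


def should_autoreply(msg, virus_name):
    """Return (ok_to_reply, reason, originating_ip).

    The relay check is only a heuristic: legitimate mail relayed through a
    third-party smarthost fails it. That is the right failure mode here,
    because a missing notice is harmless and a misdirected one is spam.
    """
    host, ip = first_hop(msg)
    if worm_spoofs_sender(virus_name):
        return False, "worm family is known to forge From:", ip
    if not host_in_domain(host, from_domain(msg)):
        return False, "connecting host is not in the From: domain", ip
    return True, "relay path is consistent with From:", ip


def decide(raw_message, virus_name):
    return should_autoreply(email.message_from_string(raw_message), virus_name)


# Constructed sample: worm greets with a bare NetBIOS name from a dial-up,
# From: is a harvested third-party address (addresses are documentation ranges).
SOBIG_LIKE = """Received: from WORKSTATION1 (dsl-192-0-2-10.isp.example [192.0.2.10])
\tby mx.example.org (Postfix) with SMTP id 1234
\tfor <bob@example.org>; Thu, 21 Aug 2003 10:00:00 -0400
From: victim@example.com
To: bob@example.org
Subject: Re: Details

See the attached file for details.
"""

# Constructed sample: the sending domain's own mail server delivered it.
LEGIT = """Received: from mail.example.net (mail.example.net [198.51.100.5])
\tby mx.example.org (Postfix) with ESMTP id 5678
\tfor <bob@example.org>; Thu, 21 Aug 2003 10:05:00 -0400
From: Alice <alice@example.net>
To: bob@example.org
Subject: test file

Attached is the EICAR test string.
"""

if __name__ == "__main__":
    for raw, name in ((SOBIG_LIKE, "W32/Sobig.F@mm"), (LEGIT, "Eicar-Test-Signature")):
        print(name, "->", decide(raw, name))
```

Run it stand-alone and the Sobig-like message is refused on the family flag alone (with 192.0.2.10 returned as the host to report to the ISP), while the message that came from the From: domain's own server is allowed a reply. Note that if the flag lookup were removed, the Sobig-like message would still be refused, because a dial-up host in isp.example is not in example.com.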
Whatever they're running on the SMTP server side at my ISP seems to be doing appropriate things. I can't tell whose software it is, they may prefer to keep it obscure.
When it finds anything (and it caught all of the Sobig.F stuff) I get a notice email with subject like:
Is there any practical difference between an open relay box that spams you and a virus-compromised box that sends you viruses plus potentially future spam from the compromise?
Should virus-compromised machines that send out undesired emails be RBL'ed like open relays?
In addition to generating tons of traffic that nobody pays attention to, it has the effect of panicking those users who don't understand what the virus is about.
A relative of mine uses AOL on a Macintosh. There is no way his system can be infected with Sobig, but I had to spend nearly a half hour explaining it to him. He kept on pointing to the "your system has a virus" messages in his mailbox as proof that he is infected and that he needs a better virus scanner (because the one he has doesn't say he has it.)
The majority of computer users are like this relative, not like you and me.
Past this, I don't see any reason for the auto-replies.
I've considered the possibility that, even though most modern viruses spoof the from: address, there is some marketing value in saying that Norton AntiVirus Super Gate 5000 found a virus in your message.
After all, Norton says that you sent a virus. Maybe Norton knows something that you don't, huh? Maybe you ought to go out there and buy a copy of Norton AntiVirus yourself just to be sure you're protected. After all, Norton catches all these other viruses, so it must be good, right?
I wouldn't put it past the marketing department to consider something like that.
As an admin of a domain that usually receives about 10K mail a day, and with the sobig outbreak nearing 200000K emails/day, I would say that I can collect a very nice collection of email addresses that I got virus notifications from (since the sender address is forged to one of my domain) by looking at the logs, and if I was a malicious person, I could use that to spam them, or worse.
The virus notifications disclose your private email address, without telling you about that. This should be the button to push at the antivirus vendors and users so they would disable these notifications
Just treat [virus infected emails] as spam [spamcop.net].
This is against SpamCop's rules, which forbid use of the reporting service on "virus infected emails ... regardless of whether you know the originating party or not."
I've had to allow unresolvable FQDNs in the HELO, because a few of the companies that my employer deals with have morons in their IT department. Those morons have managed to configure mail servers using *internal* names that don't resolve outside of their network.
Then allow only addresses that either 1. are a FQDN or 2. are one of the servers managed by morons working for companies that your employer deals with.
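The HELO rule proposed earlier in the thread (reject any client whose greeting is not a fully qualified domain name or an address literal, so a worm that greets with a bare NetBIOS name is refused before any message exists that could need a bounce) and the objection just above it (partner companies whose servers greet with internal names) fit naturally into one check. Here it is as an added example, written for this page rather than taken from any MTA or post; the allow-list mechanism, the rejection text and the sample greetings are assumptions.

```python
"""Validate an SMTP HELO/EHLO argument the way an MTA front end would (added example)."""
import ipaddress
import re

# One DNS label: 1-63 chars of letters, digits, hyphens; no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """Fully qualified: at least two valid labels, and not a bare dotted IP.

    A bare IP is rejected on purpose: RFC 2821 wants an address literal in
    brackets, and a bare IP is a common sign of a client that is not an MTA.
    """
    name = name.rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or len(name) > 255:
        return False
    return all(LABEL.match(label) for label in labels) and not labels[-1].isdigit()


def is_address_literal(arg):
    """[198.51.100.5] or [IPv6:2001:db8::1] per RFC 2821 address-literal syntax."""
    if not (arg.startswith("[") and arg.endswith("]")):
        return False
    inner = arg[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    try:
        ipaddress.ip_address(inner)
    except ValueError:
        return False
    return True


def helo_decision(helo_arg, client_ip, allow_list=frozenset()):
    """Return ("accept"|"reject", reason) for one greeting.

    allow_list is the concession to partners with misconfigured servers: keyed
    by the peer's IP, not by the bogus name, so a worm on a random dial-up
    cannot earn the exemption by guessing the same internal hostname.
    """
    if client_ip in allow_list:
        return "accept", "peer is on the partner allow-list"
    if is_address_literal(helo_arg):
        return "accept", "address literal"
    if is_fqdn(helo_arg):
        return "accept", "fully qualified hostname"
    return "reject", ("504 5.5.2 <%s>: Helo command rejected: "
                      "need fully-qualified hostname" % helo_arg)


# Constructed greetings (documentation IP ranges); the last is the "partner
# with morons in IT" case from the reply above.
SAMPLE_GREETINGS = [
    ("WORKSTATION1", "192.0.2.10"),
    ("mail.example.net", "198.51.100.5"),
    ("[198.51.100.5]", "198.51.100.5"),
    ("198.51.100.5", "198.51.100.5"),
    ("exchange01", "203.0.113.7"),
]
PARTNER_PEERS = frozenset({"203.0.113.7"})

if __name__ == "__main__":
    for helo, ip in SAMPLE_GREETINGS:
        print(helo.ljust(18), ip.ljust(14), helo_decision(helo, ip, PARTNER_PEERS))
```

Because the refusal happens at the HELO stage, the connecting client never gets to DATA, so there is no message for the receiving side to scan, notify about, or bounce; whether a worm retries is its own problem, which is the point the original poster makes. The cost is the one the reply names: any legitimate peer that greets with an unqualified internal name is refused until its IP is added to the allow-list.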
1) Exchange virus scanner plugins have GOT to stop blindly sending replies to whatever email address the message loosely appears to come from. This is absurd - viruses that forge email addresses have been the NORM for what, 2? 3 years now?
2) Why can't someone write a virus that DESTROYS Outlook address books and turns off Auto-Learn, so that all the future viruses only have about 1% of the number of potential victims as current viruses?
I have postfix rejected 16,000 viruses a day, and 500-600 "You have a virus" emails, but I still get several hundred "You have a virus" mails per day that sneak by the filters because of unique subjects, content, etc.
You can actually submit a virus message, get the actual ISP details from it, and not submit the mail. As long as you don't do this for every damn virus email you receive it can be useful.
Long before Sobig.F hit the net, I configured our mailscanners to skip sending autoreplies to senders of sobig* virii (the asterisk being a wildcard to catch all variants). I also don't autoreply to Klez, Yaha, Bugbear, Braid-A, or WinEvar since they all forge their source mail addresses.
Think about it; Linux can be misconfigured to do bad things (tm) - is this a reason to stop using it? No, it's a reason to identify those who can configure it properly and put them in charge of doing so. It's also a reason to have someone conscientious on the payroll - hiring consultants to configure services that represent security risks is just asking for a reaming.
Same thing with virus scanners. It is appropriate to autorespond to certain virii, and not to others. A more appropriate question might have been "should antivirus products identify mail-spoofing virii in their API?" or "should virus scanners default to not auto-responding, and require additional configuration to implement this feature?".
+ Yes I used the word virii on purpose. I like the distinction between computer virii and biological viruses because it is useful in my work. And I don't give a damn about latin declensions or Tom Christiansen's opinion on the matter.
I set up a block filter using the methods described here. It doesn't tell me how to turn off the autoreply... I just want to filter the messages. Lemme know!