Virus Scanner Auto-Replies - A Good Thing or Obsolete?
Moryath writes "Used to be, everyone put an auto-responder in their email server's virus scanner. That way, some dingus sends in a virus, you're protected, and they get notified so they scan and fix their system. Of course, all these stupid things ever do is reply to the From: field, and possibly to Abuse@domain, webmaster@domain, etc... as well. Enter viruses like Sobig. We've had them for years in various forms, they spoof the From: field with another email from another victim's contact book, and all of a sudden random people are getting bounces of emails they've never sent. I have actually gotten more bounces today than actual Sobig attachments. So what does the Slashdot crowd think? Is it time for the people running these mail servers to take down those autoresponders? Are they guilty for part of the damage things like SoBig have caused, since their ill-configured mail servers are doubling, tripling, or even quadrupling the amount of traffic one Sobig infection produces?"
If you aren't smart enough to automate the replies intelligently (based on whether the worm type spoofs emails, for example) then don't send anything. Simple as that. Use it right, or don't use it at all.
To those who admin Windows networks... Please put an exit filter for TCP port 25 on your firewall so only your mail server can send SMTP and not infected workstations.
I've been getting tons of bounces and antivirus messages that are a result of someone else with my e-mail address having the virus. Of course, the whole e-mail infrastructure is obsolete: What do you mean someone else can easily send an e-mail as me! Perhaps if they fixed that however antivirus messages would once again be useful. Could someone with modpoints please mod up my post two posts earlier that erroneously got modded 'Troll'?
I doubt these email replies are doing any good at all.
Case in point: every twenty minutes, as of first thing this morning, I have received an email with an evil .pif file (thankfully automatically deleted by my company's email server). I know where the mails are coming from, and have contacted the abuse@[nameofispdeleted] address with the details.
As of this writing, I have received no reply, the emails are still coming, the user's account is still active, and I don't even know if they got my email, as there is no mention of an abuse department or a means of contacting them on their web site (this is a HUGE corporate ISP, too) -- abuse@[nameofispdeleted] was just my first best guess.
So, let's be honest -- if a big, well-staffed company like this isn't going to respond to a personal request to stop a one-man-virus-festival, automated emails will most likely be ignored, too.
Until IPv6 is implemented you will never be able to ID and prosecute the people who generate these types of attacks/viruses/worms/etc.
Anything short of IPv6 is simply silly symptom slaying -- as pointless as it is fruitless as it is less-than-effective.
As was discovered in the "old" BBS days: anonymity is an unnecessary evil: Make folks ID themselves properly and most of your problems (in that regard) go away.
Everything in the Universe sucks: It's the law!
But that doesn't work either. I use a pobox.com mail forwarding address. My outgoing mail never has their servers in the headers, but it is a legit "From:" line, and mail delivered there does make it back to me.
On the other hand, for the last company I worked at there were a number of mail aliases for directing mail to different teams or departments. Some of these were easy to guess, others were pretty obscure. None of them were, as far as I know, ever used as the From: line on an outgoing email: of the handful of people that knew how to munge their mail headers to spoof this, I can't picture anyone bothering to do this.
Nonetheless, all of these mail aliases got a steady stream of spam, and as far as I could tell, they must have been in somebody's Outlook address book, because we'd regularly get "helpful" messages like:
But the thing is, we weren't an Outlook company, so [a] there was no question that it was someone internal that had the virus, and [b] there was almost no possibility that one of these internal addresses should have been out in the public unless an employee deliberately forwarded something (which, I suppose, must be exactly what happened).
In any case, the point is, spoofing the From: line is trivial if you have the right tools, and determining if a spoofed address is legit is impossible without manual verification by sending a message to the recipient. My pobox.com address is legit, but may not appear to be so; allstaff@widgets.com is probably never legit, but it doesn't look any different than the pobox.com address.
Moreover, covering your tracks is easy -- just choose a random From: line and tack on some random Received: headers to make it appear as if the message really did come from where it claims. Such a message might be detectable by a human scanning the headers, but the whole "store & forward" architecture of the internet mail system demands that each receiving server has to trust what another host claims about prior headers -- so the whole system is vulnerable to anybody running a maliciously configured server.
So to give my opinion on the original article's question, no, I don't think auto-responses for mail viruses make sense anymore. The current wave has generated at least as much bandwidth waste from the "helpful" replies as from the virus itself -- as anyone on a gnu.org mailing list (to pick a random example) would have noticed lately. (Really, of all people to be feeling the side effects of a Windows issue -- GNU.org?)
It might arguably be okay to send mail to abuse@..., etc, but even then, [a] the spoofing problem is still there, so you don't know which of the Received: lines is legit, and [b] contacting these addresses won't necessarily do any good. Most of the people propagating the current worm seem to be home users, and so are connected via one or another ISP; what ISP is going to take on the tech support expense of walking all their users through how to patch their systems? Few, if any, have the resources to do this.
For better or worse, the only solution I see is mandatory updates from the software vendor. As long as people continue to use Outlook but refuse to update it, the proposal from Microsoft to possibly force home users to install patches is the only solution I can think of that seems to have any chance of helping. It'll be interesting to see if & how they do that.
DO NOT LEAVE IT IS NOT REAL
Makes me wonder... the antivirus companies are knowingly and willfully causing a DDoS of spam to our accounts. Can they be sued at $50/message for that?
Until the next one figures out to use the RFC.
That's not a long-term answer.
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
Really, if there were a way to run MailScanner (e.g.) straight out of Sendmail (e.g.), instead of after Sendmail is done with it, we could give an error to the person who actually sent the mail during SMTP, instead of having something down the line try to send errors to whatever might be in the From: header.
I'm not sure which, if any, MTAs have hooks for this (though I suspect the answer is Postfix), but SoBig, Klez, et al. have proven that doing it in the MDA is a flawed model.
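The model the post above asks for does exist: Postfix's smtpd_proxy_filter runs a content filter before the message is queued, and both Postfix and Sendmail expose the milter interface, which can reject during DATA. What follows is an added example, not code from the thread or from any of those projects, showing the decision such a before-queue filter makes for a Sobig-style message: return 550 to the connected host at the end of DATA, so nothing is queued and no bounce is ever addressed to the forged From:. The executable-extension list and the sample message are assumptions of the example.

```python
# Added example: before-queue (SMTP-time) verdict for a worm attachment.
# Not from the thread; the extension list and sample message are assumed.
import email
import posixpath
from email import policy
from email.message import EmailMessage

# Extensions Sobig/Klez-era worms shipped their payload under (assumed list).
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}


def dangerous_attachments(msg: EmailMessage) -> list:
    """Filenames of leaf parts whose extension is on the executable list."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name and posixpath.splitext(name.strip().lower())[1] in EXECUTABLE_EXTENSIONS:
            found.append(name)
    return found


def smtp_data_verdict(raw: bytes) -> tuple:
    """Reply to give at the end of DATA: (code, enhanced status, text).

    A 5xx here goes back to whatever is actually connected, whether a relaying
    MTA or an infected workstation speaking SMTP itself. The message is never
    queued, so the forged From: address never receives a bounce."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    bad = dangerous_attachments(msg)
    if bad:
        return (550, "5.7.1", "Executable attachment not allowed: " + ", ".join(bad))
    return (250, "2.0.0", "Ok: queued")


def legacy_autoreply_target(raw: bytes) -> str:
    """Where the after-queue scanners in this thread send their notice: the
    From: header, which Sobig fills from some other victim's address book."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return str(msg["From"])


def sample_message(attachment_name=None) -> bytes:
    """Constructed test message; From: is a forged third party, as with Sobig."""
    msg = EmailMessage()
    msg["From"] = "innocent@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Re: Your details"
    msg.set_content("See the attached file.")
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00 not a real executable",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    worm = sample_message("your_details.pif")
    print("SMTP-time verdict:", smtp_data_verdict(worm))
    print("Legacy scanner would have mailed:", legacy_autoreply_target(worm))
```

Wired into a before-queue hook, the 550 is the sending side's problem; a scanner running after the MTA has already accepted the message can only choose whom to bounce to, and for a spoofing worm every choice is wrong.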
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Incidentally, anything that bounces a message should return the entire message header. Most of these mail bounces don't return enough info to identify the real source.
1) Exchange virus scanner plugins have GOT to stop blindly sending replies to whatever email address the message loosely appears to come from. This is absurd - viruses that forge email addresses have been the NORM for what, 2? 3 years now?
2) Why can't someone write a virus that DESTROYS Outlook address books and turns off Auto-Learn, so that all the future viruses only have about 1% of the number of potential victims as current viruses?
I have Postfix rejecting 16,000 viruses a day, and 500-600 "You have a virus" emails, but I still get several hundred "You have a virus" mails per day that sneak by the filters because of unique subjects, content, etc.
Long before Sobig.F hit the net, I configured our mailscanners to skip sending autoreplies to senders of sobig* virii (the asterisk being a wildcard to catch all variants). I also don't autoreply to Klez, Yaha, Bugbear, Braid-A, or WinEvar since they all forge their source mail addresses.
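As an added example, not code from the thread or from MailScanner, here is the notification policy the post above describes, with two refinements earlier posters asked for: the "sobig*" wildcard list decides whether From: gets a reply at all, the only Received: header trusted is the topmost one (written by our own MTA from the TCP connection, the one hop nobody upstream could forge), and the full header block is carried along so an abuse desk can trace the real origin. The spoofer list, the Received: regex and the sample message are assumptions of the example.

```python
# Added example: who, if anyone, gets the "you sent a virus" notice.
# Not from the thread; spoofer list, regex and sample message are assumed.
import email
import fnmatch
import re
from typing import Optional, Tuple

# Worms known to forge From:, in the "sobig*" wildcard style of the post above.
SPOOFING_WORMS = ["sobig*", "klez*", "yaha*", "bugbear*", "braid*", "winevar*"]

# Matches "from <helo-name> (<rdns> [<ip>])" as most MTAs write a Received: line.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\([^)]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_spoofing_worm(name: str) -> bool:
    """Case-insensitive wildcard match of the scanner's worm name."""
    return any(fnmatch.fnmatch(name.lower(), p) for p in SPOOFING_WORMS)


def connecting_client(msg) -> Optional[Tuple[str, str]]:
    """(helo_name, ip) from the topmost Received: header.

    Our MTA wrote that header from the live connection, so it is the only
    hop we do not take on trust; every Received: line below it is just text
    the sender (or a worm) chose to include."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_FROM.search(received[0])
    return (m.group(1), m.group(2)) if m else None


def notification_plan(raw: bytes, worm_name: str) -> dict:
    """Decide the targets of the notice for one detected message."""
    msg = email.message_from_bytes(raw)
    client = connecting_client(msg)
    return {
        # Reply to From: only for worms that do not forge it.
        "notify_sender": None if is_spoofing_worm(worm_name) else msg["From"],
        # The connecting IP is the one fact an abuse desk can act on.
        "report_ip": client[1] if client else None,
        # Whole header block, so the recipient can trace the real source.
        "headers": "".join("%s: %s\n" % (k, v) for k, v in msg.items()),
    }


# Constructed sample: Sobig-style message whose From: and lower Received:
# line are forged; only the top Received: (added by our MTA) is real.
SAMPLE = b"""\
Received: from pc123.dsl.example.net (pc123.dsl.example.net [203.0.113.45])
\tby mx.example.com (Postfix) with SMTP id 4F1A2B3C
\tfor <user@example.com>; Tue, 19 Aug 2003 10:12:01 -0400
Received: from mail.example.org ([198.51.100.7]) by smtp.example.org
\twith ESMTP id 7; Tue, 19 Aug 2003 10:11:00 -0400
From: victim@example.org
To: user@example.com
Subject: Re: Details
Content-Type: text/plain

see attached
"""

if __name__ == "__main__":
    for worm in ("Sobig.F", "HypotheticalWorm"):
        plan = notification_plan(SAMPLE, worm)
        print(worm, "-> notify sender:", plan["notify_sender"],
              "| report IP:", plan["report_ip"])
```

For Sobig.F the plan sends nothing to victim@example.org and points at 203.0.113.45, the address that actually delivered the worm; the forged 198.51.100.7 line never enters the decision. Defaulting the whole feature to off, and requiring this kind of list to turn it on, is the configuration change the next post argues for.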
Think about it; Linux can be misconfigured to do bad things (tm) - is this a reason to stop using it? No, it's a reason to identify those who can configure it properly and put them in charge of doing so. It's also a reason to have someone conscientious on the payroll - hiring consultants to configure services that represent security risks is just asking for a reaming.
Same thing with virus scanners. It is appropriate to autorespond to certain virii, and not to others. A more appropriate question might have been "should antivirus products identify mail-spoofing virii in their API?" or "should virus scanners default to not auto-responding, and require additional configuration to implement this feature?".
+ Yes I used the word virii on purpose. I like the distinction between computer virii and biological viruses because it is useful in my work. And I don't give a damn about latin declensions or Tom Christiansen's opinion on the matter.