

Virus Scanner Auto-Replies - A Good Thing or Obsolete?

Moryath writes "Used to be, everyone put an auto-responder in their email server's virus scanner. That way, some dingus sends in a virus, you're protected, and they get notified so they scan and fix their system. Of course, all these stupid things ever do is reply to the From: field, and possibly to Abuse@domain, webmaster@domain, etc... as well. Enter viruses like Sobig. We've had them for years in various forms, they spoof the From: field with another email from another victim's contact book, and all of a sudden random people are getting bounces of emails they've never sent. I have actually gotten more bounces today than actual Sobig attachments. So what does the Slashdot crowd think? Is it time for the people running these mail servers to take down those autoresponders? Are they guilty for part of the damage things like SoBig have caused, since their ill-configured mail servers are doubling, tripling, or even quadrupling the amount of traffic one Sobig infection produces?"

13 of 123 comments

  1. It is ridiculous to send these notices by Dancin_Santa · · Score: 3, Interesting

    There is no tangible benefit to having these notices. The user receiving the notice either knows what it means or doesn't know what it means and either way receiving the notice wouldn't change their behavior regardless.

    Now that my Inbox is overflowing and my ISP's mail server is rejecting emails because I'm over the account size limit, I'm a little more wary of these supposed "user friendly" helping hands that virus scanner companies are building into their products.

    1. Re:It is ridiculous to send these notices by Gudlyf · · Score: 3, Interesting

      What's been really making my life hell at work is when our "info@..." mail alias gets used as a spoofed return address. Our CEO is on this list, and of course he panics thinking someone in our company sent out a virus. Then he wants me to show him how I know for sure it's not us. *sigh*

      Luckily my direct boss, the VP, doesn't let him pull that kind of crap often, and puts him in his place.

      --
      Trolls lurk everywhere. Mod them down.
  2. In the RFC lies the answer by linuxwrangler · · Score: 4, Interesting

    Sobig greets the other server with the netbios name of the infected computer. This does not conform to rfc2821 which requires a fully qualified domain name. My mailserver does not accept connections from hosts that do not properly identify themselves as the RFC requires. Haven't seen a single Sobig here - the server rejected them all.

    Now bounced messages from other mailservers...that's another issue.

    If mail admins simply set their servers to require FQDN greetings then Sobig would be stopped dead. By rejecting the message my mailserver expects the connecting MTA to generate any necessary bounce which Sobig, of course, does not do. No delivery. No bounce messages. No problem.

    So how about it all you mail admins out there. How about demanding a bit of RFC compliance from connecting MTAs. Perhaps this virus will provide the moral authority you need to tighten up your servers.

    --

    ~~~~~~~
    "You are not remembered for doing what is expected of you." - Atul Chitnis
    1. Re:In the RFC lies the answer by njchick · · Score: 2, Interesting

      What if the next virus uses a fully qualified domain name? Standards compliance is good as the first line of defence against really stupid junk, but it's easy to break even for a virus, just by being compliant.
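
Added example, not code from any poster or from any MTA: a Python check of the HELO/EHLO argument against RFC 2821 section 4.1.1.1 (FQDN or address literal), the policy linuxwrangler's server enforces. It also shows njchick's point: a compliant greeting such as mail.example.net passes. The host names, greetings and reply texts are constructed.

```python
import ipaddress
import re

# One DNS label per RFC 2821 section 4.1.2: letter/digit at both ends,
# hyphens allowed inside, at most 63 octets.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_address_literal(arg: str) -> bool:
    """'[192.0.2.10]' or '[IPv6:2001:db8::1]'; RFC 2821 requires the IPv6: tag."""
    if not (arg.startswith("[") and arg.endswith("]")):
        return False
    body = arg[1:-1]
    try:
        if body.startswith("IPv6:"):
            ipaddress.IPv6Address(body[5:])
        else:
            ipaddress.IPv4Address(body)
        return True
    except ValueError:
        return False


def is_fqdn(arg: str) -> bool:
    """At least two well-formed labels; a bare NetBIOS name has only one."""
    labels = arg.split(".")
    return (len(arg) <= 255 and len(labels) >= 2
            and all(_LABEL.match(lbl) for lbl in labels))


def helo_reply(command_line: str) -> str:
    """Reply the MTA gives to one HELO/EHLO line under this policy
    (reply texts are my own; real MTAs word them differently)."""
    parts = command_line.strip().split()
    if len(parts) != 2 or parts[0].upper() not in ("HELO", "EHLO"):
        return "501 5.5.2 Syntax error in HELO/EHLO command"
    arg = parts[1]
    if is_address_literal(arg) or is_fqdn(arg):
        return f"250 mx.example.org Hello {arg}"
    return f"504 5.5.2 {arg}: need fully-qualified hostname"


# Constructed greetings: the first mimics an infected PC announcing its
# NetBIOS name; the others are the compliant forms, including the kind of
# greeting njchick notes a future worm could simply send.
SAMPLE_GREETINGS = ["HELO WORKSTATION", "EHLO mail.example.net",
                    "EHLO [192.0.2.10]", "EHLO [IPv6:2001:db8::1]"]

if __name__ == "__main__":
    for line in SAMPLE_GREETINGS:
        print(f"{line:<24} -> {helo_reply(line)}")
```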

  3. Do it right by Permission+Denied · · Score: 2, Interesting

    Most of the auto-responders I've seen simply send a note with the subject of the message to the From: address. A few might include part of the body of the message.

    These are absolutely useless as you can't figure out what machine originally sent out the message without the full Received headers. I've not seen one virus auto-responder include the full Received headers. The right thing to do would be to include the entire message as an RFC 2047 MIME attachment.

    My reasoning is that these auto-reply messages occasionally get to the right person: namely, me. I then look at the infected IP address and if it's one of ours, send someone out to fix it. This is what I do for messages that get sent to undeliverable addresses where the remote site sends a bounce containing the full original message. A lot of these end up coming to one of my addresses since my addresses are widely advertised within our organization and are likely in many people's web cache and address books.

    Past this, I don't see any reason for the auto-replies. They'll never get back to the person whose machine was infected, but they might get to me. It's easier to find out about the problem from some bounce and fix it immediately than it is to have some end-user from some other organization complain to you and then having to explain to this person how to send a message containing full headers (which is actually difficult and non-intuitive in most Windows MUAs).

  4. Chez moi by dozer · · Score: 3, Interesting

    My numbers in the last 24 hours:

    2018 Sobig.F-infected messages. ClamAV+Amavis recognized all of them and sent them straight to the Spam.SobigF folder. I never even saw them. Beautiful.

    On the other hand, I've had to wade through and delete 100+ erroneous messages telling me that I sent out a virus infected mail. The hell I did. I'm being buried in these warnings and -- because there's no standard way of generating warnings -- I can't filter them!

    So, yeah, if you're sending virus warnings for inbound mail, you're essentially spamming people. ME. Cut it out. Only send virus warnings to your internal users if at all.

    Thank you.

  5. The correct way to do this by epsalon · · Score: 3, Interesting

    The virus checker should verify if the virus spoofs from addresses.
    If not, send a warning to the 'from' address.
    Otherwise, check the first "received" header and use whois to find the admin of that IP range and notify him/her.
    Also, we're in desperate need of an RFC for returned mail messages so they could be easily filtered.

  6. Re:Yes and Another Thing... by TheOtherChimeraTwin · · Score: 2, Interesting

    But the situation suggested was the ISP's mail server was "screwed", which means it isn't suitable to use as a smarthost. The ISP's server might be blacklisted so other hosts block all mail coming from it, or it might just be unreliable or slow. A number of ISPs block outgoing port 25. Have you noticed a decrease in the amount of spam?

  7. Having had my mailbox overflow... by dpbsmith · · Score: 2, Interesting

    ...with bogus "bounced mail" messages, I'd say, yes, it's time for a change.

    I've yet to receive Sobig.F in a direct mail from another person (i.e. the people who send me email apparently have clean systems).

    But I've now received between fifty and a hundred copies of the Sobig.F, all in bounce messages from servers. So apparently I've sent email to a lot of people who a) have the Sobig.F virus, and b) have a lot of bad email addresses in their address books.

    Each of these messages is about 100K in size. That can fill up a mailbox quickly.

    But why should any server include the attachments when they bounce a message? Why? Why? Even in the absence of viruses, all I need to know is enough to identify the message that didn't get through.

  8. The virus software should know. by Above · · Score: 3, Interesting

    The companies that make virus scanners have detailed definitions of each virus. They need to include in that a flag "spoofs from address". If it does, sending autoreplies only adds to the problem; if not, returning a message to the sender is probably ok. They are just too lazy to add a flag to the definitions they send out, and put a simple "if()" around the mail code. It's stupid.
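
Added example, not code from any poster or from any scanner product: a decision routine combining the "spoofs from address" flag that epsalon and Above describe with Permission+Denied's request that a notice carry the full Received headers (and nothing else, per dpbsmith). The virus names, the flag values and the sample message are constructed, and the whois step epsalon mentions is left as a labelled placeholder.

```python
import re
from email import message_from_string
from typing import Optional, Tuple

# Constructed definitions with the "spoofs from address" flag Above proposes;
# names and values are assumptions, not real AV signature data.
VIRUS_DEFS = {"Sobig.F": {"spoofs_from": True}, "OldMacro": {"spoofs_from": False}}

# Constructed infected message: the first hop is an infected PC greeting with
# its NetBIOS name, while From: belongs to an unrelated victim.
SAMPLE_MESSAGE = """\
Received: from mx.example.org ([192.0.2.1]) by mail.example.com; Thu, 21 Aug 2003 10:00:02 -0400
Received: from WORKSTATION (dsl-77.example.net [198.51.100.77]) by mx.example.org; Thu, 21 Aug 2003 10:00:00 -0400
From: victim@example.com
Subject: Re: Details

See the attached file for details.
"""

_BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sample_message():
    return message_from_string(SAMPLE_MESSAGE)


def origin_ip(msg) -> Optional[str]:
    """Each MTA prepends its Received header, so the last one is the first hop."""
    for hdr in reversed(msg.get_all("Received") or []):
        match = _BRACKETED_IPV4.search(hdr)
        if match:
            return match.group(1)
    return None


def notification_target(msg, virus_name: str) -> Optional[Tuple[str, str]]:
    """epsalon's rule: trust From: only if the virus does not spoof it, else
    report the first-hop IP (whois lookup omitted). Unknown names count as spoofing."""
    spoofs = VIRUS_DEFS.get(virus_name, {"spoofs_from": True})["spoofs_from"]
    if not spoofs:
        return ("from", msg["From"])
    ip = origin_ip(msg)
    return ("abuse-contact-for-ip", ip) if ip else None


def build_notice(msg, virus_name: str) -> str:
    """Full Received chain for tracing the machine; no copy of the attachment."""
    lines = [f"A message infected with {virus_name} was rejected.", ""]
    lines += [f"Received: {h}" for h in msg.get_all("Received") or []]
    lines.append(f"Subject: {msg['Subject']}")
    return "\n".join(lines)
```

Run it with `notification_target(sample_message(), "Sobig.F")`: because Sobig.F is flagged as spoofing, the result points at the first-hop address 198.51.100.77 rather than the innocent From: address.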

  9. Compromised box == open relay? by Mryll · · Score: 2, Interesting

    Is there any practical difference between an open relay box that spams you and a virus-compromised box that sends you viruses plus potentially future spam from the compromise?

    Should virus-compromised machines that send out undesired emails be RBL'ed like open relays?

  10. Pointless by shamino0 · · Score: 2, Interesting

    Agreed. These auto-responders are pointless.

    In addition to generating tons of traffic that nobody pays attention to, it has the effect of panicking those users who don't understand what the virus is about.

    A relative of mine uses AOL on a Macintosh. There is no way his system can be infected with Sobig, but I had to spend nearly a half hour explaining it to him. He kept on pointing to the "your system has a virus" messages in his mailbox as proof that he is infected and that he needs a better virus scanner (because the one he has doesn't say he has it).

    The majority of computer users are like this relative, not like you and me.

  11. Re:Similar problem with spammers by schon · · Score: 2, Interesting

    How can one protect from this?

    Track down the spammer, and press charges against them for identity theft.

    This is the biggest proof that spam is a social problem. You basically have someone going around saying that they are you. If you want them to stop, you have to deal with them in RL.