Virus Scanner Auto-Replies - A Good Thing or Obsolete?

Moryath writes "Used to be, everyone put an auto-responder in their email server's virus scanner. That way, some dingus sends in a virus, you're protected, and they get notified so they scan and fix their system. Of course, all these stupid things ever do is reply to the From: field, and possibly to Abuse@domain, webmaster@domain, etc... as well. Enter viruses like Sobig. We've had them for years in various forms, they spoof the From: field with another email from another victim's contact book, and all of a sudden random people are getting bounces of emails they've never sent. I have actually gotten more bounces today than actual Sobig attachments. So what does the Slashdot crowd think? Is it time for the people running these mail servers to take down those autoresponders? Are they guilty for part of the damage things like SoBig have caused, since their ill-configured mail servers are doubling, tripling, or even quadrupling the amount of traffic one Sobig infection produces?"

It is ridiculous to send these notices

[Dancin_Santa]

There is no tangible benefit to having these notices. The user receiving the notice either knows what it means or doesn't know what it means and either way receiving the notice wouldn't change their behavior regardless.

Now that my Inbox is overflowing and my ISP's mail server is rejecting emails because I'm over the account size limit, I'm a little more wary of these supposed "user friendly" helping hands that virus scanner companies are building into their products.

Re:It is ridiculous to send these notices

[Gudlyf]

What's been really making my life hell at work is when our "info@..." mail alias gets used as a spoofed return address. Our CEO is on this list, and of course he panics thinking someone in our company sent out a virus. Then he wants me to show him how I know for sure it's not us. *sigh*

Luckily my direct boss, the VP, doesn't let him pull that kind of crap often, and puts him in his place.

In the RFC lies the answer

[linuxwrangler]

Sobig greets the other server with the netbios name of the infected computer. This does not conform to rfc2821 which requires a fully qualified domain name. My mailserver does not accept connections from hosts that do not properly identify themselves as the RFC requires. Haven't seen a single Sobig here - the server rejected them all.

Now bounced messages from other mailservers...that's another issue.

If mail admins simply set their servers to require FQDN greetings then Sobig would be stopped dead. By rejecting the message my mailserver expects the connecting MTA to generate any necessary bounce which Sobig, of course, does not do. No delivery. No bounce messages. No problem.

So how about it all you mail admins out there. How about demanding a bit of RFC compliance from connecting MTAs. Perhaps this virus will provide the moral authority you need to tighten up your servers.

Chez moi

[dozer]

My numbers in the last 24 hours:

2018 Sobig.F-infected messages. ClamAV+Amavis recognized all of them and sent them straight to the Spam.SobigF folder. I never even saw them. Beautiful.

On the other hand, I've had to wade through and delete 100+ erroneous messages telling me that I sent out a virus infected mail. The hell I did. I'm being buried in these warnings and -- because there's no standard way of generating warnings -- I can't filter them!

So, yeah, if you're sending virus warnings for inbound mail, you're essentially spamming people. ME. Cut it out. Only send virus warnings to your internal users if at all.

Thank you.

The correct way to do this

[epsalon]

The virus checker should verify if the virus spoofs from addresses.
If not, send a warning to the 'from' address.
Otherwise, check the first "received" header and use whois to find the admin of that IP range and notify him/her.
Also, we're in despearate need of an RFC for returned mail messages so they could be easily filtered.

The virus software should know.

[Above]

The companies that make virus scanners have detailed definitions of each virus. They need to include in that a flag "spoofs from address". If it does, sending autoreplies only adds to the problem, if not, returning a message to the sender is probably ok. They are just too lazy to add a flag to the definitions they send out, and put a simple "if()" around the mail code. It's stupid.