Slashdot Mirror


Virus Scanner Auto-Replies - A Good Thing or Obsolete?

Moryath writes "Used to be, everyone put an auto-responder in their email server's virus scanner. That way, some dingus sends in a virus, you're protected, and they get notified so they scan and fix their system. Of course, all these stupid things ever do is reply to the From: field, and possibly to Abuse@domain, webmaster@domain, etc... as well. Enter viruses like Sobig. We've had them for years in various forms, they spoof the From: field with another email from another victim's contact book, and all of a sudden random people are getting bounces of emails they've never sent. I have actually gotten more bounces today than actual Sobig attachments. So what does the Slashdot crowd think? Is it time for the people running these mail servers to take down those autoresponders? Are they guilty for part of the damage things like SoBig have caused, since their ill-configured mail servers are doubling, tripling, or even quadrupling the amount of traffic one Sobig infection produces?"

32 of 123 comments

  1. It takes brains by Kelerain · Score: 4, Insightful

    If you aren't smart enough to automate the replies intelligently (based on whether the worm type spoofs emails, for example) then don't send anything. Simple as that. Use it right, or don't use it at all.

  2. It is ridiculous to send these notices by Dancin_Santa · Score: 3, Interesting

    There is no tangible benefit to having these notices. The user receiving the notice either knows what it means or doesn't know what it means and either way receiving the notice wouldn't change their behavior regardless.

    Now that my Inbox is overflowing and my ISP's mail server is rejecting emails because I'm over the account size limit, I'm a little more wary of these supposed "user friendly" helping hands that virus scanner companies are building into their products.

    1. Re:It is ridiculous to send these notices by Gudlyf · Score: 3, Interesting

      What's been really making my life hell at work is when our "info@..." mail alias gets used as a spoofed return address. Our CEO is on this list, and of course he panics thinking someone in our company sent out a virus. Then he wants me to show him how I know for sure it's not us. *sigh*

      Luckily my direct boss, the VP, doesn't let him pull that kind of crap often, and puts him in his place.

      --
      Trolls lurk everywhere. Mod them down.
    2. Re:It is ridiculous to send these notices by Chop · Score: 2

      My info@... address has been getting slammed as well. I'm glad i'm not the only one, maybe we should start a support group?

  3. Yes and Another Thing... by sybarite · Score: 5, Insightful

    To those who admin Windows networks... Please put an exit filter for TCP port 25 on your firewall so only your mail server can send SMTP and not infected workstations.

    1. Re:Yes and Another Thing... by Blkdeath · Score: 3, Insightful

      To those who admin Windows networks... Please put an exit filter for TCP port 25 on your firewall so only your mail server can send SMTP and not infected workstations.

      That advice should be extended to all end-user networks. Realistically, regular corporate workstations and home DSL/Cable/Dial-Up users should have no reason to talk directly to a foreign SMTP server in the first place.

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    2. Re:Yes and Another Thing... by TheOtherChimeraTwin · Score: 2, Interesting

      But the situation suggested was the ISP's mail server was "screwed", which means it isn't suitable to use as a smarthost. The ISP's server might be blacklisted so other hosts block all mail coming from it, or it might just be unreliable or slow. A number of ISPs block outgoing port 25. Have you noticed a decrease in the amount of spam?

    3. Re:Yes and Another Thing... by mikeswi · Score: 2, Informative

      Realistically, regular corporate workstations and home DSL/Cable/Dial-Up users should have no reason to talk directly to a foreign SMTP server in the first place.

      That is incorrect. Web site owners often use the mail server associated with their domain(s) to send and receive email. When I send email to a business partner, I would prefer they see it come from my web site's domain, not my ISP's.

      If my ISP did this, I would just switch to the alternate port number my web host has set up for just that event. When/if they block that port also, I will ask them if the dubious benefit of blocking that port makes up for the $780 they would have made from my account that year when I choose another ISP.

  4. Obsolete. by hackwrench · Score: 5, Insightful

    I've been getting tons of bounces and antivirus messages that are a result of someone else with my e-mail address having the virus. Of course, the whole e-mail infrastructure is obsolete: What do you mean someone else can easily send an e-mail as me! Perhaps if they fixed that however antivirus messages would once again be useful. Could someone with modpoints please mod up my post two posts earlier that erroneously got modded 'Troll'?

    1. Re:Obsolete. by Blkdeath · Score: 3, Insightful

      I've been getting tons of bounces and antivirus messages that are a result of someone else with my e-mail address having the virus. Of course, the whole e-mail infrastructure is obsolete: What do you mean someone else can easily send an e-mail as me!

      For the same reason someone can mail a letter as you or send a fax as you or communicate in any interpersonal forum as you.

      Enter digital cryptography. Sign your messages and never worry again.

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

  5. Emails to abuse@ rarely stop infected users by DaveJay · Score: 2, Insightful

    I doubt these email replies are doing any good at all.

    Case in point: Every twenty minutes, as of first thing this morning, I have received an email with an evil .pif file (thankfully automatically deleted by my company's email server). I know where the mails are coming from, and have contacted the abuse@[nameofispdeleted] address with the details.

    As of this writing, I have received no reply, the emails are still coming, the user's account is still active, and I don't even know if they got my email, as there is no mention of an abuse department or a means of contacting them on their web site (this is a HUGE corporate ISP, too) -- abuse@[nameofispdeleted] was just my first best guess.

    So, let's be honest -- if a big, well-staffed company like this isn't going to respond to a personal request to stop a one-man-virus-festival, automated emails will most likely be ignored, too.

  6. In the RFC lies the answer by linuxwrangler · Score: 4, Interesting

    Sobig greets the other server with the NetBIOS name of the infected computer. This does not conform to RFC 2821 which requires a fully qualified domain name. My mailserver does not accept connections from hosts that do not properly identify themselves as the RFC requires. Haven't seen a single Sobig here - the server rejected them all.

    Now bounced messages from other mailservers...that's another issue.

    If mail admins simply set their servers to require FQDN greetings then Sobig would be stopped dead. By rejecting the message my mailserver expects the connecting MTA to generate any necessary bounce which Sobig, of course, does not do. No delivery. No bounce messages. No problem.

    So how about it all you mail admins out there. How about demanding a bit of RFC compliance from connecting MTAs. Perhaps this virus will provide the moral authority you need to tighten up your servers.

    --

    ~~~~~~~
    "You are not remembered for doing what is expected of you." - Atul Chitnis
    1. Re:In the RFC lies the answer by Jahf · Score: 2, Insightful

      Until the next one figures out to use the RFC.

      That's not a long-term answer.

      --
      It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
    2. Re:In the RFC lies the answer by njchick · Score: 2, Interesting

      What if the next virus uses a fully qualified domain name? Standard compliance is good as the first line of defence against really stupid junk, but it's easy to break even for a virus, just by being compliant.
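The check linuxwrangler describes, as an added example that is not code from the thread or from any MTA: a HELO/EHLO validator that accepts what RFC 2821 section 4.1.1.1 allows (a fully qualified domain name, or an address literal such as `[192.0.2.1]` when the client has no FQDN) and rejects a bare NetBIOS-style name with a 5.5.2 reply modelled on the one Postfix gives for the same policy. The greetings are constructed, and `check_helo` and the other names are this example's own. As Jahf and njchick point out, a worm that greets with a proper FQDN passes this test, so it is a cheap first filter at SMTP time, not a substitute for content scanning.

```python
import re

# RFC 2821 section 4.1.1.1: the HELO/EHLO argument is the client's fully
# qualified domain name, or an address literal ([192.0.2.1], [IPv6:...]) when
# the client has no FQDN. A bare NetBIOS name such as "WORKSTATION1" is neither.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}\.?$")
IPV4_LITERAL_RE = re.compile(r"^\[(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\]$")
IPV6_LITERAL_RE = re.compile(r"^\[IPv6:[0-9A-Fa-f:.]+\]$")


def is_fqdn(name):
    """True if name has at least two labels and a non-numeric top-level label."""
    if len(name) > 255 or not FQDN_RE.match(name):
        return False
    top_label = name.rstrip(".").rsplit(".", 1)[-1]
    return not top_label.isdigit()


def is_address_literal(arg):
    """True for a bracketed IPv4 literal with in-range octets or an IPv6 literal."""
    m = IPV4_LITERAL_RE.match(arg)
    if m:
        return all(int(octet) <= 255 for octet in m.groups())
    return bool(IPV6_LITERAL_RE.match(arg))


def check_helo(helo_arg):
    """Return (accept, smtp_reply) for the argument of one HELO/EHLO command.

    The rejection text is modelled on the reply Postfix sends when
    reject_non_fqdn_helo_hostname fires.
    """
    arg = helo_arg.strip()
    if is_fqdn(arg) or is_address_literal(arg):
        return True, "250 mx.example.org"
    return False, f"504 5.5.2 <{arg}>: Helo command rejected: need fully-qualified hostname"


if __name__ == "__main__":
    # Constructed greetings: the first two are the kind of bare machine name a
    # worm speaking SMTP directly from an infected workstation sends.
    for greeting in ("WORKSTATION1", "JOHNS-PC", "mail.example.com",
                     "[192.0.2.1]", "[IPv6:2001:db8::1]", "host.123"):
        accepted, reply = check_helo(greeting)
        print(f"{greeting:<22} {'accept' if accepted else 'reject'}  {reply}")
```

The numeric top-level label test exists because `192.0.2.1` without brackets is not an address literal and should not be accepted as a domain name either.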

  7. Re:What they need are SMART replies by babbage · Score: 3, Insightful

    They need to inspect the header and only send a response when they can have some reasonable confidence that it is in fact from a user. If the hosts used to send the mail don't match the email address, it probably didn't come from that person.

    But that doesn't work either. I use a pobox.com mail forwarding address. My outgoing mail never has their servers in the headers, but it is a legit "From:" line, and mail delivered there does make it back to me.

    On the other hand, for the last company I worked at there were a number of mail aliases for directing mail to different teams or departments. Some of these were easy to guess, others were pretty obscure. None of them were, as far as I know, ever used as the From: line on an outgoing email: of the handful of people that knew how to munge their mail headers to spoof this, I can't picture anyone bothering to do this.

    Nonetheless, all of these mail aliases got a steady stream of spam, and as far as I could tell, they must have been in somebody's Outlook address book, because we'd regularly get "helpful" messages like:

    Dear systemadministratorteam,
    A message you sent has been determined to have the WhatEver.F virus. Please update your virus scanners. Thank you.

    Signed,
    The SuperExpensive Mail Scanner at Whatsamatta U

    But the thing is, we weren't an Outlook company, so [a] there was no question that it was someone internal that had the virus, and [b] there was almost no possibility that one of these internal addresses should have been out in the public unless an employee deliberately forwarded something (which, I suppose, must be exactly what happened).

    In any case, the point is, spoofing the From: line is trivial if you have the right tools, and determining if a spoofed address is legit is impossible without manual verification by sending a message to the recipient. My pobox.com address is legit, but may not appear to be so; allstaff@widgets.com is probably never legit, but it doesn't look any different than the pobox.com address.

    Moreover, covering your tracks is easy -- just choose a random From: line and tack on some random Received: headers to make it appear as if the message really did come from where it claims. Such a message might be detectable by a human scanning the headers, but the whole "store & forward" architecture of the internet mail system demands that each receiving server has to trust what another host claims about prior headers -- so the whole system is vulnerable to anybody running a maliciously configured server.

    So to give my opinion on the original article's question, no, I don't think auto-responses for mail viruses make sense anymore. The current wave has generated at least as much bandwidth waste from the "helpful" replies as from the virus itself -- as anyone on a gnu.org mailing list (to pick a random example) would have noticed lately. (Really, of all people to be feeling the side effects of a Windows issue -- GNU.org?)

    It might arguably be okay to send mail to abuse@..., etc, but even then, [a] the spoofing problem is still there, so you don't know which of the Received: lines is legit, and [b] contacting these addresses won't necessarily do any good. Most of the people propagating the current worm seem to be home users, and so are connected via one or another ISP; what ISP is going to take on the tech support expense of walking all their users through how to patch their systems? Few, if any have the resources to do this.

    For better or worse, the only solution I see is mandatory updates from the software vendor. As long as people continue to use Outlook but refuse to update it, the proposal from Microsoft to possibly force home users to install patches is the only solution I can think of that seems to have any chance of helping. It'll be interesting to see if & how they do that.

  8. Do it right by Permission Denied · Score: 2, Interesting

    Most of the auto-responders I've seen simply send a note with the subject of the message to the From: address. A few might include part of the body of the message.

    These are absolutely useless as you can't figure out what machine originally sent out the message without the full Received headers. I've not seen one virus auto-responder include the full Received headers. The right thing to do would be to include the entire message as an RFC 2047 MIME attachment.

    My reasoning is that these auto-reply messages occasionally get to the right person: namely, me. I then look at the infected IP address and if it's one of ours, send someone out to fix it. This is what I do for messages that get sent to undeliverable addresses where the remote site sends a bounce containing the full original message. A lot of these end up coming to one of my addresses since my addresses are widely advertised within our organization and are likely in many people's web cache and address books.

    Past this, I don't see any reason for the auto-replies. They'll never get back to the person whose machine was infected, but they might get to me. It's easier to find out about the problem from some bounce and fix it immediately than it is to have some end-user from some other organization complain to you and then having to explain to this person how to send a message containing full headers (which is actually difficult and non-intuitive in most Windows MUAs).

  9. It's not a mistake, it's SPAM by menscher · Score: 2, Insightful

    Obviously any half-decent virus-scanner can tell that this is sobig.f, and they know that it spoofs the headers. Why auto-reply? Free advertising! Most users will say "ooh... we should get that for our company" rather than saying "what crappy software that is that spams the wrong people".

    Makes me wonder... the antivirus companies are knowingly and willfully causing a DDoS of spam to our accounts. Can they be sued at $50/message for that?

  10. Re:Merely "addressing" symptoms by Paul Jakma · Score: 2, Insightful

    How so?

    If you look at the 6Bone list archives you'll see there was a recent thread on how spammers are already exploiting IPv6 open relays.

    IPv6 is no panacea.

    --
    I use Friend/Foe + mod-point modifiers as a karma/reputation system.
  11. Chez moi by dozer · Score: 3, Interesting

    My numbers in the last 24 hours:

    2018 Sobig.F-infected messages. ClamAV+Amavis recognized all of them and sent them straight to the Spam.SobigF folder. I never even saw them. Beautiful.

    On the other hand, I've had to wade through and delete 100+ erroneous messages telling me that I sent out a virus infected mail. The hell I did. I'm being buried in these warnings and -- because there's no standard way of generating warnings -- I can't filter them!

    So, yeah, if you're sending virus warnings for inbound mail, you're essentially spamming people. ME. Cut it out. Only send virus warnings to your internal users if at all.

    Thank you.

  12. My Reply by Nishi-no-wan · Score: 4, Insightful

    Just got notified today that I had sent someone SOBIG.F. This was my reply:

    I just received a notice from your Notes server that you received a virus (SOBIG.F) from my address. I would like to let you or your administrator know that the address on that is forged. Your virus checker should look at the headers and report to the ISP from which the infected mail originated, not to the "From" header.

    I've been 100% Microsoft Free since January 1, 2000. Unless SOBIG.F has found a way to worm into FreeBSD, I doubt very strongly if this message came from any domain I control.

    P.S. While having an automated system to notify possible infections to senders is a nice idea, most worms today spoof the From and ReplyTo headers. Without the Received headers there is no way that I can help track down the infected party, making sending this to the person in the "From" header a waste of time (especially for Windows users who then have to check to see if they are infected or not, when the chances are that they aren't). If your company is serious about tracking down the source of infected mail, they will use the IP address (not the DNS name associated with it as that, too, can be spoofed) in the Received headers to track down the originating ISP and report the infection to them, along with the timestamp and time zone received. ISPs can then use their logs to track down who had said IP address at that time in their time zone.

    If your system administration isn't concerned enough to take the time to do it right, then including the full header information of the offending message in your notification would be useful for those of us who do take the time. (There are risks involved with this, as you may be notifying a Black Hat about a compromised machine - i.e. the computer that originally sent the infected message.)

    Thank you for your time and forwarding this to your system administrator.

  13. The correct way to do this by epsalon · Score: 3, Interesting

    The virus checker should verify if the virus spoofs from addresses.
    If not, send a warning to the 'from' address.
    Otherwise, check the first "received" header and use whois to find the admin of that IP range and notify him/her.
    Also, we're in desperate need of an RFC for returned mail messages so they could be easily filtered.
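Comments 7, 8, 12 and 13 converge on one procedure: trust only the Received: line your own server stamped, take the connecting IP from it (not the From: header and not the DNS name), and branch on whether the detected family is known to forge From:. Here it is as an added example, not code from the thread or from any scanner product. `OUR_MTA`, the pattern list and the sample message are constructed; the lower Received: line in the sample is a forgery of the kind babbage describes, and the code never reads it. Whether the resulting IP is then looked up in whois and reported is left to the operator, as epsalon's step says.

```python
import email
import re
from fnmatch import fnmatchcase

# Hostname of our own inbound MTA (assumption for this example). Received:
# lines are prepended as a message travels, so the topmost one is the line our
# MTA wrote; everything below it arrived inside the message and may be forged.
OUR_MTA = "mx.example.org"

# Families known to forge From: (constructed list; lower-case fnmatch patterns
# so variants such as Sobig.E and Sobig.F match the same entry).
FROM_SPOOFING_PATTERNS = ("*sobig*", "*klez*")

RECEIVED_RE = re.compile(r"^from\s+\S+\s+\(([^)]*)\)\s+by\s+(\S+)", re.I)
BRACKETED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed infected message. The second Received: line even claims to have
# been added by our own MTA, which is exactly why only the first one counts.
SAMPLE = """\
Received: from WORKSTATION1 (unknown [198.51.100.23])
    by mx.example.org (Postfix) with SMTP id 3F2A1C0D
    for <bob@example.org>; Mon, 25 Aug 2003 09:14:02 -0400
Received: from mail.example.net (mail.example.net [203.0.113.7])
    by mx.example.org (Postfix) with ESMTP id 00000000;
    Mon, 25 Aug 2003 09:13:58 -0400
From: alice@victim.example
To: bob@example.org
Subject: Re: Details

Please see the attached file for details.
"""


def spoofs_from(virus_name):
    """True when the scanner's detection name belongs to a From:-forging family."""
    return any(fnmatchcase(virus_name.lower(), pat) for pat in FROM_SPOOFING_PATTERNS)


def trusted_source_ip(raw_message, our_mta=OUR_MTA):
    """IP of the host that connected to our MTA, or None if we cannot tell.

    Only the first Received: line is examined, and only if its "by" clause
    names our own MTA; the rest of the chain is the sender's claim.
    """
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received", [])
    if not received:
        return None
    flat = " ".join(received[0].split())          # unfold continuation lines
    m = RECEIVED_RE.match(flat)
    if not m or m.group(2).lower() != our_mta:
        return None
    ip = BRACKETED_IP_RE.search(m.group(1))
    return ip.group(1) if ip else None


def decide_notification(raw_message, virus_name):
    """Where, if anywhere, a notice about this infected message should go."""
    msg = email.message_from_string(raw_message)
    if not spoofs_from(virus_name):
        # This family does not forge From:, so the sender really is the source.
        return {"action": "notify_sender", "target": msg.get("From")}
    ip = trusted_source_ip(raw_message)
    if ip is None:
        # From: is a victim's address and we cannot place the connecting host:
        # any notice would be pure backscatter, so send nothing.
        return {"action": "drop", "target": None}
    # Report the connecting IP (not its DNS name, which can also be spoofed) to
    # the netblock's abuse contact, found out of band via whois.
    return {"action": "notify_netblock_abuse", "target": ip}


if __name__ == "__main__":
    for name in ("W32/Sobig.F@mm", "EICAR-Test-File"):
        print(name, decide_notification(SAMPLE, name))
```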

  14. Re:HOWTO in exim4? by cbcbcb · Score: 2, Informative

    use SAUCE: http://www.chiark.greenend.org.uk/~ian/sauce/

  15. Having had my mailbox overflow... by dpbsmith · Score: 2, Interesting

    ...with bogus "bounced mail" messages, I'd say, yes, it's time for a change.

    I've yet to receive Sobig.F in a direct mail from another person (i.e. the people who send me email apparently have clean systems).

    But I've now received between fifty and a hundred copies of the Sobig.F, all in bounce messages from servers. So apparently I've sent email a lot of people who a) have the Sobig.F virus, and b) have a lot of bad email addresses in their address books.

    Each of these messages is about 100K in size. That can fill up a mailbox quickly.

    But why should any server include the attachments when they bounce a message? Why? Why? Even in the absence of viruses, all I need to know is enough to identify the message that didn't get through.

  16. Even more brains would do it in the MTA by bill_mcgonigle · Score: 2, Insightful

    Really, if there were a way to run MailScanner (e.g.) straight out of Sendmail (e.g.), instead of after Sendmail is done with it, we could give an error to the person who actually sent the mail during SMTP, instead of having something down the line try to send errors to whatever might be in the From: header.

    I'm not sure which if any MTAs have hooks for this (though I suspect the answer is Postfix) but SoBig, Klez, et al., have proven that doing it in the MDA is a flawed model.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:Even more brains would do it in the MTA by Lars T. · Score: 2, Informative

      Article in German. Sobig.F filter rules for Sendmail, Postfix and Exim.

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

  17. The virus software should know. by Above · Score: 3, Interesting

    The companies that make virus scanners have detailed definitions of each virus. They need to include in that a flag "spoofs from address". If it does, sending autoreplies only adds to the problem, if not, returning a message to the sender is probably ok. They are just too lazy to add a flag to the definitions they send out, and put a simple "if()" around the mail code. It's stupid.

  18. Dumb virus scanners are spammers by Animats · Score: 2, Insightful

    Any virus scanner that doesn't verify the message header (look at how SpamCop does this) but replies to it is basically spamming.

    Incidentally, anything that bounces a message should return the entire message header. Most of these mail bounces don't return enough info to identify the real source.
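Comments 8, 15 and 18 between them specify what a notice or bounce should contain: the complete header block of the original, including every Received: line (Permission Denied, Animats), and none of the body or attachment (dpbsmith). The following is an added example, not code from the thread: it builds such a notice with the headers carried as a `text/rfc822-headers` part, the media type defined for this purpose in the delivery-status-notification RFCs, and marks the notice with the `Auto-Submitted: auto-replied` header from RFC 3834, a standard that postdates this thread but is today the generic handle for filtering automatic replies. The sample message, hostnames and addresses are constructed; the placeholder line in the sample body stands in for the 100 KB worm attachment that must not be echoed back.

```python
import email
from email.message import EmailMessage
from email.utils import formatdate, make_msgid

# Constructed sample of an infected message as it sits in quarantine. The
# placeholder line stands in for the worm attachment.
SAMPLE_INFECTED = """\
Received: from WORKSTATION1 (WORKSTATION1 [198.51.100.23])
    by mx.example.org (Postfix) with SMTP id 3F2A1C0D
    for <bob@example.org>; Mon, 25 Aug 2003 09:14:02 -0400
From: alice@victim.example
To: bob@example.org
Subject: Re: Details
Message-ID: <000a01c36b15$0d6e3c10$1700a8c0@WORKSTATION1>
Content-Type: text/plain

Please see the attached file for details.
CONSTRUCTED-ATTACHMENT-PAYLOAD-PLACEHOLDER
"""


def header_block(raw_message):
    """Return the original's header block, folding preserved, and nothing of its body."""
    original = email.message_from_string(raw_message)
    return "".join(f"{name}: {value}\n" for name, value in original.items())


def build_notice(raw_message, detected_as, recipient, sender="postmaster@example.org"):
    """Compact notice: a short explanation plus the original headers as an attachment.

    Who the recipient should be (sender, or the connecting netblock's abuse
    contact) is decided elsewhere; this only controls what the notice carries.
    """
    notice = EmailMessage()
    notice["From"] = sender
    notice["To"] = recipient
    notice["Subject"] = f"Virus report: {detected_as} received by mx.example.org"
    notice["Date"] = formatdate(usegmt=True)
    notice["Message-ID"] = make_msgid(domain="example.org")
    # RFC 3834: lets recipients filter automatic notices without guessing at wording.
    notice["Auto-Submitted"] = "auto-replied"
    notice.set_content(
        "The attached headers belong to a message that mx.example.org refused\n"
        f"because it carried {detected_as}. Only the headers are included; the\n"
        "infected content has been discarded. The Received: line added by\n"
        "mx.example.org records the host that actually delivered it.\n"
    )
    # text/rfc822-headers: the DSN media type for "headers only, no body".
    notice.add_attachment(header_block(raw_message), subtype="rfc822-headers",
                          filename="original-headers.txt")
    return notice


def attached_headers(notice):
    """Extract the text/rfc822-headers attachment from a notice, or None."""
    for part in notice.iter_attachments():
        if part.get_content_type() == "text/rfc822-headers":
            return part.get_content()
    return None


if __name__ == "__main__":
    print(build_notice(SAMPLE_INFECTED, "W32/Sobig.F@mm", "abuse@isp.example").as_string())
```

The notice stays a few hundred bytes regardless of the size of the original, which is the whole of dpbsmith's point, while still giving a recipient like Permission Denied the Received: chain needed to find the infected machine.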

  19. Compromised box == open relay? by Mryll · Score: 2, Interesting

    Is there any practical difference between an open relay box that spams you and a virus-compromised box that sends you viruses plus potentially future spam from the compromise?

    Should virus-compromised machines that send out undesired emails be RBL'ed like open relays?

  20. Pointless by shamino0 · Score: 2, Interesting

    Agreed. These auto-responders are pointless.

    In addition to generating tons of traffic that nobody pays attention to, it has the effect of panicking those users who don't understand what the virus is about.

    A relative of mine uses AOL on a Macintosh. There is no way his system can be infected with Sobig, but I had to spend nearly a half hour explaining it to him. He kept on pointing to the "your system has a virus" messages in his mailbox as proof that he is infected and that he needs a better virus scanner (because the one he has doesn't say he has it.)

    The majority of computer users are like this relative, not like you and me.

  21. For the love of GOD!! by The AtomicPunk · Score: 2, Insightful

    1) Exchange virus scanner plugins have GOT to stop blindly sending replies to whatever email address the message loosely appears to come from. This is absurd - viruses that forge email addresses have been the NORM for what, 2? 3 years now?

    2) Why can't someone write a virus that DESTROYS Outlook address books and turns off Auto-Learn, so that all the future viruses only have about 1% of the number of potential victims as current viruses?

    I have postfix rejecting 16,000 viruses a day, and 500-600 "You have a virus" emails, but I still get several hundred "You have a virus" mails per day that sneak by the filters because of unique subjects, content, etc.
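dozer (comment 11) cannot filter the warnings because they have no standard form, and The AtomicPunk (comment 21) sees hundreds slip past filters on unique subjects. The added example below, not code from the thread, classifies a notice by what it quotes rather than by its wording: a genuine warning or bounce about mail we sent quotes a Message-ID our own MTA issued, so a notice whose quoted Message-ID we never generated concerns a forged message and is backscatter whatever it says. `SENT_MESSAGE_IDS` stands in for a lookup against the outbound mail log, and the four sample notices are constructed.

```python
import email
import re

# Constructed stand-in for a lookup against our outbound mail log: the
# Message-IDs our MTA has actually emitted.
SENT_MESSAGE_IDS = {"<20030825091402.12345@mx.example.org>"}

# Wording typical of virus notices and bounces. Deliberately broad: the
# Message-ID check, not this list, decides legitimacy.
WARNING_SUBJECT_RE = re.compile(
    r"virus|infected|worm|undeliverable|returned mail|delivery (status|failure|notification)",
    re.I)
# A Message-ID header quoted in the body, with or without ">" quoting.
QUOTED_MSGID_RE = re.compile(r"^[>\s]*Message-ID:\s*(<[^>]+>)", re.I | re.M)

BACKSCATTER = """\
From: virus-scanner@whatsamatta.example
To: bob@example.org
Subject: Virus Alert: your message contained W32/Sobig.F@mm

A message you sent has been determined to have the W32/Sobig.F@mm virus.
Please update your virus scanners. Headers of your message:

> From: bob@example.org
> To: student@whatsamatta.example
> Message-ID: <000a01c36b15$0d6e3c10$1700a8c0@WORKSTATION1>
"""

LEGIT_DSN = """\
From: MAILER-DAEMON@mail.example.net
To: bob@example.org
Subject: Undeliverable: Meeting notes

The following message could not be delivered: user unknown.

Message-ID: <20030825091402.12345@mx.example.org>
Subject: Meeting notes
"""

VAGUE_WARNING = """\
From: scanner@example.com
To: bob@example.org
Subject: Virus detected in your mail

Your message was infected. Please clean your system.
"""

NORMAL = """\
From: alice@example.net
To: bob@example.org
Subject: Lunch?

Free at noon?
"""


def text_of(msg):
    """Concatenate every text/* part of a parsed message, decoding transfer encodings."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "us-ascii", "replace"))
    return "\n".join(chunks)


def classify(raw_notice, sent_ids=SENT_MESSAGE_IDS):
    """Return 'normal', 'legitimate-dsn', 'backscatter' or 'unverifiable'."""
    msg = email.message_from_string(raw_notice)
    auto_submitted = msg.get("Auto-Submitted", "no").strip().lower()
    if not WARNING_SUBJECT_RE.search(msg.get("Subject", "")) and auto_submitted == "no":
        return "normal"
    quoted = set(QUOTED_MSGID_RE.findall(text_of(msg)))
    if not quoted:
        # Claims we sent something but gives nothing to check: hold it for review.
        return "unverifiable"
    return "legitimate-dsn" if quoted & sent_ids else "backscatter"


if __name__ == "__main__":
    for label, sample in (("backscatter", BACKSCATTER), ("dsn", LEGIT_DSN),
                          ("vague", VAGUE_WARNING), ("normal", NORMAL)):
        print(f"{label:<12} -> {classify(sample)}")
```

The "unverifiable" bucket is where the notices The AtomicPunk complains about land: they are recognisably automatic but quote nothing, so they can be quarantined rather than delivered, without risking a genuine bounce.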

  22. Re:Similar problem with spammers by schon · Score: 2, Interesting

    How can one protect from this?

    Track down the spammer, and press charges against them for identity theft.

    This is the biggest proof that spam is a social problem. You basically have someone going around saying that they are you. If you want them to stop, you have to deal with them in RL.

  23. Any non-trivial application is misconfigurable by Medievalist · Score: 2, Insightful

    Long before Sobig.F hit the net, I configured our mailscanners to skip sending autoreplies to senders of sobig* virii (the asterisk being a wildcard to catch all variants). I also don't autoreply to Klez, Yaha, Bugbear, Braid-A, or WinEvar since they all forge their source mail addresses.

    Think about it; Linux can be misconfigured to do bad things (tm) - is this a reason to stop using it? No, it's a reason to identify those who can configure it properly and put them in charge of doing so. It's also a reason to have someone conscientious on the payroll - hiring consultants to configure services that represent security risks is just asking for a reaming.

    Same thing with virus scanners. It is appropriate to autorespond to certain virii, and not to others. A more appropriate question might have been "should antivirus products identify mail-spoofing virii in their API?" or "should virus scanners default to not auto-responding, and require additional configuration to implement this feature?".

    + Yes I used the word virii on purpose. I like the distinction between computer virii and biological viruses because it is useful in my work. And I don't give a damn about latin declensions or Tom Christiansen's opinion on the matter.