Virus Scanner Auto-Replies - A Good Thing or Obsolete?

Moryath writes "Used to be, everyone put an auto-responder in their email server's virus scanner. That way, some dingus sends in a virus, you're protected, and they get notified so they scan and fix their system. Of course, all these stupid things ever do is reply to the From: field, and possibly to Abuse@domain, webmaster@domain, etc... as well. Enter viruses like Sobig. We've had them for years in various forms, they spoof the From: field with another email from another victim's contact book, and all of a sudden random people are getting bounces of emails they've never sent. I have actually gotten more bounces today than actual Sobig attachments. So what does the Slashdot crowd think? Is it time for the people running these mail servers to take down those autoresponders? Are they guilty for part of the damage things like SoBig have caused, since their ill-configured mail servers are doubling, tripling, or even quadrupling the amount of traffic one Sobig infection produces?"

It takes brains

[Kelerain]

If you aren't smart enough to automate the replies intelegently (based on wether the worm type spoofs emails for example) then don't send anything. Simple as that. Use it right, or don't use it at all.

It is ridiculous to send these notices

[Dancin_Santa]

There is no tangible benefit to having these notices. The user receiving the notice either knows what it means or doesn't know what it means and either way receiving the notice wouldn't change their behavior regardless.

Now that my Inbox is overflowing and my ISP's mail server is rejecting emails because I'm over the account size limit, I'm a little more wary of these supposed "user friendly" helping hands that virus scanner companies are building into their products.

Re:It is ridiculous to send these notices

[Gudlyf]

What's been really making my life hell at work is when our "info@..." mail alias gets used as a spoofed return address. Our CEO is on this list, and of course he panics thinking someone in our company sent out a virus. Then he wants me to show him how I know for sure it's not us. *sigh*

Luckily my direct boss, the VP, doesn't let him pull that kind of crap often, and puts him in his place.

Yes and Another Thing...

[sybarite]

To those who admin Windows networks... Please put an exit filter for TCP port 25 on your firewall so only your mail server can send SMTP and not infected workstations.

Re:Yes and Another Thing...

[Blkdeath]

To those who admin Windows networks... Please put an exit filter for TCP port 25 on your firewall so only your mail server can send SMTP and not infected workstations.

That advice should be extended to all end-user networks. Realistically, regular corporate workstations and home DSL/Cable/Dial-Up users should have no reason to talk directly to a foreign SMTP server in the first place.

Obsolete.

[hackwrench]

I've been getting tons of bounces and antivirus messages that are a result of someone else with my e-mail address having the virus. Of course, the whole e-mail infrastructure is obsolete: What do you mean someone else can easily send an e-mail as me! Perhaps if they fixed that however antivirus messages would once again be useful. Could someone with modpoints please mod up my post two posts earlier that erroneously got modded 'Troll'?

Re:Obsolete.

[Blkdeath]

I've been getting tons of bounces and antivirus messages that are a result of someone else with my e-mail address having the virus. Of course, the whole e-mail infrastructure is obsolete: What do you mean someone else can easily send an e-mail as me!

For the same reason someone can mail a letter as you or send a fax as you or communicate in any interpersonal forum as you.

Enter digital cryptography. Sign your messages and never worry again.

In the RFC lies the answer

[linuxwrangler]

Sobig greets the other server with the netbios name of the infected computer. This does not conform to rfc2821 which requires a fully qualified domain name. My mailserver does not accept connections from hosts that do not properly identify themselves as the RFC requires. Haven't seen a single Sobig here - the server rejected them all.

Now bounced messages from other mailservers...that's another issue.

If mail admins simply set their servers to require FQDN greetings then Sobig would be stopped dead. By rejecting the message my mailserver expects the connecting MTA to generate any necessary bounce which Sobig, of course, does not do. No delivery. No bounce messages. No problem.

So how about it all you mail admins out there. How about demanding a bit of RFC compliance from connecting MTAs. Perhaps this virus will provide the moral authority you need to tighten up your servers.

Re:What they need are SMART replies

[babbage]

They need to inspect the header and only send a response when they can have some reasonable confidence that it is in fact from a user. If the hosts used to send the mail don't match the email address, it probably didn't come from that person.

But that doesn't work either. I use a pobox.com mail forwarding address. My outgoing mail never has their servers in the headers, but it is a legit "From:" line, and mail delivered there does make it back to me.

On the other hand, for the last company I worked at there were a number of mail aliases for directing mail to different teams or departments. Some of these were easy to guess, others were pretty obscure. None of them were, as far as I know, ever used as the From: line on an outgoing email: of the handful of people that knew how to munge their mail headers to spoof this, I can't picture anyone bothering to do this.

Nonetheless, all of these mail aliases got a steady stream of spam, and as far as I could tell, they must have been in somebody's Outlook address book, because we'd regularly get "helpful" messages like:

Dear systemadministratorteam,
A message you sent has been determined to have the WhatEver.F virus. Please update your virus scanners. Thank you.

Signed,
The SuperExpensive Mail Scanner at Whatsamatta U

But the thing is, we weren't an Outlook company, so [a] there was no question that it was someone internal that had the virus, and [b] there was almost no possibility that one of these internal addresses should have been out in the public unless an employee deliberately forwarded something (which, I suppose, must be exactly what happened).

In any case, the point is, spoofing the From: line is trivial if you have the right tools, and determining if a spoofed address is legit is impossible without manual verification by sending a message to the recipient. My pobox.com address is legit, but may not appear to be so; allstaff@widgets.com is probably never legit, but it doesn't look any different than the pobox.com address.

Moreover, covering your tracks is easy -- just choose a random From: line and tack on some random Received: headers to make it appear as if the message really did come from where it claims. Such a message might be detectable by a human scanning the headers, but the whole "store & forward" architecture of the internet mail system demands that each receiving server has to trust what another host claims about prior headers -- so the whole system is vulnerable to anybody running a maliciously configured server.

So to give my opinion on the original article's question, no, I don't think auto-responses for mail viruses make sense anymore. The current wave has generated at least as much bandwidth waste from the "helpful" replies as from the virus itself -- as anyone on a gnu.org mailing list (to pick a random example) would have noticed lately. (Really, of all people to be feeling the side effects of a Windows issue -- GNU.org?)

It might arguably be okay to send mail to abuse@..., etc, but even then, [a] the spoofing problem is still there, so you don't know which of the Received: lines is legit, and [b] contacting these addresses won't necessarily do any good. Most of the people propagating the current worm seem to be home users, and so are connected via one or another ISP; what ISP is going to take on the tech support expense of walking all their users through how to patch their systems? Few, if any have the resources to do this.

For better or worse, the only solution I see is mandatory updates from the software vendor. As long as people continue to use Outlook but refuse to update it, the proposal from Microsoft to possibly force home users to install patches is the only solution I can think of that seems to have any chance of helping. It'll be interesting to see if & how they do that.

Chez moi

[dozer]

My numbers in the last 24 hours:

2018 Sobig.F-infected messages. ClamAV+Amavis recognized all of them and sent them straight to the Spam.SobigF folder. I never even saw them. Beautiful.

On the other hand, I've had to wade through and delete 100+ erroneous messages telling me that I sent out a virus infected mail. The hell I did. I'm being buried in these warnings and -- because there's no standard way of generating warnings -- I can't filter them!

So, yeah, if you're sending virus warnings for inbound mail, you're essentially spamming people. ME. Cut it out. Only send virus warnings to your internal users if at all.

Thank you.

My Reply

[Nishi-no-wan]

Just got notified today that I had sent someone SOBIG.F. This was my reply:

I just received a notice from your Notes server that you received a virus (SOBIG.F) from my address. I would like to let you or your administrator know that the address on that is forged. Your virus checker should look at the headers and report to the ISP from which the infected mail originated, not to the "From" header.

I've been 100% Microsoft Free since January 1, 2000. Unless SOBIG.F has found a way to worm into FreeBSD, I doubt very strongly if this message came from any domain I control.

P.S. While having an automated system to notify possible infections to senders is a nice idea, most worms today spoof the From and ReplyTo headers. Without the Received headers there is no way that I can help track down the infected party, making sending this to the person in the "From" header a waste of time (especially for Windows users who then have to check to see if they are infected or not, when the chances are that they aren't). If your company is serious about tracking down the source of infected mail, they will use the IP address (not the DNS name associated with it as that, too, can be spoofed) in the Received headers to track down the originating ISP and report the infection to them, along with the timestamp and time zone received. ISPs can then use their logs to track down who had said IP address at that time in their time zone.

If your system administration isn't concerned enough to take the time to do it right, then including the full header information of the offending message in your notification would be useful for those of us who do take the time. (There are risks involved with this, as you may be notifying a Black Hat about a compromised machine - i.e. the computer that originally sent the infected message.)

Thank you for your time and forwarding this to your system administrator.

The correct way to do this

[epsalon]

The virus checker should verify if the virus spoofs from addresses.
If not, send a warning to the 'from' address.
Otherwise, check the first "received" header and use whois to find the admin of that IP range and notify him/her.
Also, we're in despearate need of an RFC for returned mail messages so they could be easily filtered.

The virus software should know.

[Above]

The companies that make virus scanners have detailed definitions of each virus. They need to include in that a flag "spoofs from address". If it does, sending autoreplies only adds to the problem, if not, returning a message to the sender is probably ok. They are just too lazy to add a flag to the definitions they send out, and put a simple "if()" around the mail code. It's stupid.