Slashdot Mirror


Virus Scanner Auto-Replies - A Good Thing or Obsolete?

Moryath writes "Used to be, everyone put an auto-responder in their email server's virus scanner. That way, some dingus sends in a virus, you're protected, and they get notified so they scan and fix their system. Of course, all these stupid things ever do is reply to the From: field, and possibly to Abuse@domain, webmaster@domain, etc... as well. Enter viruses like Sobig. We've had them for years in various forms, they spoof the From: field with another email from another victim's contact book, and all of a sudden random people are getting bounces of emails they've never sent. I have actually gotten more bounces today than actual Sobig attachments. So what does the Slashdot crowd think? Is it time for the people running these mail servers to take down those autoresponders? Are they guilty for part of the damage things like SoBig have caused, since their ill-configured mail servers are doubling, tripling, or even quadrupling the amount of traffic one Sobig infection produces?"

5 of 123 comments

  1. It takes brains by Kelerain · · Score: 4, Insightful

    If you aren't smart enough to automate the replies intelligently (based on whether the worm type spoofs emails, for example) then don't send anything. Simple as that. Use it right, or don't use it at all.

  2. Yes and Another Thing... by sybarite · · Score: 5, Insightful

    To those who admin Windows networks... Please put an exit filter for TCP port 25 on your firewall so only your mail server can send SMTP and not infected workstations.

  3. Obsolete. by hackwrench · · Score: 5, Insightful

    I've been getting tons of bounces and antivirus messages that are a result of someone else with my e-mail address having the virus. Of course, the whole e-mail infrastructure is obsolete: what do you mean someone else can easily send an e-mail as me! Perhaps if they fixed that, however, antivirus messages would once again be useful. Could someone with modpoints please mod up my post two posts earlier that erroneously got modded 'Troll'?

  4. In the RFC lies the answer by linuxwrangler · · Score: 4, Interesting

    Sobig greets the other server with the NetBIOS name of the infected computer. This does not conform to RFC 2821, which requires a fully qualified domain name. My mailserver does not accept connections from hosts that do not properly identify themselves as the RFC requires. Haven't seen a single Sobig here - the server rejected them all.

    Now bounced messages from other mailservers...that's another issue.

    If mail admins simply set their servers to require FQDN greetings then Sobig would be stopped dead. By rejecting the message my mailserver expects the connecting MTA to generate any necessary bounce which Sobig, of course, does not do. No delivery. No bounce messages. No problem.

    So how about it, all you mail admins out there? How about demanding a bit of RFC compliance from connecting MTAs. Perhaps this virus will provide the moral authority you need to tighten up your servers.

    --

    ~~~~~~~
    "You are not remembered for doing what is expected of you." - Atul Chitnis
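The HELO/EHLO check linuxwrangler describes, as an added example (not the poster's configuration or any particular MTA's code): the argument must be a fully qualified domain name or an address literal per RFC 2821, and a bare NetBIOS-style name like the one Sobig sends fails the syntax check. The server name `mx.example.net` and the 501 reply text are assumed.

```python
import re

# One domain label: letters, digits and hyphens, no leading/trailing hyphen,
# at most 63 characters (RFC 2821 "sub-domain" syntax).
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# IPv4 address literal, e.g. "[192.0.2.1]".
_IPV4_LITERAL = re.compile(r"^\[(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\]$")


def is_valid_helo(arg: str) -> bool:
    """True if the HELO/EHLO argument is an FQDN or an IPv4 address literal."""
    if not arg or len(arg) > 255:
        return False
    m = _IPV4_LITERAL.match(arg)
    if m:
        return all(0 <= int(octet) <= 255 for octet in m.groups())
    labels = arg.split(".")
    # A single label ("WORKSTATION01") is not fully qualified; empty labels
    # ("mail..example.com") are a syntax error.
    if len(labels) < 2 or any(not label for label in labels):
        return False
    return all(_LABEL.match(label) for label in labels)


def helo_reply(arg: str) -> str:
    """SMTP reply line for a HELO argument (assumed server name and wording).
    Rejecting with a permanent 5xx code at this stage means the connecting
    MTA, not our server, is responsible for any bounce; a worm that speaks
    SMTP itself simply gets nothing delivered."""
    if is_valid_helo(arg):
        return f"250 mx.example.net Hello {arg}"
    return "501 Syntactically invalid HELO argument: fully qualified domain name required"
```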

  5. My Reply by Nishi-no-wan · · Score: 4, Insightful

    Just got notified today that I had sent someone SOBIG.F. This was my reply:

    I just received a notice from your Notes server that you received a virus (SOBIG.F) from my address. I would like to let you or your administrator know that the address on that is forged. Your virus checker should look at the headers and report to the ISP from which the infected mail originated, not to the "From" header.

    I've been 100% Microsoft Free since January 1, 2000. Unless SOBIG.F has found a way to worm into FreeBSD, I doubt very strongly if this message came from any domain I control.

    P.S. While having an automated system to notify possible infections to senders is a nice idea, most worms today spoof the From and ReplyTo headers. Without the Received headers there is no way that I can help track down the infected party, making sending this to the person in the "From" header a waste of time (especially for Windows users who then have to check to see if they are infected or not, when the chances are that they aren't). If your company is serious about tracking down the source of infected mail, they will use the IP address (not the DNS name associated with it as that, too, can be spoofed) in the Received headers to track down the originating ISP and report the infection to them, along with the timestamp and time zone received. ISPs can then use their logs to track down who had said IP address at that time in their time zone.

    If your system administration isn't concerned enough to take the time to do it right, then including the full header information of the offending message in your notification would be useful for those of us who do take the time. (There are risks involved with this, as you may be notifying a Black Hat about a compromised machine - i.e. the computer that originally sent the infected message.)

    Thank you for your time and forwarding this to your system administrator.
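The Received-header walk Nishi-no-wan recommends, as an added example (not the poster's code): starting from the newest Received line, skip hops added by our own relays and take the connecting IP address and timestamp of the first outside hop. Everything below that hop was written by the sending machine and may be forged, so it is never consulted, and the From header is not used at all. The trusted relay range and the sample message are constructed for the example.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# The connecting address an MTA records in its own Received line, e.g.
# "from HOST (name [192.0.2.10])" or "from HOST ([192.0.2.10])".
_FROM_IP = re.compile(r"^from\s+\S+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]",
                      re.IGNORECASE | re.DOTALL)

# Assumed: the address range of our own mail relays (constructed).
TRUSTED = [ip_network("198.51.100.0/24")]

# Constructed sample: a Sobig-style message with a forged From, received via
# our relay from an infected host that greeted with a bare NetBIOS name, plus
# a forged Received line the worm placed below it.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [198.51.100.5])
\tby mail.example.net with ESMTP id abc123; Sat, 23 Aug 2003 10:15:00 -0400
Received: from WORKSTATION01 (dsl-203-0-113-42.isp.example [203.0.113.42])
\tby mx1.example.net with SMTP id def456; Sat, 23 Aug 2003 10:14:58 -0400
Received: from forged.example.org ([192.0.2.99]) by WORKSTATION01; Sat, 23 Aug 2003 10:14:00 -0400
From: victim@example.org
To: someone@example.net
Subject: Re: Details

body
"""


def originating_hop(raw_message: str, trusted=TRUSTED):
    """Return (ip, timestamp) for the first hop outside our relays, newest-first,
    or None if no usable Received header exists."""
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        m = _FROM_IP.match(received.strip())
        if not m:
            continue
        ip = ip_address(m.group(1))
        if any(ip in net for net in trusted):
            continue  # our own relay; keep walking down the chain
        # The text after the last ';' is the time (with zone) that relay recorded.
        stamp = received.rsplit(";", 1)[-1].strip() if ";" in received else None
        return str(ip), stamp
    return None
```

The returned IP and timestamp are what the comment says to report to the originating ISP; the forged `192.0.2.99` line and the `victim@example.org` From address play no part.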