Lousy E-mail Filters Complicating Outlook Worms
Mar writes "FRISK Software founder Fridrik Skulason has issued an open letter in which he blames other anti-virus companies for much of the Sobig.F network load problems: 'If mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.'"
...traffic than you'd have if the worm got to its target and continued spreading.
After so many viruses that fake return-to headers, it's stupid to continue responding to them. No, I didn't read the article...
The email bounce is nearly dead now. Between spam and viruses faking the from and reply-to headers, it's become almost a menace. I got nearly as many bounces as I did sobig messages.
This is completely stoppable at the ISP level. I received over 1,000 SoBig.F messages, not one of which had to go through!
It's Christmas everyday with BitTorrent.
You would think that server admins would know that responding to each worm would double traffic and take action to prevent it, by either using a better filter or reconfiguring the filter to not reply.
C:\>
Our Norton Exchange AV kicks out "we-saved-your-butt" emails to the admin, the original recip, and back at the "sender", who of course knows nothing about it since it was forged.
:) Serves AOL right...
I've just been creating more and more filters that send to trash with no notification to anyone.
Of course, you have to pay attention when you first turn some of the capabilities on, as Norton kindly presets you to block AOL mail.
.sigs are for post^Hers.
letting the user get the email and start spewing out more viruses? I'd rather those reject emails go out than having more virus emails floating around..
Do most users exchange executable files? How about just blocking them if they're executable... How about getting an email client that isn't known for its ability to spread received infected email without the user having to even open the email?
/been using pine since 1996...
Do not look into laser with remaining eye.
If you don't want to spend any money at all, you should consider getting SpamBayes. I've tried both SpamBayes and iHateSpam, and I personally like SpamBayes better. It is also FREE. Both have nice Outlook plugins.
More than enough BS
Not only are they doubling traffic, they can help spread the virus.. I've received bounced email containing the virus; since the return address is randomized, this in effect helps to spread the virus. Why include the attachment in a bounce message?
air and light and time and space
Nothing much can be said about security when you are using Outlook Express. Microsoft has always been quick to issue patches to cover up its bugs. It usually releases these patches on the Web. All you can do to keep your mails secure to the utmost extent is to keep a watch on these patches and update your OE as and when necessary. Please check that you have 128-bit encryption on your system. For this, please go to the `help' menu of your browser and then click `about Internet Explorer.' A dialog box will pop up. Look for the word Cypher strength. The cypher strength ideally should be 128bit. If it is anything less than that, then click on the link displayed next to it to upgrade it to 128. Cipher Strength is a security feature in browsers which provides encryption of information being transmitted across the Internet. Barring these security bugs, you can tweak your security to a great extent by applying file-level security to your mail box by using NTFS file system, for which you will have to have win2000 or XP as your primary OS.
I like pie. Pie is better than Outlook worms.
Douglas P. Price
Why (some) anti-virus companies are to blame for the recent e-mail flood
As everyone should now know, Sobig.F has generated a tremendous amount of e-mail traffic world-wide. However, part of the blame for this traffic should be placed on some of the anti-virus companies.
What I am referring to is the large number of incorrectly configured mail filters that respond by sending a "virus alert" to the "From:" address. As Sobig.F falsifies the "From:" address, these e-mails just clutter up the mailboxes of innocent, non-infected people. These messages cause unnecessary annoyance and worry, as they typically (and incorrectly) claim that people have sent out a virus.
When you get an e-mail, warning you of a Sobig.F infection, with a subject line similar to these:
* *** detected and quarantined a virus in a message you sent.
* Warning: E-mail viruses detected
* Virus Detected by ***
* This is an alert from ***
it usually means that someone, somewhere has made a bad decision on how to react to infected mail, either by selecting a substandard product or by configuring it incorrectly.
Worse yet, if mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.
The problem is that some commercial mail filters have this behaviour set as the default. At least one filter gives only two options: always send a "virus alert" to the "From" address of every infected e-mail received, or "pass the message through to the recipient". Clearly neither of these options is acceptable.
I have only one word for this: Stupid!
Acceptable behaviour would be one of the following:
1. Have the mail filter properly distinguish between worms that falsify the "From:" address and ones that do not and only send a warning message when the "From:" address is likely to be genuine.
2. Do not send the alerts at all.
In fact, sending an alert automatically to the From: address for every virus or worm received by e-mail should not even be a selectable option.
With Sobig.F scheduled to die out today, Sept. 10th, the problem might go away for a while - until the next similar worm appears. And this is the scary part. Sobig.F didn't really infect that many machines world-wide, maybe only 200,000 or so. This is only a fraction of the number of machines infected by Msblaster (Lovsan). Now imagine a worm combining the distribution method of Msblaster with the mass-mailing feature of Sobig.F. The flood of traffic might practically render the Internet unusable.
Eventually, some virus author will create a virus like this, maybe this month, maybe in a few years, but it will happen. And when it does we do not need the anti-virus companies making a bad situation worse.
I hope the "guilty" anti-virus producers will be updating their products in the near future, but this is not going to happen unless their customers request it.
Fridrik Skulason ( frisk@f-prot.com )
Founder of FRISK Software International
"The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
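One way to implement the two acceptable behaviours the letter lists, as an added Python example rather than code from FRISK or any product named on the page: alerts can be switched off entirely, a detection whose family is known to forge From: never produces a notice, and any notice that is sent is text-only and capped at one per address per day. The family set, the 24-hour cap and the sample detections are constructed assumptions.

```python
"""Alert policy for a gateway virus filter: when (if ever) to notify the From: address.

Added example, not FRISK's or any vendor's code. It encodes the open letter's two
acceptable behaviours (only alert when From: is likely genuine; or never alert at
all), and adds a constructed per-address cap of one notice per 24 hours.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Families whose signature is known to forge the From: header. Sobig.F is named on
# the page; Sobig.E is included as an assumption to show the set is meant to grow.
FORGES_FROM = {"sobig.f", "sobig.e"}

ALERT_WINDOW = timedelta(hours=24)  # at most one notice per address per day


@dataclass
class AlertState:
    """Remembers when each address was last notified, keyed case-insensitively."""
    last_alert: dict = field(default_factory=dict)


def decide_alert(virus_name, from_addr, now, state, alerts_enabled=True):
    """Return 'quarantine' (drop silently) or 'alert' (send one short notice).

    Order of checks:
      1. the whole alert feature may be switched off (option 2 in the letter);
      2. a detection whose family forges From: never triggers a notice (option 1);
      3. otherwise, rate-limit to one notice per address per ALERT_WINDOW.
    """
    if not alerts_enabled:
        return "quarantine"
    if virus_name.lower() in FORGES_FROM:
        return "quarantine"
    key = from_addr.strip().lower()
    last = state.last_alert.get(key)
    if last is not None and now - last < ALERT_WINDOW:
        return "quarantine"
    state.last_alert[key] = now
    return "alert"


def build_alert(virus_name, from_addr, original_subject):
    """Plain-text notice only: the infected attachment is never copied back to the sender."""
    return (
        f"To: {from_addr}\r\n"
        f"Subject: Message quarantined ({virus_name} detected)\r\n"
        f"\r\n"
        f"A message with subject {original_subject!r} was quarantined because it "
        f"carried {virus_name}. The original message and its attachment have not "
        f"been returned.\r\n"
    )


def run_filter(detections, start=datetime(2003, 9, 1, 8, 0)):
    """Feed constructed detections (minute offset, virus, From:) through the policy.

    Returns (alerts_sent, quarantined_silently).
    """
    state = AlertState()
    alerts = quarantined = 0
    for offset_min, virus, sender in detections:
        now = start + timedelta(minutes=offset_min)
        if decide_alert(virus, sender, now, state) == "alert":
            alerts += 1
        else:
            quarantined += 1
    return alerts, quarantined


# Constructed sample: a Sobig.F flood with forged senders, plus a hypothetical
# non-forging worm ("Oldworm.A") arriving three times from one real sender.
SAMPLE_DETECTIONS = [
    (0, "Sobig.F", "innocent@example.org"),
    (1, "Sobig.F", "innocent@example.org"),
    (2, "Sobig.F", "Other@example.org"),
    (5, "Oldworm.A", "infected@example.net"),
    (6, "Oldworm.A", "Infected@example.net"),   # same address, different case
    (25 * 60, "Oldworm.A", "infected@example.net"),  # next day: one more notice
]

if __name__ == "__main__":
    sent, dropped = run_filter(SAMPLE_DETECTIONS)
    print(f"alerts sent: {sent}, quarantined silently: {dropped}")
    print(build_alert("Oldworm.A", "infected@example.net", "Re: Details"))
```

Running the sample yields two notices (both for the non-forging worm) and four silent quarantines; every Sobig.F copy is dropped without a reply.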
Agreed. My box is getting dozens of filtered SoBig notifications every day. I'm not that paranoid that the wicked screensaver emails I would otherwise be receiving might be false-positives, and I imagine the same is true for most others; but for those who want to know about everything that is addressed to them, the filterware out there ought to let them opt-in. This is an unnecessary waste of server/network resources that clutters my emailing experience more than it already is.
If the e-mail filter is smart enough to know it's Sobig.F, why isn't it smart enough to know the "from" is spoofed?!?!?
I set our filters to just delete anything with an executable attachment, but that didn't do crap for the stupid "Virus Detected" warnings.
One guy was sending us about 150 copies a day, and the others his PC sent out with our address as the "from" resulted in about 50-75 Virus warnings a day - from the first day it popped up until it expired. I had his IP address, and called and e-mailed his ISP (Birch.net) a dozen or more times, and they did squat. 150 x ~100k x # of people in his address book - not to mention the undeliverables and virus warnings - and they did nothing.
666-607: 6th floor apartment of the beast
The SoBig.(X) (all of 'em, been getting them for months, good thing Evolution doesn't care) are all around 100K a piece.
A "your message was filtered" is maybe 2-3K including all headers (more likely under 1k), so responding to messages with viruses in them adds 1-3%, not 100%, to the traffic.
That being said, since most of the current generation of SoBig happily fake the "From" email address, a reply to the from address doesn't really help anyone either.
So in the worst case scenario, a 3K reply to a fake email address results in a bounce message, so at the most you've got 5% overhead, and theoretically for that 6K of email, you've saved a user from getting infected, which would generate 100K*1000's of data.
I'd say it's not too high a price to pay.
Please send all UCE to scally@devolution.com so I can f
One member of our software development team ended up receiving over 10,000 messages/hour during our peak load, about equally split between virus messages and bounce backs/mailer daemon messages. The latter weren't blocked by the standard anti-spam solution.
The messages generally contain no useful information, and are deleted without reading.
Spam catchers should be combined with anti virus solutions, to ensure that authentic messages do generate some sort of response, either to the sender or receiving, informing them of the infection. The technologies would mesh well in this case.
paul reinheimer
last time
This FRISK dude needs to go back and look at his assumptions:
Worse yet, if mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic.
huh? If person A's infected machine sends out 100 emails, and the one received by person Q generates a reply to sender, how does this double the amount of traffic. Sheesh! Calm down.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
It's pretty rare that an e-mail that we send out does not eventually get to its recipient, and in most cases the e-mail is in response to something so the recipient will let us know if they aren't getting a message from us, so this system has been working out well so far.
I never vote for anyone. I always vote against.
-- W.C. Fields
They aren't entirely part of the problem. I think this report lacks some valuable data and misses a key point.
What about all the emails these virus detectors PREVENT by warning the user about the potential virii in the emails?
Remember, the average user isn't that smart. We don't want to prevent them from getting their mail. We do want to warn them. Not only this, the warning emails are likely just local anyway, so this isn't going to be too bad of a traffic increase.
If everyone used even the worst email virus detection software, most of these worms would be stopped much quicker.
Most worms that are using a lot of bandwidth are not email based, and are scanning for other vulnerable machines.
[I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]
Nice rant. Sheesh, this guy makes McBride seem all warm and fuzzy.
Any sightings of Sobig.G in the wild yet? Everybody was predicting it to be released today.
use pine. and whenever you go to a website that requires an email address type in root@website.com
I also use SpamBayes; filters like this are THE way to go. No extra traffic generated from all the notifications heading out, just a few weeks of learning and all works well. If EVERYONE used it, only the people who wanted a penis enlargement would actually receive the email. hooray!
I'd rather have a bottle in front of me than a frontal lobotomy
A related, but smaller, problem is users responding to the spoofed from address and complaining about being on someone's mailing list. I received a lot of these during the SoBig.F mess, and my system was never infected. (But obviously the system of one or more people who had me in their address book got the bug.)
how long until
...is adding to the bottom of the fake message "please send this email to everybody you know"
The SoBig.F virus message was much larger than a "we found a virus" letter, because it included a copy of the virus itself. The number of messages bouncing around may have doubled, but the total bandwidth required did not.
However, as the recipient of 300+ messages a day, I for one would be delighted if the virus scanners had an option to Just Shut Up when they find a specific virus. While I don't believe the scanners aggravated the problem -- indeed, by reducing its transmission, they certainly improved matters -- the bogus reject messages were a highly visible and easily avoidable irritant.
... you'll start getting "You're mailbox is near/over it's limit" messages.
Are there any mailservers that can check if you've received a message previously? Maybe they should have a 'Sent' mailbox and check against them. It could clear it out every ten minutes of everything older than 24 hours, ensuring you'd get 1 notice a day max. If these filters are outside the server, it should be easy for them to offer this. Shouldn't it?
R: That voice. Where have I heard that voice before? B: In about 365 other episodes. But I don't know who it is either.
I work in Tech support for a telecommunications company and I get at least three calls per day regarding a message from Norton Antivirus. The message falsely states that they were a sender of the sobig.f virus. Of course, our users are completely up to date with their virus software and our e-mail servers catch the sobig virus. A big shame on you to Norton for having an e-mail enabled warning like that. It preys on the stupidity of end users.
Granted, if nobody talked about AIDS, the infection rate would probably skyrocket too. So is it better that there be a symptom of the virus such as increased network traffic. Or is it better to not inform external users and try to repair in house?
Maybe it offers a little job security too though.
completely irrelevant, and sounds copy & pasted
One of my clients is an ISP - and they *want* the bounces to go out for the simple reason that it broadcasts to the world that "your mail is safe with us".
So the bounce messages go something like "Our mail server detected a virus in an email you appear to have sent, and we protected our customer
... For more information about our services come to --URL--"
I don't know if it's effective at all, but it sure doesn't cost much - the virus notification is essentially a mild form of SPAM which few people really get up in arms about.
Just to understand, there are market conditions behind those virus notices...
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Wouldn't it be better to blame those responsible for Outlook for Outlook worms? (Be it users who fail to patch, admins who deploy it, or Microsoft for writing it on one drunken weekend that involved a lot of monkey hookers and a boat load of cocaine.)
It's certainly better than blaming a _client_ problem on the _network_, which when it was designed didn't anticipate (understandably) a near monoculture of such vulnerable products being deployed.
Beep beep.
good advice
I just got a call from the Data Security guy in my office. I've had run-ins with him before, because their scans of my PC would occasionally find that I run Eudora for my personal email rather than routing it through the corporate virus portal known as Outlook Express. My bosses have been supportive -- as long as I get my work done, who the heck cares what I've got installed?
Now, I get 50-100 messages from "helpful" virus checkers telling me that I sent them a virus. Duh, of course I didn't. But what's worse is when they try to help me by sending the damned virus back to me! So my Eudora inbox fills up with viruses. No problem, I just delete them, right?
But we've got real-time virus scanning installed, and the admins take a dim view of tweaking it to skip certain directories. It finds that In.mbx contains a virus and kills the file. Poof, there goes my Eudora inbox. Frustrating, but it was full of junk anyway.
This morning, though, I get a call from the head Data Security honcho. Norton called mommy when it found the virus, and did it often enough for me to show up on the admin guy's radar again. Now, I'm going to have to quit using Eudora at work, just because brain-dead virus protection is sending me viruses! I'd fight it again, but I have to agree -- if I keep downloading viruses, I'm part of the problem.
Thanks for nothing, AV companies. All you're doing is keeping yourselves in business with false virus alerts. Or maybe that was the "2. ???" in between "1. Spread Viruses" and "3. Profit!"
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
I'm still fielding like 400 auto-generated emails from various anti-virus software each day. The author's suggestion to simply stop the alerts is not that far fetched at all.
Obligatory bad analogy: it's like pelting someone with rocks in order to warn them they're about to be run over by a car (and then continuing to pelt them with rocks even after the car has passed and is way down the block).
The mail filters that send out a message for each virus message received are not the problem. Indeed, they're just following the basic requirements for bounced messages listed in RFC 2822.
THE problem is the mail filters which also send a second message to postmaster@whatever domain. Whatever brainiac thought that one up should be shot.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Either the antivirus software has to get a lot smarter about which viruses fake the headers (and not send bounce messages in those cases), or there needs to be a netiquette against sending bounce messages for virus infected messages in all cases, or these antivirus companies that produce this crappy software need to be added to SPEWS. I am really sick of this problem personally.
I find this most interesting.
Until recently, no e-mail worms spoofed the email address. F-Prot obviously never had the functionality of replying to infected emails.
Until just recently, it was really good to reply to the sender alerting him about the fact that he sent out a virus/worm. Where was F-Prot back then??
The way I see it, it's been three steps.
Step 1: No email worms.
Step 2: Email worms that didn't spoof the sender (replying to sender is good).
Step 3: Email worms that spoof the sender (replying to sender is bad).
Seems to me that F-Prot is complaining that everyone hasn't reached step 3 yet (with spoofed sender addresses, infected emails shouldn't be replied to), even though we pretty much reached it just now. Before Sobig, even though there were worms that spoofed the sender, they were a minority. After Sobig, spoofing worms are a majority, which means that AV products need to change. This won't happen in a second like it did for F-Prot, because most AV vendors didn't skip step 2 like F-Prot did.
This coming from a company that 95% of computer users have never heard of, and which never even added the functionality of replying to emails even though it was really good until just recently, makes me believe he's just looking for his two minutes of fame.
Critical Update:
A security issue has been identified that could allow an attacker to compromise a computer running Microsoft Windows and install Linux on it. You can help protect your computer by installing this EULA from Microsoft. After you install this EULA, a NULL update will be downloaded for your benefit.
Change the bounce messages to something like the following.
Try our new penis enlargement patch and make your lady love you forever.
Use the bounce messages as a vehicle for spamming.
Got Code?
'If mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.'
Not quite. Fortunately the alert emails are (usually) just text, and not some several-kilobyte attachment. They may be doubling the messages, but certainly nowhere *near* the bandwidth used.
One would hope the anti-virus tool folks could build in ways to sniff out "Oh, this is a SoBig-laden email" and *not* send out the completely useless alert to someone's address that happened to be the random "From" address used.
"People" using "unnecessary" quotes should be "shot".
Funny thing is I have seen some mail servers bounce the sobig mail and include the entire mail - including the attached virus - in the reply.
I envisage some mail servers are continually sending each other the sobig virus as they bounce each others bounces for containing the virus.
Until the anti-virus software developers, M$ and the general e-mail population can out-wit a 12 year old script kiddie, no progress will be made.
~insert tech sarcasm here~
A bounce is a good thing, since it tells the sender of the virus "Hey, you've got a virus". This encourages the sender to remove the virus from their system, and results in a net reduction of network volume.
:)
The problem, of course, is that many of these email worms forge the from. But... the virus filter takes the time to identify that there is a virus, and the filter knows that it's Sobig.F, so why can't the filter also be smart enough to not send a bounce FOR Sobig.F? This seems like it should be trivial to implement.
Ahh well... Speaking as someone who works at a data switch and router company, more network traffic is a good thing.
However, why can't I opt with either my ISP or email provider to have virus emails deleted immediately from the server? It would seem to be economical for either to do so, because they would save server space and prevent the spread of the virus by keeping dumb users from opening the attachments.
Furthermore, should they even have to ask? Virus emails are not really personal or private email, it's junk. I doubt there would be much complaint (from the average Joe) if the Post Office just started throwing away those stupid Valupak coupon things or other mail addressed to "our friend at ADDRESS."
Again, I have no idea what is technically feasible, but perhaps someone could enlighten me as to what an ISP or mail provider could do to cut the spread of virus-laden email before the end user has a chance to see who loves them...
Under capitalism man exploits man. Under communism it's the other way around.
helo valid? .exe|.bat|.cmd|.vb*|.scr|.jsp|.com|.sys|.bin|..... .
mail from: xxx
rcpt to: xxx
data
550 For security reasons this form of message is denied on this system.
connection closed.
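The gateway-side refusal sketched above, written out as an added Python example (not the commenter's code): the DATA payload is parsed and refused with the 550 reply if any attachment name matches the comment's extension list. The HELO hostname check and the sample messages are assumptions constructed for the example.

```python
"""SMTP-time rejection of executable attachments, as sketched in the comment above.

Added example, not the commenter's code. The extension list is the comment's; the
HELO check is an assumption (require a syntactically valid fully qualified hostname).
"""
import email
import fnmatch
import re
from email import policy

# Attachment name patterns the gateway refuses (from the comment; "*.vb*" covers .vbs/.vbe).
BLOCKED_PATTERNS = ("*.exe", "*.bat", "*.cmd", "*.vb*", "*.scr",
                    "*.jsp", "*.com", "*.sys", "*.bin")

# Assumed HELO policy: a dotted hostname with a TLD; address literals are not accepted.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

DENY_TEXT = "For security reasons this form of message is denied on this system."


def helo_valid(argument):
    """HELO/EHLO argument must look like a real FQDN under the assumed policy."""
    return bool(HOSTNAME_RE.match(argument.strip()))


def blocked_attachment_names(raw_message):
    """Parse the DATA payload and list attachment filenames matching BLOCKED_PATTERNS.

    get_filename() consults both Content-Disposition filename= and Content-Type name=;
    matching is case-insensitive so INVOICE.EXE is caught, and glob matching means a
    double extension such as readme.txt.exe still matches *.exe.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and any(fnmatch.fnmatch(name.lower(), pat) for pat in BLOCKED_PATTERNS):
            hits.append(name)
    return hits


def data_verdict(raw_message):
    """Reply to give at end of DATA: (550, reason) to refuse, (250, text) to accept."""
    if blocked_attachment_names(raw_message):
        return 550, DENY_TEXT
    return 250, "OK: queued"


# Constructed two-part message; NAME is substituted, payload is just "hello" in base64.
_TEMPLATE = (
    b"From: forged@example.org\r\n"
    b"To: victim@example.net\r\n"
    b"Subject: Re: Details\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"XYZ\"\r\n"
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"See the attached file for details.\r\n"
    b"--XYZ\r\n"
    b"Content-Type: application/octet-stream; name=\"NAME\"\r\n"
    b"Content-Disposition: attachment; filename=\"NAME\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"aGVsbG8=\r\n"
    b"--XYZ--\r\n"
)


def _sample(attachment_name):
    """Build a constructed message carrying one attachment with the given name."""
    return _TEMPLATE.replace(b"NAME", attachment_name)


SAMPLE_INFECTED = _sample(b"details.scr")
SAMPLE_CLEAN = _sample(b"notes.txt")

if __name__ == "__main__":
    print("helo mail.example.org valid:", helo_valid("mail.example.org"))
    for label, raw in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        code, text = data_verdict(raw)
        print(f"{label}: {code} {text}")
```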
With the way our mail system is now, mail servers accepting and routing mail from any client w/o the need for any real kind of authorization or identity matching, we are screwed.
Most modern clients support digitally signing mail, either via PGP or S/MIME. This needs to become a lot more widespread, with 3rd party verification of signatures ala VeriSign/SSL-certs. When it is in place we can safely delete any mail we get w/o a real signature, and go about our business. If someone with a legit signature DOES join the dark side, they are stamped, labeled, and easily filtered.
Does anyone see any arguments against digitally signed mail, besides the large over-head of layering security onto a system that started w/o any, by design?
/* * pope1 */
We have Mail Marshall here at work. I got the following mail from the system yesterday...
:(
MailMarshal (an automated content monitoring gateway) has stopped the following email for the following reason:
It believes it may contain unacceptable language, or inappropriate material.
Message: B000038072.00000001.mml
From: xxx@xxx.com
To: xxx@xxx.com
Subject: Re: So Whuz Up?
Please remove any inappropriate language and send it again.
The blocked email will be automatically deleted after 5 days.
MailMarshal Rule: Inbound Messages : Block Unacceptable Language Script Offensive Language (Basic) Triggered
Expression: asshole Triggered 1 times weighting 5
Email security by MailMarshal from Marshal Software.
So the message tells both the original sender and me that it won't deliver the email because it contains the term "asshole". So it lets me know that by sending me an email containing the exact same word that was supposed to be filtered? It seems like we've got a hypocritical mail filter here.
Ironic, you spam on a thread about spam...
It seems that automatic filtering software is failing, and e-mail viruses are only becoming more and more clever, with ever more randomized characteristics. The solution to this problem is obvious: someone needs to be there to look through all the e-mail that goes through the Internet and filter out the viruses and spam that nobody wants.
So how about this idea? The government mandates that all ISPs to have a group of people on-site full-time, 24/7, to scan through every e-mail message to go through their mail servers. If it is a known virus or spam e-mail, they would set the evil bit to true, and thus render it invisible to both future mail servers and recipients. Spam and viruses can be completely eliminated using this method!
I would recommend having a team of several dozen with short, 4-hour shifts rotating throughout the day in order to minimize the effects of fatigue. Boredom shouldn't be a problem, due to the sheer stupidity of much e-mail that would have to be certified. In the future, this could even be outsourced to a work-at-home type environment, where all that is required is a computer with a capable internet connection and some time!
This may even introduce a new way to tax e-mail, by adding a minute "certification charge" to have your e-mail certified genuine by a third party. Low monthly subscription rates could also be available, allowing you to send an unlimited number of e-mails at a fixed price.
What a grand future these e-mail viruses have created! Thank you, Outlook!
Seen this on my network at work. Most of the from addresses are faked anyway, so we're getting bounce backs from these anti-virus software daemons saying that we sent so and so a virus. Now, not only is our network under heavy load from the actual sobig.x virus but we're also dealing with these bogus e-mails.
Server load went from 55% usage up to 98% usage. 17% of all emails coming in were these bounce backs to either us or our customers. 17%!! This is totally unacceptable, especially when most if not all of the current breed of e-mail borne viruses fake the e-mail address.
Personally, I think this option should just be removed totally from the software packages. Barring that, have it off by default, not on. I have enough spam and virus emails coming in without having to deal with the extra load of warning emails from poorly configured virus walls.
See this comment from another discussion on protecting your mail server.
By that logic, also a mean fisting was administered.
Marketing guys love email notices because it raises awareness that the product is working. This is independent of it being a good idea.
At no point should a response be generated for a virus. Maybe five years ago, when viruses tagged along with legitimate data, but nowadays a virus generates its own delivery system, and there's no point to a bounce.
Vintage computer games and RPG books available. Email me if you're interested.
The statement "If mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution" is also what I've been saying for months. This is a condemnation of challenge/response. Challenge/response is flawed conceptually in that it assumes the return address is correct. In an age of spam (which it supposedly addresses) and viruses it is absurd to believe the return address exists and sending email to the return address just multiplies the problem.
Challenge/response was never well thought out. It shifts the burden of spam filtering to the person that sends email to that user, and tends to mailbomb innocent users that happen to have their addresses forged by spam or viruses. All so someone can supposedly enjoy a spam-free existence with no thought to the hassle they are creating for others and the spam that they are creating by mailbombing C/R challenges to forged addresses.
Hopefully with much better filters already available Challenge/response will just disappear. It's bad technology.
Entourage has the absolute worst filters I've ever come across. I made the mistake of enabling the Junk filters and now it trashes every other good message and totally misses spam. I have rules for things in the address book but it totally ignores them. Some rules don't work at all, but when you highlight a bunch of messages, right - click and apply rule, suddenly it discovers that yes, those messages are in the rules. What is really bad is that once I enabled junk mail filtering, it still does it after un-enabling it! I'm going back to mail.app
The past two days had a ton of them - with that was the original email coming in, then the message sent to the user, the admin, and three other backup/side admins notifying that there was a virus. Then the pop-ups on two server consoles.
It was getting annoying - you would think that I would just disable all that notification except the admin... but you'd be wrong.
That is all just on our Exchange server though, no outside bandwidth.
There are some odd things afoot now, in the Villa Straylight.
Anyone notice that white dot right below the banner ad at the top of the main /. page?? What is it??? Is it a secret message from an alien race?
This is news? Geesh.
But perhaps with more awareness of the insanity this is causing, admins will change their filters to NOT bug people that have had their addresses faked..
Actually at this point I get MORE of the 'kind notices' than actual infected emails. A lot more.
---- Booth was a patriot ----
for the letter. i'm sick of these spam bounce mails cluttering up my caughtspam folder.
perl -e '$_="\007/4`\cp%2,".chr(127);s/./"\"\\c$&\""/gees
When you have patches galore and your eyes are all sore, FUCK the skull of Microsoft! FUCK the skull of Microsoft!
They say security's their focus, but their bug list's a swarm of locusts! FUCK the skull of Microsoft! FUCK the skull of Microsoft!
Bill Gates can't write a program for 640K o RAM! FUCK the skull of Microsoft! FUCK the skull of Microsoft!!
Although there's trusted computing and Palladium in our future, MS is such a target that even those will need some sutures!
How can you trust something you can't see? (the code) Even Christians have a hard time convincing me!
So no matter what they say, we all know MS is sooo teh ghey! FUCK the skull of Microsoft! FUCK the skull of Microsoft!
Yep. It's a troll. Could someone set it music please? ;P
Un-news
I mean, come on!
We aren't having problems with internet lice! Why should a lousy filter work? Use the right tool for the job and install some wormy filters and all will be okay.
Only a fuckin' moron configures his email antivirus system to autoreply to the claimed sender of incoming infected emails, and the average typical email sysadmin is, uhh, well... Oh, nevermind.
If the bounce mentions the virus scanner's name then it's promotion, aka spam, just like the ones that tack it on outgoing mail; branding is all about pushing the product's name into people's minds.
how many people see messages such as
"a virus was detected by superscannr (www.superscan.viruscompany.com) in your attachment it was removed, "
or
"this email was checked for all known viruses by superviruscanner, for more details visit www.superviruscanner.com"
keep plugging that name into managers/IT buyers minds
I received hundreds of bouncebacks from one organization. So, I did a whois and wrote to the contact listed:
My name is Geoff Fox and I am writing because I have received hundreds upon hundreds of message bounces from your **** mail server.
These messages are not originating with me. These are SoBig virus generated and are spoofing my address as the return.
I am asking nicely, but I need you to take action immediately. I am attaching a bounce message so you can see what I've received. From the headers it looks like they're actually coming from ***.com
Sincerely, Geoff Fox
I did get a response... but not what I had expected.
Geoff, Thanks for raising the issue of the SoBig virus infection.
From the information that you have provided, it does look like the infected machine is located at **** Architects, Inc. of Harford, CT. Their contact information is provided below.
Have your IT technical staff contact the administrative contact or the technical contact below. They may not realize that they have a SoBig infected machine and that it needs to be cleaned.
(whois stuff deleted)
It was signed by their Director of IT Security.
So, even at that level, he didn't realize he was doing something wrong... or that these bouncebacks came from him, not from the site that was infected. And, he felt it was my obligation to do something about it, not his!
Some good reading material:
http://www.lurhq.com/sobig-e.html
http://www.lurhq.com/sobig.html
http://www.lurhq.com/sobig-f.html
- James
Maybe you lunix fags could stop making heroes out of hackers, and start to look at them as the bottom feeding dregs that they are.
Maybe if it wasn't so hip and trendy to h4x0r j00r b0x0r with your m4d sk1llz0rz
Lunix fags? Hip and trendy? There's an oxymoron if I ever heard one!
if uHateSpam, I suggest you feed it to the Great Hole of Despair.
That is somewhat of an interesting thought... If I was still taking sociology classes I would love to do a study on the correlation between weight and virus writing in programmers.
I don't know if anyone has been paying attention but the last wave of virus authors have been pretty fat.
Am I part of the problem if I send a reply to the sysadmin informing them that I don't have the virus and didn't transmit the initial message?
Remember, the average user isn't that smart. We don't want to prevent them from getting their mail. We do want to warn them. Not only this, the warning emails are likely just local anyways, so this isn't going to be too bad of a traffic increase.
You didn't read the article did you? This isn't about AV software warning a user that an email they received might contain a virus. It's about AV software that sends a reply back to the supposed (sender) of the email saying they are infected.
The problem here is that lately pretty much all email based viruses forge their From: address to make it look like the email came from what is actually an innocent party.
I use Linux and OpenBSD on my workstations exclusively, with mail programs that can't even render html email etc. The chance of me sending out or spreading an email virus is almost zero, yet I received hundreds of bounces warning me that the email I sent out contained a virus, from people I never even heard of, let alone sent an email to in the first place.
"That" is the problem the article was referring to.
Messages from known spamming autoresponders should be blocked by spam filters. A publicly available list of canned text appearing in messages from spamming autoresponders should be made available and placed into mail filters.
That should deal with the problem.
I bounce any "you have a virus" notification with a 5xx error, as I don't run Windows. Let the fuckwit admin whose system is sending the mail get buried under the bounces.
Pretty soon it looks like I'll have to start bouncing "mailbox full" notifications similarly.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
Lousy E-mail Filters Complicating Outlook Worms
SoBig.F is not an Outlook worm. It is a Windows worm. It does not require Outlook to run. It has its own built in MTA and grabs email addresses from cached webpages and local text files as well as the Outlook/Express address book.
-Ab
Nothing fails quite like prayer.
I don't. Their contribution to the problem is only limited to their marketshare. Any antivirus can block the viruses - but using these idiots over better competitors results in how many *illions of extra messages? Not to mention the confusion it creates on behalf of less savvy recipients. How many people paid for tech service on their "infected" computers only to discover they were fine?
Under any circumstances, I don't find this behavior acceptable.
-Looking for a job as a materials chemist or multivariat
I am a satisfied customer, although sadly their business licenses have become a lot more $expensive lately.
I am currently looking into antivirus solutions for our company mailserver, and originally thought about disabling the bounce messages.
But unfortunately it seems that it could be illegal in Germany to intercept a message without notifying the sender. As far as I understand it, eMail seems to be subject to the same regulations as snail mail here, so dropping the message silently could constitute a legal hazard.
I think they're helping the worms...!
\m/
See the lengthy discussion of this subject on NANOG three weeks ago, when all these issues were flogged to death in a much more authoritative manner than will be the case in the comments around this post...
I've pretty much given up on beating this dead horse but, I'll say it one more time for your benefit: Email was not intended to be a file transfer and/or storage system. If you need to transfer files a better solution would be to make them available via HTTP or FTP and simply email the URL to the recipient. They can then click the link and download the file themselves rather than a mailbox with a gigabyte of messages that all have attached files.
Last time: Email was never intended to be a file transfer or storage mechanism. Use it as it was originally intended and you will not have any problems or frustrations.
Not only does each virus email generate an autoresponse email, every user in our building emails me *every time* they receive an autoresponse about an infected file.
Ok, so maybe it isn't every user every time, but boy does it feel like it. When you've explained to someone for the fourth time that the emails are junk, it gets frustrating.
Last year, my wife received a spate of "you sent this virus" messages. Worse, a number of her associates received "this person tried to send you a virus" message, referring to her.
I followed up with several of the administrators running the virus filters. In all cases, the administrators had quarantined the messages without headers so it was impossible to tell what machine really sent the message. I would have liked to know this information so as to have some hope of tracing the owner of the infected machine.
I understand why users are unaware of headers. Microsoft's products go out of their way to hide them. In Outlook Express, to get headers you have to find the relevant show headers pull-down and even then the headers appear in a too-small non-resizable window. You have to clip the contents and paste into a real window before the headers can be read/forwarded.
The "From:" field of email means no more than the snail-mail return address that you scribble on an envelope. The header, like the snail-mail postmark, tells the origin.
What is the excuse for vendors of email software (filtering or end-user) perpetrating unawareness of this basic property of email?
What is your definition of "recently"? Apparently it's about two years.
why not have the filter do a whois on the ip of sender and send the warning to the admin of that net block?
seems like a better solution as it gets the virus warning in hands of the person that can do something about it rather than sent to people who have no virus on their systems..
come on how hard is it to parse the record gotten back from a whois query?
Don't Tread on OpenSource
Love,
Egg Troll
Later versions of the amavisd-new mail scanner don't send mail to sender addresses from virii/worms that forge mail headers, even if you have it configured to do so.
What is an affordable server side virus filter? There are several out there I am guessing, but I am unsure about the reliability vs. cost. We currently use SpamAssassin for our spam filtering needs and are very pleased with it.
What is the de-facto standard for email virus filtering these days? (Something that a geek would be proud to have filtering their email)
...if you prefer discrete integer variables, you could go with the number of chins. That kid had about 4.
-Looking for a job as a materials chemist or multivariat
If you receive a message from AV product then send it back to the company who wrote the AV.
Send it to sales@, support@, info@, etc. and tell them they should fix their program.
Let's look at two cases. First, the virus goes through to an end user. We'll assume the chances are 1 out of 10 that the user will become infected, and generate another 2,000 messages. Number of messages sent per average user: 201.
Now, let's say that a filter stops the message, and still sends a reply - but prevents infection. Number of messages sent: 2.
So, it looks to me like even if the filter DOES send a reply, there's still a 100-fold DECREASE in load vs. not having a filter.
Now, I'm not saying that virus filters SHOULD send the notification - that's open for debate. However, the simple statement that virus filters which DO send out notifications doubles the load is a tremendous simplification, and does not take into account the real-world DECREASE in messages sent when effective virus filters are in place.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
I remember the day that SoBig.F reared its ugly head. I came into work and must have had 40-50 emails claiming I sent a virus to some person I have never heard of. It was so many I actually figured I better check and make sure I didn't have the virus.
Even worse 1 in 4 of the messages sent the virus to me in the message bounce.
But in reality antivirus software is playing a losing game, it tries to get out virus definitions to protect systems after the virus has been released. Not only that, the viruses have much faster distribution rate than the definitions so it's a losing battle. We need a new solution.
I propose that we should call for a ban of Microsoft Lookout. In its short existence, it has become the most insecure piece of software ever written -- surpassing Bind, Sendmail and even Wuftpd, programs much older than it.
While we are at it let's call for banning direct access to the internet for all windows based systems. Let's face it. If you put a windows box bare on the net, eventually it is going to be compromised. Windows wasn't originally designed to work on the internet and Microsoft has shoehorned in the internet support without proper security measures taken.
You can't rely on end users who are too afraid to install their own OS to properly secure and update the machine. Someone needs to do that for them and frankly Microsoft doesn't.
This has been a known problem since the first header forging virus/worm was released.
On the Exim mail list, the big question wasn't how to stop sobig.f. It was never a problem. The discussion was on how best to filter out the "you have a virus" bounce messages that were flooding the admins.
-- Will program for bandwidth
Here are some procmail recipes to identify these bounce messages:
* ^Subject: delivery fail
* ^Subject: Delivery Status Notification
* ^Subject: failure notice
* ^Subject: mail system error
* ^Subject: norton antivirus detected
* ^Subject: returned mail
* ^Subject: undeliverable mail
* ^Subject: undeliverable:
* ^Subject: undelivered mail
* ^Subject: virus alert
* ^Subject: virus detect
* ^Subject: virus found in sent message
* ^Subject: virus in your mail
* ^Subject: virus warning
* ^Subject: warning:.*virus
* ^Subject: your e-mail.*virus
I would recommend redirecting these messages to a separate folder rather than deleting them, as there's a small chance of false positives.
BTW, how does one write a procmail rule that succeeds if ANY of the lines match, rather than if ALL? (I have all of the lines above in separate recipes, currently...)
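An added example, not the poster's recipes: the sixteen Subject patterns above collapse into one alternation, which is also how a single procmail condition expresses an OR, and the Python below applies it to constructed sample messages and files bounces to their own folder as the post recommends. The folder names, addresses and sample messages are assumptions.

```python
import email
import re
from email import policy

# The Subject patterns from the procmail recipes above, collected in one list.
BOUNCE_SUBJECTS = [
    r"delivery fail",
    r"Delivery Status Notification",
    r"failure notice",
    r"mail system error",
    r"norton antivirus detected",
    r"returned mail",
    r"undeliverable mail",
    r"undeliverable:",
    r"undelivered mail",
    r"virus alert",
    r"virus detect",
    r"virus found in sent message",
    r"virus in your mail",
    r"virus warning",
    r"warning:.*virus",
    r"your e-mail.*virus",
]

# One alternation instead of sixteen recipes. In procmail the same OR is a single
# condition line:   * ^Subject: (delivery fail|Delivery Status Notification|...)
# procmail matches case-insensitively by default, hence re.IGNORECASE here.
BOUNCE_RE = re.compile(r"^(?:" + "|".join(BOUNCE_SUBJECTS) + r")", re.IGNORECASE)


def subject_of(raw_message: str) -> str:
    """Parse the message and return its unfolded, decoded Subject header."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return str(msg.get("Subject", ""))


def matched_pattern(raw_message: str):
    """Return the individual pattern that matched, or None; handy when tuning the list."""
    subject = subject_of(raw_message)
    for pattern in BOUNCE_SUBJECTS:
        if re.match(pattern, subject, re.IGNORECASE):
            return pattern
    return None


def deliver_to(raw_message: str) -> str:
    """Folder to file the message in. Bounces go to their own folder, never the trash,
    because a genuine DSN for mail you really sent looks exactly like these."""
    return "virus-bounces" if BOUNCE_RE.match(subject_of(raw_message)) else "inbox"


# Constructed sample messages (not real bounces).
SAMPLE_AV_NOTICE = """From: postmaster@example.net
To: victim@example.org
Subject: Virus Alert: W32/Sobig.F@mm was found in a message you sent

The message has been deleted.
"""

# Folded Subject line: the parser unfolds it before the regex sees it.
SAMPLE_DSN = """From: MAILER-DAEMON@example.net
To: victim@example.org
Subject: Delivery Status Notification
 (Failure)

This is an automatically generated Delivery Status Notification.
"""

SAMPLE_WARNING = """From: scanner@example.com
To: victim@example.org
Subject: WARNING: a virus was detected in your message

The attachment was removed.
"""

# A forwarded warning is not itself a bounce. Like the procmail recipes, the patterns
# are anchored at the start of the Subject, so this one stays in the inbox.
SAMPLE_LEGIT = """From: colleague@example.org
To: victim@example.org
Subject: Fwd: virus warning from IT, please read

See below.
"""
```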
I use No-IP.com. Within a few hours of the worm spreading they had turned off bounce notifications of virus messages. I received a total of 10 SoBig worm notifications messages, and none of the actual worm.
I think it's up to the ISP administrators to stay up to date with what is going on and to stop these sort of things in their tracks. That is why I get my email through a third party: so I don't have to deal with the bull. They have a responsibility to their customers. I think No-IP did a great job living up to that responsibility.
Frisk has been around for a long time, I used f-prot in DOS. But I think the letter he wrote is definitely a marketing ploy. They have recently updated their site to a more modern interface and it seems they are attempting to make some kind of mainstream market pull. I have the f-prot trial on my work windows xp box and honestly, it's pretty good. Fast and stable and less intrusive than Norton AV. So it might be good for it to work out for them.
I administrate a mail server with around 550 accounts on it. We got slammed by Sobig.F and eventually had to block it using header_checks in Postfix.
This won't catch every virus-infected file attachment (like Word macro viruses), but the regex I put in place will block files with certain file extensions (e.g. pif, exe, etc.). What's nice is that the mail is rejected during the SMTP transaction and produces no residual mail traffic since the sending mail server is the worm's SMTP engine.
So, for anyone using Postfix 2 who would like to stop most e-mail worms, using header_checks to scan MIME headers is a very effective way to protect your customers/users.
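The same idea as the poster's header_checks rule, as an added Python example that is not the poster's configuration: look at each MIME part's attachment name, and if it ends in a blocked extension answer the DATA command with a 550, so the worm's own SMTP engine receives the rejection and nothing is queued or bounced. The extensions beyond pif and exe, the reply texts and the sample messages are my assumptions.

```python
import email
import re
from email.message import Message
from email.utils import collapse_rfc2231_value

# Extensions refused outright. pif and exe are the ones named in the post; the rest
# are my additions of other Windows-executable types.
BLOCKED_EXTENSIONS = ("pif", "exe", "scr", "bat", "cmd", "com", "vbs")

# Postfix applies a regexp to the raw header line, roughly of the form
#   /^Content-(Disposition|Type).*name\s*=\s*"?.+\.(pif|exe|scr|bat|cmd|com|vbs)"?\s*$/ REJECT
# (illustrative, not copied from the post). Here the parsed name parameter is checked
# instead, which also sees RFC 2231 encoded filenames that a plain regexp misses.
BLOCKED_NAME_RE = re.compile(r"\.(?:" + "|".join(BLOCKED_EXTENSIONS) + r")\s*$", re.IGNORECASE)


def attachment_names(msg: Message):
    """Yield every filename= / name= parameter on any part's MIME headers."""
    for part in msg.walk():
        filename = part.get_filename()   # Content-Disposition filename, else Content-Type name
        if filename:
            yield filename
        name = part.get_param("name")     # Content-Type name, checked on its own in case the two differ
        if name:
            yield collapse_rfc2231_value(name)


def find_blocked_attachment(raw_message: str):
    """Return the first attachment name with a blocked extension, or None."""
    msg = email.message_from_string(raw_message)
    for name in attachment_names(msg):
        if BLOCKED_NAME_RE.search(name):
            return name
    return None


def smtp_data_reply(raw_message: str) -> str:
    """Reply given at the end of DATA. A 550 here goes back to the connecting client
    (for Sobig, the worm's own SMTP engine), so no bounce message is ever created."""
    name = find_blocked_attachment(raw_message)
    if name is not None:
        return f"550 5.7.1 Attachment {name} is an executable file type and is not accepted"
    return "250 2.0.0 Ok: queued"


# Constructed sample messages. The base64 body is the string "constructed", not a binary.
SAMPLE_PIF = """From: spoofed.sender@example.org
To: victim@example.net
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="constructed-boundary"

--constructed-boundary
Content-Type: text/plain; charset="us-ascii"

See the attached file for details.
--constructed-boundary
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--constructed-boundary--
"""

# Double extension and only a Content-Type name parameter: still caught.
SAMPLE_DOUBLE_EXT = """From: spoofed.sender@example.org
To: victim@example.net
Subject: Your photo
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="constructed-boundary"

--constructed-boundary
Content-Type: application/octet-stream; name="photo.jpg.pif"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--constructed-boundary--
"""

# A Word document passes this check, which is the limitation the post mentions:
# a macro virus inside it is left for the virus scanner, not the header check.
SAMPLE_DOC = """From: alice@example.org
To: victim@example.net
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="constructed-boundary"

--constructed-boundary
Content-Type: application/msword; name="report.doc"
Content-Disposition: attachment; filename="report.doc"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--constructed-boundary--
"""
```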
Uh huh.
So you wanna read your personal email at the office. Fine if your company supports that.
But then you just absolutely positively gotta use only your favorite email client, not the one already installed, not a web portal. The email client now installed by you, presumably licensed to you, that is not owned or supported by IS. The one that makes IS's day that much tougher by throwing one more ingredient into the stew that is the company's desktop computer.
Now on top if it your personal email client reading your personal email is bringing in viruses to the company. Onto that corporate PC logged into the corporate network. And dammit those nasty folks in IS aren't willing to spend their time making exceptions to the virus scanning so your unique-in-the-company personal email client reading your personal, virus-infected email is exempted.
Cry me a river.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
The ISP, OTOH, uses a lot of CPU cycles filtering.
Most antivirus software is configurable as to what to do with the virus. I set mine to delete the attachment, the email and send no message (that is tight, but during worm activity that is the way to go). So, if he had problems with too much mail when filters engaged he should RTFM.
Replace user, press any key
At least, that's what I've been told.
SoBig's builtin MTA sends a syntactically-incorrect "HELO" line when connecting to a mail server. The SMTP grammar specifies a fully qualified name in the machine name following HELO, I think, and SoBig doesn't give one.
This is hearsay, though. Can someone verify it?
So, if true, you could simply drop the connection on poorly-formed HELO lines. But that would also disconnect a few legit-but-badly-written MTAs out there. (In my opinion, fuck 'em. It's long past time to be using properly written software.)
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
Some of the "worst offenders" will send the offending attachment back.
So the reply is larger (original message + "we found a virus" stuff) AND it potentially spreads the virus to an uninfected machine.
retrorocket.o not found, launch anyway?
What part of "forged originator address" don't you understand?
The "you've got a virus" messages DON'T GO BACK TO THE INFECTED PERSON. Instead, they come to me, and I'm running a freaking Macintosh!
Clear, Dark Skies
I would imagine that most of the virus scanners for mail servers out there can be configured to not send out the notification to the forged From address. The virus scanner I am familiar with - RAV, has this capability. I had ours configured to send out the notification until Klez and other viruses made it a worthless endeavour. Unless of course you are an ISP that has no qualms about using the opportunity to advertise.
It would be nice if GeCAD would rewrite their software to stop the notice from being sent when the virus is Klez, Sobig, etc. But since GeCAD got bought out by Microsoft who will be discontinuing their product line, I know that will never happen. Hopefully someone else like Sophos will.
People need to stop calling Sobig an Outlook worm; it doesn't use Outlook. It has its own SMTP server and scans your hard drive for email addresses. It's a Windows worm, and if you read the history on it, it spread via Usenet first.
Have you ever been to a turkish prison?
I received far more mistaken bounces--and virus-infected attachments--than original Sobig-sent copies.
I have seen this since Klez started doing it, and being on a mac, I knew I wasn't infected. I have thought about an application that might help finding out those who were originally infected by emailing the person who sent out the antivirus message, to try and find out who this person was that we both knew. I guess in the end we're all related to each other's email by knowing somebody who knows somebody who knows somebody who sent it.
SCOrdure has no reason to be asking you for $699 to continue to use Linux, or $199, or $32 for that matter until they show tangible and irrefutable proof that their "IP" (feh, ptui!) was used in Linux.
Until then they won't get a red penny from me.
-uso.
What you hear in the ear, preach from the rooftop Matthew 10.27b
Second, get everyone to agree to get a key that's signed by a CA.
Some individuals can't afford the annual fees that many existing CAs charge. And how can a new CA get its key into circulation?
Will I retire or break 10K?
Only after idiot users run the attachment.
"Sufferin' succotash."
So, if true, you could simply drop the connection on poorly-formed HELO lines.
That could work, but remember to make sure that the MTA doesn't actually drop the connection until after the RCPT line; otherwise, it breaks the SMTP RFCs.
Will I retire or break 10K?
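An added example, not code from either poster: a syntactic HELO/EHLO check (fully qualified host name or bracketed address literal, as RFC 2821 requires for the parameter) wired into a minimal server-side session that remembers a bad greeting and refuses the message with a 550 at RCPT TO, rather than dropping the connection. The server name and the two client dialogues are constructed.

```python
import ipaddress
import re

# One DNS label: letters, digits and inner hyphens, at most 63 characters.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def helo_argument_is_valid(arg: str) -> bool:
    """True if the HELO/EHLO parameter is a dotted FQDN or an address literal like [192.0.2.10]."""
    if not arg or len(arg) > 255:
        return False
    if arg.startswith("[") and arg.endswith("]"):
        literal = arg[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            ipaddress.ip_address(literal)
            return True
        except ValueError:
            return False
    labels = arg.split(".")
    if len(labels) < 2:          # a bare host name is not fully qualified
        return False
    if labels[-1].isdigit():     # an unbracketed IP address is not a host name
        return False
    return all(LABEL_RE.match(label) for label in labels)


class SmtpSession:
    """Minimal state machine. A malformed HELO/EHLO is noted, the greeting is still
    answered, and the refusal is delivered as a 5xx reply at RCPT TO."""

    def __init__(self, hostname="mx.example.net"):   # constructed server name
        self.hostname = hostname
        self.greeted = False
        self.bad_helo = False

    def command(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            self.bad_helo = not helo_argument_is_valid(arg.strip())
            return f"250 {self.hostname}"           # always answer; the verdict comes later
        if verb == "MAIL":
            return "250 2.1.0 Ok" if self.greeted else "503 5.5.1 Send HELO/EHLO first"
        if verb == "RCPT":
            if self.bad_helo:
                return "550 5.5.2 Rejected: HELO argument is not a fully qualified host name or address literal"
            return "250 2.1.5 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command not recognized"


def run_session(lines):
    """Feed a client dialogue through a fresh session and return the replies in order."""
    session = SmtpSession()
    return [session.command(line) for line in lines]


# Constructed dialogues. The first greets with a bare, unqualified name; the second is a
# well-behaved MTA. Neither is a capture of real traffic.
BAD_HELO_DIALOGUE = [
    "HELO pc1",
    "MAIL FROM:<spoofed@example.org>",
    "RCPT TO:<user@example.net>",
    "QUIT",
]
GOOD_HELO_DIALOGUE = [
    "EHLO mail.example.org",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<user@example.net>",
    "QUIT",
]
```

An operator worried about the badly written but legitimate MTAs the poster mentions can log the bad_helo flag instead of acting on it for a while before turning the 550 on.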
The reason the AV companies put this capability into their systems isn't to be friendly and let people know their computers are infected -- it's freepub. Imagine if you were an anti-virus company and had a list of the e-mails of all the world's infected computers -- you could spam them and get some small percentage of new customers. This automates the process, and in the case of falsified headers, only helps them spam and scare even more people.
World's tallest building rises in the desert
Do most users exchange executable files?
Hobbyist developers sometimes e-mail executable files to people who don't have a compiler installed. And if you don't have a compiler, a web browser, or an FTP client, how are you supposed to get one of those without receiving an executable through e-mail or spending an exorbitant sum on international postage?
Will I retire or break 10K?
We run postfix/amavisd-new with a commercial virus scanner (why not just a commercial virus gateway? Well, most of them aren't as flexible).
So, first thing a virus finds is our header checks for the common windows virus files (.vbs, etc etc). This catches *all* the Sobig.* stuff we have hitting the server, if the connecting client is Sobig itself, we save 100% of the traffic (ok, maybe 99.9%).
Then, we have the antivirus, which will catch anything embedded in the kind of files our users want to receive (.doc, .zip etc).
Then the antispam (spamassassin).
If a virus is found, we notify the intended recipient (if they are local), quarantine the whole original mail, and notify our postmaster, but we don't notify the (potentially forged) sender. If the recipient actually knows the sender, they can inform them if they think it's a real concern.
Now, I get a bounce from one of these ridiculous virus gateway implementations. Some of them return the *entire* original mail as an attachment. This breaks our header checks, and gets through to the AV, and gets me a notification. This is the *only* traffic I get as a result of Sobig.F, and is wasting my time due to the incompetence of other mail administrators (it's ok if it's a user, at least they can have an excuse).
What I need now is a header check that matches Norton, and returns a suitable message.
Anyway, it's nice to see at least one vendor agrees, but I need more ammunition to send with my complaints to the administrators of these broken mail virus solutions.
Trend Micro's VirusScan for Linux does a good job for us. While it does send 'warning' messages to sender and recipient by default, these can be disabled. I turned them off the day Klez first reared its ugly head and started the address spoofing trend. I bet this is mostly just a matter of configuration/laziness.
include $sig;
1;
I'm as annoyed by this as anybody. I've received hundreds of "rejects", far more than actual copies of the virus.
But people seem to be forgetting one thing: anti-virus software has false positives.
If anti-virus software eats infected emails without bouncing them, then it will eat some real emails without bouncing them either. This is very bad, as the sender doesn't know his email hasn't been received.
I don't know the solution. The assumption that once you send an email it will get to its destination is eroding anyway, due to over-zealous anti-spam systems operated by people who think that setting them to reject all emails is a good way of making a point. DSN is becoming more widespread, though God knows what problems that might cause for us if it becomes the norm.
True, idiot users still have to run the attachment, but they can run it on any mailer that works with any(?) windows OS. That includes Mozilla, Groupwise, Eudora, Pegasus or any brand of web based mail clients. The attachment is the virus and it doesn't work through any mail client. It has its own MTA built in.
-Ab
Nothing fails quite like prayer.
Now imagine a worm combining the distribution method of Msblaster with the mass-mailing feature of Sobig.F. The flood of traffic might practically render the Internet unusable.
Obviously, this guy must be on a different internet than the one I'm connected to right now... My gateway router is rotating its logs twice a day at this point...
As for his Blaster.Sobig.F worm, I'm sure as we speak, some knucklehead is working on that right now. It'll be the Swiss Army knife of MS worms that'll just go down and try every current exploit. Then it'll just mail itself to everybody...
Yes Francis, the world has gone crazy.
Amen, Brother. For is it not better to give than to receive.
True, However most of these things are configurable as to what they do when you get a hit.
You, the admin, set it to send you an email (or page, or whatever) every time it gets a hit, it's your fault you get buried in a flood.
Kinda like when you set your work email to forward all emails to your home email when you are on vacation, then the mail server crashes. Your home email got filled, so it sent rejections to the sender, your work email, which forwarded it to your home email, setting up an eternally increasing infinite loop. (At least till one of the mailservers crashes.)
It's not the filter/antivirus/whatever software that's at fault here, it's just doing EXACTLY what you told it to, not what you want it to.
Sorry for ranting, but I've dealt with so called admins (the real ones figure it out on their own) whine about their problems that they themselves caused and are too stupid to figure out. (And won't take responsibility for their own mistake either.)
I have received and deleted 152 emails infected with the Sobig virus.
As of about 30 minutes ago, I have received and deleted 318 auto-replies from Norton telling me I have been sending emails containing the Sobig virus even though my system is clean.
The cure is killing the patient.
What's a "wormius?" If you use "wormii," there's got to be a singular form, "wormius." What's a "wormius?"
What I'd like to know is how they were able to falsify their from address with legitimate emails? This is a direct result of spam- anytime I submit my hotmail account as my email address on web forms, I invariably will get spam as those companies sell my address. This is why I have the hotmail address- to keep my 'legit' accounts more or less spamfree. But even if I keep my legit accounts clean, the end result is still increased network traffic to my hotmail account, a direct result of spammers. Honestly, this is not just an annoyance problem now, it is starting to become an economic one too.
I think it fits near the SpongeBob theme song.
SETH FINKLESTEIN is a troll of SETH FINKELSTEIN!
You are telling me you didn't learn to ZIP THEM UP??????
I am the Barber of Seville.
> But in reality antivirus software is playing a losing game
... why?
There is a huge Emperor's New Clothes factor with the anti-Virus industry. Consumers say to each other "I must have anti-virus. My virus databases are updated once every nano-second. I am secure... blah blah."
But when was the last time your A-V system actually stopped a NEW virus before it did you significant damage?
ExploreZip: We had Norton on all desktops and up-to-date. Screwed us up purdy good. We sent most users home at lunchtime.
"I Love You" - same again. But this time, users asked if they could take the rest of the day off around about 11:00am.
Klez - a pattern emerging...
SoBig - SAFE! NO INFECTIONS! YIPEE!
BECAUSE AFTER KLEZ WE DECIDED TO BAN ALL EXECUTABLE FILES, THAT'S WHY.
I overheard our IT Director griping that Norton have almost doubled their bill for the renewal of our corporate license this year. Sounds like we might just tell them to fuck themselves.
"And the meaning of words; when they cease to function; when will it start worrying you?"
To some of us, it is axiomatic that legitimate Email should *never* be dropped on the floor silently. When I send a message, either it must reach the recipient, or I must receive a bounce. Any other behavior is unacceptable.
This guy is arguing that mail servers should silently drop Sobig-infested mail on the floor. But take that argument to its logical conclusion. If Sobig, why not all viruses? If all viruses, why not spam?
The end result of this "logic" is that my mail will be silently dropped whenever some program *thinks* my message is a virus or spam. And I will never even be notified when my message is not delivered.
Again, this is unacceptable. It is a cure worse than the disease.
The real problem is that SMTP does not use strong authentication for envelope senders. Fixing this would require replacing the Internet mail infrastructure. Until that happens, I am happy to accept Sobig bounces in exchange for a reliable mail infrastructure.
I run an email service. I also bounce messages that are infected. Yes, it's a great way to get the word out about the service. No, I don't bounce faked FROM Addresses, IMHO, that's a good way to get bad PR.
Anyways, I monitor 'bandwidth' usage. I had a customer who just signed up for a free account to stop viruses, and they almost immediately exceeded their bandwidth (15MB a month by default, and they were at 60MB in a week). After 40 'you are over quota' messages, I finally disabled his account. As far as I could tell, he was spamming with a perfect list, or just abusing the quotas.
It turns out he is a business who was SWAMPED with those bounces from other providers, and completely missed all my automated notifications, and my very important "You will be disabled if you don't respond" notification.
So he was disabled for two days before he realized what happened. Lost customers? I'm sure he had some legitimate email bounce. All because of mis-configured servers. Maybe he should keep a record of who is flooding him, and sue them.
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
You gotta love an anti-virus company that TRUSTS the "from" address of worm-embedded message.
Talk about stupidity. During the Sobig mess, I must have received hundreds of erroneous warnings from stupid anti-virus programs telling me my computer was infected when it was not. What idiots.
What about the anti-spam lameware products that CC spam complaints to multiple role accounts at each and every ISP and upstream with even a distant cousin relation to the spam. I've counted over 100 CCs in some of these. As a NOC monkey at an ISP (well, of course they CC the NOC role addy and just about any standard ISP role account you can imagine, even though we have a responsive abuse role), my typical reaction is to LART the complainant and send my own abuse complaint to the luser's ISP.
Some (or most) mail relays will reject the message outright without queueing it, which means the sender machine is left with the task of creating the returned email, and it does not know the exact reason for the rejection.
Some vendors send the complete email out to persons not sending it. The new recipient might then go "oh what was that then" and open the executable and themselves become infected.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Excuses, excuses.
Examine the Computer Science principle of Big O.
If you have an exponential function any constant multiplier or addition is thrown out of the equation as unimportant.
O(2n) = O(n + k) = O(n)
and so
O((2x)^y) = O(x^y)
The point is that the exponent is so important as to nullify the constant multiplier.
So they're trying to sell me on an antivirus product that informs me of an infection when I'm not infected. Brilliant marketing move.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
I don't think I've gotten a single SoBig virus. Either they're not getting sent or something upstream is blocking them.
OTOH, I get about 1000+ pieces of virus related junk. It's exceeded spam. About half is anti-virus software telling me they blocked a virus. The other half is various bounce messages and autoresponders from viruses going out to addresses that no longer exist or to list admin addresses, lists that require verification, etc... with my email address.
How many legit pieces of email do I get a day? 100-200 maybe.
The situation is absurd. If your email address is widely available (in my case, in the Perl documentation) you'll get clobbered. I had to frantically write a set of SpamAssassin rules to block the antivirus responses to make my mail usable again.
I've been archiving all my unfiltered, incoming mail since February. 80,000 messages. If anyone seriously wants to run some statistics for how hard a popular email address gets hammered, I'll consider making it available.
That I turned off security notifies at my company. Our queues were going well over 2000 and personally anyone dumb enough to accept or send .pif .bat and other file types deserve the viruses and no notices.
The one good thing about SoBig is the fact that it runs its own SMTP engine, and has predictable subjects. This let sendmail check the subject and reject it during the SMTP session, resulting in zero bounces.
It is infinitely dumb on the part of the virus vendors to send out bounces when they *know* the virus fakes the from address.
Vs lbh pna ernq guvf, ybt bss abj. Tb bhgfvqr. Syl n xvgr.
From: postmaster@aceadventure.com.sg
Subject: Your mail server sent us a virus
The Virus software on our mail server detected the W32/Sobig.F@mm virus.
If your mail server had virus protection, it would have caused less work for our server and would have likely prevented one of your users from getting a virus in the first place!
------------
From: me
To: postmaster@aceadventure.com.sg
Um no... We didn't send any viruses.
If your server had BETTER virus protection it would not send virus notifications to spoofed sender addresses. This would *definitely* have prevented one of my users from phoning me and causing me more work!
iptables -A INPUT -s 203.117.141.86 -j DROP
Thank You,
Postmaster.
There's a very simple expedient to hammer home the idiocy of virus autoresponders.
Bounce virus notification messages you receive to the vendor responsible for the product. The next time a SoBig.F rolls around, and the AV vendors find that they have to deal with 1,235,000,000 additional daily emails[1], they might reconsider the merits of spewing warnings indiscriminately.
Some might take this a step further, and include a courtesy notice to Microsoft suggesting that they address security issues with their OS and application products.
Indiscriminate AV warnings aren't merely a hassle. I received ~1000 SoBig.F mails, and almost 200 warnings or bounces. Combined, this was over 35 MB of mail (my primary Internet access is over 56k dialup). A local large research university, during summer recess, received over 500,000 SoBig.F mails in one three day period.
What's worse is companies whose nontechnical staff receive these warnings, then waste both their time and that of their IT staff chasing down false alarms. This wastes significant real resources, and dilutes the significance of genuine alerts.
What I strongly suspect is that we're rapidly approaching the time when all mail will need to be subjected to both virus and spam filtering, at SMTP time. Handling bounces at this stage would greatly reduce the current false notification problem.
Notes:
1. With 600 million email accounts, typical daily receipt being 35 messages and SoBig.F generating 1 in 17 mails, daily viral mail traffic works out to over one billion messages.
What part of "gestalt" don't you understand?
I'm the systems administrator of a prominent internet company. (There's a better than even chance that you've used our products.) We were unable to receive email for a week due to the SoBig worm.
We had our primary email server on the other end of a T1 which quickly became saturated. We were receiving an estimated 4 megabit/s during the peak of the worm due to the worm. (We deleted and/or deflected well over 4 million emails due to the worm.) We now have a filtering front end which is on the other end of a mondo big pipe, and should keep things to a reasonable level in the future.
About 50% of our traffic (by bandwidth) was from faked bounces. We *might* have been able to weather the storm if so many anti-virus products didn't send out a 100k email from every intercepted copy of the worm! Even the emails without the attachment were enough to completely inundate our support account.
So, I'd say that at least one of these two things should be done:
First, virus programs should send to the *recipient* of the email an email telling them that such-and-who sent them a virus (instead of to the sender), or second, emails with viruses that have return addresses like "help@", "support@", "feedback@", "postmaster@", "admin@", "abuse@" or "bugs@" should be silently dropped. Furthermore, no infected attachment should *ever* be returned or forwarded under *any* circumstances.
Ah, now that finally makes sense. For future reference, people typically find variable names like "1" a tad confusing.
Please note that I am not even going to bother figuring in the cost of building/tearing down TCP/IP etc as you aren't concerned when one big image is split into multiple images on a web page are you?
When we're talking about a system already getting clogged from attacks and stupid bounces, yes. I do think that, as usual, the human costs will be higher.
What I really wanted to point out wasn't when a bounce message is infectious (because I agree wholeheartedly that sending that "back" infectable is dumb)
It is dumb, but it occurs. I'm not sure what fraction of the time.
It is the JOB of people manning a help desk to correctly educate the users. It takes me as an outside consultant about 1 minute to explain it for even the dumbest users and nobody would run more than 50:1 user:hd ratio. A major virus breaks out, the phone is tied up for an hour. That is COMPLETELY acceptable.
Come on, that's just insane. For one, even granting you the most amazing powers of explanation, the dumbest user is going to glaze over, stare, and nod. You might want to check for actual comprehension; I'd like to see this "stupidest user" a month later when they get a response from the next virus. And for what it's worth, your education defeated any purpose of the emails in terms of informative power. The bounce emails are thus either useless or harmful, depending on if they've had someone explain things to them.
And it's not like the IT desk is sitting on their hands waiting for morons to call when a virus hits. Typically, they're damned busy. They really DO NOT need everyone calling them! It's damned easy for you to say, as an outside consultant, because you don't have to DEAL with it. You pick up the pieces later.
Updating your virus software costs nothing. And if you need to pay because you don't have it, then are you saying that people should NOT have the latest AV SW?
No, but a misinformation campaign is hardly the best way to go about it, for one. And second, while updating AV is free, taking your computer into the shop (yes, dumb people really do that) because you can't figure out what's wrong with it (because nothing is!) is NOT free. If there were an efficient way to tell infected people they're infected, that's great. Or, if the email was more accurate, that would be better. Maybe it could say "This is an automatic message. Either you or someone who has emailed you in the past is infected." That might be a tad irritating after a while. But what they're doing now is flat irresponsible because it confuses people, despite how well you THINK you're explaining these concepts. And not everyone has benefit of receiving the explanation.
Yes, they don't understand when 50 emails come in saying they have a virus when they really don't... but they need to be responsible for finding out what this SoBig thing is, and every search engine and geek cousin or hired help knows.
Bullshit. A car mechanic, for instance, has no more obligation to know all about the latest virus than you have to know about the latest Ford recall for a fan motor fuse. And this presupposes that they have the savvy and knowledge to ask the appropriate question in the first place! It may surprise you, but not everyone has a geek in the family. And most people want to treat their computer like an appliance, not a hobby. They have the right.
Bottom line is there's no advantage to these emails. I would like to see stats on how many clueless people got that email and really got their shit together. I don't think it's happening. Regardless of how *bad* it is for networks, it's not *good*. And the only people typically skilled enough to use the information (ie, if I'm getting these messages I need to update AV) are those likely to be updating their AV *anyway*.
So we'd all be better off if the AV companies added a bool to their virus defs that would clue their autoresponders into which virus forge headers.
-Looking for a job as a materials chemist or multivariat
When a virus scanner has an "ID" on a virus, the config for that virus should be able to say: DO NOT report to the sender. This flag should be on for "Sobig.F".
But for a number of other viruses, the flag could be left off, so that people whose computer is infected DO get warnings.
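The notification policy proposed in the sysadmin's post further up (notify the recipient, not the sender; silently drop replies to help@, support@, postmaster@ and similar; never return the attachment) together with the per-signature "forges sender" flag proposed in the post just above, as an added example that is not from either post and not any vendor's product code. The signature table, the hypothetical `Example.Worm.NoSpoof` entry, the role-mailbox list and the sample message are constructed for this example; an unknown signature is treated as forging, because a wrong reply costs more than a missed one.

```python
"""Decide what an AV gateway does with an intercepted virus instead of
replying to whatever address is in From:.

Added example, not from the original posts or from any AV product. The
signature metadata, role-account list and sample message are constructed.
"""
from dataclasses import dataclass
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr


@dataclass(frozen=True)
class Signature:
    name: str
    forges_sender: bool  # the flag the thread asks vendors to ship with each def


# Constructed signature table. "Example.Worm.NoSpoof" is hypothetical, a stand-in
# for a virus that really does come from the infected user's own address.
SIGNATURES = {
    "W32/Sobig.F@mm": Signature("W32/Sobig.F@mm", forges_sender=True),
    "Example.Worm.NoSpoof": Signature("Example.Worm.NoSpoof", forges_sender=False),
}

# Local parts that are never a single infected human; replying only floods
# another site's support queue.
ROLE_LOCALPARTS = {
    "help", "support", "feedback", "postmaster", "admin", "abuse", "bugs",
    "noreply", "no-reply", "mailer-daemon",
}


@dataclass
class Action:
    notify_recipient: bool          # the person who can actually act
    notify_sender: bool             # only when the address is believed genuine
    forward_attachment: bool = False  # never, under any circumstances
    reason: str = ""


def decide(raw: bytes, envelope_sender: str, detected: str) -> Action:
    """envelope_sender is the SMTP MAIL FROM ('' or '<>' is the null sender).

    Every early return keeps notify_sender False; only the last path sets it.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, header_from = parseaddr(str(msg.get("From") or ""))
    env = envelope_sender.strip("<> ").lower()
    sig = SIGNATURES.get(detected)

    act = Action(notify_recipient=True, notify_sender=False)
    if sig is None or sig.forges_sender:
        act.reason = f"{detected}: sender forged or signature unknown, no reply"
        return act
    if not env:
        act.reason = "null envelope sender, nothing to reply to"
        return act
    if env.rpartition("@")[0] in ROLE_LOCALPARTS:
        act.reason = f"{env}: role mailbox, not an infected user"
        return act
    if header_from.lower() != env:
        act.reason = "header From and envelope sender disagree, likely spoofed"
        return act
    act.notify_sender = True
    act.reason = f"{detected} does not forge senders; one short notice to {env}"
    return act


# Constructed sample (headers only; the gateway has already flagged the body).
SAMPLE = b"\r\n".join([
    b"From: alice@example.org", b"To: support@example.net",
    b"Subject: Re: Details", b"", b"See the attached file for details.", b"",
])

if __name__ == "__main__":
    for env, det in [("alice@example.org", "W32/Sobig.F@mm"),
                     ("alice@example.org", "Example.Worm.NoSpoof"),
                     ("postmaster@example.org", "Example.Worm.NoSpoof"),
                     ("<>", "Example.Worm.NoSpoof")]:
        a = decide(SAMPLE, env, det)
        print(f"{det:<22} {env:<24} notify_sender={a.notify_sender}  {a.reason}")
```

The design choice worth noting is the order of the checks: the signature flag is consulted first, so a mass-mailer that forges headers is never replied to even when the envelope and header agree and the address looks personal; the role-account and null-sender checks then catch the cases the thread's sysadmin was flooded by; and `forward_attachment` has no code path that sets it.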
We do have some talented people, but have also been very lucky. We probably couldn't handle an extremely large outage. It isn't like we want to operate with that high a ratio though. Since our current operations are (apparently) handling everything, management doesn't see a need to add more help desk positions.
I've seen studies/surveys that indicate 50:1 is a good ratio to have. However the numbers in the surveys ranged all over, so I don't know that you can call 50:1 an average ratio.