Slashdot Mirror


Lousy E-mail Filters Complicating Outlook Worms

Mar writes "FRISK Software founder Fridrik Skulason has issued an open letter in which he blames other anti-virus companies for much of the Sobig.F network load problems: 'If mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.'"

19 of 461 comments

  1. Letter contents in case of /.'ing by B5_geek · · Score: 3, Informative


    Why (some) anti-virus companies are to blame for the recent e-mail flood

    As everyone should now know, Sobig.F has generated a tremendous amount of e-mail traffic world-wide. However, part of the blame for this traffic should be placed on some of the anti-virus companies.

    What I am referring to is the large number of incorrectly configured mail filters that respond by sending a "virus alert" to the "From:" address. As Sobig.F falsifies the "From:" address, these e-mails just clutter up the mailboxes of innocent, non-infected people. These messages cause unnecessary annoyance and worry, as they typically (and incorrectly) claim that people have sent out a virus.

    When you get an e-mail, warning you of a Sobig.F infection, with a subject line similar to these:

    * *** detected and quarantined a virus in a message you sent.
    * Warning: E-mail viruses detected
    * Virus Detected by ***
    * This is an alert from ***

    it usually means that someone, somewhere has made a bad decision on how to react to infected mail, either by selecting a substandard product or by configuring it incorrectly.

    Worse yet, if mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.

    The problem is that some commercial mail filters have this behaviour set as the default. At least one filter gives only two options: always send a "virus alert" to the "From" address of every infected e-mail received, or "pass the message through to the recipient". Clearly neither of these options is acceptable.

    I have only one word for this: Stupid!

    Acceptable behaviour would be one of the following:

    1. Have the mail filter properly distinguish between worms that falsify the "From:" address and ones that do not and only send a warning message when the "From:" address is likely to be genuine.

    2. Do not send the alerts at all.

    In fact, sending an alert automatically to the From: address for every virus or worm received by e-mail should not even be a selectable option.

    With Sobig.F scheduled to die out today, Sept. 10th, the problem might go away for a while - until the next similar worm appears. And this is the scary part. Sobig.F didn't really infect that many machines world-wide, maybe only 200.000 or so. This is only a fraction of the number of machines infected by Msblaster (Lovsan). Now imagine a worm combining the distribution method of Msblaster with the mass-mailing feature of Sobig.F. The flood of traffic might practically render the Internet unusable.

    Eventually, some virus author will create a virus like this, maybe this month, maybe in a few years, but it will happen. And when it does we do not need the anti-virus companies making a bad situation worse.

    I hope the "guilty" anti-virus producers will be updating their products in the near future, but this is not going to happen unless their customers request it.

    Fridrik Skulason ( frisk@f-prot.com )
    Founder of FRISK Software International

    --
    "The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
  2. 5xx is the answer by hey · · Score: 3, Informative
  3. Doubling messages, not traffic by fadden · · Score: 2, Informative

    The SoBig.F virus message was much larger than a "we found a virus" letter, because it included a copy of the virus itself. The number of messages bouncing around may have doubled, but the total bandwidth required did not.

    However, as the recipient of 300+ messages a day, I for one would be delighted if the virus scanners had an option to Just Shut Up when they find a specific virus. While I don't believe the scanners aggravated the problem -- indeed, by reducing its transmission, they certainly improved matters -- the bogus reject messages were a highly visible and easily avoidable irritant.

  4. Re:But still less... by Anonymous Coward · · Score: 2, Informative

    The downside is that the lusers are protected but those who keep their system in shape and don't click on every attachment become victims and can't even do anything about it. After 30000 SoBig.F related messages you learn that it is nearly impossible to filter bounces. They come in all languages, with or without headers. Some mention the worm, others don't because they're just "user unknown" bounces. My system is clean. The 900+ wormmails per day were easily filtered, but I had to sort through more than 100 bounces a day. To me, the bounces were the real problem.

  5. Matter of education and responsibility by stopbit · · Score: 2, Informative

    Until the anti-virus software developers, M$ and the general e-mail population can out-wit a 12 year old script kiddie, no progress will be made.

    --
    ~insert tech sarcasm here~
  6. Re:How about a real email client or real rules? by 1010011010 · · Score: 2, Informative
    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
  7. Re:How come we even get them? by Anonymous Coward · · Score: 1, Informative

    SoBig.F had an SMTP "signature" which was different from normal MTAs, so it was recognizable and could have been rejected without affecting other direct-to-MX applications. This deviation obviously isn't necessary, so the next worm may not be stoppable as early in the processing chain as SoBig.F was.

  8. Re:His two minutes by Juggler · · Score: 5, Informative
    Not true; most worms and viruses have spoofed the From address for quite a long time now.

    Autoreplies have always been problematic at best, which anyone who's experienced the annoyance caused by vacation programs on public mailing lists can attest to. Autoreplies to automatically generated traffic have always been a no-no.

    Viruses and worms are clearly autogenerated traffic.

    Also, although 95% of computer users have never heard of FRISK, Fridrik has been a respected member of the A/V community since its very beginning and wrote one of the very first virus scanners.

    Disclaimer: I work for FRISK, writing said e-mail filter code. But I can tell you with authority that the decision was taken a long time ago.

  9. Re:Fuzzy Math by MSG · · Score: 2, Informative

    A "your message was filtered" is maybe 2-3K including all headers (more likely under 1k), so responding to messages with viruses in them adds 1-3%, not 100%, to the traffic.

    There are bigger problems than just the total amount of traffic. Let's say you run a domain that's in thousands and thousands of address books and Internet cache files... like "real.com". Now let's say that a multithreaded virus starts emailing itself as rapidly as possible to all of the addresses it can find... like SoBig.F.

    Care to guess what the result is? Something to the tune of 10,000 attempted connections PER MINUTE. That's way more than our mail servers are configured to accept (they're rate throttled). While load on the machines stayed acceptable due to their throttling incoming connections, access to port 25 was highly contended. People outside the company trying to send us mail obviously experienced delays. I can only imagine what was going on at better known domains.

    Here's the hitch: The overhead of accepting a connection is greater than the cost of the rest of the message. Judging by the messages that actually did get through, probably only 1000 connections per minute of the 10000 were the SoBig virus. The other 9000 were bounce notices from other systems. So, in our case the traffic increase wasn't 1-3%, and it wasn't 100%, it was 900%. There's no good reason for it, either. Those bounce messages don't protect anyone from getting infected, they just waste bandwidth.

  10. FYI Taco and Mar by Abm0raz · · Score: 5, Informative

    Lousy E-mail Filters Complicating Outlook Worms

    SoBig.F is not an Outlook worm. It is a Windows worm. It does not require Outlook to run. It has its own built-in MTA and grabs email addresses from cached webpages and local text files as well as the Outlook/Express address book.

    -Ab

    --
    Nothing fails quite like prayer.
  11. Re: Forged From: viruses by frankie · · Score: 4, Informative
    Until recently, no e-mail worms spoofed the email address

    What is your definition of "recently"? Apparently it's about two years.

  12. Re:No doubt! by Anonymous Coward · · Score: 1, Informative

    Some of this is poor/bad config files and settings. Example: Amavis can notify the sender that they sent a virus. However, you can give amavis a list or regexp of viruses that should skip the notify step. I bet most anti-virus products have a similar feature, but they must be turned on by default.

  13. amavisd-new doesn't send mail for Sobig, others by ddkilzer · · Score: 2, Informative

    Later versions of the amavisd-new mail scanner don't send mail to sender addresses from virii/worms that forge mail headers, even if you have it configured to do so.
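The open letter in comment 1 names two acceptable behaviours (warn only when the From: address is likely genuine, or never warn), and comments 12 and 13 describe amavis skipping the notification for worms known to forge headers. The following is an added example, not code from FRISK, amavis or any product mentioned in the thread: it puts the bad default ("always") beside the two acceptable policies and counts how many alerts each would send for a constructed batch of scanner verdicts. The family list, the verdict names and the sample addresses are assumptions made for this illustration.

```python
"""Notification policy for a virus-scanning mail filter (added example).

Shows the 'always notify From:' default the open letter criticises beside
the two behaviours it calls acceptable: notify only when the From: address
is likely genuine, or never notify. The forging-family list and the sample
verdicts below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Families the thread names as forging the From: address; matched by prefix so
# "Sobig.F" and "Klez.H" are caught. Extend from local scanner experience.
FORGES_SENDER = ("sobig", "klez")

NOTIFY_POLICIES = ("always", "genuine-only", "never")


@dataclass(frozen=True)
class Verdict:
    """What the scanner found in one message (constructed for this example)."""
    malware: str        # scanner's detection name, e.g. "Sobig.F"
    envelope_from: str  # SMTP MAIL FROM; "<>" is the null sender
    header_from: str    # address in the From: header


def forges_sender(malware: str) -> bool:
    """True when the detection name belongs to a family known to forge From:."""
    name = malware.lower()
    return any(name.startswith(prefix) for prefix in FORGES_SENDER)


def should_notify_sender(v: Verdict, policy: str) -> bool:
    """Apply one notification policy to one verdict.

    'always'       - the default the letter criticises: one alert per infected mail
    'genuine-only' - alert only when the From: address is likely genuine
    'never'        - send no alerts at all
    """
    if policy not in NOTIFY_POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    if policy == "never":
        return False
    if policy == "always":
        return True
    # genuine-only: never answer the null sender (bounces and other auto-replies)...
    if v.envelope_from in ("", "<>"):
        return False
    # ...nor a family that forges From:, since that address is an innocent third party...
    if forges_sender(v.malware):
        return False
    # ...nor when envelope and header sender disagree, another sign of forgery.
    if v.envelope_from.lower() != v.header_from.lower():
        return False
    return True


def count_notifications(verdicts: Iterable[Verdict], policy: str) -> int:
    """Number of alert mails the filter would send under the given policy."""
    return sum(1 for v in verdicts if should_notify_sender(v, policy))


# Constructed batch: two forging worms, one worm arriving with a null sender,
# and one macro virus (assumed name) that does not forge the sender.
SAMPLE_VERDICTS: List[Verdict] = [
    Verdict("Sobig.F", "alice@example.org", "alice@example.org"),
    Verdict("Klez.H", "bob@example.org", "bob@example.org"),
    Verdict("Sobig.F", "<>", "carol@example.org"),
    Verdict("Macro.Word.Constructed", "dave@example.org", "dave@example.org"),
]

if __name__ == "__main__":
    for policy in NOTIFY_POLICIES:
        n = count_notifications(SAMPLE_VERDICTS, policy)
        print(f"{policy:13s} -> {n} alerts for {len(SAMPLE_VERDICTS)} infected mails")
```

Under "always" every infected mail produces an outgoing alert, which is the doubling of message count the letter objects to; under "genuine-only" only the macro-virus case is answered, and "never" sends nothing. The envelope/header comparison is an extra heuristic beyond what the thread describes and is labelled as such in the code.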

  14. What I Think by Matty_ · · Score: 3, Informative

    I administrate a mail server with around 550 accounts on it. We got slammed by Sobig.F and eventually had to block it using header_checks in Postfix.

    This won't catch every virus-infected file attachment (like Word macro viruses), but the regex I put in place will block files with certain file extensions (e.g. pif, exe, etc.). What's nice is that the mail is rejected during the SMTP transaction and produces no residual mail traffic, since the sending mail server is the worm's SMTP engine.

    So, for anyone using Postfix 2 who would like to stop most e-mail worms, using header_checks to scan MIME headers is a very effective way to protect your customers/users.
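To show what the header_checks approach in the comment above amounts to, here is an added example that is not the commenter's configuration and not Postfix code: it walks the MIME headers of a message, applies the same kind of single-header-line regex a Postfix header_checks REJECT rule uses, and returns the 5xx reply the SMTP server would give so that the message is refused inside the transaction and no bounce is ever generated. Of the extensions listed, only pif and exe come from the thread; the others, the sample messages and the reply text are assumptions made for this example.

```python
"""Reject mail by attachment extension during the SMTP transaction (added example).

Mimics a Postfix header_checks REJECT rule in plain Python: each Content-*
header line of every MIME part is tested against one regex, and a hit turns
into a 5xx reply. Because the refusal happens while the sending MTA is still
connected, no bounce message is created. The extension list beyond pif/exe
and both sample messages are constructed for this example.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Iterator, Optional, Tuple

# 'pif' and 'exe' are named in the thread; the rest are assumed additions.
BANNED_EXTENSIONS = ("pif", "exe", "scr", "bat", "com", "vbs")

# Equivalent in spirit to a header_checks pattern: a name= or filename=
# parameter whose value ends in a banned extension. The lookahead stops
# "report.exe.txt" from matching as an .exe.
_NAME_RE = re.compile(
    r'(?:file)?name\s*=\s*"?([^";]*\.(?:' + "|".join(BANNED_EXTENSIONS) + r'))(?=["\s;]|$)',
    re.IGNORECASE,
)


def banned_attachment(header_line: str) -> Optional[str]:
    """Return the offending filename if one header line names a banned attachment."""
    m = _NAME_RE.search(header_line)
    return m.group(1) if m else None


def mime_header_lines(msg: Message) -> Iterator[str]:
    """Yield 'Header: value' lines for the Content-* headers of every MIME part."""
    for part in msg.walk():
        for name in ("Content-Type", "Content-Disposition"):
            value = part.get(name)
            if value:
                yield f"{name}: {value}"


def check_message(raw: str) -> Tuple[str, str]:
    """Decide the SMTP reply for a raw message: ('REJECT', '554 ...') or ('OK', '250 ...')."""
    msg = message_from_string(raw)
    for line in mime_header_lines(msg):
        hit = banned_attachment(line)
        if hit:
            # Assumed reply text; any 5xx reply ends the transaction without a bounce.
            return "REJECT", f"554 5.7.1 Attachment {hit} is not allowed"
    return "OK", "250 2.0.0 Ok"


# Constructed sample: a worm-style mail carrying a .pif attachment.
SAMPLE_WORM_MAIL = """\
From: someone@example.com
To: you@example.net
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file.
--b1
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: an ordinary mail with a picture attached.
SAMPLE_CLEAN_MAIL = """\
From: colleague@example.com
To: you@example.net
Subject: Photo
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Here is the picture.
--b2
Content-Type: image/jpeg; name="holiday.jpg"
Content-Disposition: attachment; filename="holiday.jpg"
Content-Transfer-Encoding: base64

/9j/
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM_MAIL), ("clean", SAMPLE_CLEAN_MAIL)):
        print(label, *check_message(raw))
```

As the comment notes, this is a coarse filter: it keys on the declared attachment name, so a macro virus inside a .doc passes, and it rejects legitimate executables too. Its strength is where it acts: a 5xx reply to the worm's own SMTP engine costs the receiving site one refused transaction and creates none of the bounce or "virus alert" traffic the rest of the thread complains about.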

  15. Re:But still less... by Anonymous Coward · · Score: 1, Informative

    The rationale behind including the attachment with the bounce is that the server which rejects the mail is doing so because of the mail content, not due to a protocol error. The sender has no reason to believe that the email has not been sent correctly. In the early days of the internet, an email got through or it came back to the sender. It "never" got lost. So it is very possible that the sender deletes the file after sending it, for example if it is not in the form he usually keeps on his computer (example: a reduced version of a high res image for a recipient with a slow connection, or other "dynamic" data). Returning the attachment was a sensible concept at the time, but nowadays it's just wasteful. People don't expect the same level of reliability from email anymore - with reason.

  16. Not lousy, just misconfigured by onecrazyfoo · · Score: 3, Informative

    I would imagine that most of the virus scanners for mail servers out there can be configured to not send out the notification to the forged From address. The virus scanner I am familiar with, RAV, has this capability. I had ours configured to send out the notification until Klez and other viruses made it a worthless endeavour. Unless of course you are an ISP that has no qualms about using the opportunity to advertise.

    It would be nice if GeCAD would rewrite their software to stop the notice from being sent when the virus is Klez, Sobig, etc. But since GeCAD got bought out by Microsoft who will be discontinuing their product line, I know that will never happen. Hopefully someone else like Sophos will.

  17. Re:But still less... by Anonymous Coward · · Score: 1, Informative

    It's an efficiency problem: In order to stop the mails at the SMTP level, the scanner has to work while the connection is kept open. For a high-profile email server that's an unacceptable delay because it increases the number of open sockets at a time. Scanning "after the fact" doesn't keep the TCP connections open, so it's preferred. On the other hand, if the virus scanner is going to send out notifications, that may as well not be the tradeoff to make.

  18. Re:But still less... by isomeme · · Score: 2, Informative

    Good post, overall, but I have to object to your phrase "the nullwits who designed the SMTP protocol". SMTP was designed at a time when the nascent internet was more or less a research preserve, all users of which were cooperative and well-intentioned. SMTP uses what I call "Moria security", for reasons which will be obvious to Tolkien fans.

    SMTP lacks meaningful authentication features for the same reasons that TCP/IP lacks such features; they weren't needed at the time, and better to get something working out there and doing good than to sit on it while you build in design features that might possibly someday become useful.

    A dirt path is a perfectly useful way for a few hikers to climb a hill. When a stream of passenger cars starts using that path and a few of them lose their oil pans, don't blame the people who created the path.

    --
    When all you have is a hammer, everything looks like a skull.
  19. Big O by maestro156 · · Score: 2, Informative

    Examine the Computer Science principle of Big O.

    If you have an exponential function any constant multiplier or addition is thrown out of the equation as unimportant.

    O(2n) = O(n + k) = O(n)

    and so
    O((2x)^y) = O(x^y)

    The point is that the exponent is so important as to nullify the constant multiplier.