Lousy E-mail Filters Complicating Outlook Worms
Mar writes "FRISK Software founder Fridrik Skulason has issued an open letter in which he blames other anti-virus companies for much of the Sobig.F network load problems: 'If mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.'"
The email bounce is nearly dead now. Between spam and viruses faking the from and reply-to headers, it's become almost a menace. I got nearly as many bounces as I did sobig messages.
Do most users exchange executable files? How about just blocking them if they're executable... How about getting an email client that isn't known for its ability to spread received infected email without the user having to even open the email?
/been using pine since 1996...
Do not look into laser with remaining eye.
Not only are they doubling traffic, they can help spread the virus. I've received bounced email containing the virus; since the return address is randomized, this in effect helps to spread the virus. Why include the attachment in a bounce message?
air and light and time and space
Duh it may be, but that's the default behavior for Norton's Exchange AV software.
You have to fool around with it in a most confusing way to get it to stop doing that. Like all good Windows management interfaces, it's confusing and inconsistent. But I digress...
.sigs are for post^Hers.
...traffic than you'd have if the worm got to its target and continued spreading.
That's a lousy argument for obvious poor behavior on the part of anti-virus software. It's like saying every time the police catch a violent criminal, they should kick the ass of some random citizen. Hey, it may be annoying, but it's still less violence than you'd have if the criminal got to their target and acted violently.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
One member of our software development team ended up receiving over 10,000 messages/hour during our peak load, about equally split between virus messages and bounce backs/mailer daemon messages. The latter weren't blocked by the standard anti-spam solution.
The messages generally contain no useful information, and are deleted without reading.
Spam catchers should be combined with anti-virus solutions, to ensure that authentic messages do generate some sort of response, either to the sender or receiver, informing them of the infection. The technologies would mesh well in this case.
paul reinheimer
That's beside the point. The problem isn't that the mail blocking is objectionable. It's the idiotic reply messages that worsen traffic problems. The email can be blocked with the stupid "warning" being returned to a forged address.
Wouldn't it be better to blame those responsible for Outlook for Outlook worms? (Be it users who fail to patch, admins to deploy it, Microsoft for writing it on one drunken weekend that involved a lot of monkey hookers and a boat load of cocaine.)
It's certainly better than blaming a _client_ problem on the _network_ which when it was designed didn't anticipate (understandably) a near monoculture of such vulnerable products being deployed.
Beep beep.
There are some flaws in the logic.
First, there's a cost per message that you're not including. Every message I get I have to consider and read, or delete. I'm getting tons of virus bounces, even though I've never sent a virus - the virus uses forged headers. So, for me, someone who has no way to contract a virus, my "work"load has gone up noticeably, and the price I pay went from $0 to $X where X is a positive number.
Second, the autoresponder is not a necessary part of the virus removal. The savings is already there by blocking the virus from infecting the user's computer. The bounce is just an extra thing the anti-virus people put in to try to advertise their product.
It's *pretty damn close* to being spam.
I'm not Seth Finkelstein. I still speak the truth.
I'm still getting about 200-300 "You sent a message with SoBig.F! Patch your computer immediately!" every day.
Trouble is, I'm on a Mac. I couldn't be infected with SoBig.F if I wanted to.*
Further trouble is, SoBig.F spoofs the FROM: field, so these messages invariably go to everybody except the schmuck with the infected box.
So no, these messages hurt far more than they help.
[* Pedant filter: I suppose I could buy Virtual PC or somesuch and install a vulnerable version of Windows. That'd probably do the trick.]
Obliteracy: Words with explosions
I find this most interesting.
Until recently, no e-mail worms spoofed the email address. F-Prot obviously never had the functionality of replying to infected emails.
Until just recently, it was really good to reply to the sender alerting him about the fact that he sent out a virus/worm. Where was F-Prot back then??
The way I see it, it's been three steps.
Step 1: No email worms.
Step 2: Email worms that didn't spoof the sender (replying to sender is good).
Step 3: Email worms that spoof the sender (replying to sender is bad).
Seems to me that F-Prot is complaining that everyone hasn't reached step 3 yet (with spoofed sender addresses, infected emails shouldn't be replied to), even though we pretty much reached it just now. Before Sobig, even though there were worms that spoofed the sender, they were a minority. After Sobig, spoofing worms are a majority, which means that AV products need to change. This won't happen in a second like it did for F-Prot, because most AV vendors didn't skip step 2 like F-Prot did.
This coming from a company that 95% of computer users have never heard of, and who never even added the functionality of replying to emails even though it was really good until just recently, makes me believe he's just looking for his two minutes of fame.
'If mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.'
Not quite. Fortunately the alert emails are (usually) just text, and not some several-kilobyte attachment. They may be doubling the messages, but certainly nowhere *near* the bandwidth used.
One would hope the anti-virus tool folks could build in ways to sniff out "Oh, this is a SoBig-laden email" and *not* send out the completely useless alert to someone's address that happened to be the random "From" address used.
"People" using "unnecessary" quotes should be "shot".
And on top of that, some of them return the virus with the message. Therefore, if you don't have virus protection (which is stupid) and your address is forged on one, you might get a copy and also get infected.
There are people out there that don't understand that email addresses are easy to forge. I had two people last night at church services comment about me sending them a virus. I never check email with anything except Linux at home and even at that I have virus scanning on and working to make sure. I also received a few messages bounced by corporate systems that included the virus within the message they sent me, to "notify me that I was infected". Glad I wasn't on Windows.
I have no sig, does anyone have one to spare?
What about the responders that include the original message in the bounce?
And as you mentioned with SoBig the From address is spoofed, so not only is the message just as bad as everyday spam, it may also contain the attached virus.
It's not a matter of "price to pay", it's a matter of "why the hell would you have stupid behavior like this the default action?" Maybe you just missed that there was an article attached to this story that explained this?
Of course you're right. The bounces are becoming a problem because most new worm variants fake the From: header anyway. The question would be, what percentage of total SoBig.F-related traffic comes from bounces? It might, of course, be as high as 50% if every message sent is bounced; but Frisk didn't really point out how much the Bounce problem contributed to the general worm traffic.
I'd be happy if bounces in SoBig-like cases were reduced, but I find it a weak argument to blame the worm problem on anti-virus software without giving numbers of how much bounces actually added to the problem. (Well, it's another anti-virus software producer writing this statement, so this open letter could be considered a PR statement to some extent.)
Somehow this also reminds me of those stupid Windows firewall products that by default alert you of every single stupid network packet...
It is well known that the Sobig.F and many other viruses forge the sender address. These viruses are identified by the relevant filter product.
Then, why on earth do you send a notification to an address that is known to be forged?
The answer is simple - free advertising paid with your and my money. It is not stupidity. It is malice. An outright form of advertising a product by SPAM. I think that any Washington (or other state with antispam laws) resident should sue them for this.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
it's just utterly stupid from the companies making the software, for crying out loud, most of the programs can tell about sobig.f that it forges its address (have a flag for it in their virus db, so it wouldn't be much of a chore to add it to NOT send warning email to that forged address)!
but i guess it's just a nice feature some phb's think that is cool.
world was created 5 seconds before this post as it is.
The worst part of it is that the antivirus software sending these messages knows that it's SoBig.F. Thus, it should also know that the virus forges the From: header, and that it's pointless to send out the warning message to that address.
So thanks, antivirus programmers. Thanks for wasting my time instead of doing your job correctly. How long would it have taken to add an extra if(){} to your code, and another boolean field to your virus database?
This has already been implemented; for this reason, I can't send executable attachments to some of the people I know...
I'm a programmer. I write games in my spare time. I really don't feel like mailing a floppy to everyone (friends and family) who might find my game interesting.
Yeah, I understand that most executable attachments are probably viruses. However, this doesn't justify the intrusion on my freedom - I would expect a company to just delete virus emails, rather than a blanket rejection of something that could be a virus, but might be very important to the recipient.
Messages from known spamming autoresponders should be blocked by spam filters. A publicly available list of canned text appearing in messages from spamming autoresponders should be made available and placed into mail filters.
That should deal with the problem.
I don't. Their contribution to the problem is only limited to their marketshare. Any antivirus can block the viruses - but using these idiots over better competitors results in how many *illions of extra messages? Not to mention the confusion it creates on behalf of less savvy recipients. How many people paid for tech service on their "infected" computers only to discover they were fine?
Under any circumstances, I don't find this behavior acceptable.
-Looking for a job as a materials chemist or multivariat
And on top of that, some of them return the virus with the message. Therefore, if you don't have virus protection (which is stupid) and your address is forged on one, you might get a copy and also get infected.
<rant>
That's what utterly astonished me during the recent SoBig.F infestation. When an undelivered mail message with an attachment bounces, the mail servers return not just the subject line, or the message text, but the attachment to the putative sender.
Were the architects of the common Internet mail utilities just plain stupid? What other conclusion can possibly be drawn? Who taught these epsilon-minus lackwits to use a computer, and why? What else am I supposed to think when a mail gateway or server is designed to bounce hundreds of kilobytes worth of attached junk to someone who, by definition, already has the data (since, after all, it's not as if he or she is the one who fucking sent it the first place)? And when it's designed to do so via an untrustworthy return address courtesy of the nullwits who designed the SMTP protocol, no less?
It is WAY past time to scrap the Internet's existing email infrastructure in favor of something designed by actual engineers. What we have now is a giant, virtual Petri dish better suited for the cultivation of worms, viruses and spam than for communication between legitimate users.
</rant>
Dahlmann tightly grips the knife, which he may have no idea how to use, and steps out into the plain.
Last year, my wife received a spate of "you sent this virus" messages. Worse, a number of her associates received "this person tried to send you a virus" message, referring to her.
I followed up with several of the administrators running the virus filters. In all cases, the administrators had quarantined the messages without headers so it was impossible to tell what machine really sent the message. I would have liked to know this information so as to have some hope of tracing the owner of the infected machine.
I understand why users are unaware of headers. Microsoft's products go out of their way to hide them. In Outlook Express, to get headers you have to find the relevant show headers pull-down and even then the headers appear in a too-small non-resizable window. You have to clip the contents and paste into a real window before the headers can be read/forwarded.
The "From:" field of email means no more than the snail-mail return address that you scribble on an envelope. The header, like the snail-mail postmark, tells the origin.
What is the excuse for vendors of email software (filtering or end-user) perpetrating unawareness of this basic property of email?
1. The world isn't quite that authoritarian.
2. Your desire to have people behave politely doesn't override the general need to have the Internet remain an open exchange of packets between peers.
3. What's an ISP? What's a customer? Should UUNet filter mail coming from their peers? Should a University filter mail coming from its own desktops? What about labs that have their own Internet presence, but are part of the University? What about multi-homed businesses?
I get a slew of these messages, and I have to admit to not having the time to solve the problem, but it's easily solved, if a monumental social engineering problem.
What you need to do is this: first, get everyone to agree that they need to use SMTP/TLS. Second, get everyone to agree to get a key that's signed by a CA. Notice I didn't say "ISPs" above... that's because not everyone relates to their upstream in the same way, and some people (big Universities for example) tend to peer with multiple providers.
Once everyone has a CA-signed key for their TLS-only mail then we can kill this sort of thing, dead. You send spam, you get axed. You send spam from multiple certs owned by the same entity, that entity gets axed. You send spam from multiple certs owned by multiple entities with the same CA, that CA gets axed.
Apply SpamAssassin-like weighting to this process (weighting each key and entity and CA based on frequency of good or bad mail) and you quickly evolve a system of personal and community reputation that lets us get back to business without hurting those who don't deserve to be hurt (e.g. you might use a bad CA and work for a bad company, but if your key is never used for spam, you will evolve a good reputation over time).
The same is true of viruses, it's just slightly more important to track individual sender keys (which will represent homes, corporate divisions and whatever other units make sense for you to create a unique mail server) when it comes to viruses. Databases of keys will have to be huge, but they can be distributed on various useful boundaries in the same way as DNS (e.g. by CA and then by organization).
We'll get there, it's just that the pain threshold has to increase to the point that we all nod our heads and say, "I'm shutting off non-TLS now".
I already run TLS on my server, how about you?
Terrorism has INTENT. The behavior you are referring to I think may be better classified as sociopathic.
I am only offended by that comment by today's date. I'm sure I will get over it tomorrow.
This comment is guaranteed*
*not guaranteed
"Tolerance is the virtue of the man without convictions." -- G. K. Chesterton
The fact that the private keys are going to be stored on PCs owned by people who don't grok public/private key care one bit. Not to mention that a new worm should have no trouble lifting those keys off the box and spraying them around for a new forge attack.
Uh huh.
So you wanna read your personal email at the office. Fine if your company supports that.
But then you just absolutely positively gotta use only your favorite email client, not the one already installed, not a web portal. The email client now installed by you, presumably licensed to you, that is not owned or supported by IS. The one that makes IS's day that much tougher by throwing one more ingredient into the stew that is the company's desktop computer.
Now on top of it your personal email client reading your personal email is bringing in viruses to the company. Onto that corporate PC logged into the corporate network. And dammit those nasty folks in IS aren't willing to spend their time making exceptions to the virus scanning so your unique-in-the-company personal email client reading your personal, virus-infected email is exempted.
Cry me a river.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
It can actually exceed 50% in some scenarios. For example:
1. Trojan fakes from address of 'joe@foo.com', sends email to 'sue@bar.com' with infected attachment.
2. Filter at 'bar.com' detects infected attachment, sends rejection email from 'sue@bar.com' to 'joe@foo.com'.
3. It turns out that 'joe@foo.com' is no longer a valid address. 'foo.com' mail agent sends a delivery failure email to 'sue@bar.com'.
Thus we get two pointless administrative emails generated by a single infected email.
I am seeing this happening quite commonly, by the way.
When all you have is a hammer, everything looks like a skull.
Warning messages to the sender were good some time ago, but should be removed from any scanner now.
ALL "modern" viruses fake the return address.
I have seen this since Klez started doing it, and being on a mac, I knew I wasn't infected. I have thought about an application that might help finding out those who were originally infected by emailing the person who sent out the antivirus message, to try and find out who this person was that we both knew. I guess in the end we're all related to each other's email by knowing somebody who knows somebody who knows somebody who sent it.
I'm as annoyed by this as anybody. I've received hundreds of "rejects", far more than actual copies of the virus.
But people seem to be forgetting one thing: anti-virus software has false positives.
If anti-virus software eats infected emails without bouncing them, then it will eat some real emails without bouncing them either. This is very bad, as the sender doesn't know his email hasn't been received.
I don't know the solution. The assumption that once you send an email it will get to its destination is eroding anyway, due to over-zealous anti-spam systems operated by people who think that setting them to reject all emails is a good way of making a point. DSN is becoming more widespread, though God knows what problems that might cause for us if it becomes the norm.
To some of us, it is axiomatic that legitimate Email should *never* be dropped on the floor silently. When I send a message, either it must reach the recipient, or I must receive a bounce. Any other behavior is unacceptable.
This guy is arguing that mail servers should silently drop Sobig-infested mail on the floor. But take that argument to its logical conclusion. If Sobig, why not all viruses? If all viruses, why not spam?
The end result of this "logic" is that my mail will be silently dropped whenever some program *thinks* my message is a virus or spam. And I will never even be notified when my message is not delivered.
Again, this is unacceptable. It is a cure worse than the disease.
The real problem is that SMTP does not use strong authentication for envelope senders. Fixing this would require replacing the Internet mail infrastructure. Until that happens, I am happy to accept Sobig bounces in exchange for a reliable mail infrastructure.
Accept the email then scan it and notify concerned parties -> BAD.
Refuse the message by giving an SMTP 5xx error instead of a 250 after the DATA part -> GOOD.
Personally, I like the exim+exiscan combo.
---------- ovidius naso
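The two fixes proposed in this thread (a "forges sender" flag in the signature database, and refusing with a 5xx after DATA instead of accepting and then notifying), run against the three-step amplification scenario described earlier, as an added example that is not from any commenter and not exim/exiscan code. The signature table, marker strings and addresses are constructed for the demonstration.

```python
from dataclasses import dataclass

# Constructed sample signature table (not a real AV database). The
# 'forges_sender' boolean is the extra database field a commenter asked for.
SIGNATURES = {
    "Sobig.F": {"marker": b"X-SAMPLE-SOBIG-F", "forges_sender": True},
    "OldWorm": {"marker": b"X-SAMPLE-OLDWORM", "forges_sender": False},
}

@dataclass
class Message:
    mail_from: str   # envelope sender (MAIL FROM)
    rcpt_to: str     # envelope recipient (RCPT TO)
    body: bytes

def identify(body: bytes):
    """Return the signature name whose marker appears in the body, or None."""
    for name, sig in SIGNATURES.items():
        if sig["marker"] in body:
            return name
    return None

def filter_at_data(msg: Message, policy: str):
    """Decide what the receiving MTA does at the end of DATA.

    Returns (smtp_code, list of new messages the receiver itself generates)."""
    family = identify(msg.body)
    if family is None:
        return 250, []
    if policy == "reject_at_data":
        # Refuse inside the SMTP transaction: the sending MTA sees the 5xx,
        # no new mail is created, nothing goes to a possibly forged address.
        return 550, []
    if policy == "notify_unless_forged" and SIGNATURES[family]["forges_sender"]:
        # Accept and quietly drop: From: is known to be faked for this family,
        # so a warning could only reach an innocent third party.
        return 250, []
    # "notify_always": the accept-then-warn behaviour the thread complains about.
    warning = Message(msg.rcpt_to, msg.mail_from, b"You sent us a virus")
    return 250, [warning]

def simulate(policy: str, valid_addresses: set):
    """Run the joe@foo.com -> sue@bar.com scenario and count the extra mail."""
    infected = Message("joe@foo.com", "sue@bar.com", b"hi\nX-SAMPLE-SOBIG-F\n")
    code, generated = filter_at_data(infected, policy)
    extra = list(generated)
    # Step 3 of the scenario: foo.com's MTA bounces the warning back to
    # sue@bar.com if joe@foo.com no longer exists there.
    for m in generated:
        if m.rcpt_to not in valid_addresses:
            extra.append(Message("", m.mail_from, b"Undeliverable"))
    return code, len(extra)

if __name__ == "__main__":
    for policy in ("notify_always", "notify_unless_forged", "reject_at_data"):
        print(policy, simulate(policy, valid_addresses={"sue@bar.com"}))
```

With `notify_always` one infected message turns into two pointless administrative messages; the flag-aware and reject-at-DATA policies both generate none.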