Slashdot Mirror
Lousy E-mail Filters Complicating Outlook Worms
Mar writes "FRISK Software founder Fridrik Skulason has issued an open letter in which he blames other anti-virus companies for much of the Sobig.F network load problems: 'If mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.'"
Do most users exchange executable files? How about just blocking them if they're executable... How about getting an email client that isn't known for it's ability to spread received infected email without the user having to even open the email?
/been using pine since 1996...
Do not look into laser with remaining eye.
Not only are they doubling traffic, they can help spread the virus.. I've recieved bounced email containing the virus, since the the return address is randomized this in effect helps to spread the virus. Why include the attachment in a bounce message?
air and light and time and space
...traffic than you'd have if the worm got to its target and continued spreading.
That's a lousy argument for obvious poor behavior on the part of anti-virus software. It's like saying every time the police catch a violent criminal, they should kick the ass of some random citizen. Hey, it may be annoying, but it's still less violence than you'd have if the criminal got to their target and acted violently.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
One member of our software development team ended up receiving over 10,000messages/hour during our peak load, about equally split between virus messages, and bounce backs/mailer daemon messages. The latter weren't blocked by the standard anti-spam solution.
The messages generally contain no usefull information, and are deleted without reading.
Spam catchers should be combined with anti virus solutions, to ensure that authentic messages do generate some sort of response, either to the sender or receiving, informing them of the infection. The technologies would mesh well in this case.
paul reinheimer
There's some flaws in the logic.
First, there's a cost per message that you're not including. Every message I get I have to consider and read, or delete. I'm getting tons of virus bounces, even though I've never sent a virus - the virus uses forged headers. So, for me, someone who has no way to contract a virus, my "work"load has gone up noticably, and the price I pay went from $0 to $X where X is a positive number.
Second, the autoresponder is not a necessary part of the virus removal. The savings is already there by blocking the virus from infecting the user's computer. The bounce is just an extra thing the anti-virus people put in to try to advertise their product.
It's *pretty damn close* to being spam.
I'm still getting about 200-300 "You sent a message with SoBig.F! Patch your computer immediately!" every day.
Trouble is, I'm on a Mac. I couldn't be infected with SoBig.F if I wanted to.*
Further trouble is, SoBig.F spoofs the FROM: field, so these messages invariably go to everybody except the schmuck with the infected box.
So no, these messages hurt far more than they help.
[* Pedant filter: I suppose I could buy Virtual PC or somesuch and install a vulnerable version of Windows. That'd probably do the trick.]
Obliteracy: Words with explosions
The bounces from the anti-virus software programs is pretty damned close to spam. Close enough that it gets their name out there, but not close enough that they'd actually be pinned about it except by the most self-righteous of the anti-spammers.
Of course you're right. The bounces are becoming a problem because most new worm variants fake the From: header anyway. The question would be, what percentage of total SoBig.F-related traffic comes from bounces? It might, of course, be as high as 50% if every message sent is bounced; but Frisk didn't really point out how much the Bounce problem contributed to the general worm traffic.
I'd be happy if bounces in SoBig-like cases were reduced, but I find it a weak argument to blame the worm problem on anti-virus software without giving numbers of how much bounces actually added to the problem. (Well, it's another anti-virus software producer writing this statement, so this open letter could be considered a PR statement to some extent.)
Somehow this also reminds me of those stupid Windows firewall products that by default alert you of every single stupid network packet...
It is well known that the Sobig.F and many other viruses forge the sender address. These viruses are identified by the relevant filter product.
Then, why on earth do you send a notification to an address that is known to be forged?
The answer is simple - free advertising payed with your and my money. It is not stupidity. It is malice. An outright form of advertising a product by SPAM. I think that any Washington (or other state with antispam laws) resident should sue them for this.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
The worst part of it is that the antivirus software sending these messages knows that it's SoBig.F. Thus, it should also know that the virus forges the From: header, and that it's pointless to send out the warning message to that address.
So thanks, antivirus programmers. Thanks for wasting my time instead of doing your job correctly. How long would have taken to add an extra if(){} to your code, and another boolean field to your virus database?
And on top of that, some of them return the virus with the message. Therefore, it you don't have virus protection (which is stupid) and your address is forged on one, you might get a copy and also get infected.
<rant>
That's what utterly astonished me during the recent SoBig.F infestation. When an undelivered mail message with an attachment bounces, the mail servers return not just the subject line, or the message text, but the attachment to the putative sender.
Were the architects of the common Internet mail utilities just plain stupid? What other conclusion can possibly be drawn? Who taught these epsilon-minus lackwits to use a computer, and why? What else am I supposed to think when a mail gateway or server is designed to bounce hundreds of kilobytes worth of attached junk to someone who, by definition, already has the data (since, after all, it's not as if he or she is the one who fucking sent it the first place)? And when it's designed to do so via an untrustworthy return address courtesy of the nullwits who designed the SMTP protocol, no less?
It is WAY past time to scrap the Internet's existing email infrastructure in favor of something designed by actual engineers. What we have now is a giant, virtual Petri dish better suited for the cultivation of worms, viruses and spam than for communication between legitimate users.
</rant>
Dahlmann tightly grips the knife, which he may have no idea how to use, and steps out into the plain.
Last year, my wife received a spate of "you sent this virus" messages. Worse, a number of her associates received "this person tried to send you a virus" message, referring to her.
I followed up with several of the administrators running the virus filters. In all cases, the administrators had quarantined the messages without headers so it was impossible to tell what machine really sent the message. I would have liked to know this information so as to have some hope of tracing the owner of the infected machine.
I understand why users are unaware of headers. Microsoft's products go out of their way to hide them. In Outlook Express, to get headers you have to find the relevant show headers pull-down and even then the headers appear in a too-small non-resizable window. You have to clip the contents and paste into a real window before the headers can be read/forwarded.
The "From:" field of email means no more than the snail-mail return address that you scribble on an envelope. The header, like the snail-mail postmark, tells the origin.
What is the excuse for vendors of email software (filtering or end-user) perpetrating unawareness of this basic property of email?
Uh huh.
So you wanna read your personal email at the office. Fine if your company supports that.
But then you just absolutely positively gotta use only your favorite email client, not the one already installed, not a web portal. The email client now installed by you, presumably licensed to you, that is not owned or supported by IS. The one that makes IS's day that much tougher by throwing one more ingredient into the stew that is the company's desktop computer.
Now on top if it your personal email client reading your personal email is bringing in viruses to the company. Onto that corporate PC logged into the corporate network. And dammit those nasty folks in IS aren't willing to spend their time making exceptions to the virus scanning so your unique-in-the-company personal email client reading your personal, virus-infected email is exempted.
Cry me a river.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
It can actually exceed 50% in some scenarios. For example:
1. Trojan fakes from address of 'joe@foo.com', sends email to 'sue@bar.com' with infected attachment.
2. Filter at 'bar.com' detects infected attachment, sends rejection email from 'sue@bar.com' to 'joe@foo.com'.
3. It turns out that 'joe@foo.com' is no longer a valid address. 'foo.com' mail agent sends a delivery failure email to 'sue@bar.com'.
Thus we get two pointless administrative emails generated by a single infected email.
I am seeing this happening quite commonly, by the way.
When all you have is a hammer, everything looks like a skull.