Slashdot Mirror


Lousy E-mail Filters Complicating Outlook Worms

Mar writes "FRISK Software founder Fridrik Skulason has issued an open letter in which he blames other anti-virus companies for much of the Sobig.F network load problems: 'If mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.'"

11 of 461 comments

  1. But still less... by mindriot · · Score: 4, Interesting

    ...traffic than you'd have if the worm got to its target and continued spreading.

  2. How come we even get them? by TerryAtWork · · Score: 4, Interesting

    This is completely stoppable at the ISP level. I received over 1,000 SoBig.F messages, not one of which had to go through!

    --
    It's Christmas everyday with BitTorrent.

    1. Re:How come we even get them? by lseltzer · · Score: 5, Interesting

      My latest column deals with this too. I got a lot of e-mail in response from ISPs talking about how it would be difficult/expensive to implement and that it would violate customer privacy. One said it would be a HIPAA violation. My own ISP (Speakeasy.net) virus-scans all e-mail that goes through their servers; is that a HIPAA violation? A lot of them are also scared of losing customers after offending them by blocking their outbound port 25 access, but does an ISP really want business from someone infected with Sobig?

      It is true that since Sobig uses its own SMTP server the ISP would have to do the monitoring via a port 25 monitor. I'm not completely sure how difficult/expensive this would be to implement on a large scale, but there's an opportunity for someone who comes up with a cheap solution. I suppose it could be part of a general IDS, but it needs to be something price-accessible to an ISP.

      Larry Seltzer
      Security Editor, eWEEK.com
      http://security.eweek.com/

  3. No doubt! by tbase · · Score: 4, Interesting

    If the e-mail filter is smart enough to know it's Sobig.F, why isn't it smart enough to know the "from" is spoofed?!?!?

    I set our filters to just delete anything with an executable attachment, but that didn't do crap for the stupid "Virus Detected" warnings.

    One guy was sending us about 150 copies a day, and the others his PC sent out with our address as the "from" resulted in about 50-75 Virus warnings a day - from the first day it popped up until it expired. I had his IP address, and called and e-mailed his ISP (Birch.net) a dozen or more times, and they did squat. 150 x ~100k x # of people in his address book - not to mention the undeliverables and virus warnings - and they did nothing.

    --

    666-607: 6th floor apartment of the beast

  4. Fuzzy Math by Akai · · Score: 4, Interesting

    The SoBig.(X) (all of 'em, been getting them for months, good thing Evolution doesn't care) are all around 100K a piece.

    A "your message was filtered" is maybe 2-3K including all headers (more likely under 1k), so responding to messages with viruses in them adds 1-3%, not 100%, to the traffic.

    That being said, since most of the current generation of SoBig happily fake the "From" email address, a reply to the from address doesn't really help anyone either.

    So in the worst case scenario, a 3K reply to a fake email address results in a bounce message, so at the most you've got 5% overhead, and theoretically for that 6K of email, you've saved a user from getting infected, which would generate 100K*1000's of data.

    I'd say it's not too high a price to pay.

    --
    Please send all UCE to scally@devolution.com so I can f

    1. Re:Fuzzy Math by Snowdog668 · · Score: 4, Interesting

      You'd be right and I wouldn't care if I only got the headers. Unfortunately about 95% of the bounce messages I've gotten contain the original attachment as well. Thank goodness I check that account on webmail so I didn't have to wait to download the messages over dial-up (stuck in the great broadband wasteland). It was easy to get rid of from my point of view because all I had to do was go down the list and mark all the e-mails that were 100k for deletion and get rid of them. If I had to actually download each message over my dial-up account because some sysadmin decided to bounce the entire message I'd be seriously pissed.

      --
      I wouldn't say I'm a bad gambler but the last time I went to Vegas I even lost a buck on the soda machine.
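
The two complaints above (notices sent to a forged "From", and bounces that carry the 100k attachment back) are both filter-policy choices. Here is an added example, not code from this page or from any of its posters, of a quarantine policy that notifies only the local recipient with headers alone, and writes to the sender only when the caller has verified that sender by some means outside this snippet. The extension list, addresses and placeholder attachment bytes are constructed assumptions.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
# Extensions the filter treats as executable (an assumption for this example).
EXEC_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".vbs"}

def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw message bytes with the modern email policy."""
    return BytesParser(policy=policy.default).parsebytes(raw)

def executable_attachments(msg: EmailMessage) -> list[str]:
    """Lower-cased filenames of attachments with an executable extension."""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    return [n for n in names if any(n.endswith(e) for e in EXEC_EXTENSIONS)]

def disposition(msg: EmailMessage, sender_verified: bool = False):
    """Return (action, notices); notices is a list of (addressee, EmailMessage)."""
    bad = executable_attachments(msg)
    if not bad:
        return "deliver", []
    body = (f"Blocked attachment(s): {', '.join(bad)}\n"
            f"Original subject: {msg['Subject']}\n"
            f"Claimed From (unverified, possibly forged): {msg['From']}\n")
    # Tell the local recipient with headers only: the payload is never echoed back.
    note = EmailMessage()
    note["To"] = str(msg["To"])
    note["Subject"] = "Message quarantined: executable attachment"
    note.set_content(body)
    notices = [(str(msg["To"]), note)]
    # A notice to the From address is backscatter unless that sender is known to be real.
    if sender_verified:
        reply = EmailMessage()
        reply["To"] = str(msg["From"])
        reply["Subject"] = "Your message was quarantined"
        reply.set_content(body)
        notices.append((str(msg["From"]), reply))
    return "quarantine", notices

def build_sample(attachment_name: str = "") -> bytes:
    """Constructed sample message, not a real capture; addresses are placeholders."""
    m = EmailMessage()
    m["From"] = "victim@example.com"   # the address a worm would forge
    m["To"] = "user@example.net"
    m["Subject"] = "Re: Details"
    m.set_content("See the attached file.")
    if attachment_name:
        m.add_attachment(b"MZ constructed placeholder, not a real binary",
                         maintype="application", subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()
```
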

  5. Good for this guy... by fuqqer · · Score: 5, Interesting

    I work in Tech support for a telecommunications company and I get at least three calls per day regarding a message from Norton Antivirus. The message falsely states that they were a sender of the sobig.f virus. Of course, our users are completely up to date with their virus software and our e-mail servers catch the sobig virus. A big shame on you to Norton for having an e-mail enabled warning like that. It preys on the stupidity of end users.

    Granted, if nobody talked about AIDS, the infection rate would probably skyrocket too. So is it better that there be a symptom of the virus such as increased network traffic. Or is it better to not inform external users and try to repair in house?

    Maybe it offers a little job security too though.

  6. It's viewed as promotion by mcrbids · · Score: 5, Interesting

    One of my clients is an ISP - and they *want* the bounces to go out for the simple reason that it broadcasts to the world that "your mail is safe with us".

    So the bounce messages go something like "Our mail server detected a virus in an email you appear to have sent, and we protected our customer ... For more information about our services come to --URL--"

    I don't know if it's effective at all, but it sure doesn't cost much - the virus notification is essentially a mild form of SPAM which few people really get up in arms about.

    Just to understand, there are market conditions behind those virus notices...

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.

  7. Just got my hand slapped by Data Security by RobertB-DC · · Score: 4, Interesting

    I just got a call from the Data Security guy in my office. I've had run-ins with him before, because their scans of my PC would occasionally find that I run Eudora for my personal email rather than routing it through the corporate virus portal known as Outlook Express. My bosses have been supportive -- as long as I get my work done, who the heck cares what I've got installed?

    Now, I get 50-100 messages from "helpful" virus checkers telling me that I sent them a virus. Duh, of course I didn't. But what's worse is when they try to help me by sending the damned virus back to me! So my Eudora inbox fills up with viruses. No problem, I just delete them, right?

    But we've got real-time virus scanning installed, and the admins take a dim view of tweaking it to skip certain directories. It finds that In.mbx contains a virus and kills the file. Poof, there goes my Eudora inbox. Frustrating, but it was full of junk anyway.

    This morning, though, I get a call from the head Data Security honcho. Norton called mommy when it found the virus, and did it often enough for me to show up on the admin guy's radar again. Now, I'm going to have to quit using Eudora at work, just because brain-dead virus protection is sending me viruses! I'd fight it again, but I have to agree -- if I keep downloading viruses, I'm part of the problem.

    Thanks for nothing, AV companies. All you're doing is keeping yourselves in business with false virus alerts. Or maybe that was the "2. ???" in between "1. Spread Viruses" and "3. Profit!"

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.

  8. The response I got - it IS part of the problem by ctwxman · · Score: 5, Interesting

    I received hundreds of bouncebacks from one organization. So, I did a whois and wrote to the contact listed:
    My name is Geoff Fox and I am writing because I have received hundreds upon hundreds of message bounces from your **** mail server.
    These messages are not originating with me. These are SoBig virus generated and are spoofing my address as the return.
    I am asking nicely, but I need you to take action immediately. I am attaching a bounce message so you can see what I've received. From the headers it looks like they're actually coming from ***.com
    Sincerely, Geoff Fox

    I did get a response... but not what I had expected.

    Geoff, Thanks for raising the issue of the SoBig virus infection.
    From the information that you have provided, it does look like the infected machine is located at **** Architects, Inc. of Harford, CT. Their contact information is provided below.
    Have your IT technical staff contact the administrative contact or the technical contact below. They may not realize that they have a SoBig infected machine and that it needs to be cleaned.
    (whois stuff deleted)
    It was signed by their Director of IT Security.

    So, even at that level, he didn't realize he was doing something wrong... or that these bouncebacks came from him, not from the site that was infected. And, he felt it was my obligation to do something about it, not his!

  9. Troublesome? Yes, but necessary ... by ElektroHolunder · · Score: 4, Interesting

    I am currently looking into antivirus solutions for our company mailserver, and originally thought about disabling the bounce messages.

    But unfortunately it seems that it could be illegal in Germany to intercept a message without notifying the sender. As far as I understand it, eMail seems to be subject to the same regulations as snail mail here, so dropping the message silently could constitute a legal hazard...