Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lousy E-mail Filters Complicating Outlook Worms

Posted by CmdrTaco on from the cluttering-up-my-inbox dept.

Mar writes "FRISK Software founder Fridrik Skulason has issued an open letter in which he blames other anti-virus companies for much of the Sobig.F network load problems: 'If mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.'"

4 of 461 comments (clear)

  1. Good for this guy... by fuqqer · · Score: 5, Interesting

    I work in Tech support for a telecommunications company and I get at least three calls per day regarding a message from Norton Antivirus. The message falsely states that they were a sender of the sobig.f virus. Of course, our users are completely up to date with their virus software and our e-mail servers catch the sobig virus. A big shame on you to Norton for having an e-mail enabled warning like that. It preys on the stupidity of end users.

    Granted, if nobody talked about AIDS, the infection rate would probably skyrocket too. So is it better that there be a symptom of the virus such as increased network traffic. Or is it better to not inform external users and try to repair in house?

    Maybe it offers a little job security too though.

  2. It's viewed as promotion by mcrbids · · Score: 5, Interesting

    One of my clients is an ISP - and they *want* the bounces to go out for the simple reason that it broadcasts to the world that "your mail is safe with us".

    So the bounce messages go something like "Our mail server detected a virus in an email you appear to have sent, and we protected our customer ... For more information about our services come to --URL--"

    I don't know if it's effective at all, but it sure doesn't cost much - the virus notification is essentially a mild form of SPAM which few people really get up in arms about.

    Just to understand, there are market conditions behind those virus notices...

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  3. The response I got - it IS part of the problem by ctwxman · · Score: 5, Interesting

    I received hundreds of bouncebacks from one organization. So, I did a whois and wrote to the contact listed:
    My name is Geoff Fox and I am writing because I have received hundreds upon hundreds of message bounces from your **** mail server.
    These messages are not originating with me. These are SoBig virus generated and are spoofing my address as the return.
    I am asking nicely, but I need you to take action immediately. I am attaching a bounce message so you can see what I've received. From the headers it looks like they're actually coming from ***.com
    Sincerely, Geoff Fox

    I did get a response... but not what I had expected.

    Geoff, Thanks for raising the issue of the SoBig virus infection.
    From the information that you have provided, it does look like the infected machine is located at **** Architecs, Inc. of Harford, CT. Their contact information is provided below.
    Have your IT technical staff contact the admistrative contact or the technical contact below. They may not realize that they have a SoBig infected machine and that it needs to be cleaned.
    (whois stuff deleted)
    It was signed by their Director of IT Security.

    So, even at that level, he didn't realize he was doing something wrong... or that these bouncebacks came from him, not from the site that was infected. And, he felt it was my obligation to do something about it, not his!

  4. Re:How come we even get them? by lseltzer · · Score: 5, Interesting

    My latest column deals with this too. I got a lot of e-mail in response from ISPs talking about how it would be difficult/expensive to implement and that it would violate customer privacy. One said it would be a HIPAA violation. My own ISP (Speakeasy.net) virus-scans all e-mail that goes through their servers; is that a HIPAA violation? A lot of them are also scared of losing customers after offending them by blocking their outbound port 25 access, but does an ISP really want business from someone infected with Sobig?

    It is true that since Sobig uses its own SMTP server the ISP would have to do the monitoring via a port 25 monitor. I'm not completely sure how difficult/expensive this would be to implement on a large scale, but there's an opportunity for someone who comes up with a cheap solution. I suppose it could be part of a general IDS, but it needs to be something price-accessible to an ISP.

    Larry Seltzer
    Security Editor, eWEEK.com
    http://security.eweek.com/