Slashdot Mirror
Lousy E-mail Filters Complicating Outlook Worms
Mar writes "FRISK Software founder Fridrik Skulason has issued an open letter in which he blames other anti-virus companies for much of the Sobig.F network load problems: 'If mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.'"
...traffic than you'd have if the worm got to its target and continued spreading.
After so many viri's that fake return to headers it's stupid to continue responding to them. No I didn't read the article...
The email bounce is nearly dead now. Between spam and viruses faking the from and reply-to headers, it's become almost a menace. I got nearly as many bounces as I did sobig messages.
This is completely stoppable at the ISP level. I received over 1,000 SoBig.F messages, not one of which had to go through!
It's Christmas everyday with BitTorrent.
Our Norton Exchange AV kicks out "we-saved-your-butt" emails to the admin, the original recip, and back at the "sender", who of course knows nothing about it since it was forged.
:) Serves AOL right...
I've just been creating more and more filters that send to trash with no notification to anyone.
Of course, you have to pay attention when you first turn some of the capabilities on, as Norton kindly preset you to block AOL mail
.sigs are for post^Hers.
Do most users exchange executable files? How about just blocking them if they're executable... How about getting an email client that isn't known for it's ability to spread received infected email without the user having to even open the email?
/been using pine since 1996...
Do not look into laser with remaining eye.
Not only are they doubling traffic, they can help spread the virus.. I've recieved bounced email containing the virus, since the the return address is randomized this in effect helps to spread the virus. Why include the attachment in a bounce message?
air and light and time and space
Duh it may be, but that's the default behavior for Norton's Exchange AV software.
You have to fool around with it in a most confusing way to get it to stop doing that. Like all good Windows management interfaces, it's confusing and inconsistent. But I digress...
.sigs are for post^Hers.
Why (some) anti-virus companies are to blame for the recent
e-mail flood
As everyone should now know, Sobig.F has generated a tremendous amount of e-mail traffic world-wide. However, part of the blame for this traffic should be placed on some of the anti-virus companies.
What I am referring to is the large number of incorrectly configured mail filters that respond by sending a "virus alert" to the "From:" address. As Sobig.F falsifies the "From:" address, these e-mails just clutter up the mailboxes of innocent, non-infected people. These messages cause unnecessary annoyance and worry, as they typically (and incorrectly) claim that people have sent out a virus.
When you get an e-mail, warning you of a Sobig.F infection, with a subject line similar to these:
* *** detected and quarantined a virus in a message you sent.
* Warning: E-mail viruses detected
* Virus Detected by ***
* This is an alert from ***
it usually means that someone, somewhere has made a bad decision on how to react to infected mail, either by selecting a substandard product or by configuring it incorrectly.
Worse yet, if mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.
The problem is that some commercial mail filters have this behaviour set as the default. At least one filter gives only two options: Always send a "virus alert" to the "From" address of every infected e-mail received or "pass the message through to the recipient". Clearly neither of these options are acceptable.
I have only one word for this: Stupid!
Acceptable behaviour would be one of the following:
1. Have the mail filter properly distinguish between worms that falsify the "From:" address and ones that do not and only send a warning message when the "From:" address is likely to be genuine.
2. Do not send the alerts at all.
In fact, sending an alert automatically to the From: address for every virus or worm received by e-mail should not even be a selectable option.
With Sobig.F scheduled to die out today, Sept. 10th, the problem might go away for a while - until the next similar worm appears. And this is the scary part. Sobig.F didn't really infect that many machines world-wide, maybe only 200.000 or so. This is only a fraction of the number of machines infected by Msblaster (Lovsan). Now imagine a worm combining the distribution method of Msblaster with the mass-mailing feature of Sobig.F. The flood of traffic might practically render the Internet unusable.
Eventually, some virus author will create a virus like this, maybe this month, maybe in a few years, but it will happen. And when it does we do not need the anti-virus companies making a bad situation worse.
I hope the "guilty" anti-virus producers will be updating their products in the near future, but this is not going to happen unless their customers request it.
Fridrik Skulason ( frisk@f-prot.com )
Founder of FRISK Software International
"The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
If the e-mail filter is smart enough to know it's Sobig.F, why isn't it smart enough to know the "from" is spoofed?!?!?
I set our filters to just delete anything with an executable attachment, but that didn't to crap for the stupid "Virus Detected" warnings.
One guy was sending us about 150 copies a day, and the others his PC sent out with our address as the "from" resulted in about 50-75 Virus warnings a day - from the first day it popped up until it expired. I had his IP address, and called and e-mailed his ISP (Birch.net) a dozen or more times, and they did squat. 150 x ~100k x # of people in his address book - not to mention the undeliverables and virus warnings - and they did nothing.
666-607: 6th floor apartment of the beast
The SoBig.(X) (all of 'em, been getting them for months, good thing Evolution doesn't care) are all around 100K a piece.
A "your message was filtered" is maybe 2-3K including all headers (more likely under 1k), so responding to messages with Virus' in them adds 1-3% not 100% to the traffic.
That being said, since most of the current generation of SoBig happily fake the "From" email address, a reply to the from address doesn't really help anyone either.
So in the worst case scenario, a 3K reply to a fake email address results in a bounce message, so at the most you've got 5% overhead, and theoretically for that 6K of email, you've saved a user from getting infected, which would generate 100K*1000's of data.
I'd say it's not too high a price to pay.
Please send all UCE to scally@devolution.com so I can f
One member of our software development team ended up receiving over 10,000messages/hour during our peak load, about equally split between virus messages, and bounce backs/mailer daemon messages. The latter weren't blocked by the standard anti-spam solution.
The messages generally contain no usefull information, and are deleted without reading.
Spam catchers should be combined with anti virus solutions, to ensure that authentic messages do generate some sort of response, either to the sender or receiving, informing them of the infection. The technologies would mesh well in this case.
paul reinheimer
last time
It's pretty rare that an e-mail that we send out does not eventually get to its recipient, and in most cases the e-mail is in response to something so the recipient will let us know if they aren't getting a message from us, so this system has been working out well so far.
I never vote for anyone. I always vote against.
-- W.C. Fields
The SoBig.F virus message was much larger than a "we found a virus" letter, because it included a copy of the virus itself. The number of messages bouncing around may have doubled, but the total bandwidth required did not.
However, as the recipient of 300+ messages a day, I for one would be delighted if the virus scanners had an option to Just Shut Up when they find a specific virus. While I don't believe the scanners aggravated the problem -- indeed, by reducing its transmission, they certainly improved matters -- the bogus reject messages were a highly visible and easily avoidable irritant.
I work in Tech support for a telecommunications company and I get at least three calls per day regarding a message from Norton Antivirus. The message falsely states that they were a sender of the sobig.f virus. Of course, our users are completely up to date with their virus software and our e-mail servers catch the sobig virus. A big shame on you to Norton for having an e-mail enabled warning like that. It preys on the stupidity of end users.
Granted, if nobody talked about AIDS, the infection rate would probably skyrocket too. So is it better that there be a symptom of the virus such as increased network traffic. Or is it better to not inform external users and try to repair in house?
Maybe it offers a little job security too though.
One of my clients is an ISP - and they *want* the bounces to go out for the simple reason that it broadcasts to the world that "your mail is safe with us".
... For more information about our services come to --URL--"
So the bounce messages go something like "Our mail server detected a virus in an email you appear to have sent, and we protected our customer
I don't know if it's effective at all, but it sure doesn't cost much - the virus notification is essentially a mild form of SPAM which few people really get up in arms about.
Just to understand, there are market conditions behind those virus notices...
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Wouldn't it be better to blame those resposible for Outlook for Outlook worms? (Be it users who fail to patch, admins to deploy it, Microsoft for writing it on one drunken weekend that involved a lot of monkey hookers and a boat load of cocaine.)
It's certainly better than blaming a _client_ problem on the _network_ which when it was designed didn't anticipate (understandably) a near monoculture of such vunerable products being deployed.
Beep beep.
I just got a call from the Data Security guy in my office. I've had run-ins with him before, because their scans of my PC would occasionally find that I run Eudora for my personal email rather than routing it through the corporate virus portal known as Outlook Express. My bosses have been supportive -- as long as I get my work done, who the heck cares what I've got installed?
Now, I get 50-100 messages from "helpful" virus checkers telling me that I sent them a virus. Duh, of course I didn't. But what's worse is when they try to help my by sending the damned virus back to me! So my Eudora inbox fills up with viruses. No problem, I just delete them, right?
But we've got real-time virus scanning installed, and the admins take a dim view of tweaking it to skip certain directories. It finds that In.mbx contains a virus and kills the file. Poof, there goes my Eudora inbox. Frustrating, but it was full of junk anyway.
This morning, though, I get a call from the head Data Security honcho. Norton called mommy when it found the virus, and did it often enough for me to show up on the admin guy's radar again. Now, I'm going to have to quit using Eudora at work, just because brain-dead virus protection is sending me viruses! I'd fight it again, but I have to agree -- if I keep downloading viruses, I'm part of the problem.
Thanks for nothing, AV companies. All you're doing is keeping yourselves in business with false virus alerts. Or maybe that was the "2. ???" in between "1. Spread Viruses" and "3. Profit!"
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
The mail filters that send out a message for each virus message received are not the problem. Indeed, they're just following the basic requirements for bounced messages listed in RFC 2822.
THE problem is the mail filters which also send a second message to postmaster@whatever domain. Whatever brainiac thought that one up should be shot.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
I'm not Seth Finkelstein. I still speak the truth.
I find this most interesting.
Until recently, no e-mail worms spoofed the email address. F-Prot obviously never had the functionality of replying to infected emails.
Until just recently, it was really good to reply to the sender alerting him about the fact that he sent out a virus/worm. Where was F-Prot back then??
The way I see it, it's been three steps.
Step 1: No email worms.
Step 2: Email worms that didn't spoof the sender (replying to sender is good).
Step 3: Email worms that spoof the sender (replying to sender is bad).
Seems to me that F-Prot is complaining that everyone hasn't reached step 3 yet (with spoofed sender addresses, infected emails shouldn't be replied to), even though we pretty much reached it just now. Before Sobig, even though there were worms that spoofed the sender, they were a minority. After Sobig, spoofing worms are a majority, which means that AV products need to change. This won't happen in a second like it did for F-Prot, because most AV vendors didn't skip step 2 like F-Prot did.
This coming from a company who 95% of computer users never heard, and who never even added the functionality of replying to emails even though it was really good until just recently, makes me believe his just looking for his two minutes of fame.
Critical Update:
A security issue has been identified that could allow an attacker to compromise a computer running Microsoft Windows and install Linux on it. You can help protect your computer by installing this EULA from Microsoft. After you install this EULA, a NULL update will be downloaded for your benefit.
'If mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.'
Not quite. Fortunately the alert emails are (usually) just text, and not some several-kilobyte attachment. They may be doubling the messages, but certainly nowhere *near* the bandwidth used.
One would hope the anti-virus tool folks could build in ways to sniff out "Oh, this is a SoBig-laden email" and *not* send out the completely useless alert to someone's address that happened to be the random "From" address used.
"People" using "unnecessary" quotes should be "shot".
Until the anti-virus software developers, M$ and the general e-mail population can out-wit a 12 year old script kiddie, no progress will be made.
~insert tech sarcasm here~
We have Mail Marshall here at work. I got the following mail from the system yesterday...
:(
MailMarshal (an automated content monitoring gateway) has stopped the following email for the following reason:
It believes it may contain unacceptable language, or inappropriate material.
Message: B000038072.00000001.mml
From: xxx@xxx.com
To: xxx@xxx.com
Subject: Re: So Whuz Up?
Please remove any inappropriate language and send it again.
The blocked email will be automatically deleted after 5 days.
MailMarshal Rule: Inbound Messages : Block Unacceptable Language Script Offensive Language (Basic) Triggered
Expression: asshole Triggered 1 times weighting 5
Email security by MailMarshal from Marshal Software.
So the message tells both the ortiginal sender and I that it won't deliver the email because it contains the term "asshole". So it lets me know that by sending me an email telling me the exact same word that was supposed to be filtered? It seems like we've got a hypocrytical mail filter here
At no point should a response be generated for a virus. Maybe five years ago, when viruses tagged along with legitimate data, but nowadays, a virus generates it's own delivery system, and there's no point to a bounce.
Vintage computer games and RPG books available. Email me if you're interested.
The statement "If mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution" is also what I've been saying for months. This is a condemnation of challenge/response. Challenge/response is flawed conceptually in that it assumes the return address is correct. In an age of spam (which it supposedly addresses) and viruses it is absurd to believe the return address exists and sending email to the return address just multiplies the problem.
Challenge/response was never well thought out. It shifts the burden of spam filtering to the person that sends email to that user, and tends to mailbomb innocent users that happen to have their addresses forged by spam or viruses. All so someone can supposedly enjoy a spam-free existance with no thought to the hassle they are creating for others and the spam that they are creating by mailbombibf C/R challenges to forged addresses.
Hopefully with much better filters already available Challenge/response will just disappear. It's bad technology.
I received hundreds of bouncebacks from one organization. So, I did a whois and wrote to the contact listed:
My name is Geoff Fox and I am writing because I have received hundreds upon hundreds of message bounces from your **** mail server.
These messages are not originating with me. These are SoBig virus generated and are spoofing my address as the return.
I am asking nicely, but I need you to take action immediately. I am attaching a bounce message so you can see what I've received. From the headers it looks like they're actually coming from ***.com
Sincerely, Geoff Fox
I did get a response... but not what I had expected.
Geoff, Thanks for raising the issue of the SoBig virus infection.
From the information that you have provided, it does look like the infected machine is located at **** Architecs, Inc. of Harford, CT. Their contact information is provided below.
Have your IT technical staff contact the admistrative contact or the technical contact below. They may not realize that they have a SoBig infected machine and that it needs to be cleaned.
(whois stuff deleted)
It was signed by their Director of IT Security.
So, even at that level, he didn't realize he was doing something wrong... or that these bouncebacks came from him, not from the site that was infected. And, he felt it was my obligation to do something about it, not his!
This has already been implemented; for this reason, I can't send executable attachments to some of the people I know...
I'm a programmer. I write games in my spare time. I really don't feel like mailing a floppy to everyone (friends and family) who might find my game interesting.
Yeah, I understand that most executable attachments are probably viruses. However, this doesn't justify the intrusion on my freedom - I would expect a company to just delete virus emails, rather than a blanket rejection of something that could be a virus, but might be very important to the recipient.
Messages from known spamming autoresponders should be blocked by spam filters. A publicly available list of canned text appearing in messages from spamming autoresponders should be made available and placed into mail filters.
That should deal with the problem.
Lousy E-mail Filters Complicating Outlook Worms
SoBig.F is not an Outlook worm. It is a Windows worm. It does not require Outlook to run. It has it's own built in MTA and grabs email addresses from cached webpages and local text files as well as the Outlook/Express address book.
-Ab
Nothing fails quite like prayer.
I don't. Their contribution to the problem is only limited to their marketshare. Any antivirus can block the viruses - but using these idiots over better competitors results in how many *illions of extra messages? Not to mention the confusion it creates on behalf of less savvy recipients. How many people paid for tech service on their "infected" computers only to discover they were fine?
Under any circumstances, I don't find this behavior acceptable.
-Looking for a job as a materials chemist or multivariat
I am currently looking into antivirus solutions for our company mailserver, and originally thought about disabling the bounce messages.
..
But unfortunately it seems that it could be illegal in Germany to intercept a message without notifying the sender. As far as I understand it, eMail seems to be subject to the same regulations as snail mail here, so dropping the message silently could constitute a legal hazard
Last year, my wife received a spate of "you sent this virus" messages. Worse, a number of her associates received "this person tried to send you a virus" message, referring to her.
I followed up with several of the administrators running the virus filters. In all cases, the administrators had quarantined the messages without headers so it was impossible to tell what machine really sent the message. I would have liked to know this information so as to have some hope of tracing the owner of the infected machine.
I understand why users are unaware of headers. Microsoft's products go out of their way to hide them. In Outlook Express, to get headers you have to find the relevant show headers pull-down and even then the headers appear in a too-small non-resizable window. You have to clip the contents and paste into a real window before the headers can be read/forwarded.
The "From:" field of email means no more than the snail-mail return address that you scribble on an envelope. The header, like the snail-mail postmark, tells the origin.
What is the excuse for vendors of email software (filtering or end-user) perpetrating unawareness of this basic property of email?
What is your definition of "recently"? Apparently it's about two years.
why not have the filter do a whois on the ip of sender and send the warning to the admin of that net block?
seems like abetter solution as it gets the virus warning in hands of the person that can do soemthing about it rather than sent to people who have no virus on their systems..
comeon how hard is it to parse the record gotten back from a whois query?
Don't Tread on OpenSource
Later versions of the amavisd-new mail scanner don't send mail to sender addresses from virii/worms that forge mail headers, even if you have it configured to do so.
I remember the day that SoBig.F reared it's ugly head. I can into work and must have had 40-50 emails claiming I sent a virus to some person I have never heard of. It was so many I actually figured I better check and make sure I didn't have the virus.
Even worse 1 in 4 of the messages sent the virus to me in the message bounce.
But in reality antivirus software is playing a losing game, it tries to get out virus definitions to protect systems after the virus has been released. Not only that the viruses have much faster distribution rate than the definitions so it's a loosing battle. We need a new solution.
I propose that we should call for a ban of Microsoft Lookout. In its short existence, it has become the most insecure piece of software every written -- surpassing Bind, Sendmail and even Wuftpd, programs much older than it.
While we are at it lets call for banning direct access to the internet for all windows based systems. Let's face it. If you put a windows box bare on the net, eventually it is going to be compromised. Windows wasn't originally designed to work on the internet and Microsoft has shoehorned in the internet support without proper security measures taken.
You can't rely on end users who are too afraid to install there own OS to properly secure and update the machine. Someone needs to do that for them and frankly Microsoft doesn't.
I use No-IP.com. Within a few hours of the worm spreading they had turned off bounce notifications of virus messages. I received a total of 10 SoBig worm notifications messages, and none of the actual worm.
I think it's up to the ISP administrators to stay up to date with what is going on and to stop these sort of things in their tracks. That is why I get my email through a third party: so I don't have to deal with the bull. They have a responsiblity to their customers. I think No-IP did a great job living up to that responsibility.
Frisk has been around for a long time, I used f-prot in DOS. But I think the letter he wrote is definitely a marketing ploy. They have recently updated their site to a more modern interface and it seems they are attempting to make some kind of mainstream market pull. I have the f-prot trial on my work windows xp box and honestly, it's pretty good. Fast and stable and less intrusive than Norton AV. So it might be good for it to work out for them.
I administrate a mail server with around 550 accounts on it. We got slammed by Sobig.F and eventually had to block it using header_checks in Postfix.
This won't catch every virus-infected file attachment (like Word macro viruses), but the regex I put in place will block files with certain file extensions (e.g. pif, exe, etc.) What's nice is that the mail is rejected during the SMTP transaction and produces no residual mail traffic since the sending mail server is the worm's SMTP engine.
So, for anyone using Postfix 2 who would like to stop most e-mail worms, using header_checks to scan MIME headers is a very effective way to protect your customers/users.
The fact that the private keys are going to be stored on PCs owned by people who don't grok public/private key care one bit. Not to mention that a new worm should have no trouble lifting those keys off the box and spraying them around for a new forge attack.
Uh huh.
So you wanna read your personal email at the office. Fine if your company supports that.
But then you just absolutely positively gotta use only your favorite email client, not the one already installed, not a web portal. The email client now installed by you, presumably licensed to you, that is not owned or supported by IS. The one that makes IS's day that much tougher by throwing one more ingredient into the stew that is the company's desktop computer.
Now on top if it your personal email client reading your personal email is bringing in viruses to the company. Onto that corporate PC logged into the corporate network. And dammit those nasty folks in IS aren't willing to spend their time making exceptions to the virus scanning so your unique-in-the-company personal email client reading your personal, virus-infected email is exempted.
Cry me a river.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
I would imagine that most of the virus scanners for mail servers out there can be configured to not send out the notification to the forged From address. The virus scanner I am familiar with - RAV, has this capability. I had ours configured to send out the notification until Klez and other viruses made it a worthless endeavour. Unless of course you are an ISP that has no qualms about using the opportunity to advertise.
It would be nice if GeCAD would rewrite their software to stop the notice from being sent when the virus is Klez, Sobig, etc. But since GeCAD got bought out by Microsoft who will be discontinuing their product line, I know that will never happen. Hopefully someone else like Sophos will.
Warning messages to the sender were good some time ago, but should be removed from any scanner now.
ALL "modern" viruses fake the return address.
The real answer is that virus definition files should have a flag that is set for viruses that always use forged addresses that tells the antivirus never to send an email in reply to that virus.
"Reality is just a convenient measure of complexity" -Alvy Ray Smith
I'm as annoyed by this as anybody. I've received hundreds of "rejects", far more than actual copies of the virus.
But people seem to be forgetting one thing: anti-virus software has false positives
If anti-virus software eats infected emails without bouncing them, then it will eat some real emails without bouncing them either. This is very bad, as the sender doesn't know his email hasn't been received.
I don't know the solution. The assumption that once you send an email it will get to its destination is eroding anyway, due to over-zealous anti-spam systems operated by people who think that setting them to reject all emails is a good way of making a point. DSN is becoming more widespread, though God knows what problems that might cause for us if it becomes the norm.
Examine the Computer Science principle of Big O.
If you have an exponential function any constant multiplier or addition is thrown out of the equation as unimportant.
O(2n) = O(n + k) = O(n)
and so
O((2x)^y) = O(x^y)
The point is that the exponent is so important as to nullify the constant multiplier.
I don't think I've gotten a single SoBig virus. Either they're not getting sent or something upstream is blocking them.
OTOH, I get about 1000+ pieces of virus related junk. Its exceeded spam. About half is anti-virus software telling me they blocked a virus. The other half is various bounce messages and autoresponders from viruses going out to addresses that no longer exist or to list admin addresses, lists that require verification, etc... with my email address.
How many legit pieces of email do I get a day? 100-200 maybe.
The situation is absurd. If your email address is widely available (in my case, in the Perl documentation) you'll get clobbered. I had to franticly write a set of SpamAssassin rules to block the antivirus reponses to make my mail usable again.
I've been archiving all my unfiltered, incoming mail since Feburary. 80,000 messages. If anyone seriously wants to run some statistics for how hard a popular email address gets hammered, I'll consider making it available.