Slashdot Mirror
Lousy E-mail Filters Complicating Outlook Worms
Mar writes "FRISK Software founder Fridrik Skulason has issued an open letter in which he blames other anti-virus companies for much of the Sobig.F network load problems: 'If mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.'"
Our Norton Exchange AV kicks out "we-saved-your-butt" emails to the admin, the original recip, and back at the "sender", who of course knows nothing about it since it was forged.
:) Serves AOL right...
I've just been creating more and more filters that send to trash with no notification to anyone.
Of course, you have to pay attention when you first turn some of the capabilities on, as Norton kindly preset you to block AOL mail
.sigs are for post^Hers.
...traffic than you'd have if the worm got to its target and continued spreading.
That's a lousy argument for obvious poor behavior on the part of anti-virus software. It's like saying every time the police catch a violent criminal, they should kick the ass of some random citizen. Hey, it may be annoying, but it's still less violence than you'd have if the criminal got to their target and acted violently.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
I work in Tech support for a telecommunications company and I get at least three calls per day regarding a message from Norton Antivirus. The message falsely states that they were a sender of the sobig.f virus. Of course, our users are completely up to date with their virus software and our e-mail servers catch the sobig virus. A big shame on you to Norton for having an e-mail enabled warning like that. It preys on the stupidity of end users.
Granted, if nobody talked about AIDS, the infection rate would probably skyrocket too. So is it better that there be a symptom of the virus such as increased network traffic. Or is it better to not inform external users and try to repair in house?
Maybe it offers a little job security too though.
One of my clients is an ISP - and they *want* the bounces to go out for the simple reason that it broadcasts to the world that "your mail is safe with us".
... For more information about our services come to --URL--"
So the bounce messages go something like "Our mail server detected a virus in an email you appear to have sent, and we protected our customer
I don't know if it's effective at all, but it sure doesn't cost much - the virus notification is essentially a mild form of SPAM which few people really get up in arms about.
Just to understand, there are market conditions behind those virus notices...
I have no problem with your religion until you decide it's reason to deprive others of the truth.
There's some flaws in the logic.
First, there's a cost per message that you're not including. Every message I get I have to consider and read, or delete. I'm getting tons of virus bounces, even though I've never sent a virus - the virus uses forged headers. So, for me, someone who has no way to contract a virus, my "work"load has gone up noticably, and the price I pay went from $0 to $X where X is a positive number.
Second, the autoresponder is not a necessary part of the virus removal. The savings is already there by blocking the virus from infecting the user's computer. The bounce is just an extra thing the anti-virus people put in to try to advertise their product.
It's *pretty damn close* to being spam.
I'm still getting about 200-300 "You sent a message with SoBig.F! Patch your computer immediately!" every day.
Trouble is, I'm on a Mac. I couldn't be infected with SoBig.F if I wanted to.*
Further trouble is, SoBig.F spoofs the FROM: field, so these messages invariably go to everybody except the schmuck with the infected box.
So no, these messages hurt far more than they help.
[* Pedant filter: I suppose I could buy Virtual PC or somesuch and install a vulnerable version of Windows. That'd probably do the trick.]
Obliteracy: Words with explosions
Autoreplies have always been problematic at best, which anyone who's experienced the annoyance caused by vacation programs on public mailing lists can attest to. Autoreplies to automatically generated traffic have always been a no-no.
Viruses and worms are clearly autogenerated traffic.
Also, although 95% of computer users have never heard of FRISK, Fridrik has been a respected member of the A/V community since it very began and wrote one of the very first virus scanners.
Disclaimer: I work for FRISK, writing said e-mail filter code. But I can tell you with authority that the decision was taken a long time ago.
Host your own websites, anywhere!
I received hundreds of bouncebacks from one organization. So, I did a whois and wrote to the contact listed:
My name is Geoff Fox and I am writing because I have received hundreds upon hundreds of message bounces from your **** mail server.
These messages are not originating with me. These are SoBig virus generated and are spoofing my address as the return.
I am asking nicely, but I need you to take action immediately. I am attaching a bounce message so you can see what I've received. From the headers it looks like they're actually coming from ***.com
Sincerely, Geoff Fox
I did get a response... but not what I had expected.
Geoff, Thanks for raising the issue of the SoBig virus infection.
From the information that you have provided, it does look like the infected machine is located at **** Architecs, Inc. of Harford, CT. Their contact information is provided below.
Have your IT technical staff contact the admistrative contact or the technical contact below. They may not realize that they have a SoBig infected machine and that it needs to be cleaned.
(whois stuff deleted)
It was signed by their Director of IT Security.
So, even at that level, he didn't realize he was doing something wrong... or that these bouncebacks came from him, not from the site that was infected. And, he felt it was my obligation to do something about it, not his!
Lousy E-mail Filters Complicating Outlook Worms
SoBig.F is not an Outlook worm. It is a Windows worm. It does not require Outlook to run. It has it's own built in MTA and grabs email addresses from cached webpages and local text files as well as the Outlook/Express address book.
-Ab
Nothing fails quite like prayer.
Last year, my wife received a spate of "you sent this virus" messages. Worse, a number of her associates received "this person tried to send you a virus" message, referring to her.
I followed up with several of the administrators running the virus filters. In all cases, the administrators had quarantined the messages without headers so it was impossible to tell what machine really sent the message. I would have liked to know this information so as to have some hope of tracing the owner of the infected machine.
I understand why users are unaware of headers. Microsoft's products go out of their way to hide them. In Outlook Express, to get headers you have to find the relevant show headers pull-down and even then the headers appear in a too-small non-resizable window. You have to clip the contents and paste into a real window before the headers can be read/forwarded.
The "From:" field of email means no more than the snail-mail return address that you scribble on an envelope. The header, like the snail-mail postmark, tells the origin.
What is the excuse for vendors of email software (filtering or end-user) perpetrating unawareness of this basic property of email?
My latest column deals with this too. I got a lot of e-mail in response from ISPs talking about how it would be difficult/expensive to implement and that it would violate customer privacy. One said it would be a HIPAA violation. My own ISP (Speakeasy.net) virus-scans all e-mail that goes through their servers; is that a HIPAA violation? A lot of them are also scared of losing customers after offending them by blocking their outbound port 25 access, but does an ISP really want business from someone infected with Sobig?
It is true that since Sobig uses its own SMTP server the ISP would have to do the monitoring via a port 25 monitor. I'm not completely sure how difficult/expensive this would be to implement on a large scale, but there's an opportunity for someone who comes up with a cheap solution. I suppose it could be part of a general IDS, but it needs to be something price-accessible to an ISP.
Larry Seltzer
Security Editor, eWEEK.com
http://security.eweek.com/