Slashdot Mirror


Why Do Email Admins Make Viruses Worse?

gripdamage asks: "Why are email administrators still sending virus bounce messages, when everyone knows viruses forge the sender? This effectively doubles the amount of email traffic due to the virus (triples in the case that the recipient is also notified). As one of the links says 'any AV software or admins that have it mis-configured [so] that it is continuing to send out notices...to forged senders, deserve to be ridiculed.' I have received 4 times as many erroneous bounce notifications, because of MyDoom, than the actual virus, so the bounce messages are much more of a problem! This is a problem deserving publicity, so that email admins will be shamed into doing the right thing." The problem is that most bounces are automated responses; the simple thing would be to turn them off. Of course, the rationale of the automated response is to hopefully notify the infected user of the problem -- what a catch-22! What kind of policy would you recommend when it comes to spam, e-mail and automated responders?

126 comments

  1. It doesn't seem to be the admin themselves by dacarr · · Score: 2, Interesting
    Rather, it seems to be the AV screen they install. I just moments ago got one that indicated that I sent a copy of Mydoom to a user on Lucasfilm's network, which is kind of funny since I run Linux....

    (fp!)

    --
    This sig no verb.
    1. Re:It doesn't seem to be the admin themselves by MerlynEmrys67 · · Score: 2, Funny

      Well shame on you for installing that virus to run in WINE just so you can hit the sco.com website

      --
      I have mod points and I am not afraid to use them
    2. Re:It doesn't seem to be the admin themselves by John+Hasler · · Score: 1

      Of _course_ it is the admins themselves. Who the hell else installed that AV package?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  2. bounces are good by Mod+Me+God · · Score: 1, Informative

    If I send a mail to billabab@hotmail.com but meant to send it to millybob@hotmail.com, then I appreciate a bounce. A good virus spoof will make it too hard to differentiate genuine and false return addresses.

    --
    FreeNET user? Comfortable with the adverse selection?
    1. Re:bounces are good by Mod+Me+God · · Score: 1

      Of course this refers to a general virus spoof reply, rather than a specifically identified virus (when this is identified), but I sure don't advocate an advisory on stopping bounces/autoreplies.

      --
      FreeNET user? Comfortable with the adverse selection?
    2. Re:bounces are good by Anonymous Coward · · Score: 0

      A bounce is one thing. A "You sent an email with a virus" thing is ANOTHER.

      Quite clearly, the benefit of notifying the few people that really did send a virus is outweighed by the harassment of millions who did not, but are spammed-back by the virus scanners.

      The solution is to simply stop sending *virus bounce* notices.

    3. Re:bounces are good by dabuk · · Score: 4, Interesting
      He's not saying to stop all bounces. That would, as you say, be unhelpful. Instead he's saying why does a virus detection program, that knows a virus forges the from address, send a message to the "sender" when they never sent the original message.

      I don't administer any of these programs, but I imagine they all do have the ability not to send these messages, but someone's got to change the settings.

    4. Re:bounces are good by Anonymous Coward · · Score: 0

      But how can you reply to them, given the mail is spoofed? A user emailing billybob@ms.com saying they spammed them is meaningless as billybob@ms.com probably never sent the email, nor was infiltrated, but simply was spoofed.

    5. Re:bounces are good by cyborch · · Score: 1

      I am very much in agreement, bouncing to postmaster@ would be much more useful.

    6. Re:bounces are good by DarkFencer · · Score: 2, Insightful

      ABSOLUTELY NOT!

      I run a mail server with 13000 users! Getting every bounce of these things to postmaster no matter who sent it would make me route postmaster to /dev/null

    7. Re:bounces are good by John+Hasler · · Score: 1

      I run a system with _two_ users and I get so many bogus bounces that I have to send all bounces to /dev/null.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    8. Re:bounces are good by jonadab · · Score: 1

      > I run a mail server with 13000 users! Getting every bounce of these things to
      > postmaster no matter who sent it would make me route postmaster to /dev/null

      Dude, why don't you just route the "Warning: someone forging your address in
      the From field sent us a virus!" messages to /dev/null? Nobody wants them.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    9. Re:bounces are good by DrEasy · · Score: 1

      Unfortunately, I receive so many "bad" bounces (most of them due to spammers using my email address in the "sender" field) that I've had to filter all bounces out. This means that now I have no idea whether my own emails reached their destination or not...

      --
      "In our tactical decisions, we are operating contrary to our strategic interest."
    10. Re:bounces are good by theparallax · · Score: 1

      A simple bounce has nothing to do with either viruses or spoofing. The virus bounces that are coming back are being returned because mail servers are scanning emails, finding known viruses, and notifying the sender that they are sending viruses. This is what should stop, because that is when the return is spoofed. If I have just sent a real email to the wrong address, however, a bounce is appropriate, since 1) the return address is very unlikely to be spoofed (I would hope), and 2) actual useful information is being returned to me, and no-one else.

    11. Re:bounces are good by jhunsake · · Score: 1

      And why should you? Email is not, and was never intended to be, a reliable communication method. If you want that, use certified mail or chat software.

    12. Re:bounces are good by cyborch · · Score: 1

      There are some 30ish users on the system I run. I get very few bounces to postmaster. My abuse on the other hand is sent to /dev/null but my postmaster is luckily kept relatively safe from harm... I apply my Bayesian (sp?) filters to my postmaster mailbox, tho. That helps a lot.

    13. Re:bounces are good by DrEasy · · Score: 1

      Well, then according to your logic, we don't need bounces at all...

      --
      "In our tactical decisions, we are operating contrary to our strategic interest."
  3. Check for valid source before notification by Baron_Yam · · Score: 2, Informative

    SPF. If SPF checks out OK, then send the virus notification. If not, don't bother.

    1. Re:Check for valid source before notification by linuxwrangler · · Score: 3, Informative

      It won't. It was recently discussed to death on the Postfix mailing list. It's a nice idea and I encourage more such brainstorming but SPF breaks too many things.

      An easy example: mail forwarders. Lots of places like you@alumni.your.edu forward mail to your "real" account.

      Now let's say your ISP starts enforcing SPF. Your friend at AOL sends a message to you@alumni.your.edu which gets forwarded to you@yourisp.com. Your ISP's server notes that this message from someone at aol.com is being sent from a server other than one listed in AOL's spf list and rejects it.

      People have suggested workarounds like sender rewriting but each of those suggestions breaks something else. You really don't want to see all the problems it causes for mailing lists.

      For now, I'd settle for enforcing strict compliance with RFCs and good practice (helo must be a FQDN that can be forward and reverse dns matched with the connecting IP would be an excellent start - I can't believe how many large corporations can't get this one right).

      --

      ~~~~~~~
      "You are not remembered for doing what is expected of you." - Atul Chitnis
    2. Re:Check for valid source before notification by Anonymous Coward · · Score: 0

      This is exactly why Meng is working on SRS. Even the humble /home/$USER/.forward mechanism allows you to specify a filter so this really will be a non-issue.

    3. Re:Check for valid source before notification by Alizarin+Erythrosin · · Score: 3, Interesting

      And it doesn't even solve the problem of bouncing a virus infected email back to the person who is listed in the "from" address. Because with most new viruses, that person isn't the infected one most of the time.

      I think that's what the submitter is complaining about. Anti-virus solutions sending bounce messages for virus infected emails to the people in the "from".

      --
      There are only 10 kinds of people in this world... those who understand binary and those who don't
    4. Re:Check for valid source before notification by Anonymous Coward · · Score: 0

      > reverse dns matched with the connecting IP would be an excellent start

      Hmmm, how do you propose to make reverse DNS lookups map back to multiple domain names? (In the case where an SMTP smart-host is used for multiple domains.)

      Forwarders are a different matter, yes, they're going to break - but you know what? I'm willing to make that trade-off if it stops my domain from being spoofed by worms / spammers / someone-with-axe-to-grind.

    5. Re:Check for valid source before notification by Baron_Yam · · Score: 1

      I know a fair number of people disagree with me, but I'm willing to deal with the fallout of SPF - it doesn't break anything I care about that can't be fixed.

      If enough people agree with me, it'll end up being the defacto standard.

    6. Re:Check for valid source before notification by jonadab · · Score: 2, Interesting

      > For now, I'd settle for enforcing strict compliance with RFCs

      Indeed. I'd pay money to get my ISP to block messages that don't have a
      valid Subject: header.

      > helo must be a FQDN that can be forward and reverse dns matched with the
      > connecting IP would be an excellent start

      I've considered merely rejecting mail from sending servers whose IP address
      has no PTR record whatsoever. The only problem with this is that it blocks
      approximately 110% of the continent of Asia from sending you mail. (Then
      again, I'm of two minds about whether that would be bad...)

      --
      Cut that out, or I will ship you to Norilsk in a box.
    7. Re:Check for valid source before notification by Anonymous Coward · · Score: 0

      S(ender)P(ermitted)F(rom) is designed to combat FROM forgery. A particularly braindead implementation could send a mail to the FROM address explaining that the message was rejected due to FROM forgery. That kind of idiocy aside, SPF would reject most worm mails alright. Then again, someone who has his virus-scanner send bounces to known forged addresses would probably do the same with SPF.

    8. Re:Check for valid source before notification by toast0 · · Score: 1

      The poster you're replying to is suggesting that the smart host use a hostname in HELO that is the same hostname that their IP reverse resolves to (and one that lists the IP they connect from).

      Let's say I was running a smarthost, the poster would want me to have it set to say
      helo cpe-66-75-113-150.socal.rr.com
      rather than helo peanutbutter.ruka.org, or helo there, or whatever stupidity my mta could think of

    9. Re:Check for valid source before notification by cyways · · Score: 1

      I thought SPF looked at the envelope From (i.e., the address in the Return-Path header), not the From: header in the message text. In your example the forwarded message would be coming From alumni.your.edu and would presumably be sent from one of your.edu's SPF-registered servers. Having SPF rely on the easily-forgeable From: header wouldn't make much sense.

      Don't read this as an endorsement of SPF. I'm still trying to think through all the implications of such a system. But I don't think this line of criticism applies.
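
The forwarding case argued over in this subthread, as an added example (not code from the thread or from any SPF implementation): a minimal SPF evaluator over the SMTP envelope MAIL FROM, not the header From:, with only the ip4 and all mechanisms implemented, DNS replaced by a constructed dict, and the domain names, addresses and the SRS-style rewritten address all assumed for illustration.

```python
"""Simplified SPF check over the SMTP envelope sender (MAIL FROM).

Added example, not from the thread or any SPF library. Only the ip4 and
all mechanisms are known; DNS is a constructed dict so this runs offline.
"""
import ipaddress

# Constructed "DNS": the SPF record each domain publishes. Illustrative values.
SPF_RECORDS = {
    "aol.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "alumni.your.edu": "v=spf1 ip4:198.51.100.10 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from, client_ip, records=SPF_RECORDS):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none'.

    mail_from is the envelope sender (Return-Path), client_ip the connecting
    SMTP client. Mechanisms are evaluated left to right, first match wins.
    """
    if mail_from == "":
        # Null reverse path (<>): real SPF falls back to the HELO identity;
        # this toy evaluator simply reports no result.
        return "none"
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            raise ValueError(f"unsupported mechanism in this example: {term}")
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # SPF: no mechanism matched


def forwarding_scenario():
    """The case from the thread: a friend at aol.example writes to
    you@alumni.your.edu, and the alumni server (198.51.100.10) forwards it on.

    Returns (direct delivery, forwarded with MAIL FROM unchanged,
    forwarded with an SRS-style rewritten MAIL FROM). The SRS address
    below is a constructed illustration of the rewriting idea.
    """
    direct = check_spf("friend@aol.example", "192.0.2.25")
    forwarded_unchanged = check_spf("friend@aol.example", "198.51.100.10")
    forwarded_srs = check_spf(
        "SRS0=hash=tt=aol.example=friend@alumni.your.edu", "198.51.100.10"
    )
    return direct, forwarded_unchanged, forwarded_srs
```

The middle result is the breakage described above: the forwarder connects from an address not in aol.example's record, so an enforcing receiver fails the message; rewriting the envelope sender to the forwarder's own domain is what makes the third case pass.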

  4. Bounce the headers by aridhol · · Score: 3, Insightful

    Bounce the headers of the message, and possibly some text. Do not bounce any attachments. If the "sender" is real, they will know their own message by that; if it is fake, bandwidth is not overused.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
    1. Re:Bounce the headers by menscher · · Score: 2, Insightful
      > Bounce the headers of the message, and possibly some text. Do not bounce any attachments.

      I'd actually prefer if you bounced the entire attachment. In the case of virus outbreaks, it's a lot easier to filter out the unwanted bounces based on an attachment, than having to read all the headers and wonder if I (or a user) sent an email to someone with a subject line of "Hi".

      Yes, it wastes bandwidth. But it saves human time. If you're that concerned about bandwidth, don't bounce known-spoofed-From:-header virus email at all.

    2. Re:Bounce the headers by whomeyup · · Score: 1

      Drop the attachment but keep the message body. You get enough context to determine if you sent the email _and_ you dont overload networks with useless attachments.

    3. Re:Bounce the headers by David+Byers · · Score: 4, Insightful

      I've yet to see a single useful bounce generated by an AV scanner, because they insist on sending the bounce to the forged sender.

      People using AV scanners need to hook them up to their SMTP servers so the SMTP server can reject the message as it is being sent. That way innocent people won't see a deluge of misdirected bounce messages.

    4. Re:Bounce the headers by Anonymous Coward · · Score: 1, Interesting

      That's great. I received thousands* of emails telling me that I was infected with the last MS virus. I run Linux. I don't particularly care about the bandwidth, I *do* care about the fact that my inbox was rendered useless for quite a while with all the anti-virus spam.

      * (When I say thousands, the actual figure was twenty thousand over three months).

    5. Re:Bounce the headers by srhuston · · Score: 1

      This causes another problem, namely that the SMTP server has to keep the connection open until the virus scanner passes/fails the mail. For some sites, this is not an issue, but for others they would run out of resources quickly (and the next Winders virus-du-jour would bring their mail systems to a screeching halt).

      --
      Three dits, four dits, two dits, dah!
      Radio, radio, rah rah rah!
    6. Re:Bounce the headers by PotPieMan · · Score: 1

      They've implemented it very well at the University of Florida. As email is received, a message is accepted only if it does not contain a self-replicating virus. Messages with other types of viruses are accepted, but the attachments are modified to prevent automatic execution and a notification is added to the body.

      It probably slows down the SMTP server a bit, but is that really so bad? It effectively limits the throughput of the mail server, should anyone on campus decide to send out a huge number of messages at once (i.e. spam or virus).

      See http://open-systems.ufl.edu/services/virus-scan/.

    7. Re:Bounce the headers by Anonymous Coward · · Score: 0

      Theoretically, if you have the processing power to receive and scan all emails sequentially, you have sufficient processing power to do it inline.

    8. Re:Bounce the headers by Anonymous Coward · · Score: 0

      I don't want your stupid message body. I didn't send it. Get it through your head. Menscher's comment was about practicability of AUTOMATIC filters, not about bandwidth or legitimacy of bounces. IF you're stupid enough to send bounces to forged addresses, AT LEAST make them full bounces so they can be filtered based on the one unique property of all worm bounces: The worm. Stripped bounces come in all languages of this world and are very hard to filter out automatically if you don't want to delete legitimate bounces as well.

    9. Re:Bounce the headers by toast0 · · Score: 1

      I don't see what the problem is with slowing down SMTP servers...

      If the virus scanner is overloaded, it's going to be slow getting the mail through the system anyhow, why hide the latency from the external servers?

      (Yes, you could argue, what if the external servers end up not getting back to you, or losing the message, but I'd rather let the other server handle the bounce, so it's not on my hands)

    10. Re:Bounce the headers by retards · · Score: 1

      We ain't bouncing shit, because not all senders are real, and thus not deliverable.. don't want them in our queue.

  5. Not exactly by sahrss · · Score: 2, Insightful

    > I have received 4 times as many erroneous bounce notifications, because of MyDoom, than the actual virus, so the bounce messages are much more of a problem!

    I agree that the bounces are damaging, but they usually don't multiply the damage; assuming one bounce per virus email, that is only 1x as harmful as the virus itself.

    Most AV will not bounce the emails (these are the ones you don't see of course), reducing the ratio of (bounced emails) / (total emails) to below 1.

    1. Re:Not exactly by mitheral · · Score: 1

      That all depends on how many address books you are in and web pages you are on. In the extreme case you have addresses like the generic tech support email address that dumps in my mailbox. Because it only receives and is never sent from, all bounces are due to forgeries.

    2. Re:Not exactly by jhunsake · · Score: 1

      Except for what happened to me recently, one email was bounced back and forth between two mail servers 27 times before finally being dumped. I don't know exactly what happened, but it was due to them both having virus scanners. I think one was rejecting after the DATA portion.

    3. Re:Not exactly by metamatic · · Score: 1
      > assuming one bounce per virus email, that is only 1x as harmful as the virus itself

      Actually, the bounces are much more harmful to me than the virus. The virus is totally harmless to me, because I don't run Windows and just filter anything with a Windows-executable attachment to /dev/null. The bounces are a problem because they aren't easy to filter on without also bouncing legitimate delivery failure reports.
      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    4. Re:Not exactly by Anonymous Coward · · Score: 0

      Very true...I hadn't thought of that. I was only referring to the general case, as in "harmful to the internet". Thanks :)

    5. Re:Not exactly by Anonymous Coward · · Score: 0

      Even if you don't think that bounces are more problematic than worm-mails, the ratio is higher than 1:1. The forged addresses are not always valid or active addresses. The bounce may produce more bounces when it is directed at a non-existing or over-quota mailbox. Stripped bounces sometimes produce bounce-loops.

  6. The simplest rule I would enforce. by Anonymous Coward · · Score: 3, Insightful

    If you are the admin of a mailserver, NEVER BOUNCE OR REPLY BASED ON ANYTHING EXCEPT THE INFORMATION IN THE ENVELOPE HEADER.

    I am fucking tired of seeing mail bounced to my server and email address, just because my email address (or domain) was in the From: portion of the message. They should be smart enough to take a look at the envelope portion of the header and see there is a difference.

    Also, stop notifying senders that "you may have a virus". At all. If you want to do this for your own users, that's fine - but stop sending this shit to people outside of your domain!

    And third... GAH... Where to begin. I give up.

    1. Re:The simplest rule I would enforce. by bedessen · · Score: 1

      Thank you. I too am tired of seeing "You sent me a virus" messages on mailing lists. That's almost a sure sign that some braindead software somewhere replied to the "From:" address and not the envelope-FROM address, which is where all automated delivery status messages are to go.

      In my opinion, the very best thing is to do scanning at SMTP-time. This is very easy with Exim (with the exiscan-acl patch) and clamav, both 100% GPL. By scanning during the DATA phase of message delivery, you can reply with a 5xx code if it's malware. That way, the bounce is not your problem.

      For those of you not familiar with the finer points of SMTP, as soon as you accept the message you are responsible for its delivery. That means if it's for a nonexistent user (as many of these malware floods are) or if it's otherwise determined to be undeliverable, you're responsible for the bounce. Now, please don't take that as saying I think you should bounce malware, I'm just saying that per SMTP once you accept the message it's your responsibility to deliver it, which leads to the quandary of "Do I generate a bounce or not?"

      However, if you scan the message BEFORE accepting it (during the DATA phase) then you can reply to the other end that you are not accepting the message. This is sometimes called a hard bounce. It does two things: It ensures the end-to-end reliability that everyone wants out of email[1], and it means you don't have to make a "damned if I do, damned if I don't" decision about bounces.

      The biggest downside of this is that it's more resource intensive as you must hold open the connection while you scan, so you tend to have more mail daemons waiting around in memory. It also doesn't work if you're running a "store and forward" front end... Although in that case you might argue that you NEVER want to accept malware, and so scanning at SMTP-time can be justified.

      [1]I blame management and administrator-types who don't understand email for the current situation we're in. They came to depend on email so much that they want that end-to-end reliability guarantee. For example, "If we try to send an important document to a client we want to be notified if it wasn't able to be delivered." You know the kind of attitude. "We'd better err on the side of caution rather than risk our important emails being lost without either party realizing it." And so, because of this prevailing meme floating through management, all the AV stuff sends bounces, on the minor chance that it was something important. Mail admins setup their servers to bounce anything that can't be delivered, so that nothing is ever lost.

      And so because of that, we're in the current mess. The solution is simple: Stop trying to be so anal about email and realize that it was never designed to be reliable. Bouncing malware is NEVER a good idea, it just makes extra noise and bandwidth that someone else has to deal with. So either turn off bounces, or scan at SMTP time.

      The solution is clear, we just need to sit down and talk some sense into all of these people that continue to flood our inboxes with false bounces.
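
The two policies argued in this subthread, the parent's envelope-only rule and this reply's DATA-phase rejection, as one added example (not code from the thread, from Exim, exiscan or any scanner): a scanner hook that either rejects during DATA with a 5xx, or, if the message has already been accepted, notifies nobody but the envelope sender and never a known forger or the null reverse path. The message, the toy signature and the addresses are constructed.

```python
"""Where, if anywhere, a virus-scanner notice may go.

Added example, not from the thread or any product. The detector is a stand-in
for a real signature; the envelope sender and message are constructed.
"""
from dataclasses import dataclass
from email import message_from_string

# Constructed inbound transaction. The worm forged the header From:; the SMTP
# envelope sender (MAIL FROM, later Return-Path) is the only address any
# automated reply is allowed to use.
ENVELOPE_SENDER = "infected-box@example.net"
RAW_MESSAGE = """From: victim@example.org
To: user@example.com
Subject: Hi
Content-Type: multipart/mixed; boundary="x"

--x
Content-Type: text/plain

test
--x
Content-Type: application/octet-stream; name="document.pif"

MZ...
--x--
"""
CLEAN_MESSAGE = """From: colleague@example.net
To: user@example.com
Subject: lunch?

Noon at the usual place.
"""


@dataclass
class ScanResult:
    infected: bool
    name: str = ""
    forges_sender: bool = False  # the "forges-the-From:-header bit" from the thread


def scan(msg) -> ScanResult:
    """Toy detector: a .pif attachment stands in for a mass-mailing worm
    signature. Real scanners match signatures; the decision logic is the point."""
    for part in msg.walk():
        filename = part.get_filename() or ""
        if filename.lower().endswith(".pif"):
            return ScanResult(True, "WORM/constructed-sample", forges_sender=True)
    return ScanResult(False)


def decide(envelope_sender, raw, at_smtp_time=True, scanner=scan):
    """Return (smtp_reply, notify_address).

    smtp_reply is what the MTA answers at the end of DATA; notify_address is
    who receives a scanner notice afterwards, or None for nobody.
    """
    result = scanner(message_from_string(raw))
    if not result.infected:
        return "250 OK", None
    if at_smtp_time:
        # Reject inside the SMTP transaction: the sending MTA owns the failure
        # and this server never has to pick a bounce recipient.
        return f"550 5.7.1 message rejected: {result.name}", None
    # Post-acceptance path: the message is now this server's responsibility.
    if envelope_sender == "":
        # Null reverse path (<>): a bounce of a bounce; never reply.
        return "250 OK", None
    if result.forges_sender:
        # Known sender-forging worm: the envelope sender is a bystander too.
        return "250 OK", None
    # Otherwise notify the envelope sender only; the header From: is never used.
    return "250 OK", envelope_sender
```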

  7. It's not accidental, it's spam by menscher · · Score: 5, Interesting
    The companies that are doing this know very well that the viruses forge the From: header. If they wanted to warn senders, it would be trivial to put in a check of whether this virus, which they can identify, has the "forges-the-From:-header" bit set, and not respond to those.

    But this doesn't serve their purposes. Their goal, in the event of a virus outbreak, is to advertise. When people are getting viruses, they start looking for AV software, and that's the perfect advertising opportunity.

    I always write back to the postmaster@domain to complain that their software is advertising, and I include a Cc: to the AV vendor, so they can see the negative publicity that results. It might help if everyone else did the same....

    1. Re:It's not accidental, it's spam by 4of12 · · Score: 1

      Interesting.

      As a worker bee I've been more in the camp of people who think

      "What a brain-dead mail-bouncing program! This is the worst thing since the too conveniently placed Reply-to-all button."
      but I always forget the intended audience these advertisements target; higher management with spending decision authority and little direct experience in today's trenches.

      Of course, that always leads to the inevitable awkward Dilbert moment:

      Supervisor: "The CIO wants you to check into the feasibility of GlossyWare Pro for combatting MyDoom."
      You: "Oh, yeah - right. I've, uh, seen some of their, uh, stuff going around."
      --
      "Provided by the management for your protection."
    2. Re:It's not accidental, it's spam by RT+Alec · · Score: 1

      I could not agree more (I'd mod you up, but you're already at 5). I also attribute it to admins trying to prove how cool they were (more is better, when it comes to output). But most of these admins probably don't know how to configure the settings to suppress the message, so I think your explanation makes more sense.

    3. Re:It's not accidental, it's spam by lrucker · · Score: 1

      Every time I got email generated by Symantec telling me I may have sent a virus to someone (where the mail had a forged From, of course - I don't run mail on Windows), I forward it to Symantec and tell them to fix the bug in their software.

      I don't know if they paid attention, but I haven't seen one of those in months.

  8. Very Disturbing... by bay43270 · · Score: 3, Funny

    I'm very bothered by this. I'm going to send a message about this to everyone I know. I suggest you all do the same.

    1. Re:Very Disturbing... by QEDog · · Score: 1
      > I'm very bothered by this. I'm going to send a message about this to everyone I know. I suggest you all do the same.

      I'm bothered by this too. Make sure that when you email everyone, you add a link to SCO's website so even if they don't get MyDoom they can help^H^H^H^H be aware of what this virus is all about.

      --
      "There is no teacher but the enemy."-Mazer Rackham
  9. It's an advertisement by Mr.+Darl+McBride · · Score: 4, Interesting
    Have you ever seen a bounce message that didn't plaster the software's name all over it multiple times?

    It's an advertisement, pure and simple. It's entirely to the software manufacturer's benefit to take the opportunity to advertise to third parties with you as the middleman.

    And it works. I've had grey haired suits forward bounce messages to me to ask about the other products, asking whether we might want that instead of or in addition to the package I'd already put in place for them.

  10. Why Do Email Admins Make Viruses Worse? by Anonymous Coward · · Score: 0

    I'll take because we can for $200?

  11. Report their virus bounce as spam!! by p2sam · · Score: 1

    I report all mistaken anti-virus bounces as spam to DCC, Pyzor, Razor. Since the primary motivation that anti-virus companies set bounce as default is to advertise their product, I consider it unsolicited mail.

    1. Re:Report their virus bounce as spam!! by DrZaius · · Score: 3, Interesting

      And you are the reason that RBL's cause so much collateral damage.

      It's great that you are taking this political stand and sticking it to the virus scanner companies. I'm sure all the email admins out there make the logical jump that their virus scanner messages are causing their IP addresses to show up in RBL's. They'll all disable their virus bounce messages for you.

      Actually, now that I think about it, it's more likely that people will assume RBL's are useless and don't work. They'll probably complain to their peers and convince them that RBL's are unreliable.

      Way to go, jerk.

      --
      -- DrZaius - Minister of Sciences and Protector of the Faith
    2. Re:Report their virus bounce as spam!! by FuegoFuerte · · Score: 1

      Umm.. dude. I don't know that much about DCC and Pyzor, but Razor is certainly not an RBL and I'm guessing the first 2 aren't either. Razor does some fuzzy-hash matching or something to reject individual messages as spam, instead of the RBL approach of blocking whole domains. So this wouldn't hurt domains at all, just that one type of message.

    3. Re:Report their virus bounce as spam!! by metamatic · · Score: 1

      What do you mean "collateral damage"? Anti-virus ads in response to e-mail I didn't send *are* spam, by any reasonable definition. They're advertising a commercial product to me, and I didn't ask for the mail.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    4. Re:Report their virus bounce as spam!! by Vellmont · · Score: 1

      > And you are the reason that RBL's cause so much collateral damage.

      Umm.. Razor, Pyzor and DCC are all programs that create spam SIGNATURES, not RBLs. Reporting a spam virus email to an RBL would be pretty stupid, but that's not what this guy did. Think before you post.

      --
      AccountKiller
  12. Use Windows Messaging Service by Anonymous Coward · · Score: 0

    Send a bounce message back using windows messaging service. If they're dumb enough to leave that open, then they're dumb enough to not keep up with the latest virus scares. Otherwise, any competent admin doesn't need to be notified.

  13. It's a subtle form of spam.. by zcat_NZ · · Score: 4, Insightful

    and should be recognised as such.

    AV vendors know damn well that 99% of viruses spoof addresses. More than anyone else, since studying viruses and figuring out what they do is their JOB!!

    The only possible excuse for this behaviour is that they get FREE ADVERTISING out of it. It's spam advertising AV software and/or mail filters, plain and simple. It should be treated the same way as any other spam.

    --
    455fe10422ca29c4933f95052b792ab2
    1. Re:It's a subtle form of spam.. by GigsVT · · Score: 1

      To what end? To get some idiot MCSE admin in trouble because his domain got listed in a bunch of spam databases? It's not his fault the AV company his company bought software from is a bunch of spammers.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    2. Re:It's a subtle form of spam.. by cyborch · · Score: 1

      Oh yes it is. He is responsible for it being in place. If we make life bad for idiot MCSE admins they just might get a clue and choose products that do not spam. Getting him in trouble is one way to voice our opinion and try to lessen the market share of bad products. And, it's a better way than MyDoom

    3. Re:It's a subtle form of spam.. by Anonymous Coward · · Score: 0

      If your system sends me mail that I didn't ask for and isn't legitimate, it's your fault. You deserve to be blacklisted and if that hurts your customers you had better fix your act up quick. This goes for these virus bounce messages, for all the lame bounces I get from being joe-jobbed, and for all the viruses themselves that get emailed to me by people who can't figure out that MS Outlook is lame and find a real email client. There are days when I get more bounce messages from being joe-jobbed than all other types of spam combined.

      Bounce messages are worse than useless.

    4. Re:It's a subtle form of spam.. by metallicagoaltender · · Score: 1

      And you're honestly going to tell me that SysAdmins always have final say over what software gets purchased? If that's your experience, I consider you very lucky, because most of us have PHBs that may take our advice, or may ignore us and buy whichever package has the nicest marketing materials.

    5. Re:It's a subtle form of spam.. by tepples · · Score: 1

      If the company you worked for began to advertise its own products in unsolicited bulk e-mail, would you quit?

    6. Re:It's a subtle form of spam.. by mitheral · · Score: 1

      It seems unlikely any of this software doesn't allow you to turn this "feature" off. If nothing else you could disable the ports it's using to send the messages.

    7. Re:It's a subtle form of spam.. by cyborch · · Score: 1

      I will consider myself VERY lucky then, because I can honestly say that all the (3) companies I have worked as a sysadmin for have given me veto rights on any software that should go on our production servers :)

    8. Re:It's a subtle form of spam.. by zcat_NZ · · Score: 1

      Depends who you consider is to blame; the AV companies, certainly, since they know full-well that bouncing the mail is at best pointless.

      The idiot MCSE and/or PHB? Yes, absolutely.

      Is there any difference between running 'spammy' AV software and hosting viagra-marketing spammers? If there is any difference I would think that the site running spammy AV software is more at fault, not less.

      --
      455fe10422ca29c4933f95052b792ab2
  14. Problem is by jptechnical · · Score: 2, Insightful

    Many admins think that they are lord of the castle; if you suggest a change to the email system, like cancelling the bounce, the first answer is NO, as if you are stepping into their territory.

    I used to work for a place where the admin also got so paranoid with spam that he blocked entire domains like yahoo and hotmail even though there were at least a dozen legitimate customers that used those email services as their primary business email.

    It isn't until there is a backlash or fear of losing their castle that some will make a change.

    Sometimes you just have to be the loudest voice in complaining and go over their head and reason with their boss. Explain that a flood of redundant emails is bad practice and that in many people's eyes a bounce message saying "virus found!" with your company's domain makes people think that YOU have the virus. Sounds strange but it happens. You bounce a message and you get a call saying "You guys have a virus... we just got an email about it" coming from the internal staff, then spend the next 15 minutes explaining that they are protected and that the bounce was only informational and still they don't always get it.

    Virus protection is best operated SILENTLY! You as an admin can sweat the details but the clients should just "Know they are protected" and not be bothered with details. It's just good management.

    --

    Boredom's not a burden anyone should bear.
    1. Re:Problem is by sartin · · Score: 1

      One proven technique for dealing with the administrator overlord type on virus notifications is to send them a polite message responding to every single bogus bounce you get. Also kindly forwarding a copy of each infected message you receive can help them realize the bogosity of the useless extra work created by needless notifications.

      Where I'm working now, I have no need for such tactics.

  15. Accept and remove, or bounce? by toygeek · · Score: 1

    That really IS an interesting question. What is worse, bouncing it, or accepting it?

    If an admin were to bounce it then the only way to take care of it *correctly* would be to parse the header and send it to the ISP of the luser who is infected. They will (hopefully) notify the owner of the affected machine, and THAT user gets to fix their machine. Or, they can boost the economy a little and hire someone to do it or go buy some AV software.

    Now a better way in my opinion would be to blackhole all emails received. Why? Less processing. Less bandwidth. Propagation of the worm is stopped dead in its tracks. Those that have it will get rid of it soon enough (in theory) and the congestion caused by the worm will be less than if they were bounced.

    Then, there are those like me who are still learning what being a sysadmin is, and rely on pre-made tools like this one:

    http://www.impsec.org/email-tools/procmail-security.html

    As I understand it, it will either bounce OR blackhole the whole email.

    Looks like I have some reading to do!

    All comments, constructive criticism, and pointers are welcome!

    1. Re:Accept and remove, or bounce? by jonadab · · Score: 1

      > What is worse, bouncing it, or accepting it?

      There's no reason to do either. Just drop it into the bit bucket. You don't
      save any bandwidth by rejecting it, since by the time you've detected the
      virus you have already incurred the bandwidth burden. So just route it
      direct to the dustbin.

      --
      Cut that out, or I will ship you to Norilsk in a box.
  16. Dumb AV software by ka9dgx · · Score: 1
    I'm stuck with an older version of Symantec Antivirus (because the current one doesn't run on Exchange Server 5.5), and I can't just delete the fscking message, I have to explain, over and over, just how the user doesn't have to worry... it's already taken care of.

    I hate being forced into supposed "up"grades.

    --Mike--

    1. Re:Dumb AV software by mnewton32 · · Score: 1

      Don't you mean dumb email server software?

    2. Re:Dumb AV software by Anonymous Coward · · Score: 0

      You're running a dead-end end-of-lifed e-mail server, what do you expect?

      Either get something secure and supported, or switch to open source.

      You could switch to Domino, keep the Outlook client, and reduce your server costs into the bargain.

  17. What about CLEAN bounces? by bluephone · · Score: 1

    Why not strip the virus from the bounce, like some (too few) servers do? Even better, why not have the AV scanner integrate with the mail server, so that the bounce doesn't just bounce, but also SAYS "Hey, douchebag, you're infected!" Make the bounce message USEFUL.

    --
    jX [ Make everything as simple as possible, but no simpler. - Einstein ]
    1. Re:What about CLEAN bounces? by linuxwrangler · · Score: 1

      You apparently don't understand the problem. The virus FORGES the sender address so the bounce goes to a third party, not to the person who was infected.

      --

      ~~~~~~~
      "You are not remembered for doing what is expected of you." - Atul Chitnis
    2. Re:What about CLEAN bounces? by David+Byers · · Score: 2, Informative

      I've gotten about a ton of bounces like that. But they've all been sent to the (forged) sender of the virus, so they're worse than useless.

      The only acceptable way to generate a bounce of a virus message is as part of the SMTP dialog. That way the sending *server* will get the message, and it won't bother me.

      While you go off and re-think your proposal, I'll just head over here and delete the last hundred or so of those cleaned bounces saying hey, douchebag, you're infected.

    3. Re:What about CLEAN bounces? by bluephone · · Score: 1

      True, I get lots of bounces when I've never sent mail there (nor been wormed), but for folks who are infected, and do get bounces, a bounce with info saying "This bounced due to a worm you are infected with" would be more helpful to the clueless newbies with "Lookout!" Express...

      --
      jX [ Make everything as simple as possible, but no simpler. - Einstein ]
    4. Re:What about CLEAN bounces? by Anonymous Coward · · Score: 0

      Read AND think. The worm forges the From address. The anti-virus software knows this. EVERY SINGLE AV-provider lists this property in the virus database. If a worm is known to forge the From address, NOT A SINGLE BOUNCE will reach the actually infected system. NOT ONE. Get it?

    5. Re:What about CLEAN bounces? by jhunsake · · Score: 1

      No, he doesn't get it, and neither do a lot of other people. And none of them should have a job that requires even the most basic of logical thinking.

  18. Rational? by Anonymous Coward · · Score: 0

    I think you mean rationale.

  19. we just bounce the headers by Anonymous Coward · · Score: 2, Informative

    We have a semi-homebrew mail filter based on open source tech like customized spamassassin and mimedefang.

    1) Messages which are obvious worms are not bounced at all, just dropped. This requires us to update the list of which AV hits are worms and which are just attachments in an otherwise legit mail. Obviously this isn't always kept up to date, but when a worm is widespread we make sure it isn't generating bounces. The bounces clog up the queue anyway.

    2) Other messages are bounced, but only text portions, everything else is stripped out.

    I believe it's better to err on the side of bouncing. I hate it when I send somebody a large attachment or a subject line with numbers in it, or something that trips a virus or spam filter, and the message is *silently dropped*. You want to kill email? Make it so you have to call the person on the phone to see if they got your message!

    I was a little confused with all these posters talking about "free advertising" but then I realized you're talking about the off-the-shelf products.. our system doesn't advertise anything except the name of the org and why the message was bounced at our servers.

    So, if I had to choose, I'd say stick with the bounces. I'm not (very) worried about bandwidth, I'm worried about people losing control of their desktops to worms.

    1. Re:we just bounce the headers by jonadab · · Score: 1

      > I'm not (very) worried about bandwidth

      That's because you're only bouncing the text parts. I don't mind that quite
      so much (though it still annoys me, getting hundreds of bounces for messages
      that I didn't send, just because a bunch of idiots who think it's a good
      idea to use Outlook have me in their address book). The real problem is
      the AV packages that bounce the entire message, including the attachment.
      That adds up to quite a lot of bandwidth. During the last big Outlook virus
      outbreak I found that my dialup connection was barely able to keep up with
      retrieving my mail as fast as it was arriving, due to all the huge attachments.
      (I'm apparently in quite a lot of Outlook users' address books, for some
      reason.) At least a third of that consisted of bounced copies.

      I long for the days when I used to explain to people why it was impossible to
      get a virus by email. Okay, so a lot of the software we had back then sucked;
      the browsers sucked quite badly -- but oh, email was better then.

      --
      Cut that out, or I will ship you to Norilsk in a box.
  20. third option by Tumbleweed · · Score: 1

    Bit Bucket (*woosh!*) He shoots, he scores!

    Yes, ye olde bit bucket - silent but deadly. Virus-infected emails check in, but they don't check out (or get delivered). Saves disk space, too.

  21. What's the to do with spam and viruses at the ISP? by vojtech · · Score: 2, Insightful
    The answer is quite simple:
    • mark
    • defang
    • deliver (if recipient exists)

    And don't ever send a bounce.

    Send bounces only for mails not detected as either virus or spam.

    That would make everybody happy.

  22. My pet peeve by Chemical+Serenity · · Score: 1
    I just had to flush out 40,000 of those damn Worm.SCO.A mails, and they're still crunching along...

    Amavis (running clamav) has an option in there to specify which virii should be dropped instead of replied to, although it's manual so until you know how your virus software will ID things you'll probably dump replies. Maybe it'd be handy for AV database maintainers to add a flag, like a 'from header spoofer, please don't reply or you'll just make things worse' boolean.

    --
    "People will pay big bucks for the luxury of ignorance."
  23. Bouncing viruses by HTH+NE1 · · Score: 4, Interesting

    Are we certain that they are bounces and not just viruses pretending to be bounces? The pattern of the messages I've received suggests to me that the viruses are trying to conceal themselves (poorly) as bounce messages.

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    1. Re:Bouncing viruses by Anonymous Coward · · Score: 0

      You are correct. Symantec has this information posted on their site about the recent outbreak.

    2. Re:Bouncing viruses by elemental23 · · Score: 1

      I thought the topic was mailer-daemon bounces too but I think they're actually talking about mail bounced by inbound mail virus scanners. These seem to bounce virus-infected e-mail with a note along the lines of "Your message was not delivered because it contained a virus. The message was cleaned by Norton Anti Virus." Hence the spam accusations.

      Calling it spam is a little harsh, but these messages are definitely unnecessary and annoying, especially considering many viruses nowadays forge their sender addresses.

      --
      I like my women like my coffee... pale and bitter.
    3. Re:Bouncing viruses by Anonymous Coward · · Score: 0

      These are the known "fake-bounce" forms of the Mydoom worm (as listed by F-Secure):

      The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

      The message contains Unicode characters and has been sent as a binary attachment.

      Mail transaction failed. Partial message is available.

      Everything else is a real bounce to a forged address.

  24. Drop bounces based on SMTP id by Radical+Rad · · Score: 1

    The best solution would allow notification to users who actually send a virus unknowingly yet drop all bogus bounce messages. The server receiving the bounce should look up the SMTP id from the bounced message and compare it against messages that have been sent out recently. Drop the bounce unless it matches something from the last three days. Having records of smtp id, sender, and recipient could also be helpful in investigations of where a virus originated from.

    1. Re:Drop bounces based on SMTP id by buysse · · Score: 1

      It's an interesting idea, but it's difficult at best. Every mail server out there has a different idea of how to format a bounce message. There are a few that don't bloody include full headers (!). Still, if you could make it work...

      --
      -30-
    2. Re:Drop bounces based on SMTP id by Radical+Rad · · Score: 1
      I guess you are saying, how would we know at the receiving end whether a particular message was a bounce? This is true. For a 100% solution all smtp software makers would have to agree to share a common signal and to include the headers from the bounced message which most already do anyway. That would pretty much require an update to the RFC.

      My suggestion is to aim for 90% coverage by watching for the formats from the half dozen biggest vendors, after all, the goal is just to put a damper on the secondary traffic caused by viruses. As long as they include the headers then picking out something like <20040127031244.FC91349445@mail-02.flugelheimer.com> (assuming I am flugelheimer.com) and comparing it with my database is trivial.
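
The lookup the two posts above describe, with the F-Secure fake-bounce phrases quoted earlier in the thread checked first, as an added example that is not any poster's code; the outbound log, the three-day window, and all four bounce texts are constructed samples around the flugelheimer.com domain the post uses.

```python
"""Drop inbound bounces that do not refer to mail we actually sent.
Added example, not code from any poster: the outbound log, the local domain
and all bounce texts below are constructed samples."""
import re
from datetime import datetime, timedelta

LOCAL_DOMAIN = "flugelheimer.com"    # assumed domain whose outbound Message-IDs we log
WINDOW = timedelta(days=3)           # the post's suggestion: only match recent mail

# Constructed outbound log: Message-ID our MTA generated -> time it was sent.
SENT_LOG = {
    "<20040127031244.FC91349445@mail-02.flugelheimer.com>": datetime(2004, 1, 27, 3, 12, 44),
    "<20040115120000.0000000001@mail-02.flugelheimer.com>": datetime(2004, 1, 15, 12, 0, 0),
}

# Body text Mydoom uses when it poses as a bounce (the F-Secure list quoted above).
FAKE_BOUNCE_PHRASES = (
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "Mail transaction failed. Partial message is available.",
)

MSGID_RE = re.compile(r"^Message-ID:\s*(<[^>]+>)", re.IGNORECASE | re.MULTILINE)


def is_local(msgid):
    """True if the Message-ID was generated at LOCAL_DOMAIN or one of its hosts."""
    host = msgid.rsplit("@", 1)[-1].rstrip(">").lower()
    return host == LOCAL_DOMAIN or host.endswith("." + LOCAL_DOMAIN)


def embedded_message_ids(raw_bounce):
    """Local Message-IDs quoted in the bounce body (the returned original's headers).
    The bounce's own header block is skipped so its own Message-ID cannot match."""
    _, _, body = raw_bounce.partition("\n\n")
    return [m for m in MSGID_RE.findall(body) if is_local(m)]


def classify_bounce(raw_bounce, now):
    """'worm' for a Mydoom fake bounce, 'genuine' if it quotes a Message-ID we sent
    within WINDOW, otherwise 'bogus' (a bounce to a forged sender: drop it)."""
    if any(phrase in raw_bounce for phrase in FAKE_BOUNCE_PHRASES):
        return "worm"
    for msgid in embedded_message_ids(raw_bounce):
        sent_at = SENT_LOG.get(msgid)
        if sent_at is not None and timedelta(0) <= now - sent_at <= WINDOW:
            return "genuine"
    return "bogus"


NOW = datetime(2004, 1, 28, 12, 0, 0)   # constructed "current time" for the samples

# Constructed bounce for a message we really sent yesterday.
GENUINE_BOUNCE = """\
From: MAILER-DAEMON@example.net
To: alice@flugelheimer.com
Subject: Undelivered Mail Returned to Sender
Message-ID: <dsn-0001@example.net>

The recipient mailbox does not exist.

--- Original message headers ---
Message-ID: <20040127031244.FC91349445@mail-02.flugelheimer.com>
From: alice@flugelheimer.com
To: nobody@example.net
"""

# Constructed AV "you sent a virus" notice quoting headers the worm forged.
FORGED_BOUNCE = """\
From: antivirus@example.com
To: alice@flugelheimer.com
Subject: Virus found in a message you sent
Message-ID: <av-0002@example.com>

Your message was not delivered because it contained a virus.

--- Original message headers ---
Message-ID: <c4f2d1e9@mail-02.flugelheimer.com>
From: alice@flugelheimer.com
To: victim@example.com
"""

# Constructed bounce for one of our Message-IDs, but far outside WINDOW.
STALE_BOUNCE = GENUINE_BOUNCE.replace(
    "<20040127031244.FC91349445@mail-02.flugelheimer.com>",
    "<20040115120000.0000000001@mail-02.flugelheimer.com>")

# Constructed Mydoom message posing as a bounce (worm payload omitted).
WORM_BOUNCE = """\
From: postmaster@example.org
To: alice@flugelheimer.com
Subject: Mail Delivery System
Message-ID: <0001@example.org>

Mail transaction failed. Partial message is available.
"""

if __name__ == "__main__":
    for label, text in [("genuine", GENUINE_BOUNCE), ("forged", FORGED_BOUNCE),
                        ("stale", STALE_BOUNCE), ("worm", WORM_BOUNCE)]:
        print(label, "->", classify_bounce(text, NOW))
```

The match relies on the bounce quoting the original headers, which, as the reply above notes, not every mail server does; a bounce without them falls through to "bogus" and is dropped.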

    3. Re:Drop bounces based on SMTP id by Anonymous Coward · · Score: 0

      Your solution causes even more problems than SPF. Receiving and sending SMTP servers are not necessarily the same machine or even related. The point of the article is that the anti-virus software knows that a particular worm forges the sender address. If such a worm is detected, there is absolutely no reason at all to send anything in any direction. There simply isn't a practical way to reach the actual sender.

    4. Re:Drop bounces based on SMTP id by Radical+Rad · · Score: 1
      Your solution causes even more problems than SPF.

      It doesn't cause any problems at all. If you thought it did then you would have listed them instead of being vague.

      Receiving and sending SMTP servers are not necessarily the same machine

      If you don't know that different machines can access the same database then you don't know enough about networking to comment in this forum.

    5. Re:Drop bounces based on SMTP id by jhunsake · · Score: 1

      I think you are the clueless one. I send email from all over the place, all with my university address in the From line. Explain to me how the university servers are going to access the mail servers of my isp at home, or my isp at work, or the isp at my friends house?

    6. Re:Drop bounces based on SMTP id by Radical+Rad · · Score: 1

      Your From line should contain the account on the email server you are sending from. If you want recipients to reply to a different address then put that address in the Reply-To field.

      This is from RFC822:
      4.3.1. RETURN-PATH

      This field is added by the final transport system that delivers the message to its recipient. The field is intended to contain definitive information about the address and route back to the message's originator.

      Note: The "Reply-To" field is added by the originator and serves to direct replies, whereas the "Return-Path" field is used to identify a path back to the originator.

      While the syntax indicates that a route specification is optional, every attempt should be made to provide that information in this field.

      If I am clueless yet I know what I am talking about and you don't then how smart can you be? :)

      And by the way what are the hostnames of all these open relays that you are sending forged From headers through? I will submit them to the blackhole lists so you won't be sending any more spam through them.

    7. Re:Drop bounces based on SMTP id by jhunsake · · Score: 1

      You obviously cannot distinguish between the concepts of "should" and "must". Nice try though.

    8. Re:Drop bounces based on SMTP id by fatboy · · Score: 1

      Your From line should contain the account on the email server you are sending from. If you want recipients to reply to a different address then put that address in the Reply-To field.

      This is from RFC822:
      4.3.1. RETURN-PATH

      Ah yes! And we know all those virus writers strictly adhere to RFC822.

      --
      --fatboy
    9. Re:Drop bounces based on SMTP id by Anonymous Coward · · Score: 0

      Your post doesn't make any sense. What did you mean by it?

  25. good idea, by Pegasus · · Score: 1

    that about av database to have a flag for replying ... lets see what clamav mailing lists have to say about it.

  26. Spam filters anyone? by Saiai+Hakutyoutani · · Score: 1

    I just filter out the automated responses. Hopefully, I won't be getting that many important ones.

  27. Another question: why not filter? by astrashe · · Score: 1

    Why don't we expect ISPs to filter email for viruses?

    I know it would be expensive, that it would require people to do more work and buy more servers. But I don't see any other way of shutting down these mail virus storms.

    This virus doesn't exploit any real holes. It depends on unsophisticated users doing something dumb. I don't think we're ever going to live in a world in which it won't be possible to trick unsophisticated users into doing something dumb. Does that mean we have to suffer through this crap indefinitely?

    We can (and should) criticize Microsoft for creating an OS culture in which most people run everything with Administrator privs. But even if they fixed that, I'm not sure that this sort of thing would stop happening. The tricks virus writers use would just have to get better.

    If all, or even most, ISPs filtered mail for viruses, they'd be much less of a problem.

    I used to run a small ISP. When we started out, everyone had open relay SMTP servers. But gradually over time, the culture changed, and it was recognized that you had to close your relays if you wanted to be a good net citizen. ISPs that didn't had trouble getting other people to take their mail.

    I know this isn't the same thing, because closing a relay is a one time config change and doesn't require you to run beefier servers. For large ISPs, filtering mail would cost real money.

    I just don't see an alternative, though.

    I have a wildcard email forward on my domain, and I'm going to get a couple of hundred copies of this virus today.

  28. Re:What's the to do with spam and viruses at the I by R_Harrold · · Score: 2, Insightful

    Problem here is that if you mark, defang and deliver some people will get hundreds of e-mails in their inbox which consist entirely of the attachment removed due to virus infection message. They inevitably come back to the mail administrator and report it as a problem: 'all of my e-mail is getting the attachments removed'. Far better just to log the event and place the infected e-mail into the bit bucket, never to bother anyone again. This approach doesn't cause lots of 'shells' being sent to the recipient and does not toss lots of NDR messages to the alleged sender (who probably did not originate it anyways given the methodology being used by the newer mass-mailer worms). Robert H

  29. "Simple" solution? by srhuston · · Score: 3, Interesting

    As I've seen it, there are multiple camps for what to do with email-borne viruses. Those that say strip the attachment, and those that say can the whole thing. I have always belonged to the "can it" group, and Mydoom is a good example. Before our virus scanner started catching them, I got at least 5 emails about how a hacker must have broken into the email system, because they got this message returned to them that they didn't send, etc. If the mail had a virus in it, just can the message.

    Next, is what to do after you've tossed the mail: to notify or not to notify. Well, I'm the type that believes that *someone* should get a notification if an email is tossed (ie, mail should never disappear without some sort of DSN going somewhere). So in the case of non-mass-mailing viruses, I send a notice back to the sender telling them their mail was canned, and why.

    So my question to other mail admins (which I recently posed to the amavis-new list), is why not rely on the virus scanner's naming schemes? I use f-prot here, and all viruses that fake sender email addresses end with "@mm" (for Mass-Mailer). So I told amavis to not notify the sender if the virus name contains "@mm", but to notify the sender if it does not.

    Result? I've blocked over 8000 copies of Mydoom in the last 24 hours, and not sent a single mail to the "sender"s, but when one of the professors sent a mail out with a Word document attached that had a macro virus in it, he got a mail back saying the message was stopped and why.

    Simple, elegant... but why don't others do similar setups?

    --
    Three dits, four dits, two dits, dah!
    Radio, radio, rah rah rah!
    1. Re:"Simple" solution? by ldspartan · · Score: 1

      I'd guess because all of us don't run AV systems that tag things as having forged From headers. I run ClamAV, and I don't believe it has any such functionality.

      --
      lds

    2. Re:"Simple" solution? by jhunsake · · Score: 2, Insightful

      Simple, elegant... but why don't others do similar setups?

      Laziness.

  30. Can't just black-hole every sus email. by Kris_J · · Score: 1
    Mail Scanner has the option to not send bounce messages if the virus is in a particular list. However, it also has the option to strip any attachments that fall into the .exe, .pif, .scr, etc list of dangerous extensions without bothering to check if there's a virus in there or not -- which is very handy when a new one beats the patterns to your server. In this case the scanner does not know if the From: line is likely faked or not and must send a message indicating that the email has not been passed on complete, so the sender knows they have to do something about it.

    Trust me, given the number of automated responses that go to invalid addresses and bounce back on the admins, we wouldn't leave it on if there wasn't some value in it.

    1. Re:Can't just black-hole every sus email. by WoTG · · Score: 1

      I agree! Blocking dangerous attachments is very important these days. Viruses move far too quickly for virus signatures to be of much use. Be proactive and block those executables - it's not a total solution (e.g. macro viruses in Office files) but it's a good start. Anyone who actually needs an .exe is probably capable of getting it an alternate way (FTP, web, courier).

      FWIW, Symantec Mail Gateway Anti-virus (that's not the proper name, but you get the idea) can be configured in this way. Most mail scanners probably can...

    2. Re:Can't just black-hole every sus email. by Kris_J · · Score: 1
      Hmm, what I posted earlier wasn't entirely correct. Turns out that our anti-virus portion of MailScanner had gotten knocked-off during the last sendmail update. MailScanner will happily block an attachment for more than one reason, and by default it no longer sends an automated response if it detects a virus.

      This still means that attachments rejected in the hours before the virus pattern arrives will get a bounce message, but they'll dry up as soon as the pattern's in place. Nicer.

  31. Silent Failure by nuggz · · Score: 1

    If a suspect message is found it should notify the sender.

    I send emails to some companies, they block all sorts of files. I tried to send a zip file to the customer, which was blocked.
    I immediately got a message refused notice.

    This allowed me to inform the customer that they would not get what I was trying to send, and we made alternate arrangements.
    If they didn't send out the failure my customer would have been screwed, and I wouldn't have even known. When stuff doesn't happen in business you get blamed even when it is their fault.

    In a large company, or even a small one, the workers and even managers can not overturn IS/IT policies.

    1. Re:Silent Failure by mph · · Score: 1
      If a suspect message is found it should notify the sender.
      That's all well and good, but in the case of these Windows worms, the person listed in the headers is not the sender. Furthermore, the antivirus companies know that they're bouncing it to someone who is not the sender. They don't care, because it's advertising their product.
    2. Re:Silent Failure by Tridus · · Score: 1

      My domain's email does basically the same thing. I have neither the money nor the processor power to virus scan everything, so I just set it up to not allow attachments that are executable in Windows.

      The problem is that if somebody sends an executable file, they need to know it's not going to be delivered. So it bounces.

      That creates the problem the article poster is complaining about, but I'm not really sure which is worse. The last thing I want is somebody thinking an email got delivered when it actually didn't.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    3. Re:Silent Failure by yuri+benjamin · · Score: 1

      If a suspect message is found it should notify the sender.

      Yes. I agree. Notify the sender.
      However, just because my address is in the from: field, that doesn't mean that I'm the sender, so don't notify me.
      Good luck in finding the sender, though.

      --
      You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
    4. Re:Silent Failure by Anonymous Coward · · Score: 0

      If you're not AV-scanning incoming mail, then you should reject the mail during the SMTP dialog. As a consequence, the (actual) sending SMTP server generates the bounce. In the case of a worm SMTP engine, nothing is generated. The worm just moves on.

  32. Username/Password by canadianjoe · · Score: 1

    Ok, so I actually like my ISP's setup. They require a username/password combo to send any emails through their SMTP server, and include the sender's username in the header info. Makes it really easy to track down who is doing the spamming.

    Disclaimer: I also work for them, so it makes my job as a first-line phone jockey easy to track down internal spammers.

  33. Reject after DATA, do not bounce by Anonymous Coward · · Score: 0
    I use Exim 4 on my mail server. Being a small VDS with a lot of other work to do, I don't virus-scan incoming mail. I do block messages with Windows executables attached using an Exim ACL, NOT by doing some sort of post-processing after accepting the message for delivery. If a message contains an undesirable attachment, it is rejected before the SMTP transaction ever completes. If you're using my server for your own outgoing mail, you get the following error:
    rejected after DATA: This message contains an attachment of undesirable type: scr
    If you're using another server to send mail to mine, your server generates a bounce message. Since most worms use their own SMTP engine (it would be difficult for them to do otherwise), this generates no bounce message when a worm triggers it, and an error dialog or bounce if an attempt at legitimate mail does. There's no reason antivirus software can't work the same way.
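
The "Simple" solution post earlier in the thread (notify the sender only when the scanner's name lacks the "@mm" mass-mailer suffix) and the reject-after-DATA approach just above, combined into one decision as an added example; this is not any poster's code, and the scanner names, the log line format and the hand-maintained worm list are constructed.

```python
"""Decide what to do with a message a mail scanner flagged as infected.
Added example, not any poster's code: scanner names, the log format and
the hand-maintained list below are constructed samples."""
import re
from collections import Counter
from enum import Enum


class Action(Enum):
    REJECT_IN_DIALOG = "reject during SMTP DATA; the sending MTA generates any DSN"
    DROP_SILENTLY = "accept, log, discard; notify nobody"
    DROP_AND_NOTIFY = "accept, discard, notify the envelope sender"


# F-Prot appends "@mm" to mass-mailers that forge the sender (per the post).
# Scanners without such a suffix need a hand-maintained list; "Worm.SCO.A" is the
# ClamAV name for Mydoom quoted elsewhere on the page.
SENDER_FORGING_WORMS = {"Worm.SCO.A"}


def forges_sender(virus_name):
    """True when the scanner's name for the detection tells us the From is forged."""
    return virus_name.endswith("@mm") or virus_name in SENDER_FORGING_WORMS


def decide(virus_name, rejected_inline):
    """Reject in the SMTP dialog when the scan ran there (we never generate a
    bounce of our own); otherwise notify only when the sender is believable."""
    if rejected_inline:
        return Action.REJECT_IN_DIALOG
    if forges_sender(virus_name):
        return Action.DROP_SILENTLY
    return Action.DROP_AND_NOTIFY


# Constructed scanner log format: "<stage> INFECTED <name> from=<addr> to=<addr>"
LOG_RE = re.compile(
    r"^(?P<stage>data-acl|post-queue) INFECTED (?P<name>\S+) "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>$")

# Constructed sample log: three forged-sender worms, one macro virus in a real
# message, one worm caught in the DATA ACL before the message was accepted.
SAMPLE_LOG = [
    "post-queue INFECTED W32/Mydoom.A@mm from=<alice@example.org> to=<prof@univ.example>",
    "post-queue INFECTED W32/Mydoom.A@mm from=<bob@example.org> to=<prof@univ.example>",
    "post-queue INFECTED Worm.SCO.A from=<carol@example.net> to=<dean@univ.example>",
    "post-queue INFECTED W97M/Macro.Sample from=<prof@univ.example> to=<dean@univ.example>",
    "data-acl INFECTED W32/Mydoom.A@mm from=<dave@example.org> to=<prof@univ.example>",
    "post-queue CLEAN from=<eve@example.org> to=<dean@univ.example>",
]


def process_log(lines):
    """Apply the policy to each detection line; return (counts per action,
    list of (sender, virus name) pairs that actually get a notice)."""
    counts = Counter()
    notices = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a detection line
        action = decide(m["name"], m["stage"] == "data-acl")
        counts[action] += 1
        if action is Action.DROP_AND_NOTIFY:
            notices.append((m["sender"], m["name"]))
    return counts, notices


if __name__ == "__main__":
    counts, notices = process_log(SAMPLE_LOG)
    for action, n in counts.items():
        print(f"{n:>3}  {action.value}")
    print("notices sent:", notices)
```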
  34. What Not to Do by violet16 · · Score: 1

    During the last Sobig outbreak, I received over 100 bounces per day from a single ISP in New Zealand. I e-mailed them to stop, pointing out that Sobig forged its "From" header.

    They apologized and informed me I wouldn't receive any more bounces -- because their servers would now silently delete all e-mail from my account.

    I wanted to write back and point out that (a) this didn't help all the other people they were bouncing Sobig to, and (b) I might actually want to e-mail someone using them as an ISP one day -- but I couldn't, because they had blocked me.

  35. AV Auto-reply is the work of Satan by Judg3 · · Score: 1

    Says I, as I attempt to maneuver my way through about 1500 emails I've received in the last 4 HOURS on the OOo mod list

    --
    Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!
  36. Known, suspected, and from isn't always wrong by nuggz · · Score: 1

    I think they strongly suspect it, they don't know.

    Secondly only sometimes is the from false.

    Someone might actually send the virus to someone else in an email asking "What is this file you sent me".

    For me silent failure is broken.
    I have many times sent someone an email that they needed, only to find out it isn't getting through due to any of a multitude of reasons.
    The worst is when their mailserver, which they don't control, blindly chucks email for stupid wrong reasons.

    1. Re:Known, suspected, and from isn't always wrong by Anonymous Coward · · Score: 0

      You're shrugging off thousands of misdirected bounces per correct bounce. The choice is this: Either anti-virus scanners stop sending bounces to forged addresses or many people will simply drop *all* bounces on the floor as early as possible. It's simply impossible to automatically tell a junk-bounce from a legitimate bounce with reasonable definition. "Notification d'etat de la distribution", "Lieferstatusbenachrichtigung", "Avis de remise : remise non effectuee", "Error en el Sistema de Correo - Mail Retornado". All of these bounces are triggered by the Mydoom worm, but some are due to standard mail problems (quota, unknown recipient) and others are due to worm content. Case in point: Under no circumstances should bounces be sent to an address which is known to be forged (or most likely forged). Your mail system should be configured to reject mail before the end of the SMTP dialog, at least if it rejects due to normal mail problems. On the other hand, if it rejects after it has accepted the mail for delivery (non-inline virus scan), then by all means avoid sending bounces unless you know that the sender isn't forged.

    2. Re:Known, suspected, and from isn't always wrong by mph · · Score: 1
      I think they strongly suspect it, they don't know.
      It's not rocket science to figure out how a new worm works. They know that they fake the senders.
      Someone might actually send the virus to someone else an email asking "What is this file you sent me".
      That's not the same as a message sent by the worm, and should not be detected as such. The software should not just look at the attachment, but at the whole email. The real worm email would not include that question.
      For me silent failure is broken.
      For me, getting hundreds or thousands of these bounce messages every time there's a new worm is broken. Why am I paying for the sins of Windows users? And now, if mail I send someone actually does bounce, I'll never notice it because I'll delete it with all the other "bounce" messages. How's that for broken?
      I have many times sent someone an email that they needed, only to find out it isn't getting through due to any of a multitude of reasons.
      And... were those emails worms? No? Then what's your point? Of course you should get a bounce message if legitimate email bounces. And if you weren't getting all those worm bounces at the same time, you'd even notice the real bounce!
  37. Intelligent virus scanners / SPF by Pascal666 · · Score: 1

    How hard would it be to create a virus scanner for email servers that can keep track of if a virus forges the from and if so not send the bounce message?

    This whole issue is another reason to implement Sender Permitted From (SPF). If everyone ran SPF this type of virus would not be able to spread.

    -Pascal