Slashdot Mirror


Why Do Email Admins Make Viruses Worse?

gripdamage asks: "Why are email administrators still sending virus bounce messages, when everyone knows viruses forge the sender? This effectively doubles the amount of email traffic due to the virus (triples in the case that the recipient is also notified). As one of the links says 'any AV software or admins that have it mis-configured [so] that it is continuing to send out notices...to forged senders, deserve to be ridiculed.' I have received 4 times as many erroneous bounce notifications, because of MyDoom, than the actual virus, so the bounce messages are much more of a problem! This is a problem deserving publicity, so that email admins will be shamed into doing the right thing." The problem is that most bounces are automated responses; the simple thing would be to turn them off. Of course, the rationale of the automated response is to hopefully notify the infected user of the problem -- what a catch-22! What kind of policy would you recommend when it comes to spam, e-mail and automated responders?

5 of 126 comments

  1. bounces are good by Mod Me God · Score: 1, Informative

    If I send a mail to billabab@hotmail.com but meant to send it to millybob@hotmail.com, then I appreciate a bounce. A good virus spoof will make it too hard to differentiate genuine and false return addresses.

    --

    FreeNET user? Comfortable with the adverse selection?
  2. Check for valid source before notification by Baron_Yam · Score: 2, Informative

    SPF. If SPF checks out OK, then send the virus notification. If not, don't bother.

    1. Re:Check for valid source before notification by linuxwrangler · Score: 3, Informative

      It won't. It was recently discussed to death on the Postfix mailing list. It's a nice idea and I encourage more such brainstorming but SPF breaks too many things.

      An easy example: mail forwarders. Lots of places like you@alumni.your.edu forward mail to your "real" account.

      Now let's say your ISP starts enforcing SPF. Your friend at AOL sends a message to you@alumni.your.edu which gets forwarded to you@yourisp.com. Your ISP's server notes that this message from someone at aol.com is being sent from a server other than one listed in AOL's spf list and rejects it.

      People have suggested workarounds like sender rewriting but each of those suggestions breaks something else. You really don't want to see all the problems it causes for mailing lists.

      For now, I'd settle for enforcing strict compliance with RFCs and good practice (HELO must be an FQDN that can be forward- and reverse-DNS matched with the connecting IP would be an excellent start - I can't believe how many large corporations can't get this one right).

      --

      ~~~~~~~
      "You are not remembered for doing what is expected of you." - Atul Chitnis
  3. we just bounce the headers by Anonymous Coward · Score: 2, Informative

    We have a semi-homebrew mail filter based on open source tech like customized spamassassin and mimedefang.

    1) Messages which are obvious worms are not bounced at all, just dropped. This requires us to update the list of which AV hits are worms and which are just attachments in an otherwise legit mail. Obviously this isn't always kept up to date, but when a worm is widespread we make sure it isn't generating bounces. The bounces clog up the queue anyway.

    2) Other messages are bounced, but only text portions, everything else is stripped out.

    I believe it's better to err on the side of bouncing. I hate it when I send somebody a large attachment or a subject line with numbers in it, or something that trips a virus or spam filter, and the message is *silently dropped*. You want to kill email? Make it so you have to call the person on the phone to see if they got your message!

    I was a little confused with all these posters talking about "free advertising" but then I realized you're talking about the off-the-shelf products. Our system doesn't advertise anything except the name of the org and why the message was bounced at our servers.

    So, if I had to choose, I'd say stick with the bounces. I'm not (very) worried about bandwidth, I'm worried about people losing control of their desktops to worms.

  4. Re:What about CLEAN bounces? by David Byers · Score: 2, Informative

    I've gotten about a ton of bounces like that. But they've all been sent to the (forged) sender of the virus, so they're worse than useless.

    The only acceptable way to generate a bounce of a virus message is as part of the SMTP dialog. That way the sending *server* will get the message, and it won't bother me.

    While you go off and re-think your proposal, I'll just head over here and delete the last hundred or so of those cleaned bounces saying hey douchebag, you're infected.
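The two positions above, refusing the message inside the SMTP dialog (comment 4) versus dropping known worms and returning only the text parts of everything else (comment 3), written up as one added Python policy function. This is example code, not anything the posters or their filters ran; the worm signature names, the host and addresses, and the sample message are constructed.

```python
"""Virus-notification policy for an inbound mail filter (constructed example):
reject while still in the SMTP dialog when possible; once a message has been
accepted, drop known sender-forging worms and bounce only the text parts."""
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed: AV signature names we treat as mass-mailing worms that forge
# the envelope sender, so a post-acceptance bounce would hit an innocent party.
KNOWN_WORMS = {"W32/Mydoom.A", "W32/Sobig.F"}

# Constructed sample: a short text body plus an executable attachment.
SAMPLE = """\
From: alice@example.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file.
--b1
Content-Type: application/octet-stream; name="invoice.exe"

TVo=
--b1--
"""

def text_only_notice(raw, av_hit, envelope_from, filter_host="mx.example.org"):
    """Bounce used after acceptance: keep text/plain bodies, strip everything
    else (attachments, HTML), and say which host blocked the message and why."""
    original = message_from_string(raw, policy=policy.default)
    kept = [p.get_content() for p in original.walk()
            if p.get_content_type() == "text/plain"]
    notice = EmailMessage()
    notice["From"], notice["To"] = f"postmaster@{filter_host}", envelope_from
    notice["Subject"] = "Message not delivered: virus detected"
    notice.set_content(f"Blocked at {filter_host}: {av_hit}.\n"
                       "Only the text of your message is returned:\n\n"
                       + "".join(kept))
    return notice

def handle(raw, av_hit, envelope_from, in_dialog):
    """Return (action, payload). in_dialog=True means we are still at the
    end of DATA: a 5xx there makes the sending MTA responsible for any
    bounce, so the filter itself never emits mail to a forged address."""
    if in_dialog:
        return "reject", f"554 5.7.1 Message rejected: infected with {av_hit}"
    if av_hit in KNOWN_WORMS:           # sender is forged: notify nobody
        return "drop", None
    return "bounce-text", text_only_notice(raw, av_hit, envelope_from)
```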