Slashdot Mirror


Why Do Email Admins Make Viruses Worse?

gripdamage asks: "Why are email administrators still sending virus bounce messages, when everyone knows viruses forge the sender? This effectively doubles the amount of email traffic due to the virus (triples in the case that the recipient is also notified). As one of the links says, 'any AV software or admins that have it mis-configured [so] that it is continuing to send out notices...to forged senders, deserve to be ridiculed.' I have received 4 times as many erroneous bounce notifications because of MyDoom as copies of the actual virus, so the bounce messages are much more of a problem! This is a problem deserving publicity, so that email admins will be shamed into doing the right thing." The problem is that most bounces are automated responses; the simple thing would be to turn them off. Of course, the rationale of the automated response is to hopefully notify the infected user of the problem -- what a catch-22! What kind of policy would you recommend when it comes to spam, e-mail and automated responders?

26 of 126 comments

  1. It doesn't seem to be the admin themselves by dacarr · · Score: 2, Interesting
    Rather, it seems to be the AV screen they install. I just moments ago got one that indicated that I sent a copy of Mydoom to a user on Lucasfilm's network, which is kind of funny since I run Linux....

    (fp!)

    --
    This sig no verb.
    1. Re:It doesn't seem to be the admin themselves by MerlynEmrys67 · · Score: 2, Funny

      Well shame on you for installing that virus to run in WINE just so you can hit the sco.com website

      --
      I have mod points and I am not afraid to use them
  2. Check for valid source before notification by Baron_Yam · · Score: 2, Informative

    SPF. If SPF checks out OK, then send the virus notification. If not, don't bother.

    1. Re:Check for valid source before notification by linuxwrangler · · Score: 3, Informative

      It won't. It was recently discussed to death on the Postfix mailing list. It's a nice idea and I encourage more such brainstorming but SPF breaks too many things.

      An easy example: mail forwarders. Lots of places like you@alumni.your.edu forward mail to your "real" account.

      Now let's say your ISP starts enforcing SPF. Your friend at AOL sends a message to you@alumni.your.edu which gets forwarded to you@yourisp.com. Your ISP's server notes that this message from someone at aol.com is being sent from a server other than one listed in AOL's spf list and rejects it.

      People have suggested workarounds like sender rewriting but each of those suggestions breaks something else. You really don't want to see all the problems it causes for mailing lists.

      For now, I'd settle for enforcing strict compliance with RFCs and good practice (helo must be a FQDN that can be forward and reverse dns matched with the connecting IP would be an excellent start - I can't believe how many large corporations can't get this one right).

      --

      ~~~~~~~
      "You are not remembered for doing what is expected of you." - Atul Chitnis
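
The forwarding case linuxwrangler describes, as an added example that is not part of the original thread. It is a deliberately minimal SPF evaluator (only ip4:, ip6: and all mechanisms; a/mx/include would need live DNS) run against constructed records for hypothetical domains, so that the "only notify when SPF passes" idea from the parent comment can be tried offline: the same legitimate message passes when delivered directly and fails once a forwarder relays it.

```python
"""Added example: minimal SPF evaluator (ip4/ip6/all only) showing why
"notify the sender only when SPF passes" breaks on forwarded mail."""
import ipaddress

# Constructed records for hypothetical domains; these are NOT the real SPF
# records of AOL or of any university.
SPF_RECORDS = {
    "aol.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "alumni.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from_domain, connecting_ip, records=SPF_RECORDS):
    """Return pass/fail/softfail/neutral/none/permerror for the envelope
    sender's domain and the IP that connected to us."""
    record = records.get(mail_from_domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":
            matched = True
        elif mech.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            matched = ip in network        # False when address families differ
        else:
            return "permerror"            # a, mx, include, redirect: need DNS
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def notify_sender_allowed(mail_from, connecting_ip):
    """The policy proposed in the thread: send a virus notice only on SPF pass."""
    domain = mail_from.strip("<>").rpartition("@")[2].lower()
    return check_spf(domain, connecting_ip) == "pass"


def forwarding_scenario():
    """Direct delivery versus the same message relayed by a forwarder.

    The forwarder keeps the original envelope sender but connects from its
    own address, so the receiving ISP sees an aol.example sender arriving
    from an IP that aol.example's record does not list."""
    direct = check_spf("aol.example", "192.0.2.25")        # aol.example's own MX
    forwarded = check_spf("aol.example", "198.51.100.10")  # alumni.example relay
    return direct, forwarded


if __name__ == "__main__":
    print(forwarding_scenario())
```

The legitimate message and the forged one look identical to this check once a forwarder is in the path, which is why the reply above says SPF cannot be the gate for notifications.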
    2. Re:Check for valid source before notification by Alizarin Erythrosin · · Score: 3, Interesting

      And it doesn't even solve the problem of bouncing a virus infected email back to the person who is listed in the "from" address. Because with most new viruses, that person isn't the infected one most of the time.

      I think that's what the submitter is complaining about. Anti-virus solutions sending bounce messages for virus infected emails to the people in the "from".

      --
      There are only 10 kinds of people in this world... those who understand binary and those who don't
    3. Re:Check for valid source before notification by jonadab · · Score: 2, Interesting

      > For now, I'd settle for enforcing strict compliance with RFCs

      Indeed. I'd pay money to get my ISP to block messages that don't have a valid Subject: header.

      > helo must be a FQDN that can be forward and reverse dns matched with the connecting IP would be an excellent start

      I've considered merely rejecting mail from sending servers whose IP address has no PTR record whatsoever. The only problem with this is that it blocks approximately 110% of the continent of Asia from sending you mail. (Then again, I'm of two minds about whether that would be bad...)

      --
      Cut that out, or I will ship you to Norilsk in a box.
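
The HELO rule from linuxwrangler's reply and the "no PTR at all" variant from jonadab's, as an added example that is not from either poster. DNS is replaced by constructed lookup tables so the check runs offline; a real MTA plugin would use socket.gethostbyaddr() for the PTR and socket.getaddrinfo() for the forward lookup. Hostnames and addresses are hypothetical.

```python
"""Added example: connection-time HELO / forward-confirmed reverse DNS check."""
import re

# Constructed DNS data (documentation address ranges, hypothetical hosts).
PTR_RECORDS = {
    "203.0.113.5": "mx1.example.org",
    "203.0.113.9": "mail.mismatch.example",
}
A_RECORDS = {
    "mx1.example.org": ["203.0.113.5"],
    "mail.mismatch.example": ["203.0.113.200"],  # PTR names it, but it resolves elsewhere
}

# At least one dotted label plus an alphabetic TLD: rejects "MAIL", "localhost", bare IPs.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def check_helo(helo, ip, ptr=PTR_RECORDS, a=A_RECORDS, require_ptr=True):
    """Return (accept, reason) for a HELO/EHLO argument and the connecting IP.

    Accept only when HELO is an FQDN, the IP's PTR names that host, and the
    host's forward lookup includes the IP. require_ptr=True is the strict
    "no PTR, no mail" rule; False lets PTR-less hosts through for sites that
    find that rule too aggressive."""
    name = helo.strip().rstrip(".").lower()
    if not FQDN_RE.match(name):
        return False, "HELO argument is not a fully qualified domain name"
    rdns = ptr.get(ip)
    if rdns is None:
        if require_ptr:
            return False, "connecting IP has no PTR record"
        return True, "connecting IP has no PTR record; accepted by policy"
    rdns = rdns.rstrip(".").lower()
    if rdns != name:
        return False, f"PTR {rdns} does not match HELO {name}"
    if ip not in a.get(rdns, []):
        return False, f"forward lookup of {rdns} does not return {ip}"
    return True, "forward-confirmed reverse DNS matches HELO"


def smtp_reply(helo, ip, **policy):
    """Translate the check into the reply an MTA would give to HELO/EHLO."""
    ok, reason = check_helo(helo, ip, **policy)
    if ok:
        return f"250 mx.example.org Hello {helo}"
    return f"550 5.7.1 Rejected: {reason}"


if __name__ == "__main__":
    for helo, ip in [("mx1.example.org", "203.0.113.5"), ("MAIL", "203.0.113.5"),
                     ("mail.mismatch.example", "203.0.113.9"), ("mail.example.net", "203.0.113.77")]:
        print(helo, ip, "->", smtp_reply(helo, ip))
```

Because the decision is made at HELO time, before MAIL FROM, a rejection here costs one reply and never produces a bounce to anyone.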
  3. Bounce the headers by aridhol · · Score: 3, Insightful

    Bounce the headers of the message, and possibly some text. Do not bounce any attachments. If the "sender" is real, they will know their own message by that; if it is fake, bandwidth is not overused.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
    1. Re:Bounce the headers by menscher · · Score: 2, Insightful

      > Bounce the headers of the message, and possibly some text. Do not bounce any attachments.

      I'd actually prefer if you bounced the entire attachment. In the case of virus outbreaks, it's a lot easier to filter out the unwanted bounces based on an attachment, than having to read all the headers and wonder if I (or a user) sent an email to someone with a subject line of "Hi".

      Yes, it wastes bandwidth. But it saves human time. If you're that concerned about bandwidth, don't bounce known-spoofed-From:-header virus email at all.

    2. Re:Bounce the headers by David Byers · · Score: 4, Insightful

      I've yet to see a single useful bounce generated by an AV scanner, because they insist on sending the bounce to the forged sender.

      People using AV scanners need to hook them up to their SMTP servers so the SMTP server can reject the message as it is being sent. That way innocent people won't see a deluge of misdirected bounce messages.
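
What "reject the message as it is being sent" looks like on the wire, as an added example that is not part of the original comment. The receiving MTA, the scanner and both messages are constructed: the scanner just looks for a marker header planted in the sample worm message, where a real deployment would call its virus scanner from a milter or content-filter hook at end of DATA. The point is the 550 reply: the sending side is told in the dialog, and nothing is ever sent to the forged sender.

```python
"""Added example: rejecting an infected message inside the SMTP dialog."""

# Constructed detection: a marker header stands in for a real scanner hit.
WORM_MARKER = "X-Constructed-Worm: Example.MassMailer@mm"


def scan(message_text):
    """Return the detected name, or None if the message is clean."""
    return "Example.MassMailer@mm" if WORM_MARKER in message_text else None


class ReceivingMta:
    """Minimal SMTP state machine: feed() takes one client line and returns
    the server reply, or None for lines inside the DATA body."""

    def __init__(self, hostname="mx.example.org", scanner=scan):
        self.hostname = hostname
        self.scanner = scanner
        self.in_data = False
        self._reset()

    def _reset(self):
        self.mail_from = None
        self.rcpt_to = []
        self.body = []

    def greeting(self):
        return f"220 {self.hostname} ESMTP"

    def feed(self, line):
        if self.in_data:
            if line == ".":
                return self._end_of_data()
            # RFC 5321 dot-stuffing: a body line starting ".." means "."
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname} Hello {arg}"
        if verb == "MAIL":
            self._reset()
            self.mail_from = arg.partition(":")[2].strip()
            return "250 2.1.0 Sender ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Need MAIL command"
            self.rcpt_to.append(arg.partition(":")[2].strip())
            return "250 2.1.5 Recipient ok"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 5.5.1 Need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self._reset()
            return "250 2.0.0 Reset"
        if verb == "QUIT":
            return f"221 2.0.0 {self.hostname} closing connection"
        return "500 5.5.2 Command not recognized"

    def _end_of_data(self):
        self.in_data = False
        detected = self.scanner("\r\n".join(self.body))
        self._reset()
        if detected:
            # The sending side now holds the problem: a relaying MTA bounces
            # to ITS envelope sender, a worm's own SMTP engine just moves on.
            # Either way this server generated no mail to the forged address.
            return f"550 5.7.1 Message rejected: contains {detected}"
        return "250 2.0.0 Queued"


def run_dialog(client_lines, scanner=scan):
    """Drive one session; return the transcript as (who, line) pairs."""
    mta = ReceivingMta(scanner=scanner)
    transcript = [("S", mta.greeting())]
    for line in client_lines:
        transcript.append(("C", line))
        reply = mta.feed(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript


def data_reply(client_lines):
    """The server's reply to the end-of-data marker, e.g. '550 ...'."""
    transcript = run_dialog(client_lines)
    return transcript[transcript.index(("C", ".")) + 1][1]


# Constructed worm delivery: envelope sender and From: header both forged.
WORM_SESSION = [
    "HELO zombie.example.net",
    "MAIL FROM:<innocent@example.com>",
    "RCPT TO:<victim@example.org>",
    "DATA",
    "From: innocent@example.com",
    "To: victim@example.org",
    "Subject: hi",
    WORM_MARKER,
    "",
    "see attached",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for who, line in run_dialog(WORM_SESSION):
        print(who, line)
```

A scanner that only sees the message after the 250 has been sent has already lost this option, which is why the comment insists on hooking it into the SMTP server rather than running it on the queue.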

  4. Not exactly by sahrss · · Score: 2, Insightful

    > I have received 4 times as many erroneous bounce notifications, because of MyDoom, than the actual virus, so the bounce messages are much more of a problem!

    I agree that the bounces are damaging, but they usually don't multiply the damage; assuming one bounce per virus email, that is only 1x as harmful as the virus itself.

    Most AV will not bounce the emails (these are the ones you don't see of course), reducing the ratio of (bounced emails) / (total emails) to below 1.

  5. The simplest rule I would enforce. by Anonymous Coward · · Score: 3, Insightful

    If you are the admin of a mailserver, NEVER BOUNCE OR REPLY BASED ON ANYTHING EXCEPT THE INFORMATION IN THE ENVELOPE HEADER.

    I am fucking tired of seeing mail bounced to my server and email address, just because my email address (or domain) was in the From: portion of the message. They should be smart enough to take a look at the envelope portion of the header and see there is a difference.

    Also, stop notifying senders that "you may have a virus". At all. If you want to do this for your own users, that's fine - but stop sending this shit to people outside of your domain!

    And third... GAH... Where to begin. I give up.

  6. It's not accidental, it's spam by menscher · · Score: 5, Interesting
    The companies that are doing this know very well that the viruses forge the From: header. If they wanted to warn senders, it would be trivial to put in a check of whether this virus, which they can identify, has the "forges-the-From:-header" bit set, and not respond to those.

    But this doesn't serve their purposes. Their goal, in the event of a virus outbreak, is to advertise. When people are getting viruses, they start looking for AV software, and that's the perfect advertising opportunity.

    I always write back to the postmaster@domain to complain that their software is advertising, and I include a Cc: to the AV vendor, so they can see the negative publicity that results. It might help if everyone else did the same....

  7. Very Disturbing... by bay43270 · · Score: 3, Funny

    I'm very bothered by this. I'm going to send a message about this to everyone I know. I suggest you all do the same.

  8. It's an advertisement by Mr. Darl McBride · · Score: 4, Interesting
    Have you ever seen a bounce message that didn't plaster the software's name all over it multiple times?

    It's an advertisement, pure and simple. It's entirely to the software manufacturer's benefit to take the opportunity to advertise to third parties with you as the middleman.

    And it works. I've had grey haired suits forward bounce messages to me to ask about the other products, asking whether we might want that instead of or in addition to the package I'd already put in place for them.

  9. Re:bounces are good by dabuk · · Score: 4, Interesting
    He's not saying to stop all bounces. That would, as you say, be unhelpful. Instead he's saying: why does a virus detection program, which knows a virus forges the from address, send a message to the "sender" when they never sent the original message?

    I don't administer any of these programs, but I imagine they all do have the ability not to send these messages, but someone's got to change the settings.

  10. It's a subtle form of spam.. by zcat_NZ · · Score: 4, Insightful

    and should be recognised as such.

    AV vendors know damn well that 99% of viruses spoof addresses. More than anyone else, since studying viruses and figuring out what they do is their JOB!!

    The only possible excuse for this behaviour is that they get FREE ADVERTISING out of it. It's spam advertising AV software and/or mail filters, plain and simple. It should be treated the same way as any other spam.

    --
    455fe10422ca29c4933f95052b792ab2
  11. Problem is by jptechnical · · Score: 2, Insightful

    Many admins think that they are lord of the castle; if you suggest a change to the email system, like cancelling the bounce, the first answer is NO, as if you are stepping on their territory.

    I used to work for a place where the admin also got so paranoid with spam that he blocked entire domains like yahoo and hotmail even though there were at least a dozen legitimate customers that used those email services as their primary business email.

    It isn't until there is a backlash or fear of losing their castle that some will make a change.

    Sometimes you just have to be the loudest voice in complaining and go over their head and reason with their boss. Explain that a flood of redundant emails is bad practice and that in many people's eyes a bounce message saying "virus found!" with your company's domain makes people think that YOU have the virus. Sounds strange but it happens. You bounce a message and you get a call saying "You guys have a virus... we just got an email about it" coming from the internal staff, then spend the next 15 minutes explaining that they are protected and that the bounce was only informational, and still they don't always get it.

    Virus protection is best operated SILENTLY! You as an admin can sweat the details but the clients should just "Know they are protected" and not be bothered with details. It's just good management.

    --

    Boredom's not a burden anyone should bear.
  12. we just bounce the headers by Anonymous Coward · · Score: 2, Informative

    We have a semi-homebrew mail filter based on open source tech like customized spamassassin and mimedefang.

    1) Messages which are obvious worms are not bounced at all, just dropped. This requires us to update the list of which AV hits are worms and which are just attachments in an otherwise legit mail. Obviously this isn't always kept up to date, but when a worm is widespread we make sure it isn't generating bounces. The bounces clog up the queue anyway.

    2) Other messages are bounced, but only text portions, everything else is stripped out.

    I believe it's better to err on the side of bouncing. I hate it when I send somebody a large attachment or a subject line with numbers in it, or something that trips a virus or spam filter, and the message is *silently dropped*. You want to kill email? Make it so you have to call the person on the phone to see if they got your message!

    I was a little confused with all these posters talking about "free advertising" but then I realized you're talking about the off-the-shelf products.. our system doesn't advertise anything except the name of the org and why the message was bounced at our servers.

    So, if I had to choose, I'd say stick with the bounces. I'm not (very) worried about bandwidth, I'm worried about people losing control of their desktops to worms.

  13. What's the to do with spam and viruses at the ISP? by vojtech · · Score: 2, Insightful
    The answer is quite simple:
    • mark
    • defang
    • deliver (if recipient exists)

    And don't ever send a bounce.

    Send bounces only for mails not detected as either virus or spam.

    That would make everybody happy.

  14. Re:What about CLEAN bounces? by David Byers · · Score: 2, Informative

    I've gotten about a ton of bounces like that. But they've all been sent to the (forged) sender of the virus, so they're worse than useless.

    The only acceptable way to generate a bounce of a virus message is as part of the SMTP dialog. That way the sending *server* will get the message, and it won't bother me.

    While you go off and re-think your proposal, I'll just head over here and delete the last hundred or so of those cleaned bounces saying hey douchebag, you're infected.

  15. Re:bounces are good by DarkFencer · · Score: 2, Insightful

    ABSOLUTELY NOT!

    I run a mail server with 13000 users! Getting every bounce of these things to postmaster no matter who sent it would make me route postmaster to /dev/null

  16. Bouncing viruses by HTH NE1 · · Score: 4, Interesting

    Are we certain that they are bounces and not just viruses pretending to be bounces? The pattern of the messages I've received suggest to me that the viruses are trying to conceal themselves (poorly) as bounce messages.

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  17. Re:What's the to do with spam and viruses at the I by R_Harrold · · Score: 2, Insightful

    Problem here is that if you mark, defang and deliver, some people will get hundreds of e-mails in their inbox which consist entirely of the "attachment removed due to virus infection" message. They inevitably come back to the mail administrator and report it as a problem: 'all of my e-mail is getting the attachments removed'. Far better just to log the event and place the infected e-mail into the bit bucket, never to bother anyone again. This approach doesn't cause lots of 'shells' being sent to the recipient and does not toss lots of NDR messages to the alleged sender (who probably did not originate it anyway, given the methodology being used by the newer mass-mailer worms).

    Robert H

  18. "Simple" solution? by srhuston · · Score: 3, Interesting

    As I've seen it, there are multiple camps for what to do with email-borne viruses. Those that say strip the attachment, and those that say can the whole thing. I have always belonged to the "can it" group, and Mydoom is a good example. Before our virus scanner started catching them, I got at least 5 emails about how a hacker must have broken into the email system, because they got this message returned to them that they didn't send, etc. If the mail had a virus in it, just can the message.

    Next, is what to do after you've tossed the mail: to notify or not to notify. Well, I'm the type that believes that *someone* should get a notification if an email is tossed (ie, mail should never disappear without some sort of DSN going somewhere). So in the case of non-mass-mailing viruses, I send a notice back to the sender telling them their mail was canned, and why.

    So my question to other mail admins (which I recently posed to the amavis-new list), is why not rely on the virus scanner's naming schemes? I use f-prot here, and all viruses that fake sender email addresses end with "@mm" (for Mass-Mailer). So I told amavis to not notify the sender if the virus name contains "@mm", but to notify the sender if it does not.

    Result? I've blocked over 8000 copies of Mydoom in the last 24 hours, and not sent a single mail to the "sender"s, but when one of the professors sent a mail out with a Word document attached that had a macro virus in it, he got a mail back saying the message was stopped and why.

    Simple, elegant... but why don't others do similar setups?

    --
    Three dits, four dits, two dits, dah!
    Radio, radio, rah rah rah!
    1. Re:"Simple" solution? by jhunsake · · Score: 2, Insightful

      > Simple, elegant... but why don't others do similar setups?

      Laziness.
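
The post-acceptance policy that comments 5, 12 and 18 above converge on, as an added example that is not code from any of those posters or from amavis, mimedefang or f-prot: decide from the envelope sender (MAIL FROM), never from the From: header; drop mass-mailer hits silently; never answer the null sender; and when a notice is warranted, send the original headers and text parts only, with every attachment stripped. The "@mm" suffix test is the f-prot naming convention srhuston describes; the virus names, domains and sample message are constructed.

```python
"""Added example: virus notification policy driven by the envelope sender
and the scanner's mass-mailer naming, with attachments stripped from notices."""
from email import message_from_string
from email.message import EmailMessage

# f-prot marks mass-mailers with "@mm" (per the thread). Other scanners use
# their own conventions and need their own test here.
MASS_MAILER_SUFFIXES = ("@mm",)


def classify(virus_name):
    if virus_name is None:
        return "clean"
    if virus_name.lower().endswith(MASS_MAILER_SUFFIXES):
        return "mass-mailer"
    return "virus"


def decide(envelope_from, virus_name):
    """Return one of: deliver, drop, notify-envelope-sender.

    envelope_from is the SMTP MAIL FROM address ("" or "<>" for the null
    sender). The From: header is never consulted: the sender wrote it."""
    kind = classify(virus_name)
    if kind == "clean":
        return "deliver"
    if kind == "mass-mailer":
        return "drop"            # sender is forged; any notice is backscatter
    if envelope_from.strip("<> ") == "":
        return "drop"            # never generate a DSN to the null reverse-path
    return "notify-envelope-sender"


def build_notice(raw_message, envelope_from, virus_name, local_domain="example.org"):
    """Notice to the envelope sender: original header block plus the
    text/plain parts, with every attachment left out."""
    original = message_from_string(raw_message)
    lines = [
        f"A message you sent through the {local_domain} mail system was not "
        f"delivered because it contained {virus_name}.",
        "",
        "Original headers:",
    ]
    lines += [f"{name}: {value}" for name, value in original.items()]
    lines += ["", "Text of the message (attachments removed):"]
    for part in original.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            charset = part.get_content_charset() or "us-ascii"
            lines.append(part.get_payload(decode=True).decode(charset, "replace"))
    notice = EmailMessage()
    notice["From"] = f"postmaster@{local_domain}"
    notice["To"] = envelope_from
    notice["Subject"] = "Message not delivered: virus detected"
    notice.set_content("\n".join(lines))
    return notice


def handle(raw_message, envelope_from, virus_name):
    """Apply the policy; return (action, notice or None)."""
    action = decide(envelope_from, virus_name)
    if action == "notify-envelope-sender":
        return action, build_notice(raw_message, envelope_from, virus_name)
    return action, None


# Constructed message: one text part plus a (fake) Word attachment.
SAMPLE_MESSAGE = """\
From: Professor <prof@example.org>
To: colleague@example.net
Subject: Draft report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Attached is the draft.
--b1
Content-Type: application/msword; name="report.doc"
Content-Disposition: attachment; filename="report.doc"
Content-Transfer-Encoding: base64

QUFBQUFBQUFB
--b1--
"""

if __name__ == "__main__":
    print(decide("<innocent@example.com>", "W32/Example.A@mm"))   # drop
    action, notice = handle(SAMPLE_MESSAGE, "prof@example.org", "W97M/Example.A")
    print(action)
    print(notice.get_content())
```

With this in place a mass-mailer hit produces a log line and nothing else, while the professor's macro-infected document gets a notice to the address that actually handed the message to the MTA, and that notice cannot itself carry the payload onward.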

  19. Re:Report their virus bounce as spam!! by DrZaius · · Score: 3, Interesting

    And you are the reason that RBL's cause so much collateral damage.

    It's great that you are taking this political stand and sticking it to the virus scanner companies. I'm sure all the email admins out there make the logical jump that their virus scanner messages are causing their IP addresses to show up in RBL's. They'll all disable their virus bounce messages for you.

    Actually, now that I think about it, it's more likely that people will assume RBL's are useless and don't work. They'll probably complain to their peers and convince them that RBL's are unreliable.

    Way to go, jerk.

    --
    -- DrZaius - Minister of Sciences and Protector of the Faith