Slashdot Mirror

← Back to Stories (view on slashdot.org)

Why Do Email Admins Make Viruses Worse?

Posted by Cliff on from the turn-off-your-automated-responders-please dept.

gripdamage asks: "Why are email administrators still sending virus bounce messages, when everyone knows viruses forge the sender? This effectively doubles the amount of email traffic due to the virus (triples in the case that the recipient is also notified). As one of the links says 'any AV software or admins that have it mis-configured [so] that it is continuing to send out notices...to forged senders, deserve to be ridiculed.' I have received 4 times as many erroneous bounce notifications, because of MyDoom , than the actual virus, so the bounce messages are much more of a problem! This is a problem deserving publicity, so that email admins will be shamed into doing the right thing." The problem is that most bounces are automated responses, the simple thing would be to turn them off. Of course, the rational of the automated response is to hopefully notify the infected user of the problem -- what a catch-22! What kind of policy would you recommend when it comes to spam, e-mail and automated responders?

13 of 126 comments (clear)

  1. Bounce the headers by aridhol · · Score: 3, Insightful

    Bounce the headers of the message, and possibly some text. Do not bounce any attachments. If the "sender" is real, they will know their own message by that; if it is fake, bandwidth is not overused.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
    1. Re:Bounce the headers by David+Byers · · Score: 4, Insightful

      I've yet to see a single useful bounce generated by an AV scanner, because they insist on sending the bounce to the forged sender.

      People using AV scanners need to hook them up to their SMTP servers so the SMTP server can reject the message as it is being sent. That way innocent people won't see a deluge of misdirected bounce messages.

  2. The simplest rule I would enforce. by Anonymous Coward · · Score: 3, Insightful

    If you are the admin of a mailserver, NEVER BOUNCE OR REPLY BASED ON ANYTHING EXCEPT THE INFORMATION IN THE ENVELOPE HEADER.

    I am fucking tired of seeing mail bounced to my server and email address, just because my email address (or domain) was in the From: portion of the message. They should be smart enough to take a look at the envelope portion of the header and see there is a difference.

    Also, stop notifying senders that "you may have a virus". At all. If you want to do this for your own users, that's fine - but stop sending this shit to people outside of your domain!

    And third... GAH... Where to begin. I give up.

  3. It's not accidental, it's spam by menscher · · Score: 5, Interesting
    The companies that are doing this know very well that the viruses forge the From: header. If they wanted to warn senders, it would be trivial to put in a check of whether this virus, which they can identify, has the "forges-the-From:-header" bit set, and not respond to those.

    But this doesn't serve their purposes. Their goal, in the event of a virus outbreak, is to advertise. When people are getting viruses, they start looking for AV software, and that's the perfect advertising opportunity.

    I always write back to the postmaster@domain to complain that their software is advertising, and I include a Cc: to the AV vendor, so they can see the negative publicity that results. It might help if everyone else did the same....

  4. Very Disturbing... by bay43270 · · Score: 3, Funny

    I'm very bothered by this. I'm going to send a message about this to everyone I know. I suggest you all do the same.

  5. It's an advertisement by Mr.+Darl+McBride · · Score: 4, Interesting
    Have you ever seen a bounce message that didn't plaster the software's name all over it multiple times?

    It's an advertisement, pure and simple. It's entirely to the software manufacturer's benefit to take the opportunity to advertise to third parties with you as the middleman.

    And it works. I've had grey haired suits forward bounce messages to me to ask about the other products, asking whether we might want that instead of or in addition to the package I'd already put in place for them.

  6. Re:bounces are good by dabuk · · Score: 4, Interesting
    He's not saying not stop all bounces. That would as you say be unhelpful. Instead he's saying why does a virus detection program, that knows a virus forges the from address, send a message to the the "sender" when they never sent the original message.

    I don't administer any of these programs, but I imagine they all do have the ability not to send these messages, but someone's got to change the settings.

  7. It's a subtle form of spam.. by zcat_NZ · · Score: 4, Insightful

    and should be recognised as such.

    AV vendors know damn well that 99% of viruses spoof addresses. More than anyone else, since studying viruses and figuring out what they do is their JOB!!

    The only possible excuse for this behaviour is that they get FREE ADVERTISING out of it. It's spam advertising AV software and/or mail filters, plain and simple. It should be treated the same way as any other spam.

    --
    455fe10422ca29c4933f95052b792ab2
  8. Re:Check for valid source before notification by linuxwrangler · · Score: 3, Informative

    It won't. It was recently discussed to death on the Postfix mailing list. It's a nice idea and I encourage more such brainstorming but SPF breaks too many things.

    An easy example: mail forwarders. Lots of places like you@alumni.your.edu forward mail to your "real" account.

    Now let's say your ISP starts enforcing SPF. Your friend at AOL sends a message to you@alumni.your.edu which gets forwarded to you@yourisp.com. Your ISP's server notes that this message from someone at aol.com is being sent from a server other than one listed in AOL's spf list and rejects it.

    People have suggested workarounds like sender rewriting but each of those suggestions breaks something else. You really don't want to see all the problems it causes for mailing lists.

    For now, I'd settle for enforcing strict compliance with RFCs and good practice (helo must be a FQDN that can be forward and reverse dns matched with the connecting IP would be an excellent start - I can't believe how many large corporations can't get this one right).

    --

    ~~~~~~~
    "You are not remembered for doing what is expected of you." - Atul Chitnis
  9. Bouncing viruses by HTH+NE1 · · Score: 4, Interesting

    Are we certain that they are bounces and not just viruses pretending to be bounces? The pattern of the messages I've received suggest to me that the viruses are trying to conceal themselves (poorly) as bounce messages.

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  10. "Simple" solution? by srhuston · · Score: 3, Interesting

    As I've seen it, there's multiple camps for what to do with email bourne viruses. Those that say strip the attachment, and those that say can the whole thing. I have always belonged to the "can it" group, and Mydoom is a good example. Before our virus scanner started catching them, I got at least 5 emails about how a hacker must have broken into the email system, because they got this message returned to them that they didn't send, etc. If the mail had a virus in it, just can the message.

    Next, is what to do after you've tossed the mail: to notify or not to notify. Well, I'm the type that believes that *someone* should get a notification if an email is tossed (ie, mail should never disappear without some sort of DSN going somewhere). So in the case of non-mass-mailing viruses, I send a notice back to the sender telling them their mail was canned, and why.

    So my question to other mail admins (which I recently posed to the amavis-new list), is why not rely on the virus scanner's naming schemes? I use f-prot here, and all viruses that fake sender email addresses end with "@mm" (for Mass-Mailer). So I told amavis to not notify the sender if the virus name contains "@mm", but to notify the sender if it does not.

    Result? I've blocked over 8000 copies of Mydoom in the last 24 hours, and not sent a single mail to the "sender"s, but when one of the professors sent a mail out with a Word document attached that had a macro virus in it, he got a mail back saying the message was stopped and why.

    Simple, elegant... but why don't others do similar setups?

    --
    Three dits, four dits, two dits, dah!
    Radio, radio, rah rah rah!
  11. Re:Check for valid source before notification by Alizarin+Erythrosin · · Score: 3, Interesting

    And it doesn't even solve the problem of bouncing a virus infected email back to the person who is listed in the "from" address. Because with most new viruses, that person isn't the infected one most of the time.

    I think that's what the submitter is complaining about. Anti-virus solutions sending bounce messages for virus infected emails to the people in the "from".

    --
    There are only 10 kinds of people in this world... those who understand binary and those who don't
  12. Re:Report their virus bounce as spam!! by DrZaius · · Score: 3, Interesting

    And you are the reason that RBL's cause so much collateral damage.

    It's great that you are taking this political stand and sticking it to the virus scanner companies. I'm sure all the email admins out there make the logical jump that their virus scanner messages are causing their IP addresses to show up in RBL's. They'll all disable their virus bounce messages for you.

    Actually, now that I think about it, it's more likely that people will assume RBL's are useless and don't work. They'll probably complain to their peers and convince them that RBL's are unreliable.

    Way to go, jerk.

    --
    -- DrZaius - Minister of Sciences and Protector of the Faith