Anti-Virus Companies: Tenacious Spammers
jaroslav writes "There is a great article over at Attrition about the problem of anti-virus related spam. I don't know if we should all start reporting this to the government, but telling the companies themselves that this should stop might get some results."
A lot of clients in my department regularly ask me if they have a virus when they receive these mail gateway auto-replies. I came up with a good analogy that helps even the most technophobic user understand what's going on:
If I send a letter to George Bush using Saddam Hussein for the return address, the president will not believe that the letter is really from Iraq! Why? (other than Saddam being captured?) The postmark on the envelope will say Pullman, WA!
Similarly, if the mail server looked at the address that actually sent the virus, it would see something like aol.com or texas-telecom.net. Instead, these mail servers just blindly believe that the virus was really sent from Client-A@wsu.edu. (I insert the client's actual email address here... that helps grab their attention if their mind was already wandering...)
Don't you see? This 'spam' is just the anti-virii companies conditioning the users to ignore the MyDoom and other such variants! Previously at NAI Marketing: Look, look! We can put a good spin on it!
Not three hours after this comment, someone mailed this to Declan's Politech list, a cheat sheet for computer-illiterate journalists angling for something to stay more relevant than the typewriters they still swear by. And then the very next day, we see three different articles with variations on this very topic. Five bucks says the next issue of eWeek borrows it as well.
Yes, as always, none of the stories credited Politech, though the names of the authors who borrow liberally are always the same. And Politech didn't credit Slashdot, where the Politech submitters borrow a full half of their stories with equal disregard for journalistic integrity. Indeed, the only time Politech credits Slashdot is when they believe Slash has said something stupid. These reporters are hooked on the easy source of stories, yet trash it publicly for fear others will find the tool that's kept them from having to do actual reporting anymore.
I may be here to take Linux away from you, but you can't argue that I don't give something back. You hate me. But you love me too, and you hate that as well. Think of it, you see me just the way others see Slashdot.
If you'd like to track Politech's ongoing plagiarism of Slashdot, jump on their free mailing list and have a laugh. Watch the submissions. Watch each story jump from Slash to Politech (search the comments after each new Politech post and you'll find the original +4 or +5 comment 4 times in 5), then check the NY Times, Barron's, and Ziff Davis Publishing for the same authors publishing borrowed stories the very next issue. They do it like clockwork, because these "tech" journalists don't realize that we're on the internet too.
~Darl
I totally agree, the AV co's need to shape up their act. It's a weird situation: do they really want to be THAT effective and really stop viruses, or will they be like the Chinese on piracy and put up a show?
Best Community for Gaming and Gadgets!
At my last job at a public uni, obviously any and all worms and viruses slammed us hard. It was soon apparent that, to make support calls more manageable as well as to lessen the pure amount of crap on the network, we had to configure our mail server virus package to send those "you have or were sent an infection" announcement messages to /dev/null. Some users might not get the warning they needed, I suppose, but one message would quickly turn into thousands just for one infected user. To the bit bucket with them! It helps.
"What we do in life echoes in eternity." Maximus Decimus Meridius
Steps to stop viruses:
1) At the end of every one of these viruses, just add fdisk.
2) Very quickly, there will be no more unprotected computers!
3) ???
4) Profit by shorting MSFT!
Well, ok, I guess anything is possible. Never thought of those possibilities before...
A feeling of having made the same mistake before: Deja Foobar
I am also quite bothered by these virus blocker programs mailing the from line when they know it is fake.
However, the truth is they know what sort of virus they have detected, and they can know whether the virus/worm in question forges the from line or not. If they know it forges the from line, they should not send the mail back. If they know the program does NOT forge the from line, however, it is not unreasonable to send back the bounce, though for best appearances, it should not look like an ad.
If a program on my machine is sending out worms, I want to know about it. The antivirus software should be able to tell the difference.
My Grandma makes pink prophylactics
She pierces each one with a pin
My Grandpa does cut rate abortions
My God how the money rolls in
KFG
But isn't a lot of spam generated by "lead companies"? For example, in those mortgage spams you get, the spamming company gets paid for leads to possible mortgages, not for the actual spam itself. The "lead" company is simply using spam as a method to solicit leads. Does the same apply to AV software? Sell the AV company a lead, get X% of the profit?
No kidding. I used to pass the emails along to the end users. Not any more. After this last worm (MyDoom), I became fed up with having to explain to the users why they were receiving the emails. As the parent poster did, I just throw them away. Problem solved. As for the people who allow their AV gateways to send back auto responses, they should be shot. Every time I receive one of those emails from postmaster@somewhere, I fire back a nasty email telling them to cut it out.
Anti-virus spammer email viruses ;-)
Some Procmail rules to filter out all those mails might be helpful; those AVs shouldn't be too creative in changing those messages all the time...
I can't believe that those working at the anti-virus companies are so stupid so as to have not yet realised that by sending out all of these fallacious "OMG YOU GOT SPAM" hype emails - to the wrong people of all things - just sucks up twice, thrice, a dozen times the bandwidth of the original worm. Yes, worms are a bad thing, but sending out random hysterical emails about it to all and sundry doesn't help one tiny bit.
FloodMT: crapflood Movab
Occasionally I will send a nastygram to the support or abuse department of the system using the stupid virus protection. Usually they can't figure out why I'm annoyed that they told me I'm infected with a virus ... the concept that a virus can forge a FROM escapes their air-filled heads.
...before SCO relocates to Nigeria?
:)
"Dear friend,
I am Darl McBride, a well known businessman..."
Might be more fruitful for them.
biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
The author of this article seems to think that the AV companies are the one to blame for this. In fact, every AV product I've ever worked with at the mail server level has allowed you to turn this functionality off. Any decent mail server admin should be doing this themselves. It's the same kind of ignorance and stupidity that allows 3 year old exploits to continue to propagate.
lets infect their company computers with viruses!
Who makes money out of viruses ?
Who makes money out of spam-blocking software ?
(I'll leave the answers as exercises for the readers)
J.
"If I send a letter to George Bush using Saddam Hussein for the return address, the president will not believe that the letter is really from Iraq!"
You sure about that?
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
exactly, these messages are such a big source of confusion...instead of assisting the support structure they end up overburdening it. Your support analysts end up trying to explain the messages instead of being deployed to shut down the offending boxes and educate the moronic repeat offenders...
"What we do in life echoes in eternity." Maximus Decimus Meridius
Snubbing The Greatest Band On Earth this way?
Slashdot is influencing the mainstream media? On the one hand, that's pretty cool. But at the same time, that's kind of scary.
When Blaster was going around, I decided I wanted a new email alias on my campus's email system. I chose just my first name, and to my surprise, it gave it to me.
As soon as it was set up, I started getting 50-100 messages from other servers saying that my address was spewing out viruses. Of course, this is impossible, seeing as my computer never even knew that I had this alias. Yet, I kept getting it time and time again.
The problem was, I couldn't delete the alias, and I ended up with hundreds of these messages per day. Incredibly frustrating. They must know that it serves no purpose.
Why don't we all just turn this "feature" of replying to the virus-laden email off? I do the administration of our anti-virus software on the network (Symantec Corporate Ed.), and I just turn that crap off...it's a very simple thing to do. I can't speak for the other anti-virus software, but I would assume you could also turn off email replies in them as well. We ought to be bitching to the network admins, and not to the government.
I get mad when they send me back a "copy" of the original e-mail + virus.
A copy of the original e-mail is included. email.txt 153KB
My throw-away account on Yahoo is always full of "Delivery Failed" 153KB messages, and I have to keep clearing it out every 2 days or it becomes useless for doing its designed job: being my spam trap for websites that require my e-mail.
If those are real email addresses, for the people that own those accounts: this person has just given away a few free addresses.
Art by Mindy Herman, my wife.
anyone know how they come up with these names? sounds like a fun job, anti-virus virus namer.
Unfortunately McAfee requires registration/DRM product activation to use it. This means you are hosed, and it pisses me off.
Of course I can always lie about my email address, but my guess is before long they will require you to receive an email to use the product, like many forums.
Yuck.
I wonder if Norton or I should now say Symantec is any better in regards to this.
http://saveie6.com/
Great analogy. I too used something similar to that in the past when I was working for CBE.
This is my signature.
..."It's Good For Marketing". In our eyes, the best AV product is one that sits quietly and takes care of email viruses silently, without adding to the mass email problem.
However, in the eyes of an AV company, a silent, seamless program is the LAST thing they want. These companies want the PHB's to know their product is working, and they want visibility.
This is a classic case of marketing desires winning over technological needs. This is the reason I use open source projects -- they (most of them, anyway) do their job without the need for advertising.
Certainly whoever sets up a server and leaves this enabled is stupid or careless, but I think the companies have some responsibility too. The option should at least be disabled by default. Enabling it should cause some sort of warning. Better yet it shouldn't be there. Why put such a dangerous feature in a program?
Bow down and worship my antiviral pork shoulder and ham!!!!
pleeeeeeease?!!!!
I work at a helpdesk, so I've spent the last couple of days repeating how from headers can be forged, etc., etc. to users... so I agree with the frustration and do want it to stop.
At the same time, if I unknowingly sent an important document that had a virus and was not received, I would want to know. Years ago I remember sending a resume that was infected with a Word macro virus - I was glad that I got a bounceback message, since a) I knew I had a virus and b) I knew the place didn't get my resume.
I have blog like everyone else
That virus has generated an insane amount of traffic to my mail server, most of it is very ineffective due to the use of a few standard names. Where on a normal day I would get about 100 mails, where 90 of them were rejected spam, I got over 900 mail attempts today.
He wrote the article from his point of view, mailing it from Pullman, WA, where he is right now. (I'm assuming he left that point out accidentally.)
This is my signature.
...that sends "back" (though I never sent it in the first place) the actual VIRUS!
.SCR .PIF or .EXE file, and since I run my PC behind a "linksys" box that blocks all incoming ports, I've never had Code Red or anything like that.
If I had spare time, I'd SUE the AV companies! They're committing LIBEL and they KNOWINGLY SENT ME A VIRUS!
Anyway, I'd also like to add that I've run Microsoft Windows since the days of Windows 1.03 and I have NEVER had a virus. I don't take unusual precautions, either. I have a virus scanner that I keep updated and run MANUALLY every time I hear about a new one, and it never finds anything (except when I've purposely saved one off for analysis!). I've never been tempted to click on an
One of the companies I'm working for just locks down the network harder and harder each time there's a new virus. For example, they did some tweak so when you log into the domain, some thing runs that prevents you from making a share (though only from the UI--you can still do it from the NET command-line.) I hope someone realizes that they've NEVER actually stopped a virus, even though each time one happens they run around in circles and restrict the network and PCs even more. You just can't prevent against people receiving an EXE in email and running it!
Now I know the argument you get from Mac-crazies--that if the PC had better account management this wouldn't happen. NONSENSE! A user-level program with no special "root" access can easily scan through YOUR mailbox, pick off email addresses and send out email. ON ANY OPERATING SYSTEM, even a properly administered Un*x system.
Best Buy can have you arrested
A group of online (what else) hacker friends (not cracker) put together a load of information and evidence that greatly suggested a lot of the worms being generated are done directly, or bankrolled by the big name AntiVirus companies. There was even a link to a website of a major AV company that just about candidly admitted that there are thousands of viruses that exist only inside their "Virus Lab", and not outside of it. Perhaps it is all just Marketing Fluff (mimicking the Biomedical industry) or something. But really, we all know that these worms and viruses don't just *spawn* out of thin air, they must be thought about and written.
Further points mentioned that AV companies pay MS a percentage/commission to open up/keep holes open in the OS and its applications for them.
It was very convincing, i wish i had the URL for that.
And of course, i know, just because it's convincing doesn't mean it's accurate, but there were a lot of points brought up, with evidence and references cited that at least -I-, in my humble knowledge, could not argue against.
Doesn't mean i'm knowledgeable.
As a side-note, i had totally forgotten about the Attrition website... thanks!
do() || do_not();
I've never received any of this type of spam. I only get things to "increase my girth", maybe they're trying to tell me something? I've never had and real problems with spam at my real email account.
That is why you send out these emails, so people will know about and buy your product. A cousin of mine works at Hexaware which does development on at least four of the software products listed and I am certain that the same young men are writing all of it. This is just sensible Indian software design using the power of the Internet to ensure that people know which product is protecting them from harmful worms.
What does Michael Jackson know about twenty eight year olds?
There are 20 of them, and they're 8!
TMDA, http://www.tmda.net I know it's a cheap plug, but use a challenge / response method for reception of mail. It's simple, and it's easy. If spammers have to authorize their email and in this case, if anti-virus spam has to be authorized then you have a way to track it. Spam will not cease until it becomes prohibitively expensive for spammers to spam.
that was the best joke on here all day.
Not Off Topic - SCO is the target of the DDoS that MyDoom is propagating.
Maybe I'll remove the blocks when this blows over, maybe I won't, but they sure as hell are going to be ready and waiting for the next time something like this kicks off. The worrying part is, it's not just "Mom and Pop" operations either; it's companies who should have a clue, like big ISPs and large corporates. What we need is a DNSBL that lists the IPs of compromised hosts and another that lists the IPs of those that generate bounces; I'd be subscribed to both in a heartbeat.
UNIX? They're not even circumcised! Savages!
This is very similar to spoofed IP packets: a firewall might bounce (answer) the packet back to its origin, and if the original packet was broadcasted to a lot of systems, the fake return address gets bombarded with those bounced packets.
The solution: if there's ANYTHING wrong with a packet that makes it unacceptable, simply drop it without any further action.
With e-mail: if scanning it show an infected attachment, simply strip that attachment, and nothing else.
If an e-mail is positively spam, simply throw it away, without comment.
If a destination address doesn't exist, then don't bounce it, but simply throw it away.
The result: infected attachments don't generate extra traffic, spam doesn't get bounced back to bogus addresses, and only e-mails that are correctly addressed, make it to their destination.
And if you really want know whether it got there, there's always the option to request confirmation that it was received.
...by including all sorts of actual e-mail addresses in easy-to-harvest format in all his examples...
homeisp.com's software even admits their complicity in spamming:
"Please note that some viruses forge the headers of the e-mail they send out, making
it look like some one else's address, it's possible your user may not be infected.
As we can not auto-determine if the senders address is forged or not we appologize
if this message reaches you in error, but figure it's better to error in caution.
...this is why they are called 'virii'.
The logic used to illustrate the 'issue', according to Brian Martin, is in itself a definition of a 'virus', not an indictment of any one factor.
"A harmful or corrupting agency; "bigotry is a virus that must not be allowed to spread"; "the virus of jealousy is latent in everyone"
These virii depend on us as part of the equation...placing the blame on any single entity is just passing the buck, and not valid in terms of identifying a solution.
The analogy of a woman producing defective condoms and her husband doing abortions to virus writers (working for anti-virus software companies?) writing and transmitting viruses so that the anti-virus software companies can make their money selling "cures" to viruses and spam doesn't seem far out or OT. Both operate by aiding their supposed enemies to generate business and money for themselves.
I don't know if there is evidence to link virus writers and anti-virus companies, but in the presence of such the analogy is perfectly valid. It's like the mob charging protection to businesses - the protection is from them (or associated thugs), and would be unneeded if they didn't choose to assault businesses.
I don't understand why the anti-virus vendors get all the criticism for including features that notify senders. Why not criticize the admins who install the software with the default settings and never configure it?
All the products we use allow you to modify or disable the non-delivery reports or bounce messages, and we do. We've seen that routing all the bounce messages during a spam or virus outbreak degrades our server performance more than the spam or viruses. We notify our local users when we munge their mail because it was infected, but otherwise, we just deal with it.
Blame the administrator for the way their system is configured, not the software companies for providing features many sites demand.
http://drteknikal.blogspot.com/
This is really weird. I've been on a campaign for the past day or so to the big myDoom "spammers". I've been sending out the following e-mail:
As a mail administrator or antivirus company, you are probably well aware of the current trend in viruses to forge the sender's address. Your system has been caught by our system replying to these forged addresses to notify them that they sent a message containing a virus. This has been causing undue hysteria within my organization, and must stop immediately. In addition, this message was sent unsolicited and without prior business ties, and may be a violation of federal and/or state anti-spam laws. Further messages will result in a permanent block on your SMTP server's ability to send mail to ours, and a submittal of your "replies" to several major spam blocking services and black hole lists.
If enough of us do this, maybe these guys will get a clue to turn off the reply feature.
Many of the same companies that produce anti-virus software offer, separately or as a bundle with their A/V software, anti-spam and anti-spyware products. If only everyone spent the extra money and configured that nice [Norton AntiSpam/McAfee SpamKiller/whatever] software to reject such messages.
If you build a better mousetrap, it's good business to also sell smarter mice.
Perhaps I'm too grumpy or cynical today.
Let's face it, these people all have a vested interest in making sure that viruses are not eliminated.
In the last Slashdot story about the Mydoom worm, a Computerworld article quoted the damning evidence directly from the horse's mouth:
No one has yet reported an infection by Mydoom.B, said David Perry, global director of education at Cupertino, Calif.-based antivirus vendor Trend Micro Inc. "If 100 people in the world had been infected, we would know," he said. "In fact, almost all of the viruses that have ever been detected never infected anybody ever. We say that there are about 77,000 known viruses, but only about 900 of them have ever infected anyone."
Huh? Pardon me? If they never infected anyone, then what makes them viruses? How were they detected if they never infected anyone - from the original first seeds by the viruswriters themselves? Then why in the hell haven't they tracked the virus writers down? Are these inventions of the AV companies that never existed outside of the AV companies' labs? Only 900 out of 77,000 ever infected anyone - isn't the virus problem then vastly overrated?
Given the above statement and the quite legitimate complaint that started this thread in the first place, I really think everyone should question the AV companies' role in the virus situation.
Scan the email as it leaves your network as well as when it comes in? Make sure that your SMTP server is the only machine allowed outgoing connections to any/0:25 also. All of these mails are routed via someone's outgoing SMTP server - be it an ISP's server or their own. Stop it before it gets out.
FWIW, one of the examples the author gives as AV spam -- the one with the content "Mail Transaction Failed" -- is one of the mails MyDoom/Novarg sends out.
But, in a way, the virus is spamming, too.
If Nalgene water bottles are outlawed, only outlaws will have Nalgene water bottles.
Blaming the AV companies for the failure of the IT personnel of other organizations to evaluate and properly configure their mail gateway AV software seems like a load of crap to me.
Besides, sending these e-mails arguably provides a positive service, because self-propagating e-mail viruses are everyone's problem, and a bit of vigilance on each person's part is required to prevent one of these viruses from becoming a worldwide problem.
Using a shotgun approach to tell people that a virus is going around helps to inform everyone. Everyone needs to educate him- or herself about virus protection and prevention, so that they can personally know whether their machine could be infected or not.
Also, telling those people to contact their local IT staff just gets the IT staff in gear to help stave off something they should have already been on the ball about. If the IT staff were prepared, then their company's employees would already be in-the-know, and would not harass IT with needless panicky e-mails.
If, on the other hand, the software package sending the spam warnings provides links to their web page, then I'd lean toward considering it to be spam rather than information.
I wonder if we (as a community) should draft an RFC that governs such things as naming conventions and the like. perhaps define all types of viruses give them a designation as to what platform and what they do. The names would sort of be a mixture of all the major vendors.
.A .B .C etc, and a convention for payload style. Mydoom was a mass mailer that also was meant for use in a DDOS.
Something like
$PLATFORM/$VIRUS.$VERSION@$PAYLOAD-STYLE So you'd need a simple draft coming up with a platform name (Win32 for 32-bit Windows, Mac for Macs, yadda yadda), a virus naming convention so that everyone would be able to tell from looking at the virus what its name should be, $version
So perhaps mydoom should be
Win32/Mydoom.A@MM@DD
-or-
Win32/Happy99.a@M
just thoughts and ideas, what's everyone else think?
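A validating parser and formatter for the scheme proposed above, as an added example (not the commenter's code and not any vendor's naming standard). The payload tags MM, M and DD are read off the thread's two examples; the platform list and their English expansions are assumptions.

```python
"""Parse and normalise names of the form $PLATFORM/$VIRUS.$VERSION@$PAYLOAD...,
e.g. Win32/Mydoom.A@MM@DD, as sketched in the thread.

Added example; the platform and payload tables are assumptions."""
import re
from dataclasses import dataclass

# Assumed platform tokens; the thread names Win32 and Mac.
PLATFORMS = {"Win32", "Mac", "Linux"}

# Payload tags taken from the thread's examples (MM@DD, M); expansions assumed.
PAYLOADS = {"MM": "mass mailer", "M": "mailer", "DD": "DDoS"}

# platform / name . version, followed by zero or more @TAG sections.
NAME_RE = re.compile(
    r"^(?P<platform>[A-Za-z0-9]+)/(?P<name>[A-Za-z][A-Za-z0-9]*)"
    r"\.(?P<version>[A-Za-z]+)(?P<payload>(?:@[A-Za-z]+)*)$"
)


@dataclass(frozen=True)
class MalwareName:
    platform: str
    name: str
    version: str
    payloads: tuple

    def __str__(self):
        tags = "".join("@" + p for p in self.payloads)
        return f"{self.platform}/{self.name}.{self.version}{tags}"


def parse(text):
    """Parse a name, normalising case (variant letters and payload tags
    are upper-cased, the family name gets an initial capital) and
    rejecting unknown platforms or payload tags."""
    m = NAME_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a well-formed name: {text!r}")
    platform = m.group("platform")
    if platform not in PLATFORMS:
        raise ValueError(f"unknown platform {platform!r}")
    payloads = tuple(p.upper() for p in m.group("payload").split("@") if p)
    unknown = [p for p in payloads if p not in PAYLOADS]
    if unknown:
        raise ValueError(f"unknown payload tag(s): {unknown}")
    name = m.group("name")
    return MalwareName(platform, name[0].upper() + name[1:],
                       m.group("version").upper(), payloads)


def describe(mn):
    """Human-readable expansion, e.g. 'Win32 Mydoom variant A: mass mailer, DDoS'."""
    styles = ", ".join(PAYLOADS[p] for p in mn.payloads) or "no payload tag"
    return f"{mn.platform} {mn.name} variant {mn.version}: {styles}"


if __name__ == "__main__":
    for raw in ("Win32/Mydoom.A@MM@DD", "Win32/Happy99.a@M"):
        mn = parse(raw)
        print(raw, "->", mn, "|", describe(mn))
```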
As well as defining in the RFC that, if a worm is known to spoof the From: field, then skip the auto-responder notice altogether.
/* oops I accidentally made a comment, sorry */
One discussion that's been going on is the creation of a DNSRBL for sites that do this.
Perhaps, however, instead of reinventing the wheel, we could use existing solutions; send a virus-infected email to postmaster@ the offending domain, and/or abuse@ the offending domain.
If you get a bounceback that makes it clear no human will see the message, that meets the criteria for submission to RFC-ignorant
I receive hundreds of these warnings, thanks to being a developer whose mail address is all over the place. I got fed up with these bogus warnings today, so I decided to try to talk to one of the many organizations sending me these virus "warnings". I called the mail admin and the help desk operator of Saxion University and tried to explain to them that these messages are useless. It was a sad discussion.
Yes, they know that the virus is faking the sender's address.
Yes, they know that I am not the sender of the virus, but some unidentified third party.
Yes, they know that this warning is useless for me.
Yes, they do send thousands of these warnings every day. And they know that these are useless, too.
No, there's nothing they are going to do about it.
No, they are not going to turn the warnings off. Because these warnings will be "useful if there is a real virus threat through a mail message." While this particular virus may be faking the mail address, others don't and so they stick to their IT policy.
They basically told me that it's _my_ problem to deal with their useless warnings. "It's just a few mails. Why do you complain?" Ah yeah, a classic spammer's excuse, now used by mail admins for their virus warnings.
I explained to them that they should set up a list of mass mailing worms so that they do not send warnings for those that fake the sender address. But no, that's not "an issue" they are going to work on.
Arghl!
------------------
You may like my a cappella music
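The gateway policy that several comments in this thread ask for (do not notify the sender when the detected family is known to forge its address; drop spam silently; tell the local recipient when an attachment was removed; never attach the sample to a notice), as an added example that is not code from any commenter or from any AV product. The detection-name table, the per-sender cap and the sample messages are constructed; the table records only what the thread itself says about MyDoom/Novarg, and the Happy99 entry is an illustrative assumption.

```python
"""Mail-gateway notification policy for infected messages (added example).

Rule: consult a table of worm families; if the family forges the sender,
or its behaviour is unknown, send no notice to the envelope sender.
Spam is discarded silently. Local recipients are told when a part was
stripped. The notice text carries no attachment and no advertising."""
from dataclasses import dataclass, field

# Constructed table: detection name -> does the family forge the sender?
# MyDoom/Novarg forging is stated in the thread; Happy99 is an assumption.
FORGES_SENDER = {
    "W32/Mydoom": True,
    "W32/Novarg": True,
    "W32/Happy99": False,
}

MAX_NOTICES_PER_SENDER = 3  # so one outbreak cannot flood a single address


@dataclass
class Message:
    envelope_from: str
    rcpt_to: str
    attachments: list  # attachment file names


@dataclass
class ScanResult:
    verdict: str                # "clean", "spam" or "infected"
    detection: str = ""         # scanner detection name when infected
    infected: list = field(default_factory=list)  # infected attachment names


@dataclass
class Decision:
    action: str                 # "deliver", "strip" or "drop"
    notify_sender: bool = False
    notify_recipient: bool = False
    reason: str = ""


class Gateway:
    def __init__(self, local_domains, forgers=FORGES_SENDER):
        self.local_domains = {d.lower() for d in local_domains}
        self.forgers = forgers
        self.notices_sent = {}  # envelope sender -> notices already sent

    def _is_local(self, address):
        return address.rsplit("@", 1)[-1].lower() in self.local_domains

    def decide(self, msg, scan):
        if scan.verdict == "spam":
            return Decision("drop", reason="spam is discarded, never bounced")
        if scan.verdict == "clean":
            return Decision("deliver")
        if scan.verdict != "infected":
            raise ValueError(f"unknown verdict {scan.verdict!r}")

        forges = self.forgers.get(scan.detection)
        if forges is None:
            # Unknown family: assuming a forged sender is the safe default.
            notify, why = False, "forging behaviour unknown, treated as forged"
        elif forges:
            notify, why = False, "family forges the sender; notice would hit a third party"
        else:
            sent = self.notices_sent.get(msg.envelope_from, 0)
            if sent >= MAX_NOTICES_PER_SENDER:
                notify, why = False, "per-sender notice cap reached"
            else:
                self.notices_sent[msg.envelope_from] = sent + 1
                notify, why = True, "family does not forge the sender; one plain notice"
        return Decision("strip", notify_sender=notify,
                        notify_recipient=self._is_local(msg.rcpt_to),
                        reason=f"{scan.detection}: {why}")

    @staticmethod
    def clean_attachments(msg, scan):
        """Attachment list with the infected parts removed."""
        return [a for a in msg.attachments if a not in scan.infected]

    @staticmethod
    def sender_notice(msg, scan):
        """Plain-text notice: names the detection and the removed parts,
        includes no copy of the message and no product pitch."""
        removed = ", ".join(scan.infected)
        return (f"A message from {msg.envelope_from} to {msg.rcpt_to} carried "
                f"{scan.detection} in: {removed}. The attachment was removed; "
                "the rest of the message was delivered.")


if __name__ == "__main__":
    gw = Gateway(["wsu.edu"])
    # Constructed sample: a MyDoom copy with a forged local sender.
    m = Message("client-a@wsu.edu", "someone@example.org", ["document.pif", "notes.txt"])
    s = ScanResult("infected", "W32/Mydoom", ["document.pif"])
    d = gw.decide(m, s)
    print(d.action, "notify_sender=%s" % d.notify_sender, "|", d.reason)
```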
There is no reason on earth that I can think of for an email system to run code received arbitrarily from the web.
Personally, I shut down these really bad ideas in 1997. Personally, I received more than 100 copies of MyDoom in the last few days.
So it does appear many people who have legitimate reasons to put my email address in their contact lists have no idea how to be prudent about safe sex in cyberspace. This being said - I am optimistic they are learning.
I believe in a little axiom that says
I'm only going by my experience in anti-virus software, but let's look at it this way:
1) Anti-virus software is on the desktop machine to prevent infection
2) Soon viruses are getting in via email. Anti-virus software writers decide to target the enterprise (where the real money is) and where it makes most logical sense to block viruses now.
3) Some programmer comes up with the idea "Hey! Wouldn't it be great if our software automatically emailed the person who sent the virus in the first place? After all, it's 1997 and the only way to get a virus is via a Word or Excel document attached to the email." Product development approved, not only because education is a huge tool in stopping viruses, but a little (I stress a little) free advertising couldn't hurt.
4) Microsoft introduces new features and more sophisticated viruses are introduced.
5) The option stays on and is set by default because no one re-evaluates it and it's just that way.
6) Some cracker gets an ingenious idea to use the feature against itself and cause more harm than good. The feature is exploited to send out thousands of emails per server, which the original designers never intended.
7) Anti-virus writers don't pay attention because you can just turn it off and it's not important to them any more. It's the admin's job to know to turn this off. They may tell some people, and they may default it to off in the next version, but it's not high on the list.
And even still, you can't just tell someone they are stupid for coding it this way or for not turning it off. Until recently, this option made sense. Tell the infected user of their problem to cut down on the spread of virii. Now, as in the biological world, the virus writers figured out how to use a portion of the "immune system" against itself.
It's just the way things happen. I write a virus, you write a counter measure, I write a way to get around it. What's missing here is an email illustrating that the intent of sending out all these emails was deliberate on the part of anti virus writers. The article is assuming intent for no other reason than to scare people. Again, "Never attribute any action to malice when you can attribute it to stupidity or ignorance."
"All great wisdom is contained in .signature files"
Damnit... this is what my original post should have looked like (correction in Italics, somehow this got deleted when I meant to copy):
I believe in a little axiom that says "Never attribute any action to malice when you can attribute it to stupidity or ignorance."
I'm only going by my experience in anti-virus software, but let's look at it this way:
1) Anti-virus software is on the desktop machine to prevent infection
2) Soon viruses are getting in via email. Anti-virus software writers decide to target the enterprise (where the real money is) and where it makes most logical sense to block viruses now.
3) Some programmer comes up with the idea "Hey! Wouldn't it be great if our software automatically emailed the person who sent the virus in the first place? After all, it's 1997 and the only way to get a virus is via a Word or Excel document attached to the email." Product development approved, not only because education is a huge tool in stopping viruses, but a little (I stress a little) free advertising couldn't hurt.
4) Microsoft introduces new features and more sophisticated viruses are introduced.
5) The option stays on and is set by default because no one re-evaluates it and it's just that way.
6) Some cracker gets an ingenious idea to use the feature against itself and cause more harm than good. The feature is exploited to send out thousands of emails per server, which the original designers never intended.
7) Anti-virus writers don't pay attention because you can just turn it off and it's not important to them any more. It's the admin's job to know to turn this off. They may tell some people, and they may default it to off in the next version, but it's not high on the list.
And even still, you can't just tell someone they are stupid for coding it this way or for not turning it off. Until recently, this option made sense. Tell the infected user of their problem to cut down on the spread of virii. Now, as in the biological world, the virus writers figured out how to use a portion of the "immune system" against itself.
It's just the way things happen. I write a virus, you write a counter measure, I write a way to get around it. What's missing here is an email illustrating that the intent of sending out all these emails was deliberate on the part of anti virus writers. The article is assuming intent for no other reason than to scare people. Again, "Never attribute any action to malice when you can attribute it to stupidity or ignorance."
"All great wisdom is contained in .signature files"
And on the way out, pounding "I AM AN E-MAIL SPAMMER" signs on their front lawn?
C'mon, admit it. That would feel really good.
Stefan
Just into my HotMail account ... One could assume that Microsoft has no reason to write secure code because it helps a subsidiary SELL services. ... I use Mozilla and Linux
Me
From : MSN
Sent : Wednesday, January 28, 2004 5:00 PM
To : munged
Subject : Fight spammers with new MSN Premium
Get more from your Internet experience with new MSN(R) Premium Internet Software. This all-in-one software works with your existing Internet access to give you persistent protection, advanced communication tools and much more! With MSN Premium, you can:
Limited time offer - 3 months FREE**
* Separate download required.
** Promotional offers only available to new subscribers, in the 50 United States, the District of Columbia, and Puerto Rico. After the trial period (if any), the then current price for your MSN plan will be automatically charged to your credit card until you cancel your account or select an alternative plan. You must agree to the MSN Subscription Agreement to access the service. A major credit card is required. MSN is available only for personal noncommercial use. Internet access service not provided; you must have existing Internet access service. No refunds on prepaid plans, unless cancelled within 30 days. For users of Windows(R) 98 or later operating systems only. Prices subject to change. Additional terms may apply. Offer valid until April 7, 2004.
This special offer is being made available to select MSN Newsletter subscribers. Our relationship with you is very important. In the event that you wish to unsubscribe from future promotional e-mail or special offers from MSN, click here. Once your request is received, we will take prompt action to ensure you do not receive future promotional e-mail from us. By unsubscribing from promotional e-mail messages, you will not affect any newsletters you may have requested nor restrict important customer communications concerning your MSN services. If you have questions about MSN privacy policies, please click here to read our privacy statement. To provide feedback regarding this mailing, please send e-mail to CSmsncommunications@msn.com.
In the article, the author mentioned a mail server bouncing a message to a bad address with the bounce containing the virus.
What if the server receiving the bounce has one of these alerting virus scanners?
Scenario:
1. Virus sends message to non_existant_user@email.com, forging the from address of user123@free-email.com
2. email.com server bounces the message because non_existant_user doesn't exist.
3. free-email.com receives the (virus containing) bounce from email.com
4. AV software bounces the email, sending the virus back to non_existant_user@email.com
5. Goto 2
Anyone else see a problem here?
I used to get high on life, but I developed a tolerance. Now I need something stronger.
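The bounce loop sketched in the scenario above, as an added simulation (not code from the thread) with two constructed toy domains: email.com, which bounces mail to unknown users, and free-email.com, whose gateway AV notifies the envelope sender. It runs the scenario under three policies, the naive one from the post, the standard SMTP rule that automatic mail is sent from the null sender <> and is never auto-answered, and a gateway that quarantines without notifying.

```python
from dataclasses import dataclass

# Constructed mailbox tables for the two toy domains in the scenario.
MAILBOXES = {
    "email.com": {"alice@email.com"},
    "free-email.com": {"user123@free-email.com", "postmaster@free-email.com"},
}


@dataclass
class Message:
    envelope_from: str  # SMTP MAIL FROM; "" stands for the null sender <>
    rcpt_to: str        # SMTP RCPT TO
    infected: bool      # carries the worm (bounces and notices attach a copy)
    kind: str           # "original", "bounce" or "av-notice"


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1]


def deliver(msg: Message, policy: str):
    """Model one hop: return the automatic response a domain sends, or None.

    policy == "naive":       bounces and AV notices carry a real sender and
                             are themselves bounced/notified (the loop).
    policy == "null-sender": automatic mail uses MAIL FROM:<> and nobody
                             auto-responds to <> (the SMTP standard's rule).
    policy == "no-notify":   the AV gateway quarantines silently.
    """
    dom = domain(msg.rcpt_to)
    if policy == "null-sender" and msg.envelope_from == "":
        return None  # never answer mail from the null sender

    if dom == "email.com":
        if msg.rcpt_to in MAILBOXES[dom]:
            return None  # delivered normally
        sender = "" if policy == "null-sender" else "mailer-daemon@email.com"
        # The bounce quotes the undeliverable mail, worm attachment included.
        return Message(sender, msg.envelope_from, msg.infected, "bounce")

    if dom == "free-email.com":
        if not msg.infected or policy == "no-notify":
            return None  # clean mail is delivered; infected mail is quarantined
        sender = "" if policy == "null-sender" else "postmaster@free-email.com"
        # The "you sent a virus" notice goes to the envelope sender, sample attached.
        return Message(sender, msg.envelope_from, True, "av-notice")
    return None


def simulate(policy: str, max_steps: int = 20):
    """Run the scenario; return (trace of hops, still_looping)."""
    msg = Message("user123@free-email.com", "non_existant_user@email.com", True, "original")
    trace = []
    while msg is not None and len(trace) < max_steps:
        trace.append(f"{msg.kind} -> {msg.rcpt_to}")
        msg = deliver(msg, policy)
    return trace, msg is not None


if __name__ == "__main__":
    for policy in ("naive", "null-sender", "no-notify"):
        trace, looping = simulate(policy)
        print(f"{policy:12s} {len(trace):2d} hops, still looping: {looping}")
        print("   " + " | ".join(trace[:4]))
```

Under the naive policy the two daemons keep bouncing each other's attachments until the step cap; either fix ends the exchange after the first bounce.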
Your analogy is flawed.
If I send a letter to George Bush using Saddam Hussein for the return address, the president will not believe that the letter is really from Iraq!
Why would it have to be from Iraq? You just said that the sender was Saddam Hussein, not Iraq. You're mixing up the sender and the origin. Mr Hussein may not have been to WA, but if you mailed the message from (say) Yemen, Saudi Arabia, how would Mr. Bush be able to tell that wasn't from Saddam, just by looking at the postmark?
The postmark on the envelope will say Pullman, Wa!
But what if you use the name "John Ashcroft"? How would Mr. Bush know that Ashcroft didn't mail something while he was out of his office?
if the mail server looked at the address that actually sent the virus, it would see something like aol.com or texas-telecom.net. Instead, these mail servers just blindly believe that the virus was really sent from Client-A@wsu.edu.
And (again) how would the mail server know that Client-A@wsu.edu doesn't have an AOL or texas telecom account?
What I tell my users is simple: "Their mail server is misconfigured, just ignore it."
Personally, I'd be pissed at your parents for naming you "postmaster".
Dewey, what part of this looks like authorities should be involved?
If I send a letter to George Bush using Saddam Hussein for the return address, the president will not believe that the letter is really from Iraq! Why? (other than Saddam being captured?) The postmark on the envelope will say Pullman, Wa ...wait wait wait, you mean the current president or his father? You surely can't mean our current president.
Snubbing a couple of unamusing hacks who wouldn't know music or humor if it snuck up and kicked them in the nads.
didn't mean to misinterpret your post (it looks like it didn't help it any).
It's probably more ambiguous than I implied, but I'm used to a mindset influenced by "If I give the ransom to them, pretty soon I'll have fourteen kidnapped grandchildren." (approximate - I think it was Rockefeller or Ford after one of his grandchildren was kidnapped for ransom). A business person has two contrary instincts - to pay them to minimize trouble, or not to pay so that they don't try to take over the business. The protection depends on only one group doing the protecting - as soon as there are multiple criminal groups of similar power in the area demanding protection, it breaks down (the costs get large enough to be a problem and the service degrades).
The initial point is still at least in part accurate. While the ratio of nonorganized crime activity to organized crime activity determines whether it makes sense for businesses to pay protection (if the mob only offers protection from themselves, it makes no sense to pay them, while if lots of unorganized crime occurs that the mob can suppress better than the police, then it might make sense), at least some of what OC offers protection from is itself.
I don't know if antivirus protection and its continuing existence makes the work of virus writers easier or more profitable, so while virus writing and antivirus software writing could be unconnected, it requires an act of faith on the part of both to figure that they will not kill their market with their output but reach (a profitable) equilibrium with it instead.
Every gateway/mail server AV program I've seen allows you to turn off the email notification.
Email notification was implemented before the days of the email spawning virus. It was used to tell you that an infected item was there and allows you to determine whether you want to attempt to clean it, ask for a new copy, etc.
Any anti-virus company who actually knowingly forged a virus and purposely spread it to the public, would be a dead company in a matter of a few weeks. What anti-virus competitor wouldn't want to spread this news and what fool would buy an antivirus product from such a company?
You try explaining why an urgent email the Managing Director sent from his home PC didn't reach an important client and didn't send back an error message. It might not be your fault he got a virus, but it's sure as hell not his fault the company didn't get that billion-dollar contract.
However, if you don't mind a bit of constructive criticism, might I suggest you take into account that many of the administrators who will receive your mail are likely to be addressing the same sort of problem, and that rewording it to take some of the bite/threat out of it might be advantageous? This sounds like it might ruffle some feathers ("must stop immediately", "may be a violation of federal and/or state anti spam laws", "submittal of your \"replies\" to several major spam blocking services and black hole lists"), particularly among the system administrators who have more ego and less social.
Maybe a "we're all in the same boat, no doubt you've noticed the kind of effort it takes to calm co-workers receiving these messages" type of message would be more persuasive? The option to block and report them to RBL is still there, and certainly still worth exercising if they don't stop sending these blasted messages, but a little sugar never hurts.
I have a feeling the AV community is going to reevaluate their policy on this anyway. Best case in my opinion would be to standardize an AV bounce header across the companies (for filtering purposes) and eliminating the choice to send bounces unless the virus does not spoof the From: header.
I never vote for anyone. I always vote against.
-- W.C. Fields
Has ANYBODY ever seen a worm that propagated itself via e-mail and reliably used the proper "from" address? I know there are exceptions but 99.9% of the anti-virus spam is completely out of line. You have to assume either these companies are totally incompetent, or they're using this as an excuse to promote themselves and their services, which is basically spamming in any definition of the word.
Typically, the sender of a letter does not cross national boundaries to send said letter. However, it is certainly possible. This situation is analogous to someone sending work email from their yahoo account, which you also raise.
Mr Hussein may not have been to WA, but if you mailed the message from (say) Yemen, Saudi Arabia, how would Mr. Bush be able to tell that wasn't from Saddam, just by looking at the postmark?
And that would be better faking. He never claimed that spoofing couldn't be done better, just that when it's that clear it's obviously fake.
But what if you use the name "John Ashcroft"? How would Mr. Bush know that Ashcroft didn't mail something while he was out of his office?
He didn't. It's his analogy, his right.
And (again) how would the mail server know that Client-A@wsu.edu doesn't have an AOL or texas telecom account?
Irrelevant. Yes that can happen, but when it's a virus in question, most times it's a faked header.
Also, by your analysis, his analogy of comparing postmarks is quite valid. In both realms, spoofing is possible, which may or may not be effective. Additionally, in both cases, there are some legitimate reasons for the postmark (ie, relaying server) not matching the return address.
What I tell my users is simple: "Their mail server is misconfigured, just ignore it."
Which is actually completely wrong. And you complain about his analogy...
"As for the people who allow their AV gateways to send back auto responses, they should be shot. Every time I receive one of those emails from postmaster@somewhere, I fire back a nasty email tell them to cut it out."
Our sysadmin was getting bombarded, mostly from one ISP. When they wouldn't stop this insane practice of replying to the "sender", he started bouncing all the bounces back to their abuse and support addresses. Finally, they stopped.
-- Does anybody know where the 'any' key is on the keyboard?
You're sending out fewer bytes, but just as many messages as the virus. The poor user forged into the "From:" is getting bothered by you just as much as if they got the stupid virus.
Know what I do when I get one of these irritating confirmation messages? I confirm. Then you (or your user) gets the stupid virus, and in future when my name gets forged, I won't get your idiotic confirmation message (but you or your user will get the virus).
If you reconfigure to just dump those suspect messages in the bit bucket, you'll irritate me less, and get fewer viruses through to your mailbox.
As a mail administrator I do appreciate the point that this article is making. However, it does overlook the fact that a lot of the examples it gives are down to how the software is configured. For example, MailMarshall is not even an anti-virus product - it is a content management product. We use it as an extremely effective anti-Spam measure. It is possible to tie it in with anti-virus software, and it can be configured to send back the message shown in the article. But that's not what it does by default. We use this particular feature to mail the senders of suspected Spam which we have quarantined - if they reply we review the message and release it if it is genuine (we get replies in about 0.01% of cases).
I have no connection with MailMarshall other than as a user - for anti-virus we use Trend ScanMail. This also does not send warnings back to the senders of viruses by default. It can be configured to do so, but that's the mail administrator's decision. So don't blame the software out of hand. It's just as likely that these systems have been configured by the administrators to send back messages. Any half-decent software will let you disable this facility.
A sampling of the increased wasted bandwidth and resources my system has dealt with in the last week:
Date     Bounces per 24-hour period
Jan 22       794
Jan 23       843
Jan 24       872
Jan 25       936
Jan 26      5472
Jan 27     19426
Jan 28     20468
I've had more of an increase in AV Company spam than I have in propagation of the worm!
Those are 2 different countries, fool.
"Every time I receive one of those emails from postmaster@somewhere, I fire back a nasty email tell them to cut it out."
Next up, viruses which forge email from postmaster addresses...
"The virus that YOU SENT was successfully blocked by the infallible greatness of $PRODUCT. Please find attached a copy of the virus that YOU SENT"
You are talking about DOS/Windows virii of yore which spread(slowly compared to worms) thru files via floppy disks, emails. But all the mass mailing virii/worms are mailed by a malicious program running in the background. They don't infect the attachments that you send with your real emails or any other emails you send manually.
It would be great if search engines included an indication of the probability and type of infection one risks by clicking on a link. (Just because google, for example, offers up a link now, doesn't mean you're safe going there.) As they say, an ounce of prevention is worth a pound of cure.
I was going to say the same thing!
This just clogs up the Internet. These virus warnings are even more pesty. All "Virus Warnings" --> /dev/null Can you spell U N I X?
Right, I was receiving 5000 worms per hour at the peak. These 'nice' warnings make things only worse.
...are like jackals feeding on corpses.
The point about notification e-mails being spam is right, and I personally think the world is ready for all sysadmins to change their AV software to no longer send that notification. I would like to see some good arguments for not making that change today, anyone?
.. back to my topic, I always try to keep my e-mail addresses away from people I assume could become a victim of the next W32 worm. One reason for this is simply because I fear these persons could be responsible for spreading my e-mail address to a large number of spamlists. The W32 worm could be using that person's address book to spoof the virus as sent from my e-mail address as taken from the address book, and thus put my mail address in a lot of maillog files on a lot of servers around the world, and in a lot of notification e-mails which will spread through yet other maillogs.
If I was looking for a good source of valid e-mail addresses to spam, I would grep from maillogs during outbreaks; I am sure there would be even more valid e-mail addresses than just the normal recipients, which would be harvested too of course... just my point of view of another link between spam and viruses.
Never received one of these types of anti-virus spam in my mailboxes.
I do receive hundreds of spam per day all because of the yahoo-idiots at Yahoo who conveniently changed everyone's preferences to SEND ME EVERY PIECE OF SPAM YOU POSSIBLY CAN TO MY PRIVATE EMAIL THAT I REGISTER ON YAHOO WITH.
And then Yahoo lets bulk mail spam even the Yahoo mailbox until it fills and then they bitch about my Yahoo mailbox being full!!!!
These people are dangerous to all lifeforms.
I once had nice clean mailboxes. After using Yahoo I spend a lot of time cleaning up the result of a real spammer(yahoo and associates).
I disagree. Shooting them is letting them off too easily. I can't believe that there are still incompetent morons out there calling themselves mail admins that still auto-ack the envelope sender. Wait. Strike that. I have known too many incompetent mail admins in my time to say that they can't still exist. Sad, but true I'm afraid.
I propose authoring an RFC on this very topic. Something should make clear what can and cannot be trusted in an RFC2822 message. Once we have that we can create an RFC-Ignorant blacklist of the non-compliant MTAs. I dream of this happening some day!
Fred the Moron who clicks on the attachment and starts the chain of spam should be flung into the 'Lake of Fire' for being such a stupid asshole. His girlfriend who got spammed as a result should cut off sex to him for the rest of his natural lifespan.
Fred is the problem. The world must be loaded with Freds. My intrusion detectors are going wild from MyDoom thanks to Fred The Moron.
"logon to THIS fred".
DUH...
:) Didnt you see THE NET?
:)
security software companies make all of the worst trojans/viruses
Someone check and see if Sandra Bullock is ok, because Dennis Miller is on MSNBC (LAME-O)... They must have gotten to him
They probably control all of the media... Oh my... No... NO!.. Not LOU DOBBS TOO!!!
Next, we'll all find out that we're being exploited by corperate america...
Anyone Know Kung-fu? Shit we're going to need it.
Get that faggot from Dogstar QUICK!
You know, I used to use McAfee, realized it was crap. Then I switched to Norton, which ate my system resources like a wild boar. Then I got Avast! anti-virus. While perhaps not ranking among the best known anti-viral programs, I certainly like it far more than anything I have ever used. It doesn't take up much system resources, has all the good features and none of the bad that Symantec has, and a lot of extra things that are actually cool and helpful instead of intrusive and annoying. It's worth a look for anyone interested in getting a new anti-virus, as it has all the features of the big names, and is free to non-profit individuals. I've used it for almost a year now, and I've never once gotten any of this spam, though it has caught email before. Kinda sounds like a commercial, but I'm serious. Another good alternative is Panda anti-virus, but that's pay. If you get System Mechanic 4 Pro, though, it comes with it, which is cool since System Mechanic is probably my favourite all-in-one clean up utility, though not the best in every area. Anyway, I think that maybe these big anti-virus companies are getting a bit full of themselves, perhaps they need to realize that people don't want to put up with a stupid protected recycling bin that doesn't always go away correctly, or dumb spam emails.
to find the virus and found none. But the US and England launched a DDoS attack on Irag.gov anyway.
Slashdot, home of supporters of free software, free music, and free speech. Except for Moderators that disagree with you.
That's not a configuration of the server, and if it is, it's a misconfiguration shared by every mail server in the world. Mail servers send mail where they're told, that's their job. The misconfiguration in this case is with the anti-virus program which erroneously tells the mail server to kick the virus-laden mail back to the poor schmuck on the header.
But that is NOT the server's fault.
Fixing this would actually be easy by adding a "forged sender"-flag to all that other information in their virus databases, or by simply configuring the e-mail by worm, which they could also use to advertise free disinfection tools, providing a service many people would use and remember. Leaving the e-mail content for a worm empty could default to not sending mail and everyone's happy.
That's true. But again, considering that your proposed solution is fixing the AV program, that indicates the problem isn't with sendmail.
By default this is caused by sender notifications being turned on. This shows that the people implementing the products use the default configurations.
It is very easy - and should be the default - to have sender notifications disabled.
The clueless folks at hostasaurus.com not only believe their "customers" WANT them to keep sending those notifications - they've now blocked me from even replying to their snotty e-mails about it:
(Anyone else want to try to pound a clue into Mr. Hubbard?)
Return-Path:
Received: (qmail 60997 invoked from network); 29 Jan 2004 23:28:15 -0000
Received: from roc-24-24-39-84.rochester.rr.com (HELO UPSTAIRS.fybush.com) (24.24.39.84)
by relay.pair.com with SMTP; 29 Jan 2004 23:28:15 -0000
X-pair-Authenticated: 24.24.39.84
Message-Id:
X-Sender: fybush@gwind.pair.com
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Thu, 29 Jan 2004 18:33:53 -0500
To: "David Hubbard"
From: Scott Fybush
Subject: RE: Your message, "", has been BLOCKED
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
At 05:38 PM 1/29/2004 -0500, you wrote:
>Scott, thank you for suggestions, I will be
>sure to bring them up at our next staff meeting.
>If you have any more recommendations on how to
>run our operations, even if it is contrary to what
>our customers have requested such as with your
>current suggestion, please feel free to let me
>know.
Thanks. I'm not saying you shouldn't be running a virus catcher on your mail system - just that it's good practice to disable the auto-reply function when it catches a worm like the current MyDoom that spoofs the "from" address. Look at the headers here - what MyDoom is doing is to pull a random domain name from the host machine's address book (in this case, "@fybush.com") and then to prepend it with a dictionary-attack list of random user names (in this case, I believe it picked "Dave," which isn't a valid username on my domain), then to send it TO another randomly-chosen user name (in this case, "jody") at a randomly-chosen domain name (in this case, "stormprotection.com.") An auto-reply like the one your system sends out is of value ONLY if the virus that's caught is one that doesn't spoof the "from" address, and I can't remember the last time I got one of those.
It's not a question of keeping your customers happy in this scenario, since - if I'm reading the headers right - there isn't even a real customer at the address this particular worm was being sent to. It's a question of not adding to what's already an overload of e-mail traffic by sending auto-replies that BY THEIR VERY NATURE are useless to the recipient.
Doesn't that make at least a little bit of sense?
You read it on slashdot, four months ago. I'm sure you could find many previous references if you looked hard enough. This is nothing new. It's hardly insightful of you a whole whopping two days ago to call anti-virus messages advertising and spam -- this has been generally known ever since mass mailers clued in and started spoofing addresses, which was years ago.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
"If an SMTP server has accepted the task of relaying the mail and later finds that the destination is incorrect or that the mail cannot be delivered for some other reason [such as its containing a virus], then it MUST construct an "undeliverable mail" notification message and send it to the originator of the undeliverable mail (as indicated by the reverse-path). Formats specified for non-delivery reports by other standards (see, for example, [24, 25]) SHOULD be used if possible."
However the writers of the RFC didn't foresee spoofed 'from' addresses, so it might be time for an update.
To actually be helpful, the AV program should step through the Received: lines, comparing them with a site-configured list of trusted servers. The "abuse@ISP" of the first step beyond the trusted-server chain gets the nastygram. In this regard, virus-mail handling is no different from any other UBE/UCE.
Example: One of my email accounts, on earthlink.net, gets some mail via an alias set in IEEE's computer.org domain, so the mail servers at computer.org go in my configuration's trusted-server list. I get other mail directly via earthlink's servers; those also go in my trusted-server list.
As I step down through the Received: lines in a given email, each one has a from phrase and a by phrase, and maybe a for phrase which can be ignored. The first from phrase where the hostname doesn't match anything in my trusted-server list is where I stop: in most cases, that machine is the source of the email. Any Received: lines beyond that one are usually bogus ones put in by the originator (and sometimes ISPs like cox.net will be fooled by them and reject a spam-complaint as "not ours" because of them).
There are exceptions: AOL, for instance, will pass a given email through several postal servers on its way out of their domain, so you have to keep stepping until you hit what looks like a client account (with 'ipt' in the hostname). In most cases, though, the first host beyond the chain-of-trust is the guilty party, and then it's simple enough to compose an abuse@ISP address from that.
In all of the above, the only hostname that matters is the one obtained by reverse-lookup, or your own lookup of the source's IP. A spam source will dependably lie about itself, in some cases even offering the receiver's own domain name in the HELO greeting, and current viruses do the same.
Until the AV programs are smartened enough to do the above anti-spam chain-sequencing, they're worse than useless.
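The Received: walk described in the comment above, as an added example in Python (not the commenter's code). It assumes a constructed message and a trusted-suffix list standing in for the commenter's earthlink and computer.org servers (here `earthlink.example` and `computer.example`), uses only the reverse-lookup name and IP recorded by a trusted server, and ignores everything below the first outside hop, including the forged line at the bottom that claims the receiver's own domain.

```python
import re
from email import message_from_string

# Matches the "from <helo> (<rdns> [<ip>]) by <host>" clause that
# sendmail/Postfix-style servers write; other formats come back as None.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[\d.]+)\]\)"
    r"\s+by\s+(?P<by>[^\s;(]+)",
    re.IGNORECASE,
)

# Constructed: servers whose Received: lines we wrote ourselves or trust.
TRUSTED = ("earthlink.example", "computer.example")

# Constructed message; the last Received: line is one the worm forged itself.
SAMPLE = (
    "Received: from mx2.computer.example (mx2.computer.example [192.0.2.20])\n"
    "\tby mail.earthlink.example (Postfix) with ESMTP id 1A2B3C\n"
    "\tfor <me@earthlink.example>; Thu, 29 Jan 2004 18:33:53 -0500\n"
    "Received: from UPSTAIRS.fybush.example (dialup-7.isp.example [198.51.100.7])\n"
    "\tby mx2.computer.example (8.12.10) with SMTP id XYZ123; Thu, 29 Jan 2004 18:33:40 -0500\n"
    "Received: from mail.earthlink.example (mail.earthlink.example [203.0.113.9])\n"
    "\tby UPSTAIRS.fybush.example with SMTP; Thu, 29 Jan 2004 18:33:00 -0500\n"
    "From: Dave <dave@fybush.example>\n"
    "To: jody@stormprotection.example\n"
    "Subject: hi\n"
    "\n"
    "body\n"
)


def parse_hop(received: str):
    """Split one Received: value into helo, rdns, ip and by; None if unparsable."""
    m = HOP_RE.search(received)
    return m.groupdict() if m else None


def is_trusted(host, trusted) -> bool:
    """True if host equals, or is a subdomain of, one of the trusted suffixes."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def find_source(raw_message: str, trusted):
    """Walk Received: headers newest-first and return the first hop that
    entered the trusted chain from outside, or None if it cannot be told."""
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        hop = parse_hop(received)
        if hop is None or not is_trusted(hop["by"], trusted):
            # Either we cannot read the line, or it was written by a server
            # we do not control: everything below it is unverifiable.
            return None
        if is_trusted(hop["rdns"], trusted):
            continue  # an internal relay handing mail along; keep walking
        return hop  # rDNS name and IP here were recorded by our own server
    return None


def abuse_address(hop):
    """abuse@ of the source's registrable domain, taken from the reverse
    lookup and never from the HELO name. Simplification: last two labels,
    so multi-label suffixes such as co.uk need a public-suffix list."""
    rdns = (hop.get("rdns") or "").lower().rstrip(".")
    if "." not in rdns:
        return None  # no usable rDNS: fall back to a WHOIS lookup of hop["ip"]
    return "abuse@" + ".".join(rdns.split(".")[-2:])


if __name__ == "__main__":
    hop = find_source(SAMPLE, TRUSTED)
    print(hop)                 # the dialup host, not the HELO or the forged line
    print(abuse_address(hop))  # abuse@isp.example
```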
MAIL FROM:<>
Maybe their first name was "abuse"?
When setting virus notification messages on Trend it helpfully asks if you want to apply the same settings to the Notification to Admin, Notification to Sender and Notification to Recipient. I assume most people want to set a Notification to Admin message - so unless you click around the default "Apply to All" you'll also end up sending notifications to the "sender" and recipient of the virus.
Also, with attachment blocking Trend will try to send a message to All the recipients of the message - so when someone sends a garbage executable to one of my users and includes a hundred people in the To field, Trend will helpfully try to send an Attachment Blocked message to those 99 other people who it actually didn't block the attachment for! Telling my users that attachments were stripped from their mails is helpful, but incorrectly telling 100s of other people negates this usefulness.
...require Tenacious D.
Usually, this nonsense only hits the user who installs the program, but anti-virus programs take it to the next level.
A nice goal for Open Source desktop software should be to eliminate this stuff. Open Source programs don't need this drivel; they're not selling anything.
I'm taking a break from filing 0.02" off a piece of aluminum. Next time, I allow a bigger tolerance.
For some reason, executives get mad when they realize that customers are not being responded to, even when they send us a virus. It's the same thing as saying "Oh, we got your email alright. We just don't care about you...".
It might be some sort of legal accountability thing too. Imagine a conversation like this:
Customer: "I sent that proposal 10 minutes before the deadline. Did you get it?"
Employee: "Uh, no."
Customer: "Well, I have proof that I sent it, I'm going to sue you for a million dollars!"
Employee: "Oh Crap!"
It's not just the AV SPAM, everyone sooner or later will have their email address used as the "Reply-to" or "From" address in a spam.
The email admins who allow bounces on SPAM should be shot with slow bullets.
parent up mod! up mod parent! up parent mod!
****Gfx Scrollbar Special case hit!!*****
The worst cases are when corporations actually deliberately MIS-educate consumers; a case in point: TV ads by the Clorox Co. in 2002 that attempted to convince people that ONLY their brand of sodium hypochlorite solution (bleach) was capable of killing germs!
The anti-virus companies are actually very late players to this particular game.
I understand the RFC requires a bounce or ndr.
I understand our software products (GFI Mail Essentials, Symantec Anti-Virus Corporate Edition, Symantec Anti-Virus and Filtering for Microsoft Exchange) all allow the bounces and NDRs to be modified or disabled.
Because these products register themselves with the SMTP transport or with Exchange as an event sink, they can alter the default behavior and allow you to do things that are not entirely consistent with the rfc. Which is exactly what everyone is on about.
Remember, this is a thread about the anti-virus software generated bounces and non-delivery reports, not about smtp at the rfc level. You are correct, but your point is irrelevant.
http://drteknikal.blogspot.com/
Ah... but they've gotten s/smarter/dumber. Apparently some server-level programs (Declude for sure, as I've gotten over a hundred in the last few days from them alone) have decided to start sending postmaster@domain.com a warning as well. I get loads and loads of mail now from these stupid autoresponders that say that "our mail server has sent a virus" even though we run anti-virus software ourselves (WITH NOTIFICATION OFF!!!) and a quick look at the headers reveals the real IP address that it came from, just with our domain name attached, and of course in the reply field as well. I've crafted a stationery now to reply to these morons with. Only problem is that they're only a notch below the morons that put this feature in the software, and they'll probably try telling me that I'm the one that's wrong!