Slashdot Mirror


Anti-Virus Companies: Tenacious Spammers

jaroslav writes "There is a great article over at Attrition about the problem of anti-virus related spam. I don't know if we should all start reporting this to the government, but telling the companies themselves that this should stop might get some results."

9 of 329 comments

  1. A good analogy... by calebb · · Score: 4, Informative

    A lot of clients in my department regularly ask me if they have a virus when they receive these mail gateway auto-replies. I came up with a good analogy that helps even the most technophobic user understand what's going on:

    If I send a letter to George Bush using Saddam Hussein for the return address, the president will not believe that the letter is really from Iraq! Why? (other than Saddam being captured?) The postmark on the envelope will say Pullman, Wa!

    Similarly, if the mail server looked at the address that actually sent the virus, it would see something like aol.com or texas-telecom.net. Instead, these mail servers just blindly believe that the virus was really sent from Client-A@wsu.edu. (I insert the client's actual email address here... that helps grab their attention if their mind was already wandering...)

  2. Re:Stupid admins cause this by gnuman99 · · Score: 2, Informative

    No excuse - this "feature" should be turned OFF by default. Heck, it should not exist in the first place.

  3. I've gotten AV email... by callipygian-showsyst · · Score: 3, Informative

    ...that sends "back" (though I never sent it in the first place) the actual VIRUS!

    If I had spare time, I'd SUE the AV companies! They're committing LIBEL and they KNOWINGLY SENT ME A VIRUS!

    Anyway, I'd also like to add that I've run Microsoft Windows since the days of Windows 1.03 and I have NEVER had a virus. I don't take unusual precautions, either. I have a virus scanner that I keep updated and run MANUALLY every time I hear about a new one, and it never finds anything (except when I've purposely saved one off for analysis!). I've never been tempted to click on an .SCR .PIF or .EXE file, and since I run my PC behind a "linksys" box that blocks all incoming ports, I've never had Code Red or anything like that.

    One of the companies I'm working for just locks down the network harder and harder each time there's a new virus. For example, they did some tweak so when you log into the domain, some thing runs that prevents you from making a share (though only from the UI--you can still do it from the NET command-line.) I hope someone realizes that they've NEVER actually stopped a virus, even though each time one happens they run around in circles and restrict the network and PCs even more. You just can't prevent against people receiving an EXE in email and running it!

    Now I know the argument you get from Mac-crazies--that if the PC had better account management this wouldn't happen. NONSENSE! A user-level program with no special "root" access can easily scan through YOUR mailbox and pick off email addresses and send out email. ON ANY OPERATING SYSTEM, even a properly administered Un*x system.

    1. Re:I've gotten AV email... by John+Hasler · · Score: 2, Informative

      A "user-level" program can't run at all on a Unix system with /home mounted noexec.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.

  4. Re:Yes, but is it off by default? by stevenbdjr · · Score: 3, Informative

    The option should at least be disabled by default.

    It is with most newer versions of products (Trend, Sophos, Sybari, to name a few). Older versions had this on by default, but when they were released, viruses weren't forging FROM headers the way they are now. Additionally, when upgrading versions, the old settings tend to get preserved, thus perpetuating the problem.

    I also wouldn't go so far as to call this a dangerous feature. It was designed to be a useful tool to help STOP the spread of viruses. I think a better compromise would be to enable notification back to the sender only if the detected virus is known NOT to be a FROM forger, with the option to disable it completely.
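
Added example, not part of the thread or of any product named in it: a sketch of the check described in comments 1 and 4, where a gateway suppresses the sender notification if the detected family is known to forge From, or if the From domain does not match the host that actually connected. The family list, `should_notify`, the sample message and `mx.example.org` are constructed for illustration, and the domain comparison is a heuristic.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Illustrative list only: families assumed to forge the From header.
FORGING_FAMILIES = {"mydoom"}

# The "from helo (rdns [ip])" clause as written by the receiving gateway.
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)")

# Constructed sample: From claims wsu.edu, but a dial-up host delivered it.
SAMPLE = (
    "Received: from dialup-12.texas-telecom.net"
    " (dialup-12.texas-telecom.net [192.0.2.45])\n"
    "\tby mx.example.org with ESMTP; Tue, 27 Jan 2004 10:00:00 -0800\n"
    "From: Client-A@wsu.edu\n"
    "To: someone@example.org\n"
    "Subject: hi\n"
    "\n"
    "body\n"
)

def org_domain(host):
    """Last two labels only; a real gateway would use a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def should_notify(raw, family):
    """Return (notify, reason) for a message the scanner flagged as `family`."""
    if family.lower() in FORGING_FAMILIES:
        return False, "family forges From"
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    if "@" not in from_addr:
        return False, "no usable From address"
    # Trust only the topmost Received header (added by our own gateway);
    # everything below it was supplied by the sending side.
    received = msg.get_all("Received") or []
    m = RECEIVED_RE.search(received[0]) if received else None
    if not m or not m.group("rdns"):
        return False, "connecting host unknown"
    if org_domain(m.group("rdns")) != org_domain(from_addr.rsplit("@", 1)[1]):
        return False, "From domain does not match connecting host"
    return True, "From domain matches connecting host"

if __name__ == "__main__":
    print(should_notify(SAMPLE, "Mydoom"))
    print(should_notify(SAMPLE, "ExampleMacro"))
```

Every uncertain case resolves to "do not notify", so a parsing failure never produces a message to a forged address.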

  5. Re:Stupid admins cause this by Aero+Leviathan · · Score: 2, Informative

    On my copy of McAfee, it was off by default.

    --
    ~ Aero

  6. Re:I totally agree. by Abm0raz · · Score: 2, Informative

    sucks up twice, thrice, a dozen times the bandwidth of the original worm

    Nice to talk out your ass. Yes, they are annoying, but let's go over some numbers from my system I run:

    I run a MailMarshal 5.5 system. It is configured to block all executable attachments. A blocked attachment is parked for 7 days and a text only notification without attaching the original message is sent back to the "sender". If the sender replies according to the instructions (which is to add 1 randomly generated 6 letter word to the subject and delete it from the body) then the original message is released and the sender added to the MailMarshal whitelist so they get no more messages. Our McAfee virus scanner is after it and just deletes any virii that get through. Now for the numbers:
    1. MyDoom emails in: 411
    2. Bandwidth of said emails at 32.3KB average: 106202 Kb transferred
    3. Automated replies I sent out: 398
    4. Bandwidth of replies (original message NOT attached) at 1.7KB: 5,412Kb
    5. Amount of emails in that were replies from other companies mistakenly saying my users had sent them the virus: 239
    6. Bandwidth at 33.8KB = 64,626Kb

    So, I've sent out nearly twice as many blocked message notifications than the other with an option to whitelist receivers that are mistakenly ID'd. My emails have taken 11x LESS bandwidth as their error messages and nearly 20x less than the virus messages themselves.

    The problem isn't necessarily always the software and hype without research is even worse.

    -Ab

    --
    Nothing fails quite like prayer.

  7. Re:Who are you people? by Holdstrong · · Score: 3, Informative

    "You try explaining why an urgent email the Managing Director sent from his home PC didn't reach an important client and didn't send back an error message. It might not be your fault he got a virus, but it's sure as hell not his fault the company didn't get that billion-dollar contract."

    You could start by explaining to your boss that in some situations email is not THAT reliable. And if a billion dollar contract rests on the successful delivery of an email, he'd better pick up the phone and call someone to make sure it was received.

  8. Re:configuration of the virus announcement functio by rkww · · Score: 2, Informative

    However RFC 2821 states:

    "If an SMTP server has accepted the task of relaying the mail and later finds that the destination is incorrect or that the mail cannot be delivered for some other reason [such as its containing a virus], then it MUST construct an "undeliverable mail" notification message and send it to the originator of the undeliverable mail (as indicated by the reverse-path). Formats specified for non-delivery reports by other standards (see, for example, [24, 25]) SHOULD be used if possible."