Slashdot Mirror


Anti-Virus Companies: Tenacious Spammers

jaroslav writes "There is a great article over at Attrition about the problem of anti-virus related spam. I don't know if we should all start reporting this to the government, but telling the companies themselves that this should stop might get some results."

27 of 329 comments

  1. grrr... by firstadopter.com · · Score: 4, Insightful

    I totally agree, the AV co's need to shape up their act. It's a weird situation, do they really want to be THAT effective to really stop viruses, or will they be like Chinese on piracy and put up a show.

    1. Re:grrr... by Haeleth · · Score: 2, Insightful

      It's a weird situation, do they really want to be THAT effective to really stop viruses, or will they be like Chinese on piracy and put up a show.

      The Chinese have always been very tough on piracy. In fact, back in the sixteenth century there was such a problem with Japanese pirates in particular that it was illegal for a Japanese to set foot in China on pain of death. Even the RIAA hasn't started advocating the death penalty yet, despite several ships carrying CDs having been boarded, their cargo stolen and their crews murdered. ...oh, you meant copyright infringement?

  2. configuration of the virus announcement function by L10N · · Score: 5, Insightful

    At my last job at a public uni, obviously any and all worms and viruses slammed us hard. It was soon apparent, to make support calls more manageable as well as to lessen the pure amount of crap on the network, that we had to configure our mail server virus package to send those announcement "you have or were sent an infection" messages to /dev/null. Some users might not get the warning they needed I suppose, but quickly one message would turn into thousands just for one infected user. To the bit bucket with them! It helps.

    --
    "What we do in life echoes in eternity." Maximus Decimus Meridius
  3. Non-reply is not quite right by HiKarma · · Score: 4, Insightful

    I am also quite bothered by these virus blocker programs mailing the from line when they know it is fake.

    However, the truth is they know what sort of virus they have detected, and they can know whether the virus/worm in question forges the fromline or not. If they know it forges the from line, they should not send the mail back. If they know the program does NOT forge the from line, however, it is not unreasonable to send back the bounce, though for best appearances, it should not look like an ad.

    If a program on my machine is sending out worms, I want to know about it. The antivirus software should be able to tell the difference.

  4. But isnt a lot of spam... by ewhenn · · Score: 4, Insightful

    But isn't a lot of spam generated by "lead companies"? For example, in those mortgage spams you get, the spamming company gets paid for leads to possible mortgages, not for the actual spam itself. The "lead" company is simply using spam as a method to solicit leads. Is the same applied to AV software? Sell the AV company a lead, get X% of the profit?

  5. I totally agree. by James+A.+E.+Joyce · · Score: 2, Insightful

    I can't believe that those working at the anti-virus companies are so stupid so as to have not yet realised that by sending out all of these fallacious "OMG YOU GOT SPAM" hype emails - to the wrong people of all things - just sucks up twice, thrice, a dozen times the bandwidth of the original worm. Yes, worms are a bad thing, but sending out random hysterical emails about it to all and sundry doesn't help one tiny bit.

    --

    FloodMT: crapflood Movab
  6. Complain to the abuse@ of the filtering system by Tsu+Dho+Nimh · · Score: 4, Insightful
    I use SpamBouncer ... the developer kindly provided filters to block these inane "you are infected" messages.

    Occasionally I will send a nastygram to the support or abuse department of the system using the stupid virus protection. Usually they can't figure out why I'm annoyed that they told me I'm infected with a virus ... the concept that a virus can forge a FROM escapes their air-filled heads.

    1. Re:Complain to the abuse@ of the filtering system by geoffspear · · Score: 3, Insightful

      Actually, it sends complaints to the upstream provider of the IP address the spam came from, instead of "bouncing" it. I'm not sure if it's a badly named program or if the author just changed the functionality when it became clear that almost all spam has forged From: headers.

      --
      Don't blame me; I'm never given mod points.
    2. Re:Complain to the abuse@ of the filtering system by CowboyBob500 · · Score: 2, Insightful

      Dunno about the grandparent, but I'd do (and do) exactly that. Anti-virus auto-responses are spam as far as I'm concerned and they get LARTed. Period. If you don't like it then you can kiss my ass.

      Bob

  7. Stupid admins cause this by stevenbdjr · · Score: 5, Insightful

    The author of this article seems to think that the AV companies are the one to blame for this. In fact, every AV product I've ever worked with at the mail server level has allowed you to turn this functionality off. Any decent mail server admin should be doing this themselves. It's the same kind of ignorance and stupidity that allows 3 year old exploits to continue to propagate.

    1. Re:Stupid admins cause this by gl4ss · · Score: 3, Insightful

      oh well, but there's just this little bit of information that they have and are not using at all: THE VIRUS SCANNERS DATABASE HAS THE INFORMATION THAT IT FORGES THE ADDRESS, so it would need very little work to code it so that it didn't send the notification when it could deduce that the sender is forged.

      of course, free advertising at the peaks of virus activity can't hurt?

      --
      world was created 5 seconds before this post as it is.
  8. Why does the government need to be involved??? by dubdays · · Score: 4, Insightful

    Why don't we all just turn this "feature" of replying to the virus-laden email off? I do the administration of our anti-virus software on the network (Symantec Corporate Ed.), and I just turn that crap off...it's a very simple thing to do. I can't speak for the other anti-virus software, but I would assume you could also turn off email replies in them as well. We ought to be bitching to the network admins, and not to the government.

  9. AV Companies Send These Emails Because... by conan_albrecht · · Score: 2, Insightful

    ..."It's Good For Marketing". In our eyes, the best AV product is one that sits quietly and takes care of email viruses silently, without adding to the mass email problem.

    However, in the eyes of an AV company, a silent, seamless program is the LAST thing they want. These companies want the PHB's to know their product is working, and they want visibility.

    This is a classic case of marketing desires winning over technological needs. This is the reason I use open source projects -- they (most of them, anyway) do their job without the need for advertising.

  10. Yes, but is it off by default? by enosys · · Score: 5, Insightful

    Certainly whoever sets up a server and leaves this enabled is stupid or careless, but I think the companies have some responsibility too. The option should at least be disabled by default. Enabling it should cause some sort of warning. Better yet it shouldn't be there. Why put such a dangerous feature in a program?

    1. Re:Yes, but is it off by default? by RetroGeek · · Score: 2, Insightful

      Why put such a dangerous feature in a program?

      Because when the apps were first created we did not have a SPAM problem.

      So a legitimate email might have contained a virus and it was good Internet community help to inform the sender about the virus.

      Now we have viruses and SPAM which feed off each other and the feature becomes a pain.

      --

      - - - - - - - - - - -
      I am a programmer. I am paid to produce syntax not grammar. Deal with it.
  11. Re:Slashdot Plagiarized Again by maggard · · Score: 4, Insightful
    Darl-ing,

    Clearly you don't realize that Slashdot doesn't post original material either. Indeed it's a regular question why /. doesn't simply cut a deal with PBS and reprint Cringely's columns honestly instead of noting nearly each one and then having some schmoe "helpfully" copy it for 'em. Same for almost everything else, by the time it hits /. it's old news in other circles.

    That journalists (including Usenet posters, bloggers, bbs users, other online discussion forums plus talk show producers and newsdesk editors) get many of their ideas from their peers is hardly new. That the process is becoming more widely transparent only speaks to the increasing breadth and depth of information resources available to more and more people.

    Indeed this is what the Google News service relies on - clusters of stories on topics. Those stories aren't always about "breaking news", quite often they're simply topics that have suddenly become widely discussed: Successful Memes.

    So yes, if one reads a number of news sources, particularly ones focused on specific topics, one will indeed often note a topic begin in one place, jump from source to source, evolve, and oftentimes come full circle. Furthermore if one back-tracks a story it rarely "began" where most of us first became aware of it but had already bubbled up through several layers of reportage.

    Welcome to the Global Village where what was old is new again.

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
  12. Re:configuration of the virus announcement functio by Zocalo · · Score: 2, Insightful
    You send them an email? That puts even more load on your server and in a way continues the problem. I too became fed up of this crap with MyDoom after bearing the brunt last time, but my approach is to block all mail from the idiots that bounce the payload as well with a hard SMTP reject on connect. Domain and IP both go into the block list and instead you just get a curt SMTP error message and we're done.

    Maybe I'll remove the blocks when this blows over, maybe I won't, but they sure as hell are going to be ready and waiting for next time something like this kicks off. The worrying part is, it's not just "Mom and Pop" operations either; it's companies who should have a clue like big ISPs and large corporates. What we need is a DNSBL that lists the IPs of compromised hosts and another that lists the IPs of those that generate bounces; I'd be subscribed to both in a heartbeat.

    --
    UNIX? They're not even circumcised! Savages!
  13. Treat bad e-mails like bad IP packets... by Alwin+Henseler · · Score: 2, Insightful
    The real problem here is just that bad/infected e-mails get answered at all. Even if you would know a worm doesn't forge the "From:" line, you always have the chance that it's a mutation that does. So: why not simply throw away bad e-mails without comment?

    This is very similar to spoofed IP packets: a firewall might bounce (answer) the packet back to its origin, and if the original packet was broadcasted to a lot of systems, the fake return address gets bombarded with those bounced packets.

    The solution: if there's ANYTHING wrong with a packet that makes it unacceptable, simply drop it without any further action.

    With e-mail: if scanning it shows an infected attachment, simply strip that attachment, and nothing else.

    If an e-mail is positively spam, simply throw it away, without comment.

    If a destination address doesn't exist, then don't bounce it, but simply throw it away.

    The result: infected attachments don't generate extra traffic, spam doesn't get bounced back to bogus addresses, and only e-mails that are correctly addressed make it to their destination.

    And if you really want to know whether it got there, there's always the option to request confirmation that it was received.

  14. Re:It's a tough call.... by MadAnthony02 · · Score: 2, Insightful

    My point is less about the sender knowing they have a virus, and more about the sender knowing their document wasn't received. Even once they find out they have a virus, the average user won't know that their document wasn't received. And there are a lot of people out there who don't have up to date virus software or don't bother updating it - think home users whose computer came with a 3 month subscription that expired two years ago.

  15. Draft an RFC? by nocomment · · Score: 4, Insightful

    I wonder if we (as a community) should draft an RFC that governs such things as naming conventions and the like. Perhaps define all types of viruses and give them a designation as to what platform and what they do. The names would sort of be a mixture of all the major vendors.

    Something like

    $PLATFORM/$VIRUS.$VERSION@$PAYLOAD-STYLE So you'd need a simple draft coming up with a platform name (Win32 for 32-bit Windows, Mac for Macs, yadda yadda), a virus naming convention so that everyone would be able to tell from looking at the virus what its name should be, $version .A .B .C etc, and a convention for payload style. Mydoom was a mass mailer that also was meant for use in a DDOS.
    So perhaps mydoom should be
    Win32/Mydoom.A@MM@DD
    -or-
    Win32/Happy99.a@M

    just thoughts and ideas, what's everyone else think?

    As well as defining in the RFC that, if a worm is known to spoof the From: field, then skip the auto-responder notice altogether.

    --
    /* oops I accidentally made a comment, sorry */
    /* http://allyourbasearebelongto.us */
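As an added example (not code from the post or from any vendor), here is a small parser for the $PLATFORM/$VIRUS.$VERSION@$PAYLOAD-STYLE scheme proposed above, checked against the post's own two samples. The meanings attached to the payload tags (M, MM, DD) are assumptions made for this example; the proposal itself does not define them.

```python
"""Parser for the vendor-neutral naming scheme proposed in the post above.
Added example; the payload-tag meanings are assumptions, not part of the proposal."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed meanings for the payload tags appearing in the post's two samples.
PAYLOAD_TAGS = {
    "M": "mailer",
    "MM": "mass mailer",
    "DD": "DDoS agent",
}

# platform / name [. version] [@tag @tag ...]
_NAME_RE = re.compile(
    r"^(?P<platform>[A-Za-z0-9]+)/"
    r"(?P<name>[A-Za-z0-9_\-]+)"
    r"(?:\.(?P<version>[A-Za-z]+))?"
    r"(?P<payload>(?:@[A-Za-z0-9]+)+)?$"
)


@dataclass(frozen=True)
class MalwareName:
    platform: str
    name: str
    version: Optional[str]        # normalised to upper case, so ".a" and ".A" agree
    payloads: Tuple[str, ...]     # e.g. ("MM", "DD"), in the order given

    def canonical(self) -> str:
        """Re-emit the name in the proposed form with normalised case."""
        text = f"{self.platform}/{self.name}"
        if self.version:
            text += f".{self.version}"
        return text + "".join(f"@{tag}" for tag in self.payloads)

    def describe(self) -> str:
        """Human-readable payload summary; unknown tags are reported, not dropped."""
        words = [PAYLOAD_TAGS.get(tag, f"unknown tag {tag}") for tag in self.payloads]
        return ", ".join(words) if words else "no payload tags"


def parse_name(text: str) -> MalwareName:
    """Parse one name; raise ValueError rather than guess at a malformed one."""
    match = _NAME_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a valid vendor-neutral name: {text!r}")
    version = match.group("version")
    payload = match.group("payload") or ""
    return MalwareName(
        platform=match.group("platform"),
        name=match.group("name"),
        version=version.upper() if version else None,
        payloads=tuple(tag.upper() for tag in payload.split("@") if tag),
    )


if __name__ == "__main__":
    for sample in ("Win32/Mydoom.A@MM@DD", "Win32/Happy99.a@M"):
        parsed = parse_name(sample)
        print(f"{sample:24} -> {parsed.canonical()} ({parsed.describe()})")
```

The parser is deliberately strict: a name that does not fit the grammar is rejected instead of being partially interpreted, which is the behaviour a scanner would want before keying a "skip the auto-responder" decision on the name.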
    1. Re:Draft an RFC? by wembley · · Score: 2, Insightful

      Good luck getting the virus writers to follow your RFC.
      ;-)

      --

      Share and Enjoy!

  16. Re:Why is this modded OT? by kfg · · Score: 2, Insightful

    I might point out that it isn't necessary at all for Grandpa to have any idea what Grandma is up to for the scenario to hold true.

    I might also point out that mob controlled neighborhoods are peaceful and law abiding, excepting the activities of the mob.

    When a store owner pays to have his store not trashed he expects his store not to get trashed.

    The mob looks upon anyone trashing stores in "their territory" as challenging their authority and devaluing their "service."

    When order (as opposed to law) meets the illegal the issue on either the practical side or the philosophical side is rarely straightforward or simple.

    KFG

  17. It's the natural order of virus evolution by hellfire · · Score: 4, Insightful

    I believe in a little axiom that says "Never attribute any action to malice when you can attribute it to stupidity or ignorance."

    I'm only going by my experience in anti-virus software, but let's look at it this way:

    1) Anti-virus software is on the desktop machine to prevent infection

    2) Soon viruses are getting in via email. Anti-virus software writers decide to target the enterprise (where the real money is) and where it makes most logical sense to block viruses now.

    3) Some programmer comes up with the idea "Hey! Wouldn't it be great if our software automatically emailed the person who sent the virus in the first place? After all, it's 1997 and the only way to get a virus is via a word or excel document attached to the email." The product development approved, not only because education is a huge tool in stopping viruses, but a little (I stress a little) free advertising couldn't hurt.

    4) Microsoft introduces new features and more sophisticated viruses are introduced.

    5) The option stays on and is set by default because no one re-evaluates it and it's just that way.

    6) Some cracker gets an ingenious idea to use the feature against itself and cause more harm than good. The feature is exploited to send out thousands of emails per server, which the original designers never intended.

    7) Anti-virus writers don't pay attention because you can just turn it off and it's not important to them any more. It's the admin's job to know to turn this off. They may tell some people, and they may default it to off in the next version, but it's not high on the list.

    And even still, you can't just tell someone they are stupid for coding it this way or for not turning it off. Until recently, this option made sense. Tell the infected user of their problem to cut down on the spread of virii. Now, as in the biological world, the virus writers figured out how to use a portion of the "immune system" against itself.

    It's just the way things happen. I write a virus, you write a counter measure, I write a way to get around it. What's missing here is an email illustrating that the intent of sending out all these emails was deliberate on the part of anti virus writers. The article is assuming intent for no other reason than to scare people. Again, "Never attribute any action to malice when you can attribute it to stupidity or ignorance."

    --

    "All great wisdom is contained in .signature files"

  18. Another problem this causes: by wolrahnaes · · Score: 3, Insightful

    In the article, the author mentioned a mail server bouncing a message to a bad address with the bounce containing the virus.

    What if the server receiving the bounce has one of these alerting virus scanners?

    Scenario:
    1. Virus sends message to non_existant_user@email.com, forging the from address of user123@free-email.com
    2. email.com server bounces the message because non_existant_user doesn't exist.
    3. free-email.com receives the (virus containing) bounce from email.com
    4. AV software bounces the email, sending the virus back to non_existant_user@email.com
    5. Goto 2

    Anyone else see a problem here?

    --
    I used to get high on life, but I developed a tolerance. Now I need something stronger.
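The loop in the scenario above is easy to reproduce in a toy model, and the standard fix is equally small: an automatic response (a non-delivery bounce, a "you sent us a virus" notice) is never sent in reply to a message whose SMTP envelope sender is the null reverse-path, which is what every bounce already carries. The following simulation is an added example, not code from the comment or any mail product; the two domains, the user lists and the addresses are constructed for it, and the "infected" flag simply records that bounces and notices echo the worm back out.

```python
"""Toy simulation of the bounce / AV-notice loop from the comment above.
Added example with constructed domains and users. The modelled fix is the rule
from RFC 3834 and RFC 5321: never auto-reply to a message whose envelope
sender (MAIL FROM) is the null reverse-path "<>", i.e. never answer a bounce."""
from collections import deque
from dataclasses import dataclass
from typing import List


@dataclass
class Message:
    mail_from: str     # SMTP envelope sender; "" stands for the null reverse-path <>
    header_from: str   # the From: header a naive AV notifier replies to
    rcpt_to: str
    infected: bool     # bounces and notices include the original, so the worm rides along


class MailServer:
    def __init__(self, domain: str, users, reply_to_null_sender: bool):
        self.domain = domain
        self.users = set(users)
        # True reproduces the broken behaviour in the comment; False applies the fix.
        self.reply_to_null_sender = reply_to_null_sender

    def handle(self, msg: Message) -> List[Message]:
        """Return whatever automatic mail this server emits for one incoming message."""
        user, _ = msg.rcpt_to.split("@", 1)
        if user not in self.users:
            if msg.mail_from == "":
                return []  # a bounce to a bad address is dropped, never bounced again
            # Non-delivery report: null reverse-path, original message attached.
            return [Message(mail_from="", header_from=f"mailer-daemon@{self.domain}",
                            rcpt_to=msg.mail_from, infected=msg.infected)]
        if not msg.infected:
            return []
        if msg.mail_from == "" and not self.reply_to_null_sender:
            return []  # the infected message is itself a bounce: quarantine it, say nothing
        # Naive AV gateway: "you sent us a virus", addressed to the (forged) From: header.
        return [Message(mail_from=f"postmaster@{self.domain}",
                        header_from=f"postmaster@{self.domain}",
                        rcpt_to=msg.header_from, infected=True)]


def simulate(reply_to_null_sender: bool, cap: int = 20) -> int:
    """Run the scenario; return the number of messages sent before traffic died out,
    or `cap` if it was still going, which is how a loop shows up."""
    servers = {
        "email.com": MailServer("email.com", {"alice"}, reply_to_null_sender),
        "free-email.com": MailServer("free-email.com", {"user123", "postmaster"},
                                     reply_to_null_sender),
    }
    # Step 1 of the comment: the worm mails a non-existent user, forging user123 as sender.
    queue = deque([Message(mail_from="user123@free-email.com",
                           header_from="user123@free-email.com",
                           rcpt_to="non_existant_user@email.com", infected=True)])
    sent = 0
    while queue and sent < cap:
        msg = queue.popleft()
        sent += 1
        domain = msg.rcpt_to.split("@", 1)[1]
        queue.extend(servers[domain].handle(msg))
    return sent


if __name__ == "__main__":
    print("naive gateway:", simulate(reply_to_null_sender=True), "messages (hit the cap)")
    print("fixed gateway:", simulate(reply_to_null_sender=False), "messages")
```

With the naive gateway the exchange runs until the cap because each server keeps answering the other's automatic mail; with the null-sender rule it stops after the worm's message and the single bounce it earns.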
  19. Re:A bad analogy... by schon · · Score: 1, Insightful

    Your analogy is flawed.

    If I send a letter to George Bush using Saddam Hussein for the return address, the president will not believe that the letter is really from Iraq!

    Why would it have to be from Iraq? You just said that the sender was Saddam Hussein, not Iraq. You're mixing up the sender and the origin. Mr Hussein may not have been to WA, but if you mailed the message from (say) Yemen, Saudi Arabia, how would Mr. Bush be able to tell that wasn't from Saddam, just by looking at the postmark?

    The postmark on the envelope will say Pullman, Wa!

    But what if you use the name "John Ashcroft"? How would Mr. Bush know that Ashcroft didn't mail something while he was out of his office?

    if the mail server looked at the address that actually sent the virus, it would see something like aol.com or texas-telecom.net. Instead, these mail servers just blindly believe that the virus was really sent from Client-A@wsu.edu.

    And (again) how would the mail server know that Client-A@wsu.edu doesn't have an AOL or texas telecom account?

    What I tell my users is simple: "Their mail server is misconfigured, just ignore it."

  20. Re:Who are you people? by mabu · · Score: 3, Insightful

    The auto-response from AV software isn't spam, it's the server trying to warn you that an attachment you might have cared about didn't make it to the destination.

    In order for most of those filters to work, they have to be updated with new virus definitions. At the time they identify this new virus, they can also identify whether the header information is legitimate and worth responding to. In the case of anti-spam companies that ignore this information, they ARE spamming and contributing to the problem. There is no excuse.

    If you are an anti-virus company and you update your system to recognize MyDoom, you know that the from address is not accurate. So if you bounce e-mails to the source, you are incompetent, a spammer, or both.
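Several comments above (HiKarma's, Alwin Henseler's and this one) converge on the same policy: the scanner already knows which worm it matched and whether that worm forges the sender, so a notice should go out only when the sender is positively believed genuine, and never when the message is itself a bounce or other automatic mail. The code below is an added example of that policy, not any vendor's implementation; the detection names and the "forges sender" flags are constructed placeholders, and an unlisted detection is treated as "may forge", which covers the variant-that-starts-forging case Alwin raises.

```python
"""Default-deny sender-notification policy for a mail gateway scanner.
Added example with constructed detection names; not a vendor's code or data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed database: detection name -> does this worm forge the sender address?
# Anything absent from the table is treated as "may forge".
FORGES_SENDER: Dict[str, bool] = {
    "Worm.Example.MassMailer": True,    # harvests addresses and forges From:
    "Worm.Example.SelfMailer": False,   # mails itself from the infected account
}


@dataclass
class Envelope:
    mail_from: str          # SMTP MAIL FROM; "" is the null reverse-path used by bounces
    headers: Dict[str, str] # header field names lower-cased


@dataclass
class Part:
    filename: str
    infected: bool


def should_notify_sender(env: Envelope, detection: Optional[str]) -> Tuple[bool, str]:
    """Return (notify, reason). Only a positively known non-forging worm earns a reply."""
    if detection is None:
        return False, "clean"
    if env.mail_from == "":
        return False, "null reverse-path: replying would be backscatter"
    if env.headers.get("auto-submitted", "no").lower() != "no":
        return False, "auto-submitted message: never answer automatic mail (RFC 3834)"
    if env.headers.get("precedence", "").lower() in ("bulk", "list", "junk"):
        return False, "list or bulk mail: never auto-reply"
    forges = FORGES_SENDER.get(detection)
    if forges is None:
        return False, f"{detection} not in database: assume the sender may be forged"
    if forges:
        return False, f"{detection} forges its sender"
    return True, f"{detection} mails from the real infected account"


def dispose(env: Envelope, parts: List[Part], detection: Optional[str]):
    """Strip infected parts and deliver the rest silently; a notice is a separate,
    policy-gated decision rather than an automatic side effect of detection."""
    delivered = [p for p in parts if not p.infected]
    notify, reason = should_notify_sender(env, detection)
    return delivered, notify, reason


if __name__ == "__main__":
    # Constructed sample: a forged mass-mailer hit and a self-mailer hit.
    env = Envelope("someone@example.net", {})
    parts = [Part("report.doc", False), Part("document.pif", True)]
    for name in ("Worm.Example.MassMailer", "Worm.Example.SelfMailer", "Worm.Example.Unknown"):
        kept, notify, why = dispose(env, parts, name)
        print(f"{name}: deliver {[p.filename for p in kept]}, notify={notify} ({why})")
```

Note the asymmetry: a wrong "no" costs one missed warning to a genuinely infected user, while a wrong "yes" sends a notice, and possibly the worm, to an innocent third party, so every uncertain branch resolves to "no".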

  21. Re:Simple solution to problem by macshit · · Score: 3, Insightful

    1) At the end of every one of these viruses, just add fdisk.

    Now that would be funny!

    I can just imagine the fresh, clean feeling the world would have for a short time afterwards...

    [I hate viruses not just because of all the stupid AV marketing spam that results, but because my company (like many I suppose) is obsessed with anti-virus crap. I have windows on a few machines at work, which are never ever used for anything except local debugging, but nonetheless I'm required to run four anti-virus programs on them simultaneously, which sit there and thrash the disk for an hour at every bootup, and my manager is constantly coming and nattering at me "did you check your anti-virus for updates today"; I get the feeling he's a big victim....]

    --
    We live, as we dream -- alone....