Slashdot Mirror


Anti-Virus Companies: Tenacious Spammers

jaroslav writes "There is a great article over at Attrition about the problem of anti-virus related spam. I don't know if we should all start reporting this to the government, but telling the companies themselves that this should stop might get some results."

26 of 329 comments

  1. Slashdot Plagiarized Again by Mr.+Darl+McBride · · Score: 5, Interesting
    You read it on Slashdot first, two days ago. That's right, Darl called these spammers for what they are, right here on Slash.

    Not three hours after this comment, someone mailed this to Declan's Politech list, a cheat sheet for computer-illiterate journalists angling for something to stay more relevant than the typewriters they still swear by. And then the very next day, we see three different articles with variations on this very topic. Five bucks says the next issue of eWeek borrows in their next issue as well.

    Yes, as always, none of the stories credited Politech, though the names of the authors who borrow liberally are always the same. And Politech didn't credit Slashdot, where the Politech submitters borrow a full half of their stories with equal disregard for journalistic integrity. Indeed, the only time Politech credits Slashdot is when they believe Slash has said something stupid. These reporters are hooked on the easy source of stories, yet trash it publicly for fear others will find the tool that's kept them from having to do actual reporting anymore.

    I may be here to take Linux away from you, but you can't argue that I don't give something back. You hate me. But you love me too, and you hate that as well. Think of it, you see me just the way others see Slashdot.

    If you'd like to track Politech's ongoing plagiarism of Slashdot, jump on their free mailing list and have a laugh. Watch the submissions. Watch each story jump from Slash to Politech (search the comments after each new Politech post and you'll find the original +4 or +5 comment 4 times in 5), then check the NY Times, Barron's, and Ziff Davis Publishing for the same authors publishing borrowed stories the very next issue. They do it like clockwork, because these "tech" journalists don't realize that we're on the internet too.

    ~Darl

    1. Re:Slashdot Plagiarized Again by SirSlud · · Score: 2, Interesting

      Seems to me how most of the news industry works these days. What with the amount of self-censorship and 'sensitivity' to the mainstream IT tech industry that advertises in their pubs, you pretty much have to wait for somebody off the beaten track to say something critical, and then it must only be quoted or aped at arm's length by a tech journalist.

      You know the style. When tech journals quote press releases, there are hardly ever any qualifiers. But when it's an up-stream critique of potentially successful companies, all of a sudden it's "Some suggest that" ...

      I guess what I'm saying is that I don't know if it's pure laziness, or also a product of the increased amount of distance that publications are putting between themselves and any meaningful sort of critical thought.

      Is it really just pure laziness or is there a reason that the journalists I've known recently don't seem to be particularly motivated into anything more than groupthink lip service when it comes to critical analysis?

      --
      "Old man yells at systemd"
    2. Re:Slashdot Plagiarized Again by Anonymous Coward · · Score: 1, Interesting

      He talked about stealing comments, not stealing stories. It's obvious the stories aren't original, you silly man. They all point to external links. :)

  2. Re:A good analogy... by vDiver · · Score: 2, Interesting

    Sadly, I must admit that my company's original virus notification systems sent mail to the sender and receiver whenever it detected a virus. This seemed really cool for a while, but with the growing trend for spoofed addresses and extremely heavy 'dumps' of mail...

    Anyway, we turned it off. A local administrator still gets to know about it, but that's the only place it goes now, and I think the world is a better place for it.

  3. Re:configuration of the virus announcement functio by dave3138 · · Score: 5, Interesting

    No kidding. I used to pass the emails along to the end users. Not any more. After this last worm (MyDoom), I became fed up with having to explain to the users why they were receiving the emails. As the parent poster did, I just throw them away. Problem solved. As for the people who allow their AV gateways to send back auto responses, they should be shot. Every time I receive one of those emails from postmaster@somewhere, I fire back a nasty email telling them to cut it out.

  4. Anti-Anti-Virus-Assassin? by Anonymous Coward · · Score: 1, Interesting

    Some Procmail rules to filter out all those mails might be helpful; those AVs shouldn't be too creative changing those messages all the time...

  5. Re:A good analogy... by Anonymous Coward · · Score: 1, Interesting

    I think many other sites have turned it off as well. During previous virus outbreaks, I'd get almost as many AV notifications as I did viruses. (Some of these notifications even came with the virus attached! DUH.)

    This time, I've only received a couple of AV messages (as compared to about 300 copies of the virus).

  6. I have experienced this in the worst possible way by NotAnotherReboot · · Score: 4, Interesting

    When Blaster was going around, I decided I wanted a new email alias on my campus's email system. I chose just my first name, and to my surprise, it gave it to me.

    As soon as it was set up, I started getting 50-100 messages from other servers saying that my address was spewing out viruses. Of course, this is impossible, seeing as my computer never even knew that I had this alias. Yet, I kept getting it time and time again.

    The problem was, I couldn't delete the alias, and I ended up with hundreds of these messages per day. Incredibly frustrating. They must know that it serves no purpose.

  7. Re:But isnt a lot of spam... by Cali+Thalen · · Score: 3, Interesting

    This is something that's always concerned me when we talk about boycotting companies that advertise with spam...it's completely reasonable to believe that someone in an affiliate program is sending out millions of emails (which you can do for free if you try) in the hopes of pulling down some easy commissions.

    I'm not sure what it would take to deal with this though...the company would have to be willing to cooperate for certain, and you'd have to set up some sort of sting if the spammer was at all capable of covering his tracks (have someone go through with a purchase to the point where the affiliate information was made visible)

    --
    Chaos, panic, disorder...my work here is done.
  8. It's a tough call.... by MadAnthony02 · · Score: 4, Interesting

    I work at a helpdesk, so I've spent the last couple days repeating how from headers can be forged, etc., etc. to users... so I agree with the frustration and do want it to stop.

    At the same time, if I unknowingly sent an important document that had a virus and was not received, I would want to know. Years ago I remember sending a resume that was infected with a Word macro virus - I was glad that I got a bounceback message, since a) I knew I had a virus and b) I knew the place didn't get my resume.

  9. Re:Simple solution to problem by Tony+B+Liar · · Score: 2, Interesting

    true, true, but if ya think about it... most ppl buy a pc from a BIG manufacturer, there are plenty of them about. you can pay 1000 easily for a machine that is literally worth 450 for parts and useless software, such as teach yer kids maths, french, etc etc. As part of that 1000 shouldn't they MAKE SURE that there is firewall / av software updated and ready to update, when pc is sent to mr and mrs gimp and their kids? The answer to this is quite simply NO because when they get countless virii and can't uninstall aol's free 6 year i-net trial connection from their machine they have to send it back to the BIG caring overcharging company to have it errr... ummmm.. "fixed"!?!? I see a niche market.. "send your pc to us directly from the supplier and we will charge a minimal fee to install safety software for you" alternatively, maybe the fdisk solution is THE way forward.. heheheehee! Love, Tony xx

  10. Re:Wait a minute... by SirSlud · · Score: 3, Interesting

    You want scary? How about the daily tech article in my local free newspaper being written by some "MS Lifestyle Representative" or somesuch. They are written like articles, but are blatant ads for MS products. There's no official 'ad' marker for the article, and supposedly it seems like they just want the reader to think it's a coincidence that it's written by an MS employee and seems to put forth the laughable notion that whatever your problem, the best solution is an MS product.

    That was scary, thinking about the million or so people who read it every day and don't even think of it in their minds as an advertisement with a vested interest in selling MS products.

    --
    "Old man yells at systemd"
  11. WEIRD by TwinkieStix · · Score: 3, Interesting

    This is really weird. I've been on a campaign for the past day or so to the big myDoom "spammers". I've been sending out the following e-mail:

    As a mail administrator or antivirus company, you are probably well aware of the current trend in viruses to forge the sender's address. Your system has been caught by our system, replying to these forged addresses to notify them that they sent a message containing a virus. This has been causing undue hysteria within my organization, and must stop immediately. In addition, this message was sent unsolicited and without prior business ties, and may be a violation of federal and/or state anti-spam laws. Further messages will result in a permanent block on your SMTP server's ability to send mail to ours, and a submittal of your "replies" to several major spam blocking services and black hole lists.

    If enough of us do this, maybe these guys will get a clue to turn off the reply feature.

  12. I've always been suspicious of AV companies by Anonymous Coward · · Score: 4, Interesting

    Let's face it, these people all have a vested interest in making sure that viruses are not eliminated.

    In the last Slashdot story about the Mydoom worm, a Computerworld article quoted the damning evidence directly from the horse's mouth:

    No one has yet reported an infection by Mydoom.B, said David Perry, global director of education at Cupertino, Calif.-based antivirus vendor Trend Micro Inc. "If 100 people in the world had been infected, we would know," he said. "In fact, almost all of the viruses that have ever been detected never infected anybody ever. We say that there are about 77,000 known viruses, but only about 900 of them have ever infected anyone."

    Huh? Pardon me? If they never infected anyone, then what makes them viruses? How were they detected if they never infected anyone - from the original first seeds by the virus writers themselves? Then why in the hell haven't they tracked the virus writers down? Are these inventions of the AV companies that never existed outside of the AV companies' labs? Only 900 out of 77,000 ever infected anyone - isn't the virus problem then vastly overrated?

    Given the above statement and the quite legitimate complaint that started this thread in the first place, I really think everyone should question the AV companies' role in the virus situation.

    1. Re:I've always been suspicious of AV companies by Anonymous Coward · · Score: 1, Interesting

      I used to do AV beta testing for McAfee, and the way I did it was I got the viruses (often with source code) directly from the proud virus writing groups and individuals. Then I would intentionally infect a separate test machine and scan it with the current release version and latest hourly beta. I would then send the log files along with the virus (and source if possible) contained in a zip file to a certain email account at McAfee. They would then update the beta, and email when it was updated.

  13. Picking Nits... by writermike · · Score: 3, Interesting

    FWIW, one of the examples the author gives as an AV spam -- the one with the content "Mail Transaction Failed" -- is one of the mails MyDoom/Novarg sends out.

    But, in a way, the virus is spamming, too.

    --
    If Nalgene water bottles are outlawed, only outlaws will have Nalgene water bottles.
  14. Big ol' steaming load by Dachannien · · Score: 3, Interesting

    Blaming the AV companies for the failure of the IT personnel of other organizations to evaluate and properly configure their mail gateway AV software seems like a load of crap to me.

    Besides, sending these e-mails arguably provides a positive service, because self-propagating e-mail viruses are everyone's problem, and a bit of vigilance on each person's part is required to prevent one of these viruses from becoming a worldwide problem.

    Using a shotgun approach to tell people that a virus is going around helps to inform everyone. Everyone needs to educate him- or herself about virus protection and prevention, so that they can personally know whether their machine could be infected or not.

    Also, telling those people to contact their local IT staff just gets the IT staff in gear to help stave off something they should have already been on the ball about. If the IT staff were prepared, then their company's employees would already be in-the-know, and would not harass IT with needless panicky e-mails.

    If, on the other hand, the software package sending the spam warnings provides links to their web page, then I'd lean toward considering it to be spam rather than information.

  15. Existing solutions by Syberghost · · Score: 2, Interesting

    One discussion that's been going on is the creation of a DNSRBL for sites that do this.

    Perhaps, however, instead of reinventing the wheel, we could use existing solutions; send a virus-infected email to postmaster@ the offending domain, and/or abuse@ the offending domain.

    If you get a bounceback that makes it clear no human will see the message, that meets the criteria for submission to RFC-ignorant

  16. Re:A good analogy... by thedillybar · · Score: 3, Interesting

    And tell your friendly sysadmins that if they would adopt SPF (Sender Permitted From), mentioned on Slashdot quite a few times now, that we would no longer have the problem of From addresses not matching the "postmark."

  17. stoopidity abounds by cdn-programmer · · Score: 2, Interesting

    There is no reason on earth that I can think of for an email system to run code received arbitrarily from the web.

    Personally I shut down these really bad ideas in 1997. Personally I received more than 100 copies of mydoom in the last few days.

    So it does appear many people who have legitimate reasons to put my email address in their contact lists have no idea how to be prudent about safe sex in cyberspace. This being said - I am optimistic they are learning.

  18. MSN taking advantage of its latest infection! by Tsu+Dho+Nimh · · Score: 2, Interesting

    Just into my HotMail account ... One could assume that Microsoft has no reason to write secure code because it helps a subsidiary SELL services.
    Me ... I use Mozilla and Linux

    From : MSN
    Sent : Wednesday, January 28, 2004 5:00 PM
    To : munged
    Subject : Fight spammers with new MSN Premium

    Get more from your Internet experience with new MSN(R) Premium Internet Software. This all-in-one software works with your existing Internet access to give you persistent protection, advanced communication tools and much more! With MSN Premium, you can:

    • Thwart e-mail viruses and hackers with MSN Virus Guard* and Firewall* powered by McAfee(R) Security.
    • Reduce spam and pop-up ads with junk e-mail filters and a pop-up guard - both built on patented Microsoft(R) SmartScreen Technologies.
    • Store more e-mail messages with 25 MB of online storage, plus send attachments up to 10 MB in size.
    • Enjoy home finance and learning resources with MSN Money Plus and MSN Encarta(R) Premium.

    Limited time offer - 3 months FREE**

    * Separate download required.

    ** Promotional offers only available to new subscribers, in the 50 United States, the District of Columbia, and Puerto Rico. After the trial period (if any), the then current price for your MSN plan will be automatically charged to your credit card until you cancel your account or select an alternative plan. You must agree to the MSN Subscription Agreement to access the service. A major credit card is required. MSN is available only for personal noncommercial use. Internet access service not provided; you must have existing Internet access service. No refunds on prepaid plans, unless cancelled within 30 days. For users of Windows(R) 98 or later operating systems only. Prices subject to change. Additional terms may apply. Offer valid until April 7, 2004.

    This special offer is being made available to select MSN Newsletter subscribers. Our relationship with you is very important. In the event that you wish to unsubscribe from future promotional e-mail or special offers from MSN, click here. Once your request is received, we will take prompt action to ensure you do not receive future promotional e-mail from us. By unsubscribing from promotional e-mail messages, you will not affect any newsletters you may have requested nor restrict important customer communications concerning your MSN services. If you have questions about MSN privacy policies, please click here to read our privacy statement. To provide feedback regarding this mailing, please send e-mail to CSmsncommunications@msn.com.

  19. Re:Saxian University (NL) does have stupid admins by Cruciform · · Score: 2, Interesting

    Call them back. Record the call.
    After they're done explaining that they won't do anything, inform them that they are now knowingly sending you unsolicited spam, and ask where you should fax the invoice, as you will be billing them for each unsolicited email that you receive.

    Do it as a bluff, or do it with the intent to bill. If you have them on tape saying they know they're bombing innocent third parties with email, they're going to change their ways pretty quickly. Newspapers love that shit :)

  20. logs show MyDoom activity by mabu · · Score: 3, Interesting

    A sampling of the increased wasted bandwidth and resources my system has dealt with in the last week:

    24-hour period, number of bounces

    Jan 22, 794
    Jan 23, 843
    Jan 24, 872
    Jan 25, 936
    Jan 26, 5472
    Jan 27, 19426
    Jan 28, 20468

    I've had more of an increase in AV Company spam than I have in propagation of the worm!

  21. Re:Is a maillog of a virus outbreak a good spamlis by nerw · · Score: 2, Interesting

    The clueless folks at hostasaurus.com not only believe their "customers" WANT them to keep sending those notifications - they've now blocked me from even replying to their snotty e-mails about it:

    (Anyone else want to try to pound a clue into Mr. Hubbard?)

    Return-Path:
    Received: (qmail 60997 invoked from network); 29 Jan 2004 23:28:15 -0000
    Received: from roc-24-24-39-84.rochester.rr.com (HELO UPSTAIRS.fybush.com) (24.24.39.84)
    by relay.pair.com with SMTP; 29 Jan 2004 23:28:15 -0000
    X-pair-Authenticated: 24.24.39.84
    Message-Id:
    X-Sender: fybush@gwind.pair.com
    X-Mailer: QUALCOMM Windows Eudora Version 5.1
    Date: Thu, 29 Jan 2004 18:33:53 -0500
    To: "David Hubbard"
    From: Scott Fybush
    Subject: RE: Your message, "", has been BLOCKED
    In-Reply-To:
    Mime-Version: 1.0
    Content-Type: text/plain; charset="us-ascii"; format=flowed

    At 05:38 PM 1/29/2004 -0500, you wrote:
    >Scott, thank you for suggestions, I will be
    >sure to bring them up at our next staff meeting.
    >If you have any more recommendations on how to
    >run our operations, even if it is contrary to what
    >our customers have requested such as with your
    >current suggestion, please feel free to let me
    >know.

    Thanks. I'm not saying you shouldn't be running a virus catcher on your
    mail system - just that it's good practice to disable the auto-reply
    function when it catches a worm like the current MyDoom that spoofs the
    "from" address. Look at the headers here - what MyDoom is doing is to pull
    a random domain name from the host machine's address book (in this case,
    "@fybush.com") and then to prepend it with a dictionary-attack list of
    random user names (in this case, I believe it picked "Dave," which isn't a
    valid username on my domain), then to send it TO another randomly-chosen
    user name (in this case, "jody") at a randomly-chosen domain name (in this
    case, "stormprotection.com.") An auto-reply like the one your system sends
    out is of value ONLY if the virus that's caught is one that doesn't spoof
    the "from" address, and I can't remember the last time I got one of those.

    It's not a question of keeping your customers happy in this scenario, since
    - if I'm reading the headers right - there isn't even a real customer at
    the address this particular worm was being sent to. It's a question of not
    adding to what's already an overload of e-mail traffic by sending
    auto-replies that BY THEIR VERY NATURE are useless to the recipient.
    Doesn't that make at least a little bit of sense?
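
The notification policy argued for in the comment above (and the "administrator only" setup earlier commenters describe adopting), as an added example that is not part of the thread or of any product's code. The admin mailbox, the list of sender-forging detection names, the sample messages and the function names are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example, not taken from the thread: the admin mailbox
# and the detection-name fragments treated as sender-forging worms.
ADMIN = "postmaster@example.org"
FORGING_FAMILIES = ("mydoom", "novarg")


def address(header_value):
    """Return the bare lower-cased address from a header value, or ''."""
    return parseaddr(header_value or "")[1].lower()


def notification_recipients(raw, detection, authenticated_user=None,
                            notify_external=False):
    """Decide who is told that the gateway quarantined a message.

    raw                -- quarantined message text
    detection          -- the scanner's name for what it found
    authenticated_user -- address our own server verified at submission, if any
    notify_external    -- opt-in: also answer unverified outside senders
    """
    msg = message_from_string(raw)
    recipients = [ADMIN]  # the local administrator always hears about it

    if authenticated_user:
        # Identity comes from the login, not from a header the worm can write.
        recipients.append(authenticated_user.lower())
        return recipients

    forging = any(name in detection.lower() for name in FORGING_FAMILIES)
    sender = address(msg.get("From"))
    envelope = address(msg.get("Return-Path"))
    # A header and envelope that agree are only a weak hint, so external
    # replies stay off by default and are never sent for forging families.
    if notify_external and not forging and sender and sender == envelope:
        recipients.append(sender)
    return recipients


def admin_report(raw, detection):
    """Headers-only summary; the infected body is never copied into it."""
    msg = message_from_string(raw)
    lines = ["Quarantined: " + detection]
    lines += [f"{h}: {msg.get(h, '(missing)')}" for h in ("From", "To", "Subject")]
    return "\n".join(lines)


# Constructed samples: addresses and detection-name strings are made up.
WORM = ("Return-Path: <dave@victim.example>\nFrom: dave@victim.example\n"
        "To: jody@target.example\nSubject: Mail Transaction Failed\n\n"
        "BODY-PLACEHOLDER-FOR-ATTACHMENT\n")
MACRO = WORM.replace("Mail Transaction Failed", "My resume")

if __name__ == "__main__":
    print(notification_recipients(WORM, "W32/Mydoom.A", notify_external=True))
    print(notification_recipients(MACRO, "W97M/Constructed", notify_external=True))
    print(admin_report(WORM, "W32/Mydoom.A"))
```

With the forged worm sample only the administrator is notified even when external replies are enabled; the macro-virus sample reaches the sender only after that opt-in.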

  22. Re:But isnt a lot of spam... by ratboy666 · · Score: 2, Interesting

    I ran into this. Received a spam from ?? advertising insurance brokering.

    The most objectionable thing was that the spammer had forged the return address to reference MY domain. Possibly I was going to be flooded with people screaming "Stop it!".

    I was upset. I went to the referenced web site, to see if I could track down the owner. No such luck; the web site ONLY permitted sales. I then created a dummy sales request, with a return to a throw-away hotmail email. Sure enough, I had a quotation several minutes later. I then chose one of the insurance vendors which had been quoted, and called them.

    They took it from there -- the web site was not authorized to sell that insurance (very illegal in my jurisdiction). But, the "vendor" (spam payloader?) was GONE. Had to do all his/her business within several hours!

    And, how does the "spam payloader" actually get paid? It would be commissions, but those would have to route through another party. It strikes me as expensive to set this up, and only have it operational for 3 to 12 hours?!

    Indeed, just over half the time I have bothered to look, the "spam payload" has been "defanged" by the time I have gone to look (usually 1 to 2 hours after my mail server receives the spam).

    Getting rid of commission sales would help; but I am not sure that is the right answer. Maybe someone needs to invent a "smart pill".

    Ratboy.

    --
    Just another "Cubible(sic) Joe" 2 17 3061
  23. Re:Stupid EXECUTIVES cause this. by freeze128 · · Score: 2, Interesting

    For some reason, executives get mad when they realize that customers are not being responded to, even when they send us a virus. It's the same thing as saying "Oh, we got your email alright. We just don't care about you...".

    It might be some sort of legal accountability thing too. Imagine a conversation like this:

    Customer: "I sent that proposal 10 minutes before the deadline. Did you get it?"

    Employee: "Uh, no."

    Customer: "Well, I have proof that I sent it, I'm going to sue you for a million dollars!"

    Employee: "Oh Crap!"