Slashdot Mirror
Anti-Virus Companies: Tenacious Spammers
jaroslav writes "There is a great article over at Attrition about the problem of anti-virus related spam. I don't know if we should all start reporting this to the government, but telling the companies themselves that this should stop might get some results."
A lot of clients in my department regularly ask me if they have a virus when they receive these mail gateway auto-replies. I came up with a good analogy that helps even the most technophobic user understand what's going on:
If I send a letter to George Bush using Saddam Hussein for the return address, the president will not believe that the letter is really from Iraq! Why? (other than Saddam being captured?) The postmark on the envelope will say Pullman, Wa!
Similarly, if the mail server looked at the address that actually sent the virus, it would see something like aol.com or texas-telecom.net. Instead, these mail servers just blindly believe that the virus was really sent from Client-A@wsu.edu. (I insert the client's actual email address here... that helps grab their attention if their mind was already wandering...)
Dont you see ? This 'spam' is just the anti-virii companies conditioning the users to ignore the MyDoom and other such varients! Previously at NAI Marketing: Look , Look ! We can put a good spin on it !
Not three hours after this comment, someone mailed this to Declan's Politech list, a cheat sheet for computer illeterate journalists angling for something to stay more relevant than the typewriters they still swear by. And then the very next day, we see three different articles with variations on this very topic. Five bucks says the next issue of eWeek borrows in their next issue as well.
Yes, as always, none of the stories credited Politech, though the names of the authors who borrow liberally are always the same. And Politech didn't credit Slashdot, where the Politech submitters borrow a full half of their stories with equal disregard for journalistic integrity. Indeed, the only time Politech credits Slashdot is when they believe Slash has said something stupid. These reporters are hooked on the easy source of stories, yet trash it publicly for fear others will find the tool that's kept them from having to do actual reporting anymore.
I may be here to take Linux away from you, but you can't argue that I don't give something back. You hate me. But you love me too, and you hate that as well. Think of it, you see me just the way others see Slashdot.
If you'd like to track Politech's ongoing plagiarism of Slashdot, jump on their free mailing list and have a laugh. Watch the submissions. Watch each story jump from Slash to Politech (search the comments after each new Politech post and you'll find the original +4 or +5 comment 4 times in 5), then check the NY Times, Barron's, and Ziff Davis Publishing for the same authors publishing borrowed stories the very next issue. They do it like clockwork, because these "tech" journalists don't realize that we're on the internet too.
~Darl
I totally agree, they AV co's need to shape up their act. It's a weird situation, do they really want to be THAT effective to really stop viruses, or will they be like Chinese on piracy and put up a show.
Best Community for Gaming and Gadgets!
At my last job at a public uni, obviously any and all worms and viruses slammed us hard. It was soon apparent to make support calls more mangeable as well as the lessen the pure amount of crap on the network that we had to configure our mail server virus package to send those announcement "you have or were sent an infection" messages to /dev/null. Some users might not get the warning they needed I suppose but quickly one message would turn into thousands just for one infected user. To the bit bucket with them! It helps.
"What we do in life echoes in eternity." Maximus Decimus Meridius
Steps to stop viruses:
1) At the end of every one of these viruses, just add fdisk. 2) Very quickly, there will be no more unprotected computers!
3) ???
4) Profit by shorting MSFT!
I am also quite bothered by these virus blocker programs mailing the from line when they know it is fake.
However, the truth is they know what sort of virus they have detected, and they can know whether the virus/worm in question forges the fromline or not. If they know it forges the from line, they should not send the mail back. If they know the program does NOT forge the from line, however, it is not unreasonable to send back the bounce, though for best appearances, it should not look like an ad.
If a program on my machine is sending out worms, I want to know about it. The antivirus software should be able to tell the difference.
But isn't a lot of spam generated by "lead companies".. For example, in those mortgage spams you get, the spamming company gets paid for leads to possible mortgages, not for the actual spam itself. They "lead" company is simply using spam as a method to solicit leads. Is the same applied to AV software? Sell the AV company a lead, get X% of the profit?
No kidding. I used to pass the emails along to the end users. Not any more. After this last worm (MyDoom), I became fed up with having to explain to the users why they were receiving the emails. As the parent poster did, I just throw them away. Problem solved. As for the people who allow their AV gateways to send back auto responses, they should be shot. Every time I receive one of those emails from postmaster@somewhere, I fire back a nasty email tell them to cut it out.
Occasionally I will send a nastygram to the support or abuse department of the system using the stupid virus protection. Usually they can't figure out why I'm annoyed that they told me I'm infected with a virus ... the concept that a virus can forge a FROM escapes their air-filled heads.
...before SCO relocates to Nigeria?
:)
"Dear friend,
I am Darl McBride, a well known businessman..."
Might be more fruitful for them.
biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
The author of this article seems to think that the AV companies are the one to blame for this. In fact, every AV product I've ever worked with at the mail server level has allowed you to turn this functionality off. Any decent mail server admin should be doing this themselves. It's the same kind of ignorance and stupidity that allows 3 year old exploits to continue to propagate.
"If I send a letter to George Bush using Saddam Hussein for the return address, the president will not believe that the letter is really from Iraq!"
You sure about that?
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
When Blaster was going around, I decided I wanted a new email alias on my campus's email system. I chose just my first name, and to my surprise, it gave it to me.
As soon as it was set up, I started getting 50-100 messages from other servers saying that my address was spewing out viruses. Of course, this is impossible, seeing as my computer never even knew that I had this alias. Yet, I kept getting it time and time again.
The problem was, I couldn't delete the alias, and I ended up with hundreds of these messages per day. Incredibly frustrating. They must know that it serves no purpose.
Why don't we all just turn this "feature" of replying to the virus-laden email off? I do the administration of our anti-virus software on the network (Symantec Corporate Ed.), and I just turn that crap off...it's a very simple thing to do. I can't speak for the other anti-virus software, but I would assume you could also turn off email replies in them as well. We ought to be bitching to the network admins, and not to the government.
Certainly whoever sets up a server and leaves this enabled is stupid or careless, but I think the companies have some responsibility too. The option should at least be disabled by default. Enabling it should cause some sort of warning. Better yet it shouldn't be there. Why put such a dangerous feature in a program?
I work at a helpdesk, so I've spent the last couple days repeating how from headers can be forged, ect, ect to users... so I agree with the frustration and do want it to stop.
At the same time, if I unknowingly sent an important document that had a virus and was not recieved, I would want to know. Years ago I remember sending a resume that was infected with a word macro virus - I was glad that I got a bounceback message, since a)I knew I had a virus and b)I knew the place didn't get my resume.
I have blog like everyone else
...that sends "back" (though I never sent it in the first place) the actual VIRUS!
.SCR .PIF or .EXE file, and since I run my PC behind a "linksys" box that blocks all incoming ports, I've never had Code Red or anything like that.
If I had spare time, I'd SUE the AV companies! They're commiting LIBEL and they KNOWINGLY SENT ME A VIRUS!
Anyway, I'd also like to add that I've run Microsoft Windows since the days of Windows 1.03 and I have NEVER had a virus. I don't take unusual precautions, either. I have a virus scanner that I keep updated and run MANUALLY every time I hear about a new one, and it never finds anything (except when I've purposely saved one off for analysis!). I've never been tempted to click on an
One of the companies I'm working for just locks down the network harder and harder each time there's a new virus. For example, they did some tweak so when you log into the domain, some thing runs that prevents you from making a share (though only from the UI--you can still do it from the NET command-line.) I hope someone realizes that they've NEVER actually stopped a virus, even though each time one happens they run around in circles and restrict the network and PCs even more. You just can't prevent against people receiving an EXE in email and running it!
Now I know the argument you get from Mac-crazies--that if the PC had better account management this wouldn't happen. NONSENSE! A user-level program with no special "root" access can easily scan through YOUR mailbox and pick of email addresses and send out email. ON ANY OPERATING SYSTEM, even a properly adminstered Un*x system.
Best Buy can have you arrested
You want scary? How about the daily tech article in my local free newspaper being written by some "MS Lifestyle Representative" or somesuch. They are written like articles, but are blatant ads for MS products. There's no official 'ad' marker for the article, and supposedly it seems like they just want the reader to think its a co-incidence that its written by an MS employee and seems to put forth the laughable notion that whatever your problem, the best solution is an MS product.
That was scary, thinking about the million or so people who read it every day and don't even think of it in their minds as an advertisement with a vested interest in selling MS products.
"Old man yells at systemd"
This is really weird. I've been on a campaign for the past day or so to the big myDoom "spammers". I've been sending out the following e-mail:
As a mail administrator or antivirus company, you are probably well aware of the current trend in viruses to forge the senders address. Your system has been caught by our system, replying to these forged addresses to notify them that they sent a message containing a virus. This has been causing undue hysteria within my organization, and must stop immediately. In addition, this message was sent unsolicited and without prior business ties, and may be a violation of federal and/org state anti spam laws. Further messages will result in a permanent block on your SMTP server's ability to send mail to ours, and a submittal of your "replies" to several major spam blocking services and black hole lists.
If enough of us do this, maybe these guys will get a clue to turn off the reply feature.
Let's face it, these people all have a vested interest in making sure that viruses are not eliminated.
In the last Slashdot story about the Mydoom worm, a Computerworld article quoted the damning evidence directly from the horse's mouth:
No one has yet reported an infection by Mydoom.B, said David Perry, global director of education at Cupertino, Calif.-based antivirus vendor Trend Micro Inc. "If 100 people in the world had been infected, we would know," he said. "In fact, almost all of the viruses that have ever been detected never infected anybody ever. We say that there are about 77,000 known viruses, but only about 900 of them have ever infected anyone."
Huh? Pardon me? If they never infected anyone, then what makes them viruses? How were they detected if they never infected anyone - from the original first seeds by the viruswriters themselves? Then why in the hell haven't they tracked the virus writers down? Are these inventions of the AV companies that never existed outside of the AV companies' labs? Only 900 out of 77,000 ever infected anyone - isn't the virus problem then vastly overrated?
Given the above statement and the quite legitimate complaint that started this thread in the first place, I really think everyone should question the AV companies' role in the virus situation.
FWIW, one of the examples the author gives as a AV spam -- the one with the content "Mail Transaction Failed" -- is one of the mails MyDoom/Novarg sends out.
But, in a way, the virus is spamming, too.
If Nalgene water bottles are outlawed, only outlaws will have Nalgene water bottles.
Blaming the AV companies for the failure of the IT personnel of other organizations to evaluate and properly configure their mail gateway AV software seems like a load of crap to me.
Besides, sending these e-mails arguably provides a positive service, because self-propagating e-mail viruses are everyone's problem, and a bit of vigilance on each person's part is required to prevent one of these viruses from becoming a worldwide problem.
Using a shotgun approach to tell people that a virus is going around helps to inform everyone. Everyone needs to educate him- or herself about virus protection and prevention, so that they can personally know whether their machine could be infected or not.
Also, telling those people to contact their local IT staff just gets the IT staff in gear to help stave off something they should have already been on the ball about. If the IT staff were prepared, then their company's employees would already be in-the-know, and would not harass IT with needless panicky e-mails.
If, on the other hand, the software package sending the spam warnings provides links to their web page, then I'd lean toward considering it to be spam rather than information.
I wonder if we (as a community) should draft an RFC that governs such things as naming conventions and the like. perhaps define all types of viruses give them a designation as to what platform and what they do. The names would sort of be a mixture of all the major vendors.
.A .B .C etc, and a convention for payload style. Mydoom was a mass mailer that also was meant for use in a DDOS.
Something like
$PLATFORM/$VIRUS.$VERSION@$PAYLOAD-STYLE So you'd need a simpl draft coming up with a platform name Win32 for 32-bit windows Mac for mac's yadda yadda, a Virus naming convention so that everyone would be able to tell from looking at the virus as to what it's name should be, $version
So perhaps mydoom should be
Win32/Mydoom.A@MM@DD
-or-
Win32/Happy99.a@M
just thoughts and ideas, what's everyone else think?
As well as defining in the RFC that, if a worm is known to spoof the From: field then skip the auto-reponder notice altogether.
/* oops I accidentally made a comment, sorry */
I believe in a little axiom that says
I'm only going by my experience in anti-virus software, but lets look at it this way:
1) Anti-virus software is on the desktop machine to prevent infection
2) Soon viruses are getting in via email. Anti-virus software writers decide to target the enterprise (where the real money is) and where it makes most logical sense to block viruses now.
3) Some programmer comes up with the idea "Hey! Wouldn't it be great if our software automatically emailed the person who sent the virus in the first place? After all, its 1997 and the only way to get a virus is via a word or excel document attached to the email." The product development approved, not only because education is a huge tool in stopping viruses, but a little (I stress a little) free advertising couldn't hurt.
4) Microsoft introduces new features and more sophisticated viruses are introduced.
5) The option stays on and is set by default because no one re-evaluates it and its just that way.
6) Some cracker gets an ingenious idea to use the feature against itself and cause more harm than good. The feature is exploited to send out thousands of emails per server, which the original designers never intended.
7) Anti-virus writers don't pay attention because you can just turn it off and its not important to them any more. It's the admin's job to know to turn this off. They may tell some people, and they may default it to off in the next version, but its not high on the list.
And even still, you can't just tell someone they are stupid for coding it this way or for not turning it off. Until recently, this option made "Never attribute any action to malice when you can attribute it to stupidity or ignorance."sense. Tell the infected user of their problem so cut down on the spread of virii. Now, as in the biological world, the virus writers figured out how to use a portion of the "immune system" against itself.
It's just the way things happen. I write a virus, you write a counter measure, I write a way to get around it. What's missing here is an email illustrating that the intent of sending out all these emails was deliberate on the part of anti virus writers. The article is assuming intent for no other reason than to scare people. Again, "Never attribute any action to malice when you can attribute it to stupidity or ignorance."
"All great wisdom is contained in .signature files"
And on the way out, pounding "I AM AN E-MAIL SPAMMER" signs on their front lawn?
C'mon, admit it. That would feel really good.
Stefan
In the article, the author mentioned a mail server bouncing a message to a bad address with the bounce containing the virus.
What if the server recieving the bounce has one of these alerting virus scanners?
Scenario:
1. Virus sends message to non_existant_user@email.com, forging the from address of user123@free-email.com
2. email.com server bounces the message because non_existant_user doesn't exist.
3. free-email.com receives the (virus containing) bounce from email.com
4. AV software bounces the email, sending the virus back to non_existant_user@email.com
5. Goto 2
Anyone else see a problem here?
I used to get high on life, but I developed a tolerance. Now I need something stronger.
Personally, I'd be pissed at your parents for naming you "postmaster".
Dewey, what part of this looks like authorities should be involved?
The auto-response from AV software isn't spam, its the server trying to warn you that an attachment you might have cared about didn't make it to the destination.
In order for most of those filters to work, they have to be updated with new virus definitions. At the time they identify this new virus, they can also identify whether the header information is legitimate and worth responding to. In the case of anti-spam companies that ignore this information, they ARE spamming and contributing to the problem. There is no excuse.
If you are an anti-virus company and you update your system to recognize MyDoom, you know that the from address is not accurate. So if you bounce e-mails to the source, you are incompetent, a spammer, or both.
You could start by explaining to your boss that in some situations email is not THAT reliable. And if a billion follar contract rests on the successful delivery of an email, he'd better pick up the phone and call someone to make sure it was recieved.
A sampling of the increased wasted bandwidth and resources my system has dealt with in the last week:
24-hour period, number of bounces
Jan 22, 794
Jan 23, 843
Jan 24, 872
Jan 25, 936
Jan 26, 5472
Jan 27, 19426
Jan 28, 20468
I've had more of an increase in AV Company spam than I have in propagation of the worm!