Virus Scanner Auto-Replies - A Good Thing or Obsolete? 123

Moryath writes "Used to be, everyone put an auto-responder in their email server's virus scanner. That way, some dingus sends in a virus, you're protected, and they get notified so they scan and fix their system. Of course, all these stupid things ever do is reply to the From: field, and possibly to Abuse@domain, webmaster@domain, etc... as well. Enter viruses like Sobig. We've had them for years in various forms, they spoof the From: field with another email from another victim's contact book, and all of a sudden random people are getting bounces of emails they've never sent. I have actually gotten more bounces today than actual Sobig attachments. So what does the Slashdot crowd think? Is it time for the people running these mail servers to take down those autoresponders? Are they guilty for part of the damage things like SoBig have caused, since their ill-configured mail servers are doubling, tripling, or even quadrupling the amount of traffic one Sobig infection produces?"

  • It takes brains (Score:5, Insightful)

    by Kelerain ( 577551 ) <.moc.liamtoh. .ta. .retsampam_cva.> on Thursday August 21, 2003 @08:04PM (#6760484)
    If you aren't smart enough to automate the replies intelligently (based on whether the worm type spoofs emails, for example) then don't send anything. Simple as that. Use it right, or don't use it at all.
    • You've summarized, in two sentences, why creating an e-mail setup requiring confirmations won't work, because we can't do it intelligently. Face it, we're going to be dealing with this problem or crap just like it until A: Something fundamental changes in the setup of the internet or B: There is a simple/clever/obvious/[your adjective here] technological breakthrough that has the same effect as A, but with minimal disruption.

      Even though I disagree with the statement about anonymity, I do agree with this po [slashdot.org]

    • Really, if there were a way to run MailScanner (e.g.) straight out of Sendmail (e.g.), instead of after Sendmail is done with it, we could give an error to the person who actually sent the mail during SMTP, instead of having something down the line try to send errors to whatever might be in the From: header.

      I'm not sure which, if any, MTAs have hooks for this (though I suspect the answer is Postfix) but SoBig, Klez, et al., have proven that doing it in the MDA is a flawed model.
  • by Dancin_Santa ( 265275 ) <DancinSanta@gmail.com> on Thursday August 21, 2003 @08:05PM (#6760498) Journal
    There is no tangible benefit to having these notices. The user receiving the notice either knows what it means or doesn't know what it means and either way receiving the notice wouldn't change their behavior regardless.

    Now that my Inbox is overflowing and my ISP's mail server is rejecting emails because I'm over the account size limit, I'm a little more wary of these supposed "user friendly" helping hands that virus scanner companies are building into their products.
  • by sybarite ( 566454 ) on Thursday August 21, 2003 @08:07PM (#6760509) Homepage
    To those who admin Windows networks... Please put an exit filter for TCP port 25 on your firewall so only your mail server can send SMTP and not infected workstations.
    • by Blkdeath ( 530393 ) on Friday August 22, 2003 @12:50AM (#6762166) Homepage
      To those who admin Windows networks... Please put an exit filter for TCP port 25 on your firewall so only your mail server can send SMTP and not infected workstations.

      That advice should be extended to all end-user networks. Realistically, regular corporate workstations and home DSL/Cable/Dial-Up users should have no reason to talk directly to a foreign SMTP server in the first place.

      • Realistically, regular corporate workstations and home DSL/Cable/Dial-Up users should have no reason to talk directly to a foreign SMTP server in the first place.

        That is incorrect. Web site owners often use the mail server associated with their domain(s) to send and receive email. When I send email to a business partner, I would prefer they see it come from my web site's domain, not my ISP's.

        If my ISP did this, I would just switch to the alternate port number my web host has set up for just that ev

        • That is incorrect. Web site owners often use the mail server associated with their domain(s) to send and receive email. When I send email to a business partner, I would prefer they see it come from my web site's domain, not my ISP's.

          You'll note I said; "regular corporate workstations and home DSL/Cable/Dial-Up users". Why are you running a website on a home user service not intended for it?

          Moreover, what's stopping you from sending an e-mail with your own domain via your ISP's mail server?

          When/if t

          • My, aren't we in a mood tonight? Mommy tuck you in wrong and you woke up on the wrong side of the bed this morning? Or is this how you always react when someone points out an error, by trying to distract from your error with juvenile behavior? Does that ever work?

            Had you paid attention to what I said, you would have noticed I mentioned a web host. I would be hard pressed to serve the site to my 15,000 visitors a day off a DSL line. That host has already had to open one port so customers can send email

            • Had you paid attention to what I said, you would have noticed I mentioned a web host. I would be hard pressed to serve the site to my 15,000 visitors a day off a DSL line.

              Then why were you comparing your situation to the criteria I set? Since it's obviously not a corporate desktop or home user Cable/DSL/Dial-up account; why did you feel the need to respond?

              P.S. Your "juvenile" condescension has been duly noted. If you're going to take Slashdot this personally, perhaps it's not the forum for you. I sug

                • Because it is a home account, albeit satellite, not dialup or dsl.

                Sorry, let me slow down and explain this in simple terms.

                I connect to the mail server provided by my web host from my home. I do this by utilizing port 25, which is what the poster you replied to suggested be blocked. If my port 25 is blocked, I can't talk to my email server without circumventing the ISP's block.

                I was correcting your mistaken comment that "Realistically, regular corporate workstations and home DSL/Cable/Dial-Up us

                • I connect to the mail server provided by my web host from my home. I do this by utilizing port 25, which is what the poster you replied to suggested be blocked. If my port 25 is blocked, I can't talk to my email server without circumventing the ISP's block.

                  You still haven't presented a valid reason to need to connect to said mail server. Mail would get there all of ten seconds slower if you used your ISP's mail server as a smart relay. It's ok if you don't understand the technical nuances of RFC822 et a

                  • If you can't see the need for a business man to mail business partners from his business address using the mail server he pays for, then I'll not stress your intellect any further.

                    In the meantime, you really should seek some assistance for your social problems. Reacting like a petulant child when your mistakes are pointed out to you is not healthy. Have a good day.

                    http://www.google.com/search?q=stress+reduction+therapy [google.com]

                  • Comment removed based on user account deletion
                    • most isps will not relay unless they host the site, so what happens when I host with company b and I want company a to let me relay from their mail server? Not going to happen, that's what...

                      That's pretty sweeping. I deal with dozens of ISPs; Cable, DSL, and Dial-Up in Ontario and I don't believe I've ever encountered one that wouldn't permit me to send e-mail from any domains in my control through their server. Generally their relay controls revolve around the source IP address or some form of authenti

                    • Comment removed based on user account deletion
                    • So tell me how a company knows when you own the domain that you are relaying?

                      Did you read his post?

                      Here - let me quote the relevant portion:

                      their relay controls revolve around the source IP address or some form of authentication, not the From: address

                      Who owns said domain is irrelevant. Who's authorized to send mail from said domain is irrelevant. What's relevant is the IP ADDRESS the mail is originating from.

                      The previous poster is correct. Like him, I admin a hosting company. We don't (and I'v
                  • You still haven't presented a valid reason to need to connect to said mail server.

                    You obviously don't travel. I don't want to have to reconfigure my laptop everywhere I go. Have you ever tried asking the front desk at a hotel what the IP address of their SMTP server is? I can just imagine the blank stare you'd get in return.

        • Web site owners often use the mail server associated with their domain(s) to send and receive email.

          I disagree - unless they don't know what they're doing. If you have a co-located server, this might work (because you have exclusive control of the host), but it's still better to use your ISP's mail server.

          When I send email to a business partner, I would prefer they see it come from my web site's domain, not my ISP's.

          What does that have to do with which mail server you use? Do you believe that if it
          • I disagree - unless they don't know what they're doing. (...) If so, you have a severe misunderstanding of SMTP, and I urge you to read the applicable RFCs to better your admin skills.

            Lovely. Someone else with an attitude problem.

            Just out of curiosity, why do you feel the need to be rude and insulting because you (mistakenly) believe you've caught me in an error?

            Do you believe that if it comes from your ISP's mail server, that it has to come from their domain too?

            No, I understand that, but some

  • Obsolete. (Score:5, Insightful)

    by hackwrench ( 573697 ) <hackwrench@hotmail.com> on Thursday August 21, 2003 @08:07PM (#6760513) Homepage Journal
    I've been getting tons of bounces and antivirus messages that are a result of someone else with my e-mail address having the virus. Of course, the whole e-mail infrastructure is obsolete: What do you mean someone else can easily send an e-mail as me! Perhaps if they fixed that however antivirus messages would once again be useful. Could someone with modpoints please mod up my post two posts earlier that erroneously got modded 'Troll'?
    • Re:Obsolete. (Score:4, Insightful)

      by Blkdeath ( 530393 ) on Friday August 22, 2003 @12:52AM (#6762181) Homepage
      I've been getting tons of bounces and antivirus messages that are a result of someone else with my e-mail address having the virus. Of course, the whole e-mail infrastructure is obsolete: What do you mean someone else can easily send an e-mail as me!

      For the same reason someone can mail a letter as you or send a fax as you or communicate in any interpersonal forum as you.

      Enter digital cryptography. Sign your messages and never worry again.

      • Nobody can communicate in any interpersonal forum as me, just in those that don't have passwords. As for the other two, it is because authentication has been thought to be too difficult to implement for them.
    • Could someone with modpoints please mod up my post two posts earlier that erroneously got modded 'Troll'?

      For some reason I read that as erogenously. Been reading tfproject.org too much recently, I guess.

      Nate

  • I doubt these email replies are doing any good at all.

    Case in point: Every twenty minutes, since first thing this morning, I have received an email with an evil .pif file (thankfully automatically deleted by my company's email server.) I know where the mails are coming from, and have contacted the abuse@[nameofispdeleted] address with the details.

    As of this writing, I have received no reply, the emails are still coming, the user's account is still active, and I don't even know if they got my email, as
    • How do you know where the e-mails are coming from since the addresses are spoofed?
      • The From: fields are spoofed (and are different on each email) but the IP address of the originating mail server is the same on all of them. Unlike spam, I don't think this virus is spoofing the email header completely, just sending it out with a fake From: address to catch the clueless.

        Of course, if it IS spoofing the IP address as well, then that just adds more fuel to the argument that these emails are useless.
        • Is it possible to spoof the IP address as well? I thought that that was added by the receiving server. Not that it really matters, fake From addresses cause more than enough headaches for me as it is.
    • I also tried to contact the ISP to get one user whose infected computer was sending love messages every 10 mins to my email.

      Looks like too many people are sending in notifications.

      Check out this bounced email error:
      host mx11.mindspring.com[207.69.200.82] said:
      554 Quota violation for junkmail@mindspring.com
    • I was hit with ~100 mails each day a year ago when a couple of persons who had my address. I also tried contacting their ISP and asked them to contact the users (their email quota was full since they sent so much crap). After five or so tries with no reply I grew tired of it and wrote an automated script that forwarded each mail I got to all addresses I could think of in that company, like webmaster@, postmaster@, root@, administrator@, admin@, all@, staff@ etc., and after a few days the emails stopped coming.
  • I have a similar problem but in this case it is because of spam mail. Some spammer sends spam and puts in the From: the address of some other victim. Then the reply from the spam filter arrives to someone who did not send the mail. I have received several mails lately from Yahoo indicating that my email could not be delivered to several users that don't exist anymore, attached is a spam mail which I didn't send. I contacted yahoo but their support is awful.

    How can one protect from this?

    • How can one protect from this?

      Track down the spammer, and press charges against them for identity theft.

      This is the biggest proof that spam is a social problem. You basically have someone going around saying that they are you. If you want them to stop, you have to deal with them in RL.
  • I am in the same boat you are; I think I received about 50 bounce messages today at work, but maybe one or two copies of the Sobig Trojan. Just tonight I received two copies of the Trojan in my home mail account out of 24 new messages.

    That's the same number of Nigerian money laundering scam emails I received! I had one erroneous bounce tonight.

  • Until IPv6 is implemented you will never be able to ID and prosecute the people who generate these types of attacks/viruses/worms/etc.

    Anything short of IPv6 is simply silly symptom slaying -- as pointless as it is fruitless as it is less-than-effective.

    As was discovered in the "old" BBS days: anonymity is an unnecessary evil: Make folks ID themselves properly and most of your problems (in that regard) go away.

  • As far as I am aware, mailscanner (http://mailscanner.info/) has a list of viruses it quietly deletes, and notifies for other viruses. Wouldn't it make sense to spread this usage to other antivirus platforms? i.e. to reserve the reporting of viruses for viruses whose origin can be predicted with some confidence?
  • They're nothing but spam promoting a hackneyed fix to a broken security model. Virus scanners aren't the right answer, switching OSes is. Just treat them as spam [spamcop.net].
  • I am getting more unwanted 'virus notifications' from this virus than any spam to date.

    Here's my question:
    Why doesn't a spammer use these auto-notify ISP (like AOL) and send spam that way?
    ie. I send my advert (with known virus attached) with faked header
    To: whocares@aol.com
    From: victim@real.address.com
    The victim reads the email because (a) it is a legit email and (b) looks important.
    They win the pleasure of reading -- bounced adverts.
    • Yeah, I've gotten those. After opening the first one, I just delete them now. I think maybe a smarter thing would be to use a rotating list of To/From addresses... out of their e-mail list. That way, some mail gets through and the ones that don't get bounced to someone they want to read it. Since they're already sending you two or more of the same e-mail, they can rotate the list to ensure full 'coverage' of their victims.
  • Please stop doing this!!!

    PLEASE!!

    Seriously. All it does is spam unaffected individuals, considering that in the post Klez days, all e-mail viruses spoof the sending address, clogging up e-mail servers and causing more annoyances than spam!

    When you start getting these, you can get at least 200 a day. It's not a good thing.

  • by linuxwrangler ( 582055 ) on Thursday August 21, 2003 @08:45PM (#6760805)
    Sobig greets the other server with the NetBIOS name of the infected computer. This does not conform to RFC 2821, which requires a fully qualified domain name. My mailserver does not accept connections from hosts that do not properly identify themselves as the RFC requires. Haven't seen a single Sobig here - the server rejected them all.

    Now bounced messages from other mailservers...that's another issue.

    If mail admins simply set their servers to require FQDN greetings then Sobig would be stopped dead. By rejecting the message my mailserver expects the connecting MTA to generate any necessary bounce which Sobig, of course, does not do. No delivery. No bounce messages. No problem.

    So how about it all you mail admins out there. How about demanding a bit of RFC compliance from connecting MTAs. Perhaps this virus will provide the moral authority you need to tighten up your servers.
    • Until the next one figures out to use the RFC.

      That's not a long-term answer.

    • What if the next virus uses a fully qualified domain name? Standards compliance is good as the first line of defence against really stupid junk, but it's easy to break even for a virus, just by being compliant.
    • I'd be happy to help in this, but I'm not entirely sure how to do this in exim4.
    • I've had to allow unresolvable FQDNs in the HELO, because a few of the companies that my employer deals with have morons in their IT department. Those morons have managed to configure mail servers using *internal* names that don't resolve outside of their network. Now, if I didn't care about getting paid, I suppose we could continue rejecting mail from fake domains, but I like getting a paycheck. At least I can still reject invalid sender domains, etc.

      I really wish that large companies (like that big gr
      • I've had to allow unresolvable FQDNs in the HELO, because a few of the companies that my employer deals with have morons in their IT department. Those morons have managed to configure mail servers using *internal* names that don't resolve outside of their network.

        Then allow only addresses that either 1. are a FQDN or 2. are one of the servers managed by morons working for companies that your employer deals with.

        • That means that there's always at least one initial bounced mail (probably more) when we start dealing with a new moron company. That doesn't make for a good first impression - the people at said moron company just assume that we don't know what we're doing. That's *also* one more list that I have to maintain, which is bad because I'm lazy and human. Anything that I have to constantly watch is a Bad Thing. If we didn't get new clients frequently, though, the "one list to rule them all" scheme might be a
    • Linuxwrangler, how about *you* making your mailserver RFC compliant:

      What you propose is an explicit breach of RFC 2821 as detailed in section 4.1.4:

      An SMTP server MAY verify that the domain name parameter in the EHLO command actually corresponds to the IP address of the client. However, the server MUST NOT refuse to accept a message for this reason if the verification fails: the information about verification failure is for logging and tracing only.
    • My mailserver checks against 5 RBLs and has a "bad reverse" DNS check too (qmail 1.03) and I have not gotten a single solitary Sobig virus or bounced message...

      gawdam fbsd rules..
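As an added example that is not part of the thread, here is the HELO check linuxwrangler describes, written as a small Python policy function an MTA hook could call. It makes two distinctions the subthread argues over: rejecting a HELO argument because it is not even the *form* RFC 2821 section 4.1.1.1 requires (a fully qualified name or an address literal) is a syntax decision, separate from the section 4.1.4 rule that a server MUST NOT refuse mail because the name fails to *resolve* to the client address; and the per-peer allowlist covers the partner servers that greet with unqualified internal names. The hostnames and IPs are constructed examples, and the 504 code and text are the assumed reply.

```python
"""Added example (not code from the Slashdot thread): classify an SMTP
HELO/EHLO argument before the transaction continues.

RFC 2821 s4.1.1.1 says the argument is a fully qualified domain name or an
address literal such as [203.0.113.45].  Sobig.F greets with the bare
NetBIOS name of the infected PC, which has no dot at all.  This checks form
only; it deliberately does not resolve the name and compare it with the
client IP, because RFC 2821 s4.1.4 forbids refusing mail on that basis.
"""
import ipaddress
import re

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

ACCEPT = "250"   # continue with MAIL FROM
REJECT = "504"   # assumed reply: 504 5.5.2 <name>: Helo command rejected


def is_address_literal(arg):
    """'[203.0.113.45]' or '[IPv6:2001:db8::1]' per RFC 2821 s4.1.3."""
    if not (arg.startswith("[") and arg.endswith("]")):
        return False
    inner = arg[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    try:
        ipaddress.ip_address(inner)
        return True
    except ValueError:
        return False


def is_fqdn(arg):
    """Two or more valid labels, and a top-level label that is not numeric."""
    labels = arg.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    if not all(_LABEL.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()


def helo_verdict(arg, client_ip, allowlist=frozenset()):
    """Return (reply_code, reason).

    `allowlist` holds client IPs permitted to greet with unqualified names:
    the partner servers from the thread whose admins will not fix them.
    """
    arg = arg.strip()
    if client_ip in allowlist:
        return ACCEPT, "allowlisted peer, HELO syntax not enforced"
    if is_address_literal(arg):
        return ACCEPT, "address literal"
    if is_fqdn(arg):
        return ACCEPT, "fully qualified hostname"
    return REJECT, f"5.5.2 <{arg}>: Helo command rejected: need fully-qualified hostname"


if __name__ == "__main__":
    # Constructed greetings, not captured traffic.
    partners = {"192.0.2.10"}
    for helo, ip in [("JOHNS-PC", "203.0.113.45"),
                     ("mail.example.net", "198.51.100.7"),
                     ("[198.51.100.7]", "198.51.100.7"),
                     ("EXCHSRV01", "192.0.2.10")]:
        print(f"{helo:18} from {ip:14} -> {helo_verdict(helo, ip, partners)}")
```

A rejection at HELO or MAIL FROM time happens before the message body is accepted, so, as linuxwrangler notes, no bounce is ever generated on the receiving side; a worm's own SMTP engine simply moves on. Postfix implements the same syntax check as `reject_non_fqdn_helo_hostname` in `smtpd_helo_restrictions`.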

  • I've gotten no fewer than 50 of the things this week. Most of them have come from systems that are set up to copy the postmaster of the domain. After several nastygrams, most of which bounced(!), I had to set up a temporary blacklist for those domains. If they really need to get through, they can give us a call.

    There is absolutely no excuse for this after the publicity this trojan has been given. If nothing else, the AV software should be programmed to skip the sending of these emails if it's known t
  • To date, I've gotten ZERO SoBig or other new and currently hot viruses/trojans. On the other hand I have gotten no less than 8 bogus bounce messages (averaging 50 percent AOL related) every 30-40 minutes.

    I don't know what's worse: the actual messages that we are getting, or having to explain to scared, confused, or otherwise ignorant users why they keep getting messages regarding e-mails they never sent. I really wonder...

    Which consumes more time, cleaning an infected user's computer? Or explaining to a user (s
  • Do it right (Score:3, Interesting)

    by Permission Denied ( 551645 ) on Thursday August 21, 2003 @08:59PM (#6760918) Journal
    Most of the auto-responders I've seen simply send a note with the subject of the message to the From: address. A few might include part of the body of the message.

    These are absolutely useless as you can't figure out what machine originally sent out the message without the full Received headers. I've not seen one virus auto-responder include the full Received headers. The right thing to do would be to include the entire message as an RFC 2047 MIME attachment.

    My reasoning is that these auto-reply messages occasionally get to the right person: namely, me. I then look at the infected IP address and if it's one of ours, send someone out to fix it. This is what I do for messages that get sent to undeliverable addresses where the remote site sends a bounce containing the full original message. A lot of these end up coming to one of my addresses since my addresses are widely advertised within our organization and are likely in many people's web cache and address books.

    Past this, I don't see any reason for the auto-replies. They'll never get back to the person whose machine was infected, but they might get to me. It's easier to find out about the problem from some bounce and fix it immediately than it is to have some end-user from some other organization complain to you and then having to explain to this person how to send a message containing full headers (which is actually difficult and non-intuitive in most Windows MUAs).

    • Past this, I don't see any reason for the auto-replies.

      I've considered the possibility that, even though most modern viruses spoof the from: address, there is some marketing value in saying that Norton AntiVirus Super Gate 5000 found a virus in your message.

      After all, Norton says that you sent a virus. Maybe Norton knows something that you don't, huh? Maybe you ought to go out there and buy a copy of Norton AntiVirus yourself just to be sure you're protected. After all, Norton catches all these other
      • I wouldn't put it past the marketing department to consider something like that.

        I've been looking through my mail and I realize that you are absolutely right. Most of these messages contain the product name in the subject line.

        Funny thing is, whenever I see one of these messages, I think: "OK, Norton AntiVirus SuperGate 5000 must be written by dimwits if they didn't think to include full headers; thus, I should stay away from all Symantec products."

  • I manage the catch-all computer account for my University's domain (help@, postmaster@, root@, abuse@, webmaster@, etc). Since Monday we've been getting 50-100 of these damn virus scanner replies per hour, as well as questions from many users asking who the hell sent this from their account? It's annoying, frustrating, and a complete waste of time and bandwidth. Our mail server virus scanners will only reply to the *To:* address of an infected message to let them know it was cleaned/deleted, as it should be.
  • Obviously any half-decent virus-scanner can tell that this is sobig.f, and they know that it spoofs the headers. Why auto-reply? Free advertising! Most users will say "ooh... we should get that for our company" rather than saying "what crappy software that is that spams the wrong people".

    Makes me wonder... the antivirus companies are knowingly and willfully causing a DDoS of spam to our accounts. Can they be sued at $50/message for that?

    • Parent needs to be modded UP. I suppose the original intent was benevolent, as it would be a useful service if only the message could be bounced to the actual infectee, not an innocent third party.

      I guess one can argue that these misdirected bounce messages qualify as spam, except they are not mass-mailed (as the AV software makers would claim), they're supposedly "targeted". However, they are incontrovertible evidence of bugs in the AV software that generates them, and as such could be forwarded to the so
    • Whatever they're running on the SMTP server side at my ISP seems to be doing appropriate things. I can't tell whose software it is, they may prefer to keep it obscure.

      When it finds anything (and it caught all of the Sobig.F stuff) I get a notice email with subject like:

      VIRUS (Worm.Sobig.F) IN MAIL TO YOU (from (spoofed sender from [xxx.yyy.zzz.www]))
  • Chez moi (Score:4, Interesting)

    by dozer ( 30790 ) on Thursday August 21, 2003 @09:21PM (#6761055)
    My numbers in the last 24 hours:

    2018 Sobig.F-infected messages. ClamAV+Amavis recognized all of them and sent them straight to the Spam.SobigF folder. I never even saw them. Beautiful.

    On the other hand, I've had to wade through and delete 100+ erroneous messages telling me that I sent out a virus infected mail. The hell I did. I'm being buried in these warnings and -- because there's no standard way of generating warnings -- I can't filter them!

    So, yeah, if you're sending virus warnings for inbound mail, you're essentially spamming people. ME. Cut it out. Only send virus warnings to your internal users if at all.

    Thank you.
    • For us (running a mail server for our workgroup of 5 people, including tech support), it's been 1200 received (and caught by Amavis), and about 3000 bounces, notices, etc., thanks to these damn whiney AV's.
  • I used to work at the local electronics retailer doing computer upgrades/repairs. Customers would bring in their computers and pay $40 to get rid of a nasty virus that had infected their computer. After checking their system and doing a full virus scan many times the system would come up clean. Customers would get these e-mails and with good reason, think that they had a virus on their system. Of course, when they do their virus scan and it comes up clean they panic because they still receive the messag
    • And no wonder, when the autoresponses are so insistent that the wrong person has a virus. This is one of several dozen I've received:

      Network Tallahassee has recently installed Declude Virus. This software intercepts viruses passing through the gateway to our network.

      Your computer very recently (in the last few minutes) sent an email with the following characteristics.

      Virus Name: W32/Sobig.F
      Attachment: your_details.pif
      Subject: Re: Re: My details
      To: sales@1-businesscardpros.com

      The email con

  • Recently, in the past few days, I've especially been getting pounded with virus bounces, virus emails, and virus notices. I really don't care. I automatically delete all of those along with all spam that gets past my filters. Then, I get right on to working. I'm sure many people are the same. Heck, I'm using pine on a remote Linux machine to check my mail. There's no way that my home machine can possibly even be infected. Furthermore, as the post suggests, the headers are usually forged these days anywa
  • Here's what we need:

    A very * SIMPLE * to understand guide on the web:

    "Idiots guide to email viruses that used a spoofed From: field"

    This way, we can kindly send the URL to this guide to the mail admins who have not yet shut off the fscking auto-responders!

    The problem I'm facing is explaining to the admins that I *REALLY* do not have a virus on my computer and that it is a SPOOFED "From:" address!

    Optimally, this guide should have (again VERY simple) language-neutral diagrams which explain the process CL
    • We need a COMPLETE "netiquette" guide for idiots. So when they say: 'what is this?' or 'why is that?' you can just reply : "Here read this book. If you have any further questions, you can ask them, but first, please Read it!"
  • My Reply (Score:5, Insightful)

    by Nishi-no-wan ( 146508 ) on Friday August 22, 2003 @01:21AM (#6762355) Homepage Journal
    Just got notified today that I had sent someone SOBIG.F. This was my reply:

    I just received a notice from your Notes server that you received a virus (SOBIG.F) from my address. I would like to let you or your administrator know that the address on that is forged. Your virus checker should look at the headers and report to the ISP from which the infected mail originated, not to the "From" header.

    I've been 100% Microsoft Free since January 1, 2000. Unless SOBIG.F has found a way to worm into FreeBSD, I doubt very strongly if this message came from any domain I control.

    P.S. While having an automated system to notify possible infections to senders is a nice idea, most worms today spoof the From and Reply-To headers. Without the Received headers there is no way that I can help track down the infected party, making sending this to the person in the "From" header a waste of time (especially for Windows users who then have to check to see if they are infected or not, when the chances are that they aren't). If your company is serious about tracking down the source of infected mail, they will use the IP address (not the DNS name associated with it as that, too, can be spoofed) in the Received headers to track down the originating ISP and report the infection to them, along with the timestamp and time zone received. ISPs can then use their logs to track down who had said IP address at that time in their time zone.

    If your system administration isn't concerned enough to take the time to do it right, then including the full header information of the offending message in your notification would be useful for those of us who do take the time. (There are risks involved with this, as you may be notifying a Black Hat about a compromised machine - i.e. the computer that originally sent the infected message.)

    Thank you for your time and forwarding this to your system administrator.

    • Wow, you are entirely too polite. Here's one of my replies:

      To: MMS3 Admin <mmsadmin@acme.nsc.com>
      Subject: Re: Security Note - Inbound Virus Cleaned
      Cc: Dan.Ellis@nsc.com, postmaster@nsc.com

      At 10:55 AM -0700 8/19/03, MMS3 Admin wrote:
      >CAUTION: National Semiconductor has detected Computer Viruses in an
      >email message you recently sent to our location. The infected message
      >was cleaned and delivered to recipients at this organization. However it
      >is urgent that you run a desktop Virus Manager p

    • Because the best way to fix virus infections is to email the poor guy assigned to abuse email a condescending two-page screed about how his boss's boss's boss's choice of antivirus software is fucktarded!

      Don't you guys have a "network" (read: your Alienware and your mom's Compaq plugged into a cable modem) to maintain? Stop whining on Slashdot about it.

  • Check the relay domains in the message headers.
    If they don't match the 'From:' domain, don't bother with the autoresponder.

    That way a from of "foo@foo.com" and a relay header of "mailserver.bar.com" is pretty likely a spoofed address.

    Caveat: I've not received the new variant of the SoBig virus yet, so I can't tell about the headers.

    The procmail scanner / html sanitiser I have installed from impsec.org does this automatically (and weeds out a lot of that obnoxious html crap as well).
    • Not always. I send mail where the 'from' address is on a different network than the one I'm sending from. I have multiple ISPs, and I use one for email and one for connecting.
    • Check the relay domains in the message headers.
      If they don't match the 'From:' domain, don't bother with the autoresponder.


      whoa, that's not a good solution. you're assuming that each mailserver only serves 1 domain and that it's in that domain. my mailserver (as in, belongs to me) is responsible for about 4 domains yet is only in 1. my personal vanity domain goes through that server but if you look through the headers, the only mention of my vanity domain is in the from field as that's who the mail came fro
  • If the virus is spoofing the from addresses using entries from the real source's address book then it would be useful for any notification that is sent out to include the full headers of the original message ... then at least you might have a chance of working out who it is really from so you can inform them (assuming that as your address is in their address book it's someone you know).

    I've had quite a few bounces where the spoofed address has been mine but remarkably few actual copies of the virus hitting

  • by epsalon ( 518482 ) <slash@alon.wox.org> on Friday August 22, 2003 @04:28AM (#6763048) Homepage Journal
    The virus checker should verify if the virus spoofs from addresses.
    If not, send a warning to the 'from' address.
    Otherwise, check the first "received" header and use whois to find the admin of that IP range and notify him/her.
    Also, we're in desperate need of an RFC for returned mail messages so they could be easily filtered.
    • The virus checker should verify if the virus spoofs from addresses.

      which it does by...? the thing is, how do you detect if the address is spoofed atm? the proposed RMX standard might help if everybody implemented it but will they?

      dave
      • which it does by...
        The identity of the virus caught. For example, if you've detected it as SoBig.F, what's the problem marking SoBig.F as a "spoofer" as opposed to LoveBug which is a non-spoofer.
  • My domain mailservers have been overwhelmed the last few days with bounces from the sobig worm. All those obsolete and fucking annoying auto-replies are being generated because someone with a windoze infected PC has my email in their address book, more like several hundred people, clients, losers, friends, etc.

    With several M$ worms now spoofing the From: header, it's time to target anyone who still uses an AV scanner which sends out auto-replies. Treat them like spammers, complain to their upstream ISPs abo
    • I'm with you on this one.

      I've had zero viruses. My mail filters already pick out all Windoze-only content and delete the e-mail. Even if they didn't, I don't own any Windoze machines.

      However, the flood of incorrect bounce messages and virus warnings is harder to filter. I've had to resort to bouncing every e-mail from mailer-daemon@aol.com, for example.
  • by dpbsmith ( 263124 ) on Friday August 22, 2003 @11:13AM (#6765140) Homepage
    ...with bogus "bounced mail" messages, I'd say, yes, it's time for a change.

    I've yet to receive Sobig.F in a direct mail from another person (i.e. the people who send me email apparently have clean systems).

    But I've now received between fifty and a hundred copies of the Sobig.F, all in bounce messages from servers. So apparently I've sent email to a lot of people who a) have the Sobig.F virus, and b) have a lot of bad email addresses in their address books.

    Each of these messages is about 100K in size. That can fill up a mailbox quickly.

    But why should any server include the attachments when they bounce a message? Why? Why? Even in the absence of viruses, all I need to know is enough to identify the message that didn't get through.
  • Sure, they probably mean well but if you have no brains and mean well, you are most likely part of the problem.

    A few of these dumbo servers even sent me the virus attachment, thinking it was sending it back.
    So not only are they creating a huge extra load and therewith helping the virus create havoc, they are also helping it distribute!!!.
    How dumb can you get?

    Just imagine this doom scenario:
    Two such servers have the same moronic settings/programs and start sending each other's attachments back :->
    Server
  • by Above ( 100351 ) on Friday August 22, 2003 @03:10PM (#6767613)
    The companies that make virus scanners have detailed definitions of each virus. They need to include in that a flag "spoofs from address". If it does, sending autoreplies only adds to the problem, if not, returning a message to the sender is probably ok. They are just too lazy to add a flag to the definitions they send out, and put a simple "if()" around the mail code. It's stupid.
  • by Animats ( 122034 ) on Friday August 22, 2003 @03:18PM (#6767693) Homepage
    Any virus scanner that doesn't verify the message header (look at how SpamCop does this) but replies to it is basically spamming.

    Incidentally, anything that bounces a message should return the entire message header. Most of these mail bounces don't return enough info to identify the real source.
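
dpbsmith's 100K bounces that carry the worm back and the point just above that a bounce should return the entire message header can both be satisfied by the same rule: quote the original's header block, and nothing else. The following is an added example written for this thread, not code from any poster or from any mail product; the sample infected message, the relay hostname and the addresses in it are constructed for the example, and the "attachment" in it is a harmless placeholder string.

```python
"""Build a virus/bounce notification that returns the offending message's
complete header block and none of its body or attachments."""
import re
from email.message import EmailMessage
from email.utils import formatdate, make_msgid

# Constructed sample of an infected message as it arrived at our MX.
# The base64 payload is a placeholder, not real worm bytes.
SAMPLE_INFECTED = b"""Received: from unknown (HELO pc-home) (192.0.2.77)
  by mx.example.net with SMTP; Fri, 22 Aug 2003 01:10:03 +0900
From: innocent@forged.example
To: victim@example.net
Subject: Re: Thank you!
Message-ID: <constructed-0001@pc-home>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file for details.
--b1
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""

HEADER_END = re.compile(rb"\r?\n\r?\n")


def header_block(raw: bytes) -> bytes:
    """Everything up to the first blank line: the headers exactly as received,
    folding included, which is what someone tracing the origin needs to read."""
    return HEADER_END.split(raw, maxsplit=1)[0]


def build_notification(raw: bytes, virus_name: str, reporting_mta: str, to_addr: str) -> bytes:
    """Return a serialised notification: a short text/plain explanation plus a
    text/rfc822-headers part (RFC 1892 and successors) holding the original
    header block. The original body is never copied, so the worm cannot ride
    back out inside the notification and the message stays small."""
    report = EmailMessage()
    report["From"] = f"postmaster@{reporting_mta}"
    report["To"] = to_addr
    report["Subject"] = f"Virus notification: {virus_name} (headers only)"
    report["Date"] = formatdate(localtime=True)
    report["Message-ID"] = make_msgid(domain=reporting_mta)
    # RFC 3834 marker: lets recipients filter machine-generated notices.
    report["Auto-Submitted"] = "auto-replied"
    report.set_content(
        f"{reporting_mta} rejected a message carrying {virus_name}.\n"
        "Only the original message headers are attached; use the topmost\n"
        "Received: line written by this relay to find the originating IP.\n"
    )
    # Attach the header block verbatim, 7bit, as its own MIME part.
    report.add_attachment(header_block(raw), maintype="text",
                          subtype="rfc822-headers", cte="7bit")
    return report.as_bytes()
```

The Auto-Submitted header is the kind of standard marker epsalon asks for above: it is what a recipient's filter can key on without guessing at subjects.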

  • Is there any practical difference between an open relay box that spams you and a virus-compromised box that sends you viruses plus potentially future spam from the compromise?

    Should virus-compromised machines that send out undesired emails be RBL'ed like open relays?

  • Pointless (Score:3, Interesting)

    by shamino0 ( 551710 ) on Friday August 22, 2003 @05:54PM (#6769160) Journal
    Agreed. These auto-responders are pointless.

    In addition to generating tons of traffic that nobody pays attention to, it has the effect of panicking those users who don't understand what the virus is about.

    A relative of mine uses AOL on a Macintosh. There is no way his system can be infected with Sobig, but I had to spend nearly a half hour explaining it to him. He kept on pointing to the "your system has a virus" messages in his mailbox as proof that he is infected and that he needs a better virus scanner (because the one he has doesn't say he has it.)

    The majority of computer users are like this relative, not like you and me.

  • As an admin of a domain that usually receives about 10K mail a day, and with the sobig outbreak nearing 200000K emails/day, I would say that I can collect a very nice collection of email addresses that I got virus notifications from (since the sender address is forged to one of my domains) by looking at the logs, and if I was a malicious person, I could use that to spam them, or worse.

    The virus notifications disclose your private email address, without telling you about that. This should be the button to push
  • by The AtomicPunk ( 450829 ) on Sunday August 24, 2003 @12:00PM (#6777746)
    1) Exchange virus scanner plugins have GOT to stop blindly sending replies to whatever email address the message loosely appears to come from. This is absurd - viruses that forge email addresses have been the NORM for what, 2? 3 years now?

    2) Why can't someone write a virus that DESTROYS Outlook address books and turns off Auto-Learn, so that all the future viruses only have about 1% of the number of potential victims as current viruses?

    I have postfix rejecting 16,000 viruses a day, and 500-600 "You have a virus" emails, but I still get several hundred "You have a virus" mails per day that sneak by the filters because of unique subjects, content, etc.

  • by Medievalist ( 16032 ) on Tuesday August 26, 2003 @09:54AM (#6793174)

    Long before Sobig.F hit the net, I configured our mailscanners to skip sending autoreplies to senders of sobig* virii (the asterisk being a wildcard to catch all variants). I also don't autoreply to Klez, Yaha, Bugbear, Braid-A, or WinEvar since they all forge their source mail addresses.

    Think about it; Linux can be misconfigured to do bad things (tm) - is this a reason to stop using it? No, it's a reason to identify those who can configure it properly and put them in charge of doing so. It's also a reason to have someone conscientious on the payroll - hiring consultants to configure services that represent security risks is just asking for a reaming.

    Same thing with virus scanners. It is appropriate to autorespond to certain virii, and not to others. A more appropriate question might have been "should antivirus products identify mail-spoofing virii in their API?" or "should virus scanners default to not auto-responding, and require additional configuration to implement this feature?".

    + Yes I used the word virii on purpose. I like the distinction between computer virii and biological viruses because it is useful in my work. And I don't give a damn about latin declensions or Tom Christiansen's opinion on the matter.
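
Several posts in this thread describe the same decision from different angles: Nishi-no-wan's reply (use the IP in the Received headers, with timestamp and zone, not the From header), epsalon's "check the first received header and whois the IP", Above's "spoofs from address" flag, and Medievalist's sobig*/Klez/Yaha list. Put together, as an added example that is not code from any poster or antivirus product: the hostnames, IPs and addresses are constructed, and the wildcard name list is an assumption about how a local policy would be written, standing in for a flag a vendor would ship in its definitions.

```python
"""Decide where (and whether) a virus notification should be sent."""
import re
from fnmatch import fnmatch
from email import message_from_bytes, policy
from email.utils import parseaddr

# Detection names of worms known to forge From:, matched case-insensitively as
# wildcards. The names are the ones posters list; the pattern format is an
# assumption (a real deployment would read a flag from the vendor definitions).
FORGES_SENDER = ("*sobig*", "*klez*", "*yaha*", "*bugbear*", "*braid*", "*winevar*")

# Our own inbound relays (constructed). Only a Received: line written by one of
# them is trustworthy; older lines arrived inside the message and can be forged
# just like From:, so they are never used.
OUR_RELAYS = {"mx.example.net", "mx2.example.net"}

BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.I)
CLIENT_IP = re.compile(r"[\[(]\s*(\d{1,3}(?:\.\d{1,3}){3})\s*[\])]")

# Constructed sample: a Sobig-style message with a forged From: and a forged
# second Received: line underneath the one our MX wrote.
SAMPLE = b"""Received: from unknown (HELO pc-home) (192.0.2.77)
  by mx.example.net with SMTP; Fri, 22 Aug 2003 01:10:03 +0900
Received: from mail.forged.example (mail.forged.example [203.0.113.5])
  by relay.elsewhere.example with ESMTP; Thu, 21 Aug 2003 16:09:00 -0000
From: innocent@forged.example
To: victim@example.net
Subject: Re: Details

Please see the attached file.
"""


def forges_sender(virus_name: str) -> bool:
    """True when the detection name matches a known From:-forging worm."""
    name = virus_name.lower()
    return any(fnmatch(name, pattern) for pattern in FORGES_SENDER)


def trusted_origin(received):
    """(client_ip, timestamp) from the newest Received: line one of our relays
    wrote, or None. `received` is in header order, newest first; the timestamp
    keeps its zone so the originating ISP can match it against its own logs."""
    for line in received:
        by = BY_HOST.search(line)
        if not by or by.group(1).lower() not in OUR_RELAYS:
            continue                      # written by someone else: skip
        ip = CLIENT_IP.search(line)
        if not ip:
            return None                   # our relay logged no IP: give up
        seen = line.rsplit(";", 1)[1].strip() if ";" in line else ""
        return ip.group(1), seen
    return None


def notification_target(virus_name: str, raw_message: bytes) -> dict:
    """notify_sender: From: is believable, so write to it.
    report_origin: From: is forged; report the connecting IP (whois on the
                   IP itself, not on a hostname) to that network's abuse desk.
    drop: nothing trustworthy to act on, so send nothing at all."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    if not forges_sender(virus_name):
        return {"action": "notify_sender", "to": parseaddr(str(msg["From"]))[1]}
    origin = trusted_origin([str(v) for v in msg.get_all("Received", [])])
    if origin is None:
        return {"action": "drop", "reason": "no Received: line from our own relay"}
    ip, seen = origin
    return {"action": "report_origin", "ip": ip, "seen": seen, "virus": virus_name}
```

The relay-domain-versus-From-domain heuristic suggested earlier in the thread is deliberately not part of this: the replies to it (one server hosting several domains, people sending through one ISP with an address at another) are exactly the cases it gets wrong. The only header the code trusts is the one its own relay wrote, and when that is missing it sends nothing rather than guessing.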
