Virus Scanner Auto-Replies - A Good Thing or Obsolete?
Moryath writes "Used to be, everyone put an auto-responder in their email server's virus scanner. That way, some dingus sends in a virus, you're protected, and they get notified so they scan and fix their system. Of course, all these stupid things ever do is reply to the From: field, and possibly to Abuse@domain, webmaster@domain, etc... as well. Enter viruses like Sobig. We've had them for years in various forms, they spoof the From: field with another email from another victim's contact book, and all of a sudden random people are getting bounces of emails they've never sent. I have actually gotten more bounces today than actual Sobig attachments. So what does the Slashdot crowd think? Is it time for the people running these mail servers to take down those autoresponders? Are they guilty for part of the damage things like SoBig have caused, since their ill-configured mail servers are doubling, tripling, or even quadrupling the amount of traffic one Sobig infection produces?"
It takes brains (Score:5, Insightful)
Yes It takes brains, but who's got them? (Score:1)
Even though I disagree with the statement about anonymity, I do agree with this po [slashdot.org]
Even more brains would do it in the MTA (Score:3, Insightful)
I'm not sure which if any MTAs have hooks for this (though I suspect the answer is Postfix) but SoBig, Klez, et al., have proven that doing it in the MDA is a flawed model.
Re:Even more brains would do it in the MTA (Score:3, Informative)
Re:Even more brains would do it in the MTA (Score:1)
Parent deserves an Insightful moderation for that comment.
It is ridiculous to send these notices (Score:3, Interesting)
Now that my Inbox is overflowing and my ISP's mail server is rejecting emails because I'm over the account size limit, I'm a little more wary of these supposed "user friendly" helping hands that virus scanner companies are building into their products.
Re:It is ridiculous to send these notices (Score:4, Interesting)
Luckily my direct boss, the VP, doesn't let him pull that kind of crap often, and puts him in his place.
Re:It is ridiculous to send these notices (Score:1)
Re:It is ridiculous to send these notices (Score:2)
Yes and Another Thing... (Score:5, Insightful)
Re:Yes and Another Thing... (Score:4, Insightful)
That advice should be extended to all end-user networks. Realistically, regular corporate workstations and home DSL/Cable/Dial-Up users should have no reason to talk directly to a foreign SMTP server in the first place.
Re:Yes and Another Thing... (Score:2, Informative)
That is incorrect. Web site owners often use the mail server associated with their domain(s) to send and receive email. When I send email to a business partner, I would prefer they see it come from my web site's domain, not my ISP's.
If my ISP did this, I would just switch to the alternate port number my web host has set up for just that ev
Re:Yes and Another Thing... (Score:2, Flamebait)
You'll note I said; "regular corporate workstations and home DSL/Cable/Dial-Up users". Why are you running a website on a home user service not intended for it?
Moreover, what's stopping you from sending an e-mail with your own domain via your ISP's mail server?
Re:Yes and Another Thing... (Score:1)
My, aren't we in a mood tonight? Mommy tuck you in wrong and you woke up on the wrong side of the bed this morning? Or is this how you always react when someone points out an error, by trying to distract from your error with juvenile behavior? Does that ever work?
Had you paid attention to what I said, you would have noticed I mentioned a web host. I would be hard pressed to serve the site to my 15,000 visitors a day off a DSL line. That host has already had to open one port so customers can send email
Re:Yes and Another Thing... (Score:1)
Then why were you comparing your situation to the criteria I set? Since it's obviously not a corporate desktop or home user Cable/DSL/Dial-up account; why did you feel the need to respond?
P.S. Your "juvenile" condescension has been duly noted. If you're going to take Slashdot this personally, perhaps it's not the forum for you. I sug
Re:Yes and Another Thing... (Score:1)
Because it is a home account, albeit satellite, not dialup or dsl.
Sorry, let me slow down and explain this in simple terms.
I connect to the mail server provided by my web host from my home. I do this by utilizing port 25, which is what the poster you replied to suggested be blocked. If my port 25 is blocked, I can't talk to my email server without circumventing the ISP's block.
I was correcting your mistaken comment that "Realistically, regular corporate workstations and home DSL/Cable/Dial-Up us
Re:Yes and Another Thing... (Score:1)
You still haven't presented a valid reason to need to connect to said mail server. Mail would get there all of ten seconds slower if you used your ISP's mail server as a smart relay. It's ok if you don't understand the technical nuances of RFC822 et a
Re:Yes and Another Thing... (Score:1)
If you can't see the need for a business man to mail business partners from his business address using the mail server he pays for, then I'll not stress your intellect any further.
In the meantime, you really should seek some assistance for your social problems. Reacting like a petulant child when your mistakes are pointed out to you is not healthy. Have a good day.
http://www.google.com/search?q=stress+reduction+therapy [google.com]
Re: (Score:1)
Re:Yes and Another Thing... (Score:2)
That's pretty sweeping. I deal with dozens of ISPs; Cable, DSL, and Dial-Up in Ontario and I don't believe I've ever encountered one that wouldn't permit me to send e-mail from any domains in my control through their server. Generally their relay controls revolve around the source IP address or some form of authenti
Re: (Score:1)
Re:Yes and Another Thing... (Score:2)
Did you read his post?
Here - let me quote the relevant portion:
their relay controls revolve around the source IP address or some form of authentication, not the From: address
Who owns said domain is irrelevant. Who's authorized to send mail from said domain is irrelevant. What's relevant is the IP ADDRESS the mail is originating from.
The previous poster is correct. Like him, I admin a hosting company. We don't (and I'v
Re:Yes and Another Thing... (Score:2)
You obviously don't travel. I don't want to have to reconfigure my laptop everywhere I go. Have you ever tried asking the front desk at a hotel what the IP address of their SMTP server is? I can just imagine the blank stare you'd get in return.
Re:Yes and Another Thing... (Score:2)
I disagree - unless they don't know what they're doing. If you have a co-located server, this might work (because you have exclusive control of the host), but it's still better to use your ISP's mail server.
When I send email to a business partner, I would prefer they see it come from my web site's domain, not my ISP's.
What does that have to do with which mail server you use? Do you believe that if it
Re:Yes and Another Thing... (Score:1)
I disagree - unless they don't know what they're doing. (...) If so, you have a severe misunderstanding of SMTP, and I urge you to read the applicable RFCs to better your admin skills.
Lovely. Someone else with an attitude problem.
Just out of curiosity, why do you feel the need to be rude and insulting because you (mistakenly) believe you've caught me in an error?
Do you believe that if it comes from your ISP's mail server, that it has to come from their domain too?
No, I understand that, but some
Re:Yes and Another Thing... (Score:1)
Re:Yes and Another Thing... (Score:2, Interesting)
Re:Yes and Another Thing... (Score:2)
And one of the reasons it, or its netblock, as most of the RBLs don't seem particularly fine grained, is often that users on their own connections are running mail servers.
Obsolete. (Score:5, Insightful)
Re:Obsolete. (Score:4, Insightful)
For the same reason someone can mail a letter as you or send a fax as you or communicate in any interpersonal forum as you.
Enter digital cryptography. Sign your messages and never worry again.
Re:Obsolete. (Score:1)
Re:Obsolete. (Score:1)
For some reason I read that as erogenously. Been reading tfproject.org too much recently, I guess.
Nate
Emails to abuse@ rarely stop infected users (Score:2, Insightful)
Case in point: Every twenty minutes ago, as of first thing this morning, I have received an email with an evil
As of this writing, I have received no reply, the emails are still coming, the user's account is still active, and I don't even know if they got my email, as
How do you know? (Score:1)
Re:How do you know? (Score:1)
Of course, if it IS spoofing the IP address as well, then that just adds more fuel to the argument that these emails are useless.
Re:How do you know? (Score:2)
Quota filled up on these accounts (Score:1)
Looks like too many people are sending in notifications.
Check out this bounced email error:
host mx11.mindspring.com[207.69.200.82] said:
554 Quota violation for junkmail@mindspring.com
Re:Emails to abuse@ rarely stop infected users (Score:2)
Similar problem with spammers (Score:1)
How can one protect from this?
Re:Similar problem with spammers (Score:3, Interesting)
Track down the spammer, and press charges against them for identity theft.
This is the biggest proof that spam is a social problem. You basically have someone going around saying that they are you. If you want them to stop, you have to deal with them in RL.
No answer, only sympathy (Score:1)
That's the same number of Nigerian money laundering scam emails I received! I had one erroneous bounce tonight.
Merely "addressing" symptoms (Score:2, Insightful)
Until IPv6 is implemented you will never be able to ID and prosecute the people who generate these types of attacks/viruses/worms/etc.
Anything short of IPv6 is simply silly symptom slaying -- as pointless as it is fruitless as it is less-than-effective.
As was discovered in the "old" BBS days: anonymity is an unnecessary evil: Make folks ID themselves properly and most of your problems (in that regard) go away.
Re:Merely "addressing" symptoms (Score:3, Insightful)
If you look at the 6Bone list archives [regex.info] you'll see there was a recent thread on how spammers are already exploiting IPv6 open relays [regex.info].
IPv6 is no panacea.
Re:Merely "addressing" symptoms (Score:2)
"The source IP didn't change for any of the message attempts."
I don't know whether or not the spammer mentioned in the message had tried to spoof or not.
Anyway, thanks for the info, interesting messages.
selective infection reports (Score:1)
They're nothing but spam (Score:2)
SpamCop doesn't want viruses (Score:1)
Just treat [virus infected emails] as spam [spamcop.net].
This is against SpamCop's rules [spamcop.net], which forbid use of the reporting service on "virus infected emails ... regardless of whether you know the originating party or not."
Tell AOL I've never sent anyone an email (Score:1)
Here's my question:
Why doesn't a spammer use these auto-notify ISP (like AOL) and send spam that way?
i.e. I send my advert (with known virus attached) with faked header
To: whocares@aol.com
From: victim@real.address.com
The victim reads the email because (a) it is a legit email and (b) looks important.
They win the pleasure of reading -- bounced adverts.
Re:Tell AOL I've never sent anyone an email (Score:1)
Please Please Please Please Please.. (Score:2)
PLEASE!!
Seriously. All it does is spam unaffected individuals, considering that in the post Klez days, all e-mail viruses spoof the sending address, clogging up e-mail servers and causing more annoyances than spam!
When you start getting these, you can get at least 200 a day. It's not a good thing.
In the RFC lies the answer (Score:5, Interesting)
Now bounced messages from other mailservers...that's another issue.
If mail admins simply set their servers to require FQDN greetings then Sobig would be stopped dead. By rejecting the message my mailserver expects the connecting MTA to generate any necessary bounce which Sobig, of course, does not do. No delivery. No bounce messages. No problem.
So how about it all you mail admins out there. How about demanding a bit of RFC compliance from connecting MTAs. Perhaps this virus will provide the moral authority you need to tighten up your servers.
Re:In the RFC lies the answer (Score:2, Insightful)
That's not a long-term answer.
Re:In the RFC lies the answer (Score:3, Interesting)
HOWTO in exim4? (Score:2)
Re:HOWTO in exim4? (Score:2, Informative)
use SAUCE:http://www.chiark.greenend.org.uk/~ian/sauc
Re:HOWTO in exim4? (Score:2)
Re:In the RFC lies the answer (Score:2)
I really wish that large companies (like that big gr
Whitelist the "moron" servers (Score:1)
I've had to allow unresolvable FQDNs in the HELO, because a few of the companies that my employer deals with have morons in their IT department. Those morons have managed to configure mail servers using *internal* names that don't resolve outside of their network.
Then allow only addresses that either 1. are a FQDN or 2. are one of the servers managed by morons working for companies that your employer deals with.
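The HELO/EHLO check described in the "In the RFC lies the answer" comment and the whitelist workaround from the comment just above, as an added example that is not code from any poster. It is a syntactic check only (RFC 2821 section 4.1.1.1 calls for a fully-qualified domain name or an address literal in the argument); it deliberately does not reject on a failed DNS verification of that name, which section 4.1.4 forbids. The hostnames and addresses are constructed, and the whitelist parameter is an assumption for illustrating the "allow the non-resolving internal names" case.

```python
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen, at most 63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# RFC 2821 address literal for IPv4, e.g. "[192.0.2.10]".
_IPV4_LITERAL = re.compile(r"^\[(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\]$")


def is_fqdn(name):
    """Syntactic FQDN test: at least two valid labels, <= 253 chars, top label not all digits."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    if not all(_LABEL.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()


def is_address_literal(arg):
    """True for a bracketed dotted-quad whose octets are all in range."""
    m = _IPV4_LITERAL.match(arg)
    return bool(m) and all(0 <= int(octet) <= 255 for octet in m.groups())


def helo_decision(helo_arg, whitelist=frozenset()):
    """Decide whether to accept the HELO/EHLO argument.

    Returns ("accept", reason) or ("reject", reason). A rejection is a 5xx at
    the SMTP dialogue, so this server never creates a message and never has to
    bounce one; any bounce is the connecting client's job, and a worm that
    speaks SMTP itself will not generate one. The whitelist (an assumption for
    this example) covers partner servers that greet with unresolvable internal
    names and would otherwise be refused.
    """
    arg = helo_arg.strip()
    if arg.lower() in {w.lower() for w in whitelist}:
        return ("accept", "whitelisted non-FQDN greeting")
    if is_address_literal(arg):
        return ("accept", "address literal")
    if is_fqdn(arg):
        return ("accept", "syntactically valid FQDN")
    return ("reject", "501 HELO argument is neither an FQDN nor an address literal")


if __name__ == "__main__":
    # Constructed greetings, not taken from real traffic.
    partner_boxes = {"EXCHANGE01"}
    for greeting in ("mail.example.com", "EXCHANGE01", "[192.0.2.10]", "localhost", "a-.example.com"):
        print(greeting, "->", helo_decision(greeting, partner_boxes))
```

The check runs before any message data is accepted, which is the property the comment relies on: nothing is stored, so nothing is bounced. The whitelist should be kept short and reviewed, since every entry is a host that is allowed to skip the one piece of RFC compliance being demanded of everyone else.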
Re:Whitelist the "moron" servers (Score:2)
Re:In the RFC lies the answer (Score:2)
What you propose is an explicit breach of RFC 2821 as detailed in section 4.1.4
Re:In the RFC lies the answer (Score:1)
gawdam fbsd rules..
Lose the bloody things (Score:1)
There is absolutely no excuse for this after the publicity this trojan has been given. If nothing else, the AV software should be programmed to skip the sending of these emails if it's known t
Spam & Average users (Score:1)
I don't know what's worse, the actual messages that we are getting or having to explain to scared, confused, or otherwise ignorant users why they keep getting messages regarding e-mails they never sent. I really wonder...
Which consumes more time, cleaning an infected user's computer? Or explaining to a user (s
Do it right (Score:3, Interesting)
These are absolutely useless as you can't figure out what machine originally sent out the message without the full Received headers. I've not seen one virus auto-responder include the full Received headers. The right thing to do would be to include the entire message as an RFC 2047 MIME attachment.
My reasoning is that these auto-reply messages occasionally get to the right person: namely, me. I then look at the infected IP address and if it's one of ours, send someone out to fix it. This is what I do for messages that get sent to undeliverable addresses where the remote site sends a bounce containing the full original message. A lot of these end up coming to one of my addresses since my addresses are widely advertised within our organization and are likely in many people's web cache and address books.
Past this, I don't see any reason for the auto-replies. They'll never get back to the person whose machine was infected, but they might get to me. It's easier to find out about the problem from some bounce and fix it immediately than it is to have some end-user from some other organization complain to you and then having to explain to this person how to send a message containing full headers (which is actually difficult and non-intuitive in most Windows MUAs).
Marketing purposes? (Score:2)
I've considered the possibility that, even though most modern viruses spoof the from: address, there is some marketing value in saying that Norton AntiVirus Super Gate 5000 found a virus in your message.
After all, Norton says that you sent a virus. Maybe Norton knows something that you don't, huh? Maybe you ought to go out there and buy a copy of Norton AntiVirus yourself just to be sure you're protected. After all, Norton catches all these other
Re:Marketing purposes? (Score:2)
I've been looking through my mail and I realize that you are absolutely right. Most of these messages contain the product name in the subject line.
Funny thing is, whenever I see one of these messages, I think: "OK, Norton AntiVirus SuperGate 5000 must be written by dimwits if they didn't think to include full headers; thus, I should stay away from all Symantec products."
for God's sake, stop them! (Score:1)
It's not a mistake, it's SPAM (Score:2, Insightful)
Makes me wonder... the antivirus companies are knowingly and willfully causing a DDoS of spam to our accounts. Can they be sued at $50/message for that?
Re:It's not a mistake, it's SPAM (Score:1)
I guess one can argue that these misdirected bounce messages qualify as spam, except they are not mass-mailed (as the AV software makers would claim), they're supposedly "targeted". However, they are incontrovertible evidence of bugs in the AV software that generates them, and as such could be forwarded to the so
Re:It's not a mistake, it's SPAM (Score:1)
Whatever they're running on the SMTP server side at my ISP seems to be doing appropriate things. I can't tell whose software it is, they may prefer to keep it obscure.
When it finds anything (and it caught all of the Sobig.F stuff) I get a notice email with subject like:
Chez moi (Score:4, Interesting)
2018 Sobig.F-infected messages. ClamAV+Amavis recognized all of them and sent them straight to the Spam.SobigF folder. I never even saw them. Beautiful.
On the other hand, I've had to wade through and delete 100+ erroneous messages telling me that I sent out a virus infected mail. The hell I did. I'm being buried in these warnings and -- because there's no standard way of generating warnings -- I can't filter them!
So, yeah, if you're sending virus warnings for inbound mail, you're essentially spamming people. ME. Cut it out. Only send virus warnings to your internal users if at all.
Thank you.
Re:Chez moi (Score:2)
Average Internet Users are Clueless! (Score:1)
Re:Average Internet Users are Clueless! (Score:1)
Useless (Score:1)
What is the Social Anti-Anti Virus? (Score:2)
A very * SIMPLE * to understand guide on the web:
"Idiots guide to email viruses that used a spoofed From: field"
This way, we can kindly send the URL to this guide to the mail admins who have not yet shut off the fscking auto-responders!
The problem I'm facing is explaining to the admins that I *REALLY* do not have a virus on my computer and that it is a SPOOFED "From:" address!
Optimally, this guide should have (again VERY simple) language-neutral diagrams which explain the process CL
Re:What is the Social Anti-Anti Virus? (Score:1)
My Reply (Score:5, Insightful)
Re:My Reply (Score:2)
Re:My Reply (Score:2)
Don't you guys have a "network" (read: your Alienware and your mom's Compaq plugged into a cable modem) to maintain? Stop whining on Slashdot about it.
this is not rocket science (Score:2)
If they don't match the 'From:' domain, don't bother with the autoresponder.
That way a from of "foo@foo.com" and a relay header of "mailserver.bar.com" is pretty likely a spoofed address.
Caveat: I've not received the new variant of the SoBig virus yet, so I can't tell about the headers.
The procmail scanner / html sanitiser I have installed from impsec.org [impsec.org] does this automatically (and weeds out a lot of that obnoxious html crap as well).
Re:this is not rocket science (Score:2)
Re:this is not rocket science (Score:2)
If they don't match the 'From:' domain, don't bother with the autoresponder.
woah, that's not a good solution. you're assuming that each mailserver only serves 1 domain and that it's in that domain. my mailserver (as in, belongs to me) is responsible for about 4 domains yet is only in 1. my personal vanity domain goes through that server but if you look through the headers, the only mention of my vanity domain is in the from field as that's who the mail came fro
Give more information (Score:1)
I've had quite a few bounces where the spoofed address has been mine but remarkably few actual copies of the virus hitting
The correct way to do this (Score:4, Interesting)
If not, send a warning to the 'from' address.
Otherwise, check the first "received" header and use whois to find the admin of that IP range and notify him/her.
Also, we're in desperate need of an RFC for returned mail messages so they could be easily filtered.
Re:The correct way to do this (Score:2)
which it does by...? the thing is, how do you detect if the address is spoofed atm? the proposed RMX standard might help if everybody implemented it but will they?
dave
Re:The correct way to do this (Score:2)
The identity of the virus caught. For example, if you've detected it as SoBig.F, what's the problem marking SoBig.F as a "spoofer" as opposed to LoveBug which is a non-spoofer.
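The three ideas from this thread and from "this is not rocket science" above, combined into one decision routine as an added example (not code from any poster): suppress the auto-reply when the scanner's detection name belongs to a family known to forge the From: line, otherwise compare the From: domain against the hosts named in the Received: chain, and in every case extract the IP from the oldest Received: header so an operator can look up its owner. The family patterns, hostnames, addresses and sample message are constructed; the detection-name strings are assumptions about what a scanner would report. The reply-from-a-multi-domain-server objection raised in the reply above is real: a legitimate vanity domain that never appears in the relay chain will be classed as "suppress", which is the safe direction to fail in.

```python
import fnmatch
import re
from email import message_from_string
from email.utils import parseaddr

# Families named in this thread as From:-forgers; constructed list, matched case-insensitively
# against whatever name the scanner reports (e.g. "W32.Sobig.F@mm").
SPOOFING_FAMILIES = ("*sobig*", "*klez*", "*yaha*", "*bugbear*", "*braid*", "*winevar*")

_RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: a two-hop delivery with a forged From: in another domain.
SAMPLE = """Received: from mx.example.net (mx.example.net [192.0.2.5])
    by inbound.example.org with ESMTP; Fri, 22 Aug 2003 10:01:02 -0400
Received: from dsl-77.isp.example (dsl-77.isp.example [203.0.113.77])
    by mx.example.net with SMTP; Fri, 22 Aug 2003 10:00:58 -0400
From: someone@victim.example
To: abuse@example.org
Subject: Re: Details

(attachment would follow here)
"""


def from_domain(msg):
    """Domain part of the From: address, lower-cased, or '' if absent."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def received_hosts(msg):
    """Hostname after 'from' in each Received: header, newest hop first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = _RECEIVED_FROM.match(hdr.replace("\n", " "))
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def originating_ip(msg):
    """IP literal in the oldest Received: header, i.e. the hop that injected the mail."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = _RECEIVED_IP.search(received[-1].replace("\n", " "))
    return m.group(1) if m else None


def same_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def autoreply_decision(raw_message, detected_name):
    """Return (action, reason, originating_ip) where action is 'suppress' or 'reply'."""
    msg = message_from_string(raw_message)
    ip = originating_ip(msg)
    name = detected_name.lower()
    if any(fnmatch.fnmatch(name, pat) for pat in SPOOFING_FAMILIES):
        return ("suppress", "detection belongs to a From:-forging family", ip)
    domain = from_domain(msg)
    hosts = received_hosts(msg)
    if not domain or not hosts:
        return ("suppress", "cannot establish sender domain or relay chain", ip)
    # A server relaying for several domains (see the objection above) lands here too;
    # failing towards silence is the safe choice, since the alternative is mailing a stranger.
    if not any(same_domain(h, domain) for h in hosts):
        return ("suppress", "no host in the Received: chain belongs to the From: domain", ip)
    return ("reply", "From: domain appears in the relay chain", ip)


if __name__ == "__main__":
    print(autoreply_decision(SAMPLE, "W32.Sobig.F@mm"))
    print(autoreply_decision(SAMPLE, "VBS.LoveLetter"))
    print(autoreply_decision(SAMPLE.replace("@victim.example", "@isp.example"), "VBS.LoveLetter"))
```

Only the oldest Received: line is trusted for the originating IP, and only because the local server or its trusted relay wrote the line above it; anything older than that can be forged, which is why the result is handed to a human for a whois lookup rather than mailed automatically.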
Autoresponder traffic half as much as worms (Score:2)
With several M$ worms now spoofing the From: header, it's time to target anyone who still uses an AV scanner which sends out auto-replies. Treat them like spammers, complain to their upstream ISPs abo
Re:Autoresponder traffic half as much as worms (Score:2)
I've had zero viruses. My mail filters already pick out all Windoze-only content and delete the e-mail. Even if they didn't, I don't own any Windoze machines.
However, the flood of incorrect bounce messages and virus warnings is harder to filter. I've had to resort to bouncing every e-mail from mailer-daemon@aol.com, for example.
Having had my mailbox overflow... (Score:3, Interesting)
I've yet to receive Sobig.F in a direct mail from another person (i.e. the people who send me email apparently have clean systems).
But I've now received between fifty and a hundred copies of the Sobig.F, all in bounce messages from servers. So apparently I've sent email a lot of people who a) have the Sobig.F virus, and b) have a lot of bad email addresses in their address books.
Each of these messages is about 100K in size. That can fill up a mailbox quickly.
But why should any server include the attachments when they bounce a message. Why? Why? Even in the absence of viruses, all I need to know is enough to identify the message that didn't get through.
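The two complaints about what a notice should carry (the "Do it right" comment wanting the full Received: headers, and the comment above wanting no 100K attachments echoed back), handled in one builder as an added example that is not code from any poster. By default it attaches only the original header block as a text/rfc822-headers part, which is the headers-only form RFC 3462 defines for delivery reports; with include_body=True it attaches the whole original as message/rfc822 instead. The addresses, Message-ID and sample message are constructed, and the postmaster address is an assumption.

```python
from email import message_from_string
from email.message import EmailMessage

# Constructed original message; the marker stands in for a large attachment body.
ORIGINAL = """Received: from mx.example.net (mx.example.net [192.0.2.5])
    by inbound.example.org with ESMTP; Fri, 22 Aug 2003 10:01:02 -0400
Received: from dsl-77.isp.example (dsl-77.isp.example [203.0.113.77])
    by mx.example.net with SMTP; Fri, 22 Aug 2003 10:00:58 -0400
Message-ID: <constructed-0001@victim.example>
From: someone@victim.example
To: staff@example.org
Subject: Thank you!

BODY-MARKER-CONSTRUCTED (imagine 100K of attachment here)
"""


def build_notification(raw_original, notify_to, include_body=False):
    """Build a scanner notice that carries enough of the original to identify the injecting host."""
    original = message_from_string(raw_original)
    report = EmailMessage()
    report["From"] = "postmaster@example.org"  # assumed local postmaster address
    report["To"] = notify_to
    report["Subject"] = "Virus detected in message " + (original.get("Message-ID") or "(no Message-ID)")
    report.set_content(
        "A message was stopped by the virus scanner. The original headers are attached so the "
        "injecting host can be read from the earliest Received: line."
    )
    if include_body:
        # Whole original as a message/rfc822 part: complete, but re-sends the payload.
        report.add_attachment(original)
    else:
        # Headers only: every Received: line survives, the payload does not.
        header_block = "".join("%s: %s\n" % (name, value) for name, value in original.items())
        report.add_attachment(header_block, subtype="rfc822-headers")
    return report


def attached_received_lines(report):
    """Received: header values carried by the notice's attachment (what a recipient can act on)."""
    for part in report.iter_attachments():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_content().get_all("Received", [])
        if ctype == "text/rfc822-headers":
            return [line for line in part.get_content().splitlines()
                    if line.lower().startswith("received:")]
    return []


if __name__ == "__main__":
    notice = build_notification(ORIGINAL, "abuse@isp.example")
    print(notice.as_string())
    print(attached_received_lines(notice))
```

Whichever form is chosen, the recipient gets the complete Received: chain and the Message-ID, which is all that is needed to trace the injecting host or match the notice against outbound logs; the headers-only form additionally avoids turning the notice into another carrier of the payload.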
They are also helping it distribute!!! (Score:1)
A few of these dumbo servers even sent me the virus attachment, thinking it was sending it back.
So not only are they creating a huge extra load and therewith helping the virus create havoc, they are also helping it distribute!!!.
How dumb can you get?
Just imagine this doom scenario:
Two such servers have the same moronic settings/programs and start sending each other's attachments back
Server
The virus software should know. (Score:4, Interesting)
Dumb virus scanners are spammers (Score:3, Insightful)
Incidentally, anything that bounces a message should return the entire message header. Most of these mail bounces don't return enough info to identify the real source.
Compromised box == open relay? (Score:2, Interesting)
Is there any practical difference between an open relay box that spams you and a virus-compromised box that sends you viruses plus potentially future spam from the compromise?
Should virus-compromised machines that send out undesired emails be RBL'ed like open relays?
Pointless (Score:3, Interesting)
In addition to generating tons of traffic that nobody pays attention to, it has the effect of panicking those users who don't understand what the virus is about.
A relative of mine uses AOL on a Macintosh. There is no way his system can be infected with Sobig, but I had to spend nearly a half hour explaining it to him. He kept on pointing to the "your system has a virus" messages in his mailbox as proof that he is infected and that he needs a better virus scanner (because the one he has doesn't say he has it.)
The majority of computer users are like this relative, not like you and me.
Privacy issues (Score:1)
The virus notifications disclose your private email address, without telling you about that. This should be the button to push
For the love of GOD!! (Score:3, Insightful)
2) Why can't someone write a virus that DESTROYS Outlook address books and turns off Auto-Learn, so that all the future viruses only have about 1% of the number of potential victims as current viruses?
I have postfix rejecting 16,000 viruses a day, and 500-600 "You have a virus" emails, but I still get several hundred "You have a virus" mails per day that sneak by the filters because of unique subjects, content, etc.
Any non-trivial application is misconfigurable (Score:3, Insightful)
Long before Sobig.F hit the net, I configured our mailscanners to skip sending autoreplies to senders of sobig* virii (the asterisk being a wildcard to catch all variants). I also don't autoreply to Klez, Yaha, Bugbear, Braid-A, or WinEvar since they all forge their source mail addresses.
Think about it; Linux can be misconfigured to do bad things (tm) - is this a reason to stop using it? No, it's a reason to identify those who can configure it properly and put them in charge of doing so. It's also a reason to have someone conscientious on the payroll - hiring consultants to configure services that represent security risks is just asking for a reaming.
Same thing with virus scanners. It is appropriate to autorespond to certain virii, and not to others. A more appropriate question might have been "should antivirus products identify mail-spoofing virii in their API?" or "should virus scanners default to not auto-responding, and require additional configuration to implement this feature?".
+ Yes I used the word virii on purpose. I like the distinction between computer virii and biological viruses because it is useful in my work. And I don't give a damn about latin declensions or Tom Christiansen's opinion on the matter.
Re:What they need are SMART replies (Score:4, Insightful)
But that doesn't work either. I use a pobox.com mail forwarding address. My outgoing mail never has their servers in the headers, but it is a legit "From:" line, and mail delivered there does make it back to me.
On the other hand, for the last company I worked at there were a number of mail aliases for directing mail to different teams or departments. Some of these were easy to guess, others were pretty obscure. None of them were, as far as I know, ever used as the From: line on an outgoing email: of the handful of people that knew how to munge their mail headers to spoof this, I can't picture anyone bothering to do this.
Nonetheless, all of these mail aliases got a steady stream of spam, and as far as I could tell, they must have been in somebody's Outlook address book, because we'd regularly get "helpful" messages like:
But the thing is, we weren't an Outlook company, so [a] there was no question that it was someone internal that had the virus, and [b] there was almost no possibility that one of these internal addresses should have been out in the public unless an employee deliberately forwarded something (which, I suppose, must be exactly what happened).
In any case, the point is, spoofing the From: line is trivial if you have the right tools, and determining if a spoofed address is legit is impossible without manual verification by sending a message to the recipient. My pobox.com address is legit, but may not appear to be so; allstaff@widgets.com is probably never legit, but it doesn't look any different than the pobox.com address.
Moreover, covering your tracks is easy -- just choose a random From: line and tack on some random Received: headers to make it appear as if the message really did come from where it claims. Such a message might be detectable by a human scanning the headers, but the whole "store & forward" architecture of the internet mail system demands that each receiving server has to trust what another host claims about prior headers -- so the whole system is vulnerable to anybody running a maliciously configured server.
So to give my opinion on the original article's question, no, I don't think auto-responses for mail viruses make sense anymore. The current wave has generated at least as much bandwidth waste from the "helpful" replies as from the virus itself -- as anyone on a gnu.org mailing list (to pick a random example) would have noticed lately. (Really, of all people to be feeling the side effects of a Windows issue -- GNU.org?)
It might arguably be okay to send mail to abuse@..., etc, but even then, [a] the spoofing problem is still there, so you don't know which of the Received: lines is legit, and [b] contacting these addresses won't necessarily do any good. Most of the people propagating the current worm seem to be home users, and so are connected via one or another ISP; what ISP is going to take on the tech support expense of walking all their users through how to patch their systems? Few, if any have the resources to do this.
For better or worse, the only solution I see is mandatory updates from the software vendor. As long as people continue to use Outlook but refuse to update it, the proposal from Microsoft to possibly force home users to install patches is the only solution I can think of that seems to have any chance of helping. It'll be interesting to see if & how they do that.
Re:What they need are SMART replies (Score:2)
pobox.com does run an outgoing SMTP server which you could use...