Why Do Email Admins Make Viruses Worse?

gripdamage asks: "Why are email administrators still sending virus bounce messages, when everyone knows viruses forge the sender? This effectively doubles the amount of email traffic due to the virus (triples in the case that the recipient is also notified). As one of the links says 'any AV software or admins that have it mis-configured [so] that it is continuing to send out notices...to forged senders, deserve to be ridiculed.' I have received 4 times as many erroneous bounce notifications, because of MyDoom, than the actual virus, so the bounce messages are much more of a problem! This is a problem deserving publicity, so that email admins will be shamed into doing the right thing." The problem is that most bounces are automated responses; the simple thing would be to turn them off. Of course, the rationale of the automated response is to hopefully notify the infected user of the problem -- what a catch-22! What kind of policy would you recommend when it comes to spam, e-mail and automated responders?
  • by dacarr ( 562277 ) on Tuesday January 27, 2004 @06:26PM (#8105209) Homepage Journal
    Rather, it seems to be the AV screen they install. I just moments ago got one that indicated that I sent a copy of Mydoom to a user on Lucasfilm's network, which is kind of funny since I run Linux....

    (fp!)

  • bounces are good (Score:2, Informative)

    by Mod Me God ( 686647 )
    If I send a mail to billabab@hotmail.com but meant to send it to millybob@hotmail.com, then I appreciate a bounce. A good virus spoof will make it too hard to differentiate genuine and false return addresses.
    • Of course this refers to a general virus spoof reply, rather than a specifically identified virus (when this is identified), but I sure don't advocate an advisory on stopping bounces/autoreplies.
    • Re:bounces are good (Score:4, Interesting)

      by dabuk ( 573028 ) on Tuesday January 27, 2004 @06:31PM (#8105287)
      He's not saying to stop all bounces. That would, as you say, be unhelpful. Instead he's saying: why does a virus detection program, that knows a virus forges the from address, send a message to the "sender" when they never sent the original message?

      I don't administer any of these programs, but I imagine they all do have the ability not to send these messages, but someone's got to change the settings.

      • I am very much in agreement, bouncing to postmaster@ would be much more useful.
        • ABSOLUTELY NOT!

          I run a mail server with 13000 users! Getting every bounce of these things to postmaster no matter who sent it would make me route postmaster to /dev/null
          • I run a system with _two_ users and I get so many bogus bounces that I have to send all bounces to /dev/null.
            • There are some 30ish users on the system I run. I get very few bounces to postmaster. My abuse on the other hand is sent to /dev/null but my postmaster is luckily kept relatively safe from harm... I apply my Bayesian filters to my postmaster mailbox, though. That helps a lot.
          • > I run a mail server with 13000 users! Getting every bounce of these things to
            > postmaster no matter who sent it would make me route postmaster to /dev/null

            Dude, why don't you just route the "Warning: someone forging your address in
            the From field sent us a virus!" messages to /dev/null? Nobody wants them.
    • Unfortunately, I receive so many "bad" bounces (most of them due to spammers using my email address in the "sender" field) that I've had to filter all bounces out. This means that now I have no idea whether my own emails reached their destination or not...
  • by Baron_Yam ( 643147 ) on Tuesday January 27, 2004 @06:26PM (#8105213)
    SPF. If SPF checks out OK, then send the virus notification. If not, don't bother.
    • by linuxwrangler ( 582055 ) on Tuesday January 27, 2004 @07:12PM (#8105760)
      It won't. It was recently discussed to death on the Postfix mailing list. It's a nice idea and I encourage more such brainstorming but SPF breaks too many things.

      An easy example: mail forwarders. Lots of places like you@alumni.your.edu forward mail to your "real" account.

      Now let's say your ISP starts enforcing SPF. Your friend at AOL sends a message to you@alumni.your.edu which gets forwarded to you@yourisp.com. Your ISP's server notes that this message from someone at aol.com is being sent from a server other than one listed in AOL's spf list and rejects it.

      People have suggested workarounds like sender rewriting but each of those suggestions breaks something else. You really don't want to see all the problems it causes for mailing lists.

      For now, I'd settle for enforcing strict compliance with RFCs and good practice (helo must be a FQDN that can be forward and reverse dns matched with the connecting IP would be an excellent start - I can't believe how many large corporations can't get this one right).
      • by Alizarin Erythrosin ( 457981 ) on Tuesday January 27, 2004 @08:37PM (#8106904)
        And it doesn't even solve the problem of bouncing a virus infected email back to the person who is listed in the "from" address. Because with most new viruses, that person isn't the infected one most of the time.

        I think that's what the submitter is complaining about. Anti-virus solutions sending bounce messages for virus infected emails to the people in the "from".
      • I know a fair number of people disagree with me, but I'm willing to deal with the fallout of SPF - it doesn't break anything I care about that can't be fixed.

        If enough people agree with me, it'll end up being the defacto standard.

      • > For now, I'd settle for enforcing strict compliance with RFCs

        Indeed. I'd pay money to get my ISP to block messages that don't have a
        valid Subject: header.

        > helo must be a FQDN that can be forward and reverse dns matched with the
        > connecting IP would be an excellent start

        I've considered merely rejecting mail from sending servers whose IP address
        has no PTR record whatsoever. The only problem with this is that it blocks
        approximately 110% of the continent of Asia from sending you mail. (Then
        aga
      • I thought SPF looked at the envelope From (i.e., the address in the Return-Path header), not the From: header in the message text. In your example the forwarded message would be coming From alumni.your.edu and would presumably be sent from one of your.edu's SPF-registered servers. Having SPF rely on the easily-forgeable From: header wouldn't make much sense.

        Don't read this as an endorsement of SPF. I'm still trying to think through all the implications of such a system. But I don't think this line of c

  • Bounce the headers (Score:4, Insightful)

    by aridhol ( 112307 ) <ka_lac@hotmail.com> on Tuesday January 27, 2004 @06:27PM (#8105216) Homepage Journal
    Bounce the headers of the message, and possibly some text. Do not bounce any attachments. If the "sender" is real, they will know their own message by that; if it is fake, bandwidth is not overused.
    • Bounce the headers of the message, and possibly some text. Do not bounce any attachments.

      I'd actually prefer if you bounced the entire attachment. In the case of virus outbreaks, it's a lot easier to filter out the unwanted bounces based on an attachment, than having to read all the headers and wonder if I (or a user) sent an email to someone with a subject line of "Hi".

      Yes, it wastes bandwidth. But it saves human time. If you're that concerned about bandwidth, don't bounce known-spoofed-From:-header

    • by David Byers ( 50631 ) on Tuesday January 27, 2004 @07:11PM (#8105750)
      I've yet to see a single useful bounce generated by an AV scanner, because they insist on sending the bounce to the forged sender.

      People using AV scanners need to hook them up to their SMTP servers so the SMTP server can reject the message as it is being sent. That way innocent people won't see a deluge of misdirected bounce messages.

      • This causes another problem, namely that the SMTP server has to keep the connection open until the virus scanner passes/fails the mail. For some sites, this is not an issue, but for others they would run out of resources quickly (and the next Winders virus-du-jour would bring their mail systems to a screeching halt).
        • They've implemented it very well at the University of Florida. As email is received, a message is accepted only if it does not contain a self-replicating virus. Messages with other types of viruses are accepted, but the attachments are modified to prevent automatic execution and a notification is added to the body.

          It probably slows down the SMTP server a bit, but is that really so bad? It effectively limits the throughput of the mail server, should anyone on campus decide to send out a huge number of me
        • I don't see what the problem is with slowing down SMTP servers...

          If the virus scanner is overloaded, it's going to be slow getting the mail through the system anyhow, why hide the latency from the external servers?

          (Yes, you could argue, what if the external servers end up not getting back to you, or losing the message, but I'd rather let the other server handle the bounce, so it's not on my hands)

    • by Anonymous Coward

      That's great. I received thousands* of emails telling me that I was infected with the last MS virus. I run Linux. I don't particularly care about the bandwidth, I *do* care about the fact that my inbox was rendered useless for quite a while with all the anti-virus spam.

      * (When I say thousands, the actual figure was twenty thousand over three months).

    • We ain't bouncing shit, because not all senders are real, and thus not deliverable.. don't want them in our queue.
  • Not exactly (Score:2, Insightful)

    by sahrss ( 565657 )
    I have received 4 times as many erroneous bounce notifications, because of MyDoom, than the actual virus, so the bounce messages are much more of a problem!

    I agree that the bounces are damaging, but they usually don't multiply the damage; assuming one bounce per virus email, that is only 1x as harmful as the virus itself.

    Most AV will not bounce the emails (these are the ones you don't see of course), reducing the ratio of (bounced emails) / (total emails) to below 1.
    • That all depends on how many address books you are in and web pages you are on. In extreme case you have addresses like the generic tech support email address that dumps in my mailbox. Because it only receives and is never sent from all bounces are due to forgeries.
    • Except for what happened to me recently, one email was bounced back and forth between two mail servers 27 times before finally being dumped. I don't know exactly what happened, but it was due to them both having virus scanners. I think one was rejecting after the DATA portion.
    • assuming one bounce per virus email, that is only 1x as harmful as the virus itself


      Actually, the bounces are much more harmful to me than the virus. The virus is totally harmless to me, because I don't run Windows and just filter anything with a Windows-executable attachment to /dev/null. The bounces are a problem because they aren't easy to filter on without also bouncing legitimate delivery failure reports.
  • by Anonymous Coward on Tuesday January 27, 2004 @06:28PM (#8105230)
    If you are the admin of a mailserver, NEVER BOUNCE OR REPLY BASED ON ANYTHING EXCEPT THE INFORMATION IN THE ENVELOPE HEADER.

    I am fucking tired of seeing mail bounced to my server and email address, just because my email address (or domain) was in the From: portion of the message. They should be smart enough to take a look at the envelope portion of the header and see there is a difference.

    Also, stop notifying senders that "you may have a virus". At all. If you want to do this for your own users, that's fine - but stop sending this shit to people outside of your domain!

    And third... GAH... Where to begin. I give up.
    • Thank you. I too am tired of seeing "You sent me a virus" messages on mailing lists. That's almost a sure sign that some braindead software somewhere replied to the "From:" address and not the envelope-FROM address, which is where all automated delivery status messages are to go.

      In my opinion, the very best thing is to do scanning at SMTP-time. This is very easy with Exim (with the exiscan-acl patch) and clamav, both 100% GPL. By scanning during the DATA phase of message delivery, you can reply with a
  • by menscher ( 597856 ) <menscher+slashdot@u i u c . e du> on Tuesday January 27, 2004 @06:28PM (#8105241) Homepage Journal
    The companies that are doing this know very well that the viruses forge the From: header. If they wanted to warn senders, it would be trivial to put in a check of whether this virus, which they can identify, has the "forges-the-From:-header" bit set, and not respond to those.

    But this doesn't serve their purposes. Their goal, in the event of a virus outbreak, is to advertise. When people are getting viruses, they start looking for AV software, and that's the perfect advertising opportunity.

    I always write back to the postmaster@domain to complain that their software is advertising, and I include a Cc: to the AV vendor, so they can see the negative publicity that results. It might help if everyone else did the same....

    • Interesting.

      As a worker bee I've been more in the camp of people who think

      "What a brain-dead mail-bouncing program! This is the worst thing since the too conveniently placed Reply-to-all button."

      but I always forget the intended audience these advertisements target; higher management with spending decision authority and little direct experience in today's trenches.

      Of course, that always leads to the inevitable awkward Dilbert moment:

      Supervisor: "The CIO wants you to check into the feasibility of

    • I could not agree more (I'd mod you up, but you're already at 5). I also attribute it to admins trying to prove how cool they were (more is better, when it comes to output). But most of these admins probably don't know how to configure the settings to suppress the message, so I think your explanation makes more sense.

  • by bay43270 ( 267213 ) on Tuesday January 27, 2004 @06:29PM (#8105246) Homepage
    I'm very bothered by this. I'm going to send a message about this to everyone I know. I suggest you all do the same.
    • I'm very bothered by this. I'm going to send a message about this to everyone I know. I suggest you all do the same.

      I'm bothered by this too. Make sure that when you email everyone, you add a link to SCO's website so even if they don't get MyDoom they can help^H^H^H^H be aware of what this virus is all about.

  • by Mr. Darl McBride ( 704524 ) on Tuesday January 27, 2004 @06:29PM (#8105247)
    Have you ever seen a bounce message that didn't plaster the software's name all over it multiple times?

    It's an advertisement, pure and simple. It's entirely to the software manufacturer's benefit to take the opportunity to advertise to third parties with you as the middleman.

    And it works. I've had grey haired suits forward bounce messages to me to ask about the other products, asking whether we might want that instead of or in addition to the package I'd already put in place for them.

  • I report all mistaken anti-virus bounce as spam to DCC, Pyzor, Razor. Since the primary motivation that anti-virus companies set bounce as default is to advertise their product, I consider it unsolicited mail.
    • by DrZaius ( 6588 ) <gary.richardson+slashdot@gmail.com> on Tuesday January 27, 2004 @09:05PM (#8107189) Homepage
      And you are the reason that RBL's cause so much collateral damage.

      It's great that you are taking this political stand and sticking it to the virus scanner companies. I'm sure all the email admins out there make the logical jump that their virus scanner messages are causing their IP addresses to show up in RBL's. They'll all disable their virus bounce messages for you.

      Actually, now that I think about it, it's more likely that people will assume RBL's are useless and don't work. They'll probably complain to their peers and convince them that RBL's are unreliable.

      Way to go, jerk.
      • Umm.. dude. I don't know that much about DCC and Pyzor, but Razor is certainly not an RBL and I'm guessing the first 2 aren't either. Razor does some fuzzy-hash matching or something to reject individual messages as spam, instead of the RBL approach of blocking whole domains. So this wouldn't hurt domains at all, just that one type of message.
      • What do you mean "collateral damage"? Anti-virus ads in response to e-mail I didn't send *are* spam, by any reasonable definition. They're advertising a commercial product to me, and I didn't ask for the mail.
      • And you are the reason that RBL's cause so much collateral damage.
        Umm.. Razor, Pyzor and DCC are all programs that create spam SIGNATURES, not RBLs. Reporting a spam virus email to an RBL would be pretty stupid, but that's not what this guy did. Think before you post.
  • by zcat_NZ ( 267672 ) <zcat@wired.net.nz> on Tuesday January 27, 2004 @06:32PM (#8105297) Homepage
    and should be recognised as such.

    AV vendors know damn well that 99% of viruses spoof addresses. More than anyone else, since studying viruses and figuring out what they do is their JOB!!

    The only possible excuse for this behaviour is that they get FREE ADVERTISING out of it. It's spam advertising AV software and/or mail filters, plain and simple. It should be treated the same way as any other spam.

    • To what end? To get some idiot MCSE admin in trouble because his domain got listed in a bunch of spam databases? It's not his fault the AV company his company bought software from is a bunch of spammers.
      • Oh yes it is. He is responsible for it being in place. If we make life bad for idiot MCSE admins they just might get a clue and choose products that do not spam. Getting him in trouble is one way to voice our opinion and try to lessen the market share of bad products. And, it's a better way than MyDoom [slashdot.org]
      • Depends who you consider is to blame; the AV companies, certainly, since they know full-well that bouncing the mail is at best pointless.

        The idiot MCSE and/or PHB? Yes, absolutely.

        Is there any difference between running 'spammy' AV software and hosting viagra-marketing spammers? If there is any difference I would think that the site running spammy AV software is more at fault, not less.

  • Problem is (Score:2, Insightful)

    by jptechnical ( 644454 )

    Many admins think that they are lord of the castle; if you suggest a change to the email system, like cancelling the bounce, the first answer is NO, like you are stepping in their territory.

    I used to work for a place where the admin also got so paranoid with spam that he blocked entire domains like yahoo and hotmail even though there were at least a dozen legitimate customers that used those email services as their primary business email.

    It isn't until there is a backlash or fear of losing their castle tha

  • That really IS an interesting question. What is worse, bouncing it, or accepting it?

    If an admin were to bounce it then the only way to take care of it *correctly* would be to parse the header and send it to the ISP of the luser who is infected. They will (hopefully) notify the owner of the affected machine, and THAT user gets to fix their machine. Or, they can boost the economy a little and hire someone to do it or go buy some AV software.

    Now a better way in my opinion would be to blackhole all emails re
    • Bit Bucket (*woosh!*) He shoots, he scores!

      Yes, ye olde bit bucket - silent but deadly. Virus-infected emails check in, but they don't check out (or get delivered). Saves disk space, too.
    • > What is worse, bouncing it, or accepting it?

      There's no reason to do either. Just drop it into the bit bucket. You don't
      save any bandwidth by rejecting it, since by the time you've detected the
      virus you have already incurred the bandwidth burden. So just route it
      direct to the dustbin.
  • I'm stuck with an older version of Symantec Antivirus (because the current one doesn't run on Exchange Server 5.5), and I can't just delete the fscking message, I have to explain, over and over, just how the user doesn't have to worry... it's already taken care of.

    I hate being forced into supposed "up"grades.

    --Mike--

  • Why not strip the virus from the bounce, like some (too few) servers do? Even better, why not have the AV scanner integrate with the mail server, so that the bounce doesn't just bounce, but also SAYS "Hey, douchebag, you're infected!" Make the bounce message USEFUL.
    • You apparently don't understand the problem. The virus FORGES the sender address so the bounce goes to a third party, not to the person who was infected.
      • True, I get lots of bounces when I've never sent mail there (nor been wormed), but for folks who are infected, and do get bounces, a bounce with info saying "This bounced due to a worm you are infected with" would be more helpful to the clueless newbies with "Lookout!" Express...
    • I've gotten about a ton of bounces like that. But they've all been sent to the (forged) sender of the virus, so they're worse than useless.

      The only acceptable way to generate a bounce of a virus message is as part of the SMTP dialog. That way the sending *server* will get the message, and it won't bother me.

      While you go off and re-think your proposal, I'll just head over here and delete the last hundred or so of those cleaned bounces saying hey douchebag, you're infected.
  • by Anonymous Coward
    We have a semi-homebrew mail filter based on open source tech like customized spamassassin and mimedefang.

    1) Messages which are obvious worms are not bounced at all, just dropped. This requires us to update the list of which AV hits are worms and which are just attachments in an otherwise legit mail. Obviously this isn't always kept up to date, but when a worm is widespread we make sure it isn't generating bounces. The bounces clog up the queue anyway.

    2) Other messages are bounced, but only text portions
    • > I'm not (very) worried about bandwidth

      That's because you're only bouncing the text parts. I don't mind that quite
      so much (though it still annoys me, getting hundreds of bounces for messages
      that I didn't send, just because a bunch of idiots who think it's a good
      idea to use Outlook have me in their address book). The real problem is
      the AV packages that bounce the entire message, including the attachment.
      That adds up to quite a lot of bandwidth. During the last big Outlook virus
      outbreak I found that m
  • The answer is quite simple:
    • mark
    • defang
    • deliver (if recipient exists)

    And don't ever send a bounce.

    Send bounces only for mails not detected as either virus or spam.

    That would make everybody happy.

    • Problem here is that if you mark, defang and deliver some people will get hundreds of e-mails in their inbox which consist entirely of the attachment removed due to virus infection message. They inevitably come back to the mail administrator and report it as a problem: 'all of my e-mail is getting the attachments removed'. Far better just to log the event and place the infected e-mail into the bit bucket, never to bother anyone again. This approach doesn't cause lots of 'shells' being sent to the recipie
  • I just had to flush out 40,000 of those damn Worm.SCO.A mails, and they're still crunching along...

    Amavis (running clamav) has an option in there to specify which virii should be dropped instead of replied to, although it's manual so until you know how your virus software will ID things you'll probably dump replies. Maybe it'd be handy for AV database maintainers to add a flag, like a 'from header spoofer, please don't reply or you'll just make things worse' boolean.

  • Bouncing viruses (Score:5, Interesting)

    by HTH NE1 ( 675604 ) on Tuesday January 27, 2004 @07:15PM (#8105801)
    Are we certain that they are bounces and not just viruses pretending to be bounces? The pattern of the messages I've received suggests to me that the viruses are trying to conceal themselves (poorly) as bounce messages.
    • I thought the topic was mailer-daemon bounces too but I think they're actually talking about mail bounced by inbound mail virus scanners. These seem to bounce virus-infected e-mail with a note along the lines of "Your message was not delivered because it contained a virus. The message was cleaned by Norton Anti Virus." Hence the spam accusations.

      Calling it spam is a little harsh, but these messages are definitely unnecessary and annoying, especially considering many viruses nowadays forge their sender addre
  • The best solution would allow notification to users who actually send a virus unknowingly yet drop all bogus bounce messages. The server receiving the bounce should look up the SMTP id from the bounced message and compare it against messages that have been sent out recently. Drop the bounce unless it matches something from the last three days. Having records of smtp id, sender, and recipient could also be helpful in investigations of where a virus originated from.
    • It's an interesting idea, but it's difficult at best. Every mail server out there has a different idea of how to format a bounce message. There are a few that don't bloody include full headers (!). Still, if you could make it work...
      • I guess you are saying, how would we know at the receiving end whether a particular message was a bounce? This is true. For a 100% solution all smtp software makers would have to agree to share a common signal and to include the headers from the bounced message which most already do anyway. That would pretty much require an update to the RFC.

        My suggestion is to aim for 90% coverage by watching for the formats from the half dozen biggest vendors, after all, the goal is just to put a damper on the secondary
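
An added example of the correlation idea proposed in this thread; it is not the poster's code nor any MTA's own. A bounce is kept only when the Message-ID of the message it claims to report on appears in our own outbound log within the last three days; the sent log, timestamps, addresses and both sample bounces are constructed for the example.

```python
# Added example in the spirit of the suggestion above; it is not the poster's
# code or any MTA's.  A bounce is kept only when the Message-ID of the message it
# claims to report on is in our own outbound log from the last three days.
# The sent log, timestamps, addresses and both sample bounces are constructed.
import email
import re
from datetime import datetime, timedelta, timezone
from email.message import Message
from typing import Dict, Set

WINDOW = timedelta(days=3)
MSGID_RE = re.compile(r"^Message-ID:\s*(<[^>\s]+>)", re.IGNORECASE | re.MULTILINE)


def original_message_ids(bounce: Message) -> Set[str]:
    """Message-IDs of the 'original message' a bounce embeds.

    RFC 3464 DSNs carry it as a message/rfc822 or text/rfc822-headers part;
    ad-hoc notices from AV gateways often just paste the headers into a plain
    text body, so text parts are scanned for a Message-ID line as well.
    """
    ids: Set[str] = set()
    for part in bounce.walk():
        if part is not bounce:
            # An embedded message/rfc822 shows up here as its own Message object.
            mid = part.get("Message-ID")
            if mid:
                ids.add(mid.strip())
        if part.get_content_type() in ("text/plain", "text/rfc822-headers"):
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            ids.update(MSGID_RE.findall(body))
    return ids


def ids_in(bounce_text: str) -> Set[str]:
    """Parse a raw bounce and return the original Message-IDs it refers to."""
    return original_message_ids(email.message_from_string(bounce_text))


def is_genuine_bounce(bounce_text: str, sent_log: Dict[str, datetime], now: datetime) -> bool:
    """True when the bounce refers to something we really sent within WINDOW."""
    for mid in ids_in(bounce_text):
        sent_at = sent_log.get(mid)
        if sent_at is not None and timedelta(0) <= now - sent_at <= WINDOW:
            return True
    return False


# Constructed outbound log: Message-ID -> time our MTA accepted it for delivery.
NOW = datetime(2004, 1, 27, 18, 0, tzinfo=timezone.utc)
SENT_LOG = {
    "<1001@example.com>": NOW - timedelta(hours=5),   # recent, legitimate
    "<0900@example.com>": NOW - timedelta(days=4),    # too old to be bounced now
}

# Constructed RFC 3464 delivery status notification for a real outbound message.
GENUINE_DSN = """\
From: MAILER-DAEMON@example.org
To: alice@example.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The address nobody@example.org does not exist.
--b1
Content-Type: text/rfc822-headers

From: alice@example.com
To: nobody@example.org
Message-ID: <1001@example.com>
Subject: quarterly report
--b1--
"""

# Constructed AV-gateway "you sent a virus" notice: the quoted headers carry a
# Message-ID that never passed through our MTA, because the worm forged the sender.
AV_NOTICE = """\
From: antivirus@example.net
To: alice@example.com
Subject: Virus found in a message you sent

Our scanner blocked a message from you containing a virus.

--- headers of the blocked message ---
From: alice@example.com
To: victim@example.net
Message-ID: <9f3a.forged@random.invalid>
"""

if __name__ == "__main__":
    print("genuine DSN kept:", is_genuine_bounce(GENUINE_DSN, SENT_LOG, NOW))  # True
    print("AV notice kept:", is_genuine_bounce(AV_NOTICE, SENT_LOG, NOW))      # False
```

As the thread notes, bounces that omit the original headers entirely cannot be matched this way and fall through to the drop side.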

  • I just filter out the automated responses. Hopefully, I won't be getting that many important ones.
  • Why don't we expect ISPs to filter email for viruses?

    I know it would be expensive, that it would require people to do more work and buy more servers. But I don't see any other way of shutting down these mail virus storms.

    This virus doesn't exploit any real holes. It depends on unsophisticated users doing something dumb. I don't think we're ever going to live in a world in which it won't be possible to trick unsophisticated users into doing something dumb. Does that mean we have to suffer through this
  • "Simple" solution? (Score:4, Interesting)

    by srhuston ( 161786 ) on Tuesday January 27, 2004 @08:23PM (#8106735) Homepage Journal
    As I've seen it, there are multiple camps for what to do with email-borne viruses. Those that say strip the attachment, and those that say can the whole thing. I have always belonged to the "can it" group, and Mydoom is a good example. Before our virus scanner started catching them, I got at least 5 emails about how a hacker must have broken into the email system, because they got this message returned to them that they didn't send, etc. If the mail had a virus in it, just can the message.

    Next is what to do after you've tossed the mail: to notify or not to notify. Well, I'm the type that believes that *someone* should get a notification if an email is tossed (i.e., mail should never disappear without some sort of DSN going somewhere). So in the case of non-mass-mailing viruses, I send a notice back to the sender telling them their mail was canned, and why.

    So my question to other mail admins (which I recently posed to the amavis-new list), is why not rely on the virus scanner's naming schemes? I use f-prot here, and all viruses that fake sender email addresses end with "@mm" (for Mass-Mailer). So I told amavis to not notify the sender if the virus name contains "@mm", but to notify the sender if it does not.

    Result? I've blocked over 8000 copies of Mydoom in the last 24 hours, and not sent a single mail to the "sender"s, but when one of the professors sent a mail out with a Word document attached that had a macro virus in it, he got a mail back saying the message was stopped and why.

    Simple, elegant... but why don't others do similar setups?
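
An added example of the notification policy described in the post above; it is not srhuston's amavis setup nor code from amavis or f-prot. It also applies the rule raised earlier in the thread that a notice goes to the envelope sender, never to the From: header. Verdict strings, addresses and both sample messages are constructed; the "@mm" suffix rule follows the f-prot naming convention the post describes.

```python
# Added example in the spirit of the post above; it is not srhuston's amavis
# setup nor code from amavis or f-prot.  It also applies the rule raised earlier
# in the thread: a notice goes to the envelope sender, never to the From: header.
# Verdict strings, addresses and both sample messages are constructed.
import email
from email.utils import parseaddr
from typing import NamedTuple, Optional

MASS_MAILER_SUFFIX = "@mm"  # f-prot appends this to mass-mailer names (per the post)


class Decision(NamedTuple):
    action: str              # "deliver", "drop" or "reject"
    notify: Optional[str]    # address that gets the "your mail was blocked" notice
    reason: str


def is_mass_mailer(verdict: str) -> bool:
    """A verdict ending in "@mm" names a mass-mailer, i.e. a worm that forges
    its sender, so nobody named in such a message may be notified."""
    return verdict.lower().endswith(MASS_MAILER_SUFFIX)


def decide(envelope_from: str, raw_message: str, verdict: Optional[str]) -> Decision:
    """Policy for one scanned message.

    envelope_from is the SMTP MAIL FROM address ("<>" or "" for the null
    reverse-path); verdict is the scanner's virus name, or None when clean.
    """
    if verdict is None:
        return Decision("deliver", None, "clean")
    if is_mass_mailer(verdict):
        # Sender forged by the worm: any notice would land on a bystander.
        return Decision("drop", None, f"{verdict} forges its sender; no notice sent")
    if envelope_from.strip() in ("", "<>"):
        # A null reverse-path means this message is itself a bounce; never bounce a bounce.
        return Decision("drop", None, "null envelope sender; not notified")
    # Non-mass-mailer (e.g. a macro virus in a document someone really attached):
    # tell the sender, using the envelope address only.
    header_from = parseaddr(email.message_from_string(raw_message).get("From", ""))[1]
    reason = f"{verdict} blocked; notice to envelope sender"
    if header_from and header_from.lower() != envelope_from.lower():
        reason += f" (From: header {header_from} ignored)"
    return Decision("reject", envelope_from, reason)


# Constructed sample messages (not real worm traffic).
WORM_MAIL = """\
From: Bystander <bystander@example.com>
To: victim@example.net
Subject: hello

test
"""

MACRO_MAIL = """\
From: Prof <prof@example.edu>
To: dean@example.edu
Subject: minutes (attached)

See the attached document.
"""

if __name__ == "__main__":
    # "W32/Sample.A@mm" and "W97M/Sample" are constructed f-prot-style names.
    print(decide("forged@example.org", WORM_MAIL, "W32/Sample.A@mm"))
    print(decide("prof@example.edu", MACRO_MAIL, "W97M/Sample"))
    print(decide("prof@example.edu", WORM_MAIL, "W97M/Sample"))
```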
  • MailScanner has the option to not send bounce messages if the virus is in a particular list. However, it also has the option to strip any attachments that fall into the .exe, .pif, .scr, etc list of dangerous extensions without bothering to check if there's a virus in there or not -- which is very handy when a new one beats the patterns to your server. In this case the scanner does not know if the From: line is likely faked or not and must send a message indicating that the email has not been passed on c
    • I agree! Blocking dangerous attachments is very important these days. Viruses move far too quickly for virus signatures to be of much use. Be proactive and block those executables - it's not a total solution (e.g. macro viruses in Office files) but it's a good start. Anyone who actually needs an .exe is probably capable of getting it an alternate way (FTP, web, courier).

      FWIW, Symantec Mail Gateway Anti-virus (that's not the proper name, but you get the idea) can be configured in this way. Most mail s
      • Hmm, what I posted earlier wasn't entirely correct. Turns out that our anti-virus portion of MailScanner had gotten knocked-off during the last sendmail update. MailScanner will happily block an attachment for more than one reason, and by default it no longer sends an automated response if it detects a virus.

        This still means that attachments rejected in the hours before the virus pattern arrives will get a bounce message, but they'll dry up as soon as the pattern's in place. Nicer.

  • If a suspect message is found it should notify the sender.

    I send emails to some companies; they block all sorts of files. I tried to send a zip file to the customer, which was blocked.
    I immediately got a message refused notice.

    This allowed me to inform the customer that they would not get what I was trying to send, and we made alternate arrangements.
    If they didn't send out the failure my customer would have been screwed, and I wouldn't have even known. When stuff doesn't happen in business you get blame
    • If a suspect message is found it should notify the sender.
      That's all well and good, but in the case of these Windows worms, the person listed in the headers is not the sender. Furthermore, the antivirus companies know that they're bouncing it to someone who is not the sender. They don't care, because it's advertising their product.
      • I think they strongly suspect it, they don't know.

        Secondly only sometimes is the from false.

        Someone might actually send the virus to someone else an email asking "What is this file you sent me".

        For me silent failure is broken.
        I have many times sent someone an email that they needed, only to find out it isn't getting through due to any of a multitude of reasons.
        The worst is when their mailserver, which they don't control, blindly chucks email for stupid wrong reasons.
        • I think they strongly suspect it, they don't know.

          It's not rocket science to figure out how a new worm works. They know that they fake the senders.

          Someone might actually send the virus to someone else an email asking "What is this file you sent me".

          That's not the same as a message sent by the worm, and should not be detected as such. The software should not just look at the attachment, but at the whole email. The real worm email would not include that question.

          For me silent failure is broken

    • My domain's email does basically the same thing. I have neither the money nor the processor power to virus scan everything, so I just set it up to not allow attachments that are executable in Windows.

      The problem is that if somebody sends an executable file, they need to know it's not going to be delivered. So it bounces.

      That creates the problem the article poster is complaining about, but I'm not really sure which is worse. The last thing I want is somebody thinking an email got delivered when it actually d
    • If a suspect message is found it should notify the sender.

      Yes. I agree. Notify the sender.
      However, just because my address is in the from: field, that doesn't mean that I'm the sender, so don't notify me.
      Good luck in finding the sender, though.
  • Ok, so I actually like my ISP's setup. They require a username/password combo to send any emails through their SMTP server, and include the sender's username in the header info. Makes it really easy to track down who is doing the spamming.

    Disclaimer: I also work for them, so it makes my job as a first-line phone jockey easy to track down internal spammers.
  • During the last Sobig outbreak, I received over 100 bounces per day from a single ISP in New Zealand. I e-mailed them to stop, pointing out that Sobig forged its "From" header.

    They apologized and informed me I wouldn't receive any more bounces -- because their servers would now silently delete all e-mail from my account.

    I wanted to write back and point out that (a) this didn't help all the other people they were bouncing Sobig too, and (b) I might actually want to e-mail someone using them as an ISP one da

  • Says I, as I attempt to maneuver my way through about 1500 emails I've received in the last 4 HOURS on the OOo mod list
