On Sun, 4 Dec 2005, Church, Chuck wrote:
> What about all the viruses out there that don't forge addresses?
Not that there are nearly as many -- the main scourge is sender-forging worms by a better than 90%/10% margin -- but I very specifically mentioned:
(Virus "warnings" to forged addresses are UBE, plain and simple.)
I think that was pretty clear.
> Sending a warning message makes sense for these. Unless someone has done the research to determine the majority of viruses forge addresses,
Are you living on Earth in 2005? Unless your filters are VERY strict, no research should be necessary; look at your own mailbox[es]. If you don't know that most worm-viruses forge senders these days, you haven't been using Internet e-mail long enough. 8-) That said, it takes only a cursory glance through the worms listed on Symantec's or F-Secure's or Sophos's web sites in reverse chronological order to see, very clearly, that *nearly every* worm in recent history forges sender addresses. Finding three or more worms in the past two years that don't forge is a challenge for the bored reader. Some do it for a very good reason -- in the eyes of the worm's writer, mind you. A worm is more likely to get through if the user in envelope-FROM has some sort of relationship with the recipient, because so many sites use weighted scoring that includes auto-whitelist bias. To a worm writer, just using the address in the luser's settings isn't enough, as folks are starting to understand "don't click on any random attachment." So, gambling on the luser having a circle of friends close enough to know each other, the worm forges many different combinations. (If you want more details on this reasoning, take it off-list.)
> Calling vendors 'clueless' because a default doesn't match your needs is a little extreme, don't you think?
The vendors sending worm-virus "warning" UBE are indeed clueless now, because they aren't paying attention to (often their own!) virus statistics showing that the majority of worm-viruses forge sender addresses today. Let me repeat myself:
(Virus "warnings" to forged addresses are UBE, plain and simple.)
Not sending UBE is not just "my needs"; I think we can both agree on that. To extend that concept, virus "warnings" triggered by worm-viruses for which the forgery status is unknown are either UBE or very close to it. With the massive amount of spew that is forged, any warning option that is not absolutely confined to trigger on problem mail *known* not to be forged is a part of the problem, not part of the solution. The option for warning on forged senders shouldn't just be off -- it should not exist.
> The ideal solution would be for the scanning software to send a warning only if the virus detected is known to use real addresses, otherwise it won't warn.
Symantec reportedly did this at long last in one of their products recently (see SPAM-L@PEACH.EASE.LSOFT.COM archives for details). I truly hope others follow suit. However, unless the option to warn forged senders is removed entirely from their products, anti-malware vendors still have a large amount of fault on their shoulders. Things like clamav have had the option properly separated for some time, but I'm mainly counting the slow-moving, commercial anti-malware products in the prior paragraph.

-- 
Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
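The policy the thread converges on (warn the envelope sender only when the detected malware is positively known not to forge it; treat unknown status as forged; never answer the null sender) can be expressed as a small gateway decision routine. The following is an added example written for this page, not code from Todd Vierling, Symantec or the clamav project; the malware family names, the `FORGES_SENDER` table, and the `ScanResult`/`decide` names are constructed for illustration and do not correspond to any real signature database.

```python
"""Fail-closed virus-notification policy for a mail gateway (added example).

Given a scanner verdict and the SMTP envelope, decide what to do with the
message and whether a "virus warning" to the envelope sender is permitted.
The sender warning is allowed only when the detected family is known NOT to
forge the sender; an unknown or unlisted family counts as forged, so the
default is silence, which is what the thread argues for.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed knowledge base (hypothetical names): family -> forges sender?
# True  = known to forge the envelope sender
# False = known to send from the real, infected account
# None  = status unknown; the policy treats this exactly like True
FORGES_SENDER: Dict[str, Optional[bool]] = {
    "Worm.Example.Forger": True,
    "Worm.Example.SelfMailer": True,
    "Trojan.Example.Attached": False,
    "Worm.Example.Unknown": None,
}


@dataclass
class ScanResult:
    envelope_from: str            # SMTP MAIL FROM; "" is the null sender <>
    recipient: str                # SMTP RCPT TO
    malware_name: Optional[str]   # None when the scanner found nothing


def sender_warning_allowed(result: ScanResult) -> bool:
    """True only when warning the envelope sender is not backscatter."""
    if result.malware_name is None:
        return False                      # clean mail: nothing to warn about
    if result.envelope_from == "":
        return False                      # never reply to the null sender (bounces)
    forges = FORGES_SENDER.get(result.malware_name)   # unlisted -> None
    return forges is False                # only an explicit "does not forge" passes


def decide(result: ScanResult) -> List[str]:
    """Return the ordered list of gateway actions for one message."""
    if result.malware_name is None:
        return ["deliver"]
    actions = ["quarantine"]              # infected mail never reaches the inbox
    if sender_warning_allowed(result):
        actions.append(f"warn-sender:{result.envelope_from}")
    return actions


def backscatter_suppressed(results: List[ScanResult]) -> int:
    """Count infected messages for which a naive 'always warn' gateway would
    have emitted UBE but this policy stayed silent."""
    return sum(
        1 for r in results
        if r.malware_name is not None and not sender_warning_allowed(r)
    )


if __name__ == "__main__":
    # Constructed sample traffic, not captured mail.
    batch = [
        ScanResult("alice@example.org", "bob@example.net", "Worm.Example.Forger"),
        ScanResult("carol@example.org", "bob@example.net", "Worm.Example.Unknown"),
        ScanResult("dave@example.org", "bob@example.net", "Trojan.Example.Attached"),
        ScanResult("", "bob@example.net", "Trojan.Example.Attached"),
        ScanResult("erin@example.org", "bob@example.net", None),
    ]
    for r in batch:
        print(r.malware_name, "->", decide(r))
    print("sender warnings suppressed:", backscatter_suppressed(batch))
```

The important design choice is the last line of `sender_warning_allowed`: it tests `forges is False`, not `not forges`, so a family that is merely absent from the table or marked unknown can never trigger a warning. That is the "off is not enough, the option should not exist" stance expressed as code: there is no configuration switch that re-enables warnings for forged or unknown senders.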