To send or not to send 'virus in email' notifications?
Considering the amount of email traffic generated by responding to forged virus laden email from culprits like sobig should email virus scanning systems be configured to send notifications back to sender or not?
> Considering the amount of email traffic generated by responding to forged virus laden email from culprits like sobig should email virus scanning systems be configured to send notifications back to sender or not?
Considering that the "From" is almost always not the right one, I think sending notifications back will only help to increase the mail traffic and won't help anyone.

Pascal
> Considering the amount of email traffic generated by responding to forged virus laden email from culprits like sobig should email virus scanning systems be configured to send notifications back to sender or not?
IMO: No. I have had around 200 of these alerts this morning alone, most of which originate from POSTMASTER@somedomain which received email using my forged address. I can't blithely ignore the postmaster, but I'm sorely tempted to filter them. Side note: I'm seeing about a 20x increase in smtp traffic over the daily norm.

-John
On Wed, 20 Aug 2003, Joe Maimon wrote:
> Considering the amount of email traffic generated by responding to forged virus laden email from culprits like sobig should email virus scanning systems be configured to send notifications back to sender or not?
Well, if you don't tell them they won't know, although with Sobig the return address is false anyhow. It would probably be best to cache the sender/virus combinations and send a single message per 7 days.

Steve
Absolutely not. SoBig.F, like many others, forges the sender address. That means that your notifications:
1) Don't make it back to the person with the infection
2) Simply add more clutter to the mailbox of the person whose address was used (in addition to all the bounce messages)
In the enterprise, this is a great argument for scanning outbound email with positive identification of whose outbound mail you're scanning.

Matthew Kaufman
matthew@eeph.com
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Joe Maimon
Sent: Wednesday, August 20, 2003 7:25 AM
To: nanog@merit.edu
Subject: To send or not to send 'virus in email' notifications?
> Considering the amount of email traffic generated by responding to forged virus laden email from culprits like sobig should email virus scanning systems be configured to send notifications back to sender or not?
On Wed, 20 Aug 2003 10:25:28 EDT, Joe Maimon <jmaimon@ttec.com> said:
> Considering the amount of email traffic generated by responding to forged virus laden email from culprits like sobig should email virus scanning systems be configured to send notifications back to sender or not?
It isn't like the A/V vendors can't put a single bit in the description that says "uses real address" or "uses forged address" and only send a notification when the "real" bit is set. However, a lot of them seem to be more interested in pumping out PR and FUD. Worst part is if one of them had been smart, they'd have invented such a bit, patented it, and then shipped "New! Improved! Now with less confusing messages", and used the patent to make sure nobody else did. Now *that* would be a selling point for their product, but noooo... ;) They've missed their chance. Feel free to cite this e-mail as prior art if somebody tries it now... ;)
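A notification policy that implements the two refinements suggested above, Steve's one-message-per-7-days cache and Valdis's per-signature "forges the sender" bit, as an added example: this is not code posted in the thread and not taken from any scanner product. The signature table, the `Demo.RealSender` entry and the `NotificationPolicy` class are assumptions made for the demonstration; a real deployment would take the forged-sender flag from the AV vendor's signature metadata.

```python
"""Notification policy for an e-mail virus scanner (added example; not code
from the thread).  Two ideas from the discussion combined: a per-signature
"forges the sender" bit, so only worms that keep the real sender get a
notification, and a cache allowing one notification per sender/virus pair
per 7-day window.  The signature table is an assumption for the demo.
"""
import time

WINDOW_SECONDS = 7 * 24 * 3600

# Hypothetical signature metadata. True = the worm forges the sender, so a
# notification would reach an innocent third party, not the infected host.
FORGES_SENDER = {
    "W32/Sobig.F": True,
    "W32/Klez.H": True,
    "Demo.RealSender": False,  # constructed: a sample that keeps the real sender
}


class NotificationPolicy:
    def __init__(self, forges_sender=FORGES_SENDER, window=WINDOW_SECONDS):
        self.forges_sender = forges_sender
        self.window = window
        self._last_sent = {}  # (sender, virus) -> time of last notification

    def decide(self, sender, virus, now=None):
        """Return (notify, reason).  Definite refusals come first; the
        rate-limit cache is only consulted for real candidates."""
        now = time.time() if now is None else now
        if not sender:
            return False, "null-sender"          # never reply to <>
        if virus not in self.forges_sender:
            return False, "unknown-signature"    # unknown: treat as forged
        if self.forges_sender[virus]:
            return False, "forged-sender"
        key = (sender.strip().lower(), virus)
        last = self._last_sent.get(key)
        if last is not None and now - last < self.window:
            return False, "rate-limited"
        self._last_sent[key] = now
        return True, "notify"

    def purge(self, now=None):
        """Drop cache entries older than the window; return how many."""
        now = time.time() if now is None else now
        stale = [k for k, t in self._last_sent.items() if now - t >= self.window]
        for k in stale:
            del self._last_sent[k]
        return len(stale)
```

The order of the checks is the point: a forged or unknown signature is refused before the cache is touched, so the cache only ever holds sender/virus pairs that were actually worth notifying, and `purge()` keeps it from growing without bound during an outbreak.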
On Wednesday 20 August 2003 10:25, Joe Maimon wrote:
> Considering the amount of email traffic generated by responding to forged virus laden email from culprits like sobig should email virus scanning systems be configured to send notifications back to sender or not?
Absolutely not. My spam filters are handling the original spam fine but I am getting tons of responses to email I didn't send in the first place. It's legitimate email from legitimate sources so the filters don't catch it but it is garbage nonetheless.

-- 
D'Arcy J.M. Cain <darcy@{druid|vex}.net>   |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 425 1212     (DoD#0082)    (eNTP)   |  what's for dinner.
> Considering the amount of email traffic generated by responding to forged virus laden email from culprits like sobig should email virus scanning systems be configured to send notifications back to sender or not?
Virus notification was great in times past. With forged addresses, now the double-edged sword is pointed back at the victim system: since some of the notifications are sent to invalid domains or accounts, the mail rests undeliverable in a mail queue waiting to expire. My mail queue rose yesterday to over 100 undeliverable mails, all of these from Sobig notifications to illegal domains or accounts. I shut down notifications ASAP, saving myself (and my systems) some processing time. The notification piece of most scanner engines needs to be revamped by the software manufacturers and developers to keep up with the new trends in virii behavior (i.e. forged addresses). Someone posted that Amavis-new has this feature, and this is open source software; you'd imagine the commercial companies could have figured this one out by now, since Klez also used forged addresses.

Gerardo

D'Arcy J.M. Cain writes:
> On Wednesday 20 August 2003 10:25, Joe Maimon wrote:
> > Considering the amount of email traffic generated by responding to forged virus laden email from culprits like sobig should email virus scanning systems be configured to send notifications back to sender or not?
> Absolutely not. My spam filters are handling the original spam fine but I am getting tons of responses to email I didn't send in the first place. It's legitimate email from legitimate sources so the filters don't catch it but it is garbage nonetheless.
> -- 
> D'Arcy J.M. Cain <darcy@{druid|vex}.net>   |  Democracy is three wolves
> http://www.druid.net/darcy/                |  and a sheep voting on
> +1 416 425 1212     (DoD#0082)    (eNTP)   |  what's for dinner.
Gerardo A. Gregory
Manager Network Administration and Security
402-970-1463 (Direct)
402-850-4008 (Cell)
------------------------------------------------
Affinitas - Latin for "Relationship"
Helping Businesses Acquire, Retain, and Cultivate Customers
Visit us at http://www.affinitas.net
In a message written on Wed, Aug 20, 2003 at 11:40:53AM -0400, D'Arcy J.M. Cain wrote:
> Absolutely not. My spam filters are handling the original spam fine but I am getting tons of responses to email I didn't send in the first place. It's legitimate email from legitimate sources so the filters don't catch it but it is garbage nonetheless.
For those that use spamassassin, in ~/.spamassassin/user_prefs:

header   VIRUS_BOUNCE  X-MailScanner =~ /Found to be clean/
describe VIRUS_BOUNCE  Has X-MailScanner with virus signature.
score    VIRUS_BOUNCE  5.0

-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
Joe Maimon wrote:
> Considering the amount of email traffic generated by responding to forged virus laden email from culprits like sobig should email virus scanning systems be configured to send notifications back to sender or not?
I guess we can summarise and say that: (intelligent virus scanner) ? notify : don't notify
Notifications from virus scanners are backscatter, just the same as the backscatter generated by Smurf attacks. The virus scanners are contributory technology in the conduct of a denial of service attack, in exactly the same way as having directed broadcasts enabled on your routers was (read RFC 2644 for the details). Please let's stop building technology that aids in the conduct of DoS attacks.
on 8/20/2003 9:25 AM Joe Maimon wrote:
> Considering the amount of email traffic generated by responding to forged virus laden email from culprits like sobig should email virus scanning systems be configured to send notifications back to sender or not?
The least-harmful yet still-compliant mechanism is to reject the message during the transfer stage, instead of during the delivery stage. If the victim is sending their mail using an MTA that is built into the worm, that should be the end of it. If the victim is sending the mail by way of a real server (e.g., a submission server or a smarthost), then the transfer rejects will probably still result in delivery failure notifications being sent to the spoofed sender address.

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
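The transfer-stage rejection Eric describes, side by side with the delivery-stage bounce it replaces, as an added example that is not code from the thread. The toy `SmtpServer`, the `Demo.Worm` signature, the `deliver()` helper and the sample addresses and message bodies are all constructed for the demonstration; a real MTA would call an AV engine at end-of-DATA and return the 5xx from its content filter.

```python
"""Transfer-stage rejection versus delivery-stage bounce (added example; not
code from the thread).  A toy SMTP server scans the body at end-of-DATA and
either refuses it with a 550 inside the transaction, or accepts it and, on
finding a virus afterwards, generates a DSN to the envelope sender.  The
signature, addresses and message bodies are constructed for the demo.
"""
import re

# Constructed signature; a real deployment would call an AV engine here.
SIGNATURES = {"Demo.Worm": re.compile(rb"BEGIN-DEMO-WORM-PAYLOAD")}

# Constructed sample messages.
INFECTED = b"Subject: Re: Details\r\n\r\nSee attachment.\r\nBEGIN-DEMO-WORM-PAYLOAD\r\n"
CLEAN = b"Subject: lunch?\r\n\r\nNoon works.\r\n"


def scan(body: bytes):
    """Return the name of the first matching signature, or None if clean."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(body):
            return name
    return None


class SmtpServer:
    """Server side of one SMTP transaction.

    reject_at_data=True  -> refuse the message with a permanent error at
                            end-of-DATA, so this MTA never owns it and never
                            has to bounce it (Eric's recommendation).
    reject_at_data=False -> accept, then discard and bounce to the (possibly
                            forged) envelope sender: backscatter.
    """

    def __init__(self, reject_at_data=True):
        self.reject_at_data = reject_at_data
        self.sender = None
        self.rcpts = []
        self.queue = []  # messages this MTA accepted and now owns
        self.dsns = []   # (envelope sender, reason) bounces this MTA generated

    def mail_from(self, addr):
        self.sender = addr
        return "250 2.1.0 Ok"

    def rcpt_to(self, addr):
        self.rcpts.append(addr)
        return "250 2.1.5 Ok"

    def data(self, body: bytes):
        virus = scan(body)
        if virus and self.reject_at_data:
            # Still inside the transaction: the client gets the 5xx directly
            # and nothing is queued, so there is nothing to bounce.
            return f"550 5.7.1 Message rejected: contains {virus}"
        if virus:
            # Accepted, so responsibility for the message is ours.  RFC 5321
            # forbids bouncing to the null sender; to anyone else, this is
            # exactly where the backscatter comes from.
            if self.sender:
                self.dsns.append((self.sender, f"Undeliverable: contains {virus}"))
        else:
            self.queue.append((self.sender, list(self.rcpts), body))
        return "250 2.0.0 Ok: queued"


def deliver(server, sender, rcpt, body, via_smarthost=False):
    """Run one transaction; return (server reply, DSNs the *relay* generated).

    via_smarthost models the victim sending through a real submission server:
    that relay already accepted the message from the client, so when it
    receives the 550 it generates a DSN to the spoofed sender itself.
    """
    server.mail_from(sender)
    server.rcpt_to(rcpt)
    reply = server.data(body)
    relay_dsns = []
    if via_smarthost and reply.startswith("5") and sender:
        relay_dsns.append((sender, reply))
    return reply, relay_dsns
```

With `reject_at_data=True` the infected message produces a 550 and an empty `dsns` list; with `reject_at_data=False` the same message is accepted and a bounce to `victim@example.org` appears, which is the notification traffic the thread is complaining about. Passing `via_smarthost=True` reproduces Eric's caveat: the receiving MTA stays clean, but the relay in front of the victim turns the 550 into a DSN to the spoofed sender. The only place that can be avoided is the relay itself, which, unlike the far end, knows who actually submitted the message.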
participants (11)
- D'Arcy J.M. Cain
- Daniel Senie
- Eric A. Hall
- Gerardo A. Gregory
- Joe Maimon
- John Ferriby
- Leo Bicknell
- Matthew Kaufman
- Pascal Gloor
- Stephen J. Wilcox
- Valdis.Kletnieks@vt.edu