Re: Clueless anti-virus products/vendors (was Re: Sober)
-----Original Message----- From: Daniel Senie [mailto:dts@senie.com] Sent: Friday, December 2, 2005 11:27 AM To: nanog@nanog.org Subject: Clueless anti-virus products/vendors (was Re: Sober)
At 03:12 PM 12/2/2005, Michael Loftis wrote:
--On December 2, 2005 2:02:15 PM -0600 Dennis Dayman <dennis@thenose.net> wrote:
Interested, but I see many Sober postings and outages on other lists and not here...has anyone been having issues? I know the ISP's are fighting the living out of the virus.
I've been seeing a few really large bursts into our mailserver. Not sure if it's a new variant or a reoccurrence of an old strain. I put in a good number of new port 25 inbound blocks for infected systems and attempted to put up a few checks inside of our front end mail servers rather than in the virus and spam filtering (which happens later for us, so for bad surges we put a few custom rules up front early in postfix).
Only stuff we're seeing is a lot of blowback from dumb mail systems that accept email, THEN scan for viruses, and ultimately decide to send a note back to the From: address in the body of the infected email. Since the From: is invariably forged, the uninvolved owner of those forged email addresses gets hammered.
Can people building virus scanning devices PLEASE GET A %^&*^ CLUE? This means you, Barricuda Networks, more than anyone else, but we also see this annoyance from Symantec devices, and from some AOL systems as well.
It's a simple switch in the GUI of Barracuda Networks to turn of this annoyance. More operator error than Barracuda's fault, IMHO. -Dee
Blasting a note back does two things:
1. It allows the worm or virus author an opportunity to implement an amplified attack on a third party using your filtering systems.
2. The bounce messages mostly include an advertisement for the filtering box's vendor. Get a clue... this is a REALLY negative advertisement for your spam & virus filtering technology. If you can't manage to realize the virus laden email should perhaps be dropped, then it makes your box look poorly designed.
Oh, and please delete the infected file rather than sending that along too.
OK, off my soapbox.
Dan
On Sat, 03 Dec 2005 00:45:05 +0000 "W.D.McKinney" <dee@akwireless.net> wrote:
It's a simple switch in the GUI of Barracuda Networks to turn of this annoyance. More operator error than Barracuda's fault, IMHO.
Not if a software upgrade from Barracuda can cause the current configuration to be silently reverted to Barracuda's defaults ... -- Richard
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Richard Cox Sent: Friday, December 02, 2005 4:23 PM To: nanog@nanog.org Subject: Re: Clueless anti-virus products/vendors (was Re: Sober)
On Sat, 03 Dec 2005 00:45:05 +0000 "W.D.McKinney" <dee@akwireless.net> wrote:
It's a simple switch in the GUI of Barracuda Networks to turn of this annoyance. More operator error than Barracuda's fault, IMHO.
Not if a software upgrade from Barracuda can cause the current configuration to be silently reverted to Barracuda's defaults ...
That never happened on any of our cluster. -Dee
-- Richard
On Sat, 3 Dec 2005, W.D.McKinney wrote:
Can people building virus scanning devices PLEASE GET A %^&*^ CLUE? This means you, Barricuda Networks, more than anyone else, but we also see this annoyance from Symantec devices, and from some AOL systems as well.
It's a simple switch in the GUI of Barracuda Networks to turn of this annoyance. More operator error than Barracuda's fault, IMHO.
If it is on by default, it is a bug, and not operator error. (Virus "warnings" to forged addresses are UBE, plain and simple.) -- -- Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Todd Vierling Sent: Sunday, December 04, 2005 5:58 AM To: W.D.McKinney Cc: nanog@nanog.org Subject: Re: Clueless anti-virus products/vendors (was Re: Sober)
On Sat, 3 Dec 2005, W.D.McKinney wrote:
Can people building virus scanning devices PLEASE GET A %^&*^ CLUE? This means you, Barricuda Networks, more than anyone else, but we also see this annoyance from Symantec devices, and from some AOL systems as well.
It's a simple switch in the GUI of Barracuda Networks to turn of this annoyance. More operator error than Barracuda's fault, IMHO.
If it is on by default, it is a bug, and not operator error.
(Virus "warnings" to forged addresses are UBE, plain and simple.)
Since when? I disagree. -Dee
On Dec 4, 2005, at 2:06 PM, W.D.McKinney wrote:
Can people building virus scanning devices PLEASE GET A %^&*^ CLUE? This means you, Barricuda Networks, more than anyone else, but we also see this annoyance from Symantec devices, and from some AOL systems as well.
It's a simple switch in the GUI of Barracuda Networks to turn of this annoyance. More operator error than Barracuda's fault, IMHO.
If it is on by default, it is a bug, and not operator error.
(Virus "warnings" to forged addresses are UBE, plain and simple.)
Since when? I disagree.
While we can argue whether it is UBE, it is a pretty dumb move I think we can all agree.. ;-)
On Sun, 4 Dec 2005, W.D.McKinney wrote:
(Virus "warnings" to forged addresses are UBE, plain and simple.)
Since when? I disagree.
UBE = "unsolicited bulk e-mail". Which of those three words do[es] not apply to virus "warning" backscatter to forged envelope/From: addresses? Think carefully before answering. -- -- Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
On Sun, Dec 04, 2005 at 09:58:20AM -0500, Todd Vierling wrote:
If it is on by default, it is a bug, and not operator error.
(In the case of the Barracuda) there are at least two such switches: one for spam, one for viruses. Note that when both are set to "off" that the box still occasionally emits such messages under as-yet-undetermined circumstances. I attempted to persuade one of Barracuda's engineers, months ago, that there was absolutely no valid reason for including a "feature" whose only purpose was abuse redirection. Incredibly, I was told "the customers want this feature", and that it would not be removed. And thus we now have blacklist entries such as: barracuda1.aus.texas.net barracuda.yale-wrexham.ac.uk barracuda.morro-bay.ca.us barracuda.ci.mtnview.ca.us barracuda.elbert.k12.ga.us barracuda.fort-dodge.k12.ia.us barracuda.ci.garner.nc.us barracuda.ship.k12.pa.us and many, many more. Perhaps Barracuda should simply rename those switches as "spam random individuals" and/or "get yourself blacklisted", as those are the only two things likely to result from turning them on.
(Virus "warnings" to forged addresses are UBE, plain and simple.)
When sent in bulk (as they inevitably are), absolutely. There's no exception in the canonical definition of spam (which _is_ "UBE") for "messages sent by broken anti-virus software", nor should there be. ---Rsk
Rich Kulawiec wrote:
And thus we now have blacklist entries such as:
barracuda1.aus.texas.net barracuda.yale-wrexham.ac.uk barracuda.morro-bay.ca.us barracuda.ci.mtnview.ca.us barracuda.elbert.k12.ga.us barracuda.fort-dodge.k12.ia.us barracuda.ci.garner.nc.us barracuda.ship.k12.pa.us
and many, many more.
Blocking based on rDNS simply because it implies that a certain piece of equipment is at that address is... not advisable. -- Steve Sobol, Professional Geek 888-480-4638 PGP: 0xE3AE35ED Company website: http://JustThe.net/ Personal blog, resume, portfolio: http://SteveSobol.com/ E: sjsobol@JustThe.net Snail: 22674 Motnocab Road, Apple Valley, CA 92307
On Sun, Dec 04, 2005 at 03:18:29PM -0800, Steve Sobol wrote:
Blocking based on rDNS simply because it implies that a certain piece of equipment is at that address is... not advisable.
Agreed. Those blocks aren't in place because there's a certain piece of equipment at those addresses (hostnames); they're in place because all of them have emitted spam. ---Rsk
participants (6)
-
Christian Kuhtz
-
Rich Kulawiec
-
Richard Cox
-
Steve Sobol
-
Todd Vierling
-
W.D.McKinney