Forgot your password?
typodupeerror
Security

Lousy E-mail Filters Complicating Outlook Worms 461

Posted by CmdrTaco
from the cluttering-up-my-inbox dept.
Mar writes "FRISK Software founder Fridrik Skulason has issued an open letter in which he blames other anti-virus companies for much of the Sobig.F network load problems: 'If mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.'"
This discussion has been archived. No new comments can be posted.

Lousy E-mail Filters Complicating Outlook Worms

Comments Filter:
  • But still less... (Score:4, Interesting)

    by mindriot (96208) on Thursday September 11, 2003 @01:32PM (#6933118)
    ...traffic than you'd have if the worm got to its target and continued spreading.
    • by nacturation (646836) <nacturation&gmail,com> on Thursday September 11, 2003 @01:36PM (#6933200) Journal
      ...traffic than you'd have if the worm got to its target and continued spreading.

      That's a lousy argument for obvious poor behavior on the part of anti-virus software. It's like saying every time the police catch a violent criminal, they should kick the ass of some random citizen. Hey, it may be annoying, but it's still less violence than you'd have if the criminal got to their target and acted violently.
      • by mindriot (96208) on Thursday September 11, 2003 @01:56PM (#6933561)
        Of course you're right. The bounces are becoming a problem because most new worm variants fake the From: header anyway. The question would be, what percentage of total SoBig.F-related traffic comes from bounces? It might, of course, be as high as 50% if every message sent is bounced; but Frisk didn't really point out how much the Bounce problem contributed to the general worm traffic.

        I'd be happy if bounces in SoBig-like cases were reduced, but I find it a weak argument to blame the worm problem on anti-virus software without giving numbers of how much bounces actually added to the problem. (Well, it's another anti-virus software producer writing this statement, so this open letter could be considered a PR statement to some extent.)

        Somehow this also reminds me of those stupid Windows firewall products that by default alert you of every single stupid network packet...
        • but I find it a weak argument to blame the worm problem on anti-virus software without giving numbers of how much bounces actually added to the problem

          I don't. Their contribution to the problem is only limited to their marketshare. Any antivirus can block the viruses - but using these idiots over better competitors results in how many *illions of extra messages? Not to mention the confusion it creates on behalf of less savvy recipients. How many people paid for tech service on their "infected" computer

          • It really isn't all that big of a deal. As said earlier, at MOST 1 email is generated. This effectively doubles the impact of something like SoBig. When looking at a virus that is spreading not linearly, but geometrically, this double-sized payload begins to have little total impact. We aren't talking MB of data, we're talking a couple KB per message.

            I suggest that at the very least, users get the message that there is something going on (even it it isn't there particular machine that is affected) and, kn

            • When looking at a virus that is spreading not linearly, but geometrically, this double-sized payload begins to have little total impact.

              Nope. Because the bounce rate is simply a linear factor of (market share of idiot AV vendor) * (virus propogation rage). So if the virus goes geometric, so does the bounce rate.

              We aren't talking MB of data, we're talking a couple KB per message.

              Remember the total overhead of sending a message as well.

              I suggest that at the very least, users get the message that ther

              • When looking at a virus that is spreading not linearly, but geometrically, this double-sized payload begins to have little total impact.

                Nope. Because the bounce rate is simply a linear factor of (market share of idiot AV vendor) * (virus propogation rage). So if the virus goes geometric, so does the bounce rate.

                Gonna have to disagree with your conclusion. When you have x^y where x is the size/impact of a single letter and y is the branching factor (average number of recipients per message) than (x+1)^

                • by siskbc (598067) on Thursday September 11, 2003 @03:35PM (#6935087) Homepage
                  Gonna have to disagree with your conclusion. When you have x^y where x is the size/impact of a single letter and y is the branching factor (average number of recipients per message) than (x+1)^y isn't a great difference. You see what I am saying?

                  No, the math's still off. If x is the so big rate, and y is the exponential propogation rate, and A is the AV copmany's market share (between 0 and 1), the rate of propogation of Sobig is x^y. The rate of propogation of bounces is A(x^y). So the propogation rate of sobig + bounces is (1+A)(x^y), not (x+1)^y. Actually, if I amended your math, it would be worse (your formula assumes that a bounce can be branched). There, it would be (x+Ax)^y. And that would be a phenomenal impact. The way you write the formula (x+1)^y, it assumes that only one bounce were ever sent. If that were the case, no one would worry. But it's not. And if you take the derivative of my amended version of your formula, which is the incremental impact per message sent, it increases exponentially too. Think about that. I can do the calculus too if you like. Either way, it's bad. At best the impact is a constant fraction of the sobig rate. At worst, they work together geometrically.

                  What does one do if they think they have a virus? If they are in a corporate environment, they ping the help desk (and that would be ONCE per person, regardless of the number of emails they get).

                  Yeah, and in a large environment of thousands of people, that's *exactly* what the help desk needs. Trust me, I know some of these people, and it's driving them nuts.

                  If they are a home user, they make sure they have updated virus software. If they are clueless, then they will take it somewhere and get anti-virus software installed.

                  And if they were already up-to-date, then they just paid money for nothing. And once they get up-to-date and know they're OK, and they keep getting messages, they learn to ignore them. So when another message comes out that they're not prepared for, they think they are.

                  • Gonna have to disagree with your conclusion. When you have x^y where x is the size/impact of a single letter and y is the branching factor (average number of recipients per message) than (x+1)^y isn't a great difference. You see what I am saying?

                    No, the math's still off. If x is the so big rate,

                    Ok, your hypothetical is wrong, not what I was saying. X is the impact or cost of a single sobig email. This is how much? 600k? if for EACH sobig email X there is a "random" message saying "You sent spam" whic

            • Only on slashdot would someone get moderated as interesting for saying that a phenominon that doubles the rate of junk emails is insignificant because the rate is already high to begin with.

              I don't care if it's growing linearly, exponentially, or factorially. Doubling it means twice as much crap for email administrators to deal with and is hardly "not all that big of a deal."

        • by isomeme (177414) <cdberry@gmail.com> on Thursday September 11, 2003 @02:51PM (#6934481) Homepage Journal
          It can actually exceed 50% in some scenarios. For example:

          1. Trojan fakes from address of 'joe@foo.com', sends email to 'sue@bar.com' with infected attachment.

          2. Filter at 'bar.com' detects infected attachment, sends rejection email from 'sue@bar.com' to 'joe@foo.com'.

          3. It turns out that 'joe@foo.com' is no longer a valid address. 'foo.com' mail agent sends a delivery failure email to 'sue@bar.com'.

          Thus we get two pointless administrative emails generated by a single infected email.

          I am seeing this happening quite commonly, by the way.
    • by Hayzeus (596826)
      That's beside the point. The problem isn't that the mail blocking is objectionable. It's the idiotic reply messages that worsen traffic problems. The email can be blocked with the stupid "warning" being returned to a forged address.
      • by gi-tux (309771)
        And on top of that, some of them return the virus with the message. Therefore, it you don't have virus protection (which is stupid) and your address is forged on one, you might get a copy and also get infected.

        There are people out there that don't understand that email addresses are easy to forge. I had two people last night a church services comment about me sending them a virus. I never check email with anything except Linux at home and even at that I have virus scanning on and working to make sure.
        • by John Miles (108215) * on Thursday September 11, 2003 @02:22PM (#6933995) Homepage Journal
          And on top of that, some of them return the virus with the message. Therefore, it you don't have virus protection (which is stupid) and your address is forged on one, you might get a copy and also get infected.

          <rant>

          That's what utterly astonished me during the recent SoBig.F infestation. When an undelivered mail message with an attachment bounces, the mail servers return not just the subject line, or the message text, but the attachment to the putative sender.

          Were the architects of the common Internet mail utilities just plain stupid? What other conclusion can possibly be drawn? Who taught these epsilon-minus lackwits to use a computer, and why? What else am I supposed to think when a mail gateway or server is designed to bounce hundreds of kilobytes worth of attached junk to someone who, by definition, already has the data (since, after all, it's not as if he or she is the one who fucking sent it the first place)? And when it's designed to do so via an untrustworthy return address courtesy of the nullwits who designed the SMTP protocol, no less?

          It is WAY past time to scrap the Internet's existing email infrastructure in favor of something designed by actual engineers. What we have now is a giant, virtual Petri dish better suited for the cultivation of worms, viruses and spam than for communication between legitimate users.

          </rant>
          • by AKnightCowboy (608632) on Thursday September 11, 2003 @03:03PM (#6934633)
            Were the architects of the common Internet mail utilities just plain stupid? What other conclusion can possibly be drawn? Who taught these epsilon-minus lackwits to use a computer, and why?

            Why don't you go ask him:

            SIMPLE MAIL TRANSFER PROTOCOL
            Jonathan B. Postel
            August 1982
            Information Sciences Institute
            University of Southern California
            4676 Admiralty Way
            Marina del Rey, California 90291
            (213) 822-1511

            I'm sure many of us would love it if you met up with him and had a spirited debate about the issue very soon.

            Did you ever stop to think that many of the Internet's protocols were designed when there were no fuckwits running operating systems that are a virtual "petri dish" for viruses and worms?

            • Re:But still less... (Score:3, Interesting)

              by John Miles (108215) *
              Did you ever stop to think that many of the Internet's protocols were designed when there were no fuckwits running operating systems that are a virtual "petri dish" for viruses and worms?

              (Shrug) Bad engineering is bad engineering. Postel's accomplishments were legion, but in the email department, he and his colleagues dropped the ball big-time. There's just no room to defend the decisions that were made.

              The minute the Internet showed signs of growing out of the obscure DARPA-funded labs where it was bo
          • Re:But still less... (Score:3, Informative)

            by isomeme (177414)
            Good post, overall, but I have to object to your phrase "the nullwits who designed the SMTP protocol". SMTP was designed at a time when the nascent internet was more or less a research preserve, all users of which were cooperative and well-intentioned. SMTP uses what I call "Moria security", for reasons which will be obvious to Tolkien fans.

            SMTP lacks meaningful authentication features for the same reasons that TCP/IP lacks such features; they weren't needed at the time, and better to get something worki
      • by arivanov (12034) on Thursday September 11, 2003 @02:04PM (#6933724) Homepage
        It is well known that the Sobig.F and many other viruses forge the sender address. These viruses are identified by the relevant filter product.

        Then, why on earth do you send a notification to an address that is known to be forged?

        The answer is simple - free advertising payed with your and my money. It is not stupidity. It is malice. An outright form of advertising a product by SPAM. I think that any Washington (or other state with antispam laws) resident should sue them for this.
    • by American AC in Paris (230456) on Thursday September 11, 2003 @01:45PM (#6933362) Homepage
      ...traffic than you'd have if the worm got to its target and continued spreading.

      I'm still getting about 200-300 "You sent a message with SoBig.F! Patch your computer immediately!" every day.

      Trouble is, I'm on a Mac. I couldn't be infected with SoBig.F if I wanted to.*

      Further trouble is, SoBig.F spoofs the FROM: field, so these messages invariably go to everybody except the schmuck with the infected box.

      So no, these messages hurt far more than they help.

      [* Pedant filter: I suppose I could buy Virtual PC or somesuch and install a vulnerable version of Windows. That'd probably do the trick.]

      • Trouble is, I'm on a Mac. I couldn't be infected with SoBig.F if I wanted to...

        I'm on Linux, and I've had far more bounce messages telling me I've just sent an infected email than copies of SoBig-F, and my spam filter has caught well over 400 copies of SoBig-F now...

        Al.
      • by mph (7675) <mph@freebsd.org> on Thursday September 11, 2003 @02:05PM (#6933745)
        Further trouble is, SoBig.F spoofs the FROM: field, so these messages invariably go to everybody except the schmuck with the infected box.
        Yeah, I got tons of those Virus Warnings. I haven't run Windows, or any MS software, since 1995.

        The worst part of it is that the antivirus software sending these messages knows that it's SoBig.F. Thus, it should also know that the virus forges the From: header, and that it's pointless to send out the warning message to that address.

        So thanks, antivirus programmers. Thanks for wasting my time instead of doing your job correctly. How long would have taken to add an extra if(){} to your code, and another boolean field to your virus database?

    • by gl4ss (559668)
      it's just utterly stupid from the companies making the software, for crying out loud, most of the programs can tell about sobig.f that it forges it's address(have a flag for it in their virus db, so it wouldn't be much of a chore to add it to NOT send warning email to that forged address)!

      but i guess it's just a nice feature some phb's think that is cool.
  • Stupid Bounce (Score:3, Redundant)

    by crayiii (679161) on Thursday September 11, 2003 @01:33PM (#6933127)
    After so many viri's that fake return to headers it's stupid to continue responding to them. No I didn't read the article...
  • by Anonymous Coward on Thursday September 11, 2003 @01:33PM (#6933129)
    The email bounce is nearly dead now. Between spam and viruses faking the from and reply-to headers, it's become almost a menace. I got nearly as many bounces as I did sobig messages.
    • I actually got more bounce messages than sobigs... 10 messages saying sobig spoofed my addy as the sender, and no sobigs (we got good email admins here).
    • by realdpk (116490) on Thursday September 11, 2003 @01:46PM (#6933377) Homepage Journal
      The bounces from the anti-virus software programs is pretty damned close to spam. Close enough that it gets their name out there, but not close enough that they'd actually be pinned about it except by the most self-righteous of the anti-spammers.
      • by AnotherBlackHat (265897) on Thursday September 11, 2003 @02:30PM (#6934135) Homepage

        The bounces from the anti-virus software programs is pretty damned close to spam.


        Not just close - they meet most of the definitions of "spam" that I've heard;

        They're excessive unwanted emails.

        They're unsolicited bulk.

        They're mass mailings from a stranger.

        They're sent without consent.

        They're commerical (they're an ad for the anti-virus software that sends them.)

        -- this is not a .sig

    • Yup, I agree that the whole idea of "bounce" has been killed by spam and by viruses.

      The statement "If mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution" is also what I've been saying for months. This is a condemnation of challenge/response. Challenge/response is flawed conceptually in that it assumes the return address is correct. In an age of spam (which it supposedly

    • "The email bounce is nearly dead now. Between spam and viruses faking the from and reply-to headers, it's become almost a menace. I got nearly as many bounces as I did sobig messages."

      On my main account, I got exactly 0 sobig bounces and 0 actual sobig messages. This applies for all versions of sobig. (Only the competent get access to my real address.)

      On my main 'spam address' however, it got about a 10:1 ratio of bounces to sobig messages. I guess a lot of spammers got infected and since they have a

  • by TerryAtWork (598364) <research@aceretail.com> on Thursday September 11, 2003 @01:33PM (#6933130)
    This is completely stoppable at the ISP level. I received over 1,000 SoBig.F messages, not one of which had to go through!
    • 1. The world isn't quite that authroitarian.
      2. Your desire to have people behave politely doesn't override the general need to have the Internet remain an open exchange of packets between peers.
      3. What's an ISP? What's a customer? Should UUNet filter mail coming from their peers? Should a University filter mail coming from its own dekstops? What about labs that have their own Internet presence, but are part of the University? What about multi-homed businesses?

      I get a slew of these messages, and I have to a
    • by lseltzer (311306) on Thursday September 11, 2003 @02:40PM (#6934314)
      My latest column [eweek.com] deals with this too. I got a lot of e-mail in response from ISPs talking about how it would be difficult/expensive to implement and that it would violate customer privacy. One said it would be a HIPAA violation. My own ISP (Speakeasy.net [speakeasy.net]) virus-scans all e-mail that goes through their servers; is that a HIPAA violation? A lot of them are also scared of losing customers after offending them by blocking their outbound port 25 access, but does an ISP really want business from someone infected with Sobig?

      It is true that since Sobig uses its own SMTP server the ISP would have to do the monitoring via a port 25 monitor. I'm not completely sure how difficult/expensive this would be to implement on a large scale, but there's an opportunity for someone who comes up with a cheap solution. I suppose it could be part of a general IDS, but it needs to be something price-accessible to an ISP.

      Larry Seltzer
      Security Editor, eWEEK.com
      http://security.eweek.com/
      • by nacturation (646836) <nacturation&gmail,com> on Thursday September 11, 2003 @04:47PM (#6936111) Journal
        It is true that since Sobig uses its own SMTP server the ISP would have to do the monitoring via a port 25 monitor. I'm not completely sure how difficult/expensive this would be to implement on a large scale, but there's an opportunity for someone who comes up with a cheap solution. I suppose it could be part of a general IDS, but it needs to be something price-accessible to an ISP.

        This is trivial. Allow for normal port 25 access to the ISP's email server (with the usual restrictions on volume and content) and, for external port 25 access, there's a number of possibilities:

        1. Allow the client to setup a pre-determined list of specific hosts they want to connect to. This might be done using a web-based interface.
        2. Only allow the first 10 hosts (per dialup connection, per DHCP lease, per hour, etc.) to be accessible via port 25. This should satisfy even power users as few need to check mail on over 10 different servers. Adjust number as appropriate.
        3. Setup a proxy service which allows unlimited port 25 access. Any viruses which include their own SMTP delivery engines won't know about the proxy and will simply fail. There's no additional security risk to using your ISP's proxy than using the ISP's connection itself, as both can be logged with equal ease.
      • Something I don't think I've seen addressed in coping with these things. Short-term versus long term. The tactics and priorities are quite different.
        Getting rid of all of them is a long-term process.
        In the short term, you want to stay operational with minimal colateral damage. While emergency training will certainly help, it's almost a certainty that what needs to be done is not covered in the book. Sophisticated tools could certainly help, but it seems to me that with TCPDUMP and a pair of eyes and almost
  • by blunte (183182) on Thursday September 11, 2003 @01:33PM (#6933138)
    Our Norton Exchange AV kicks out "we-saved-your-butt" emails to the admin, the original recip, and back at the "sender", who of course knows nothing about it since it was forged.

    I've just been creating more and more filters that send to trash with no notification to anyone.

    Of course, you have to pay attention when you first turn some of the capabilities on, as Norton kindly preset you to block AOL mail :) Serves AOL right...
  • by TWX (665546) on Thursday September 11, 2003 @01:34PM (#6933149)
    Do most users exchange executable files? How about just blocking them if they're executable... How about getting an email client that isn't known for it's ability to spread received infected email without the user having to even open the email?

    /been using pine since 1996...
  • Hallelujah! (Score:5, Insightful)

    by PopeAlien (164869) on Thursday September 11, 2003 @01:34PM (#6933158) Homepage Journal
    Not only are they doubling traffic, they can help spread the virus.. I've recieved bounced email containing the virus, since the the return address is randomized this in effect helps to spread the virus. Why include the attachment in a bounce message?
  • by B5_geek (638928) on Thursday September 11, 2003 @01:36PM (#6933187)

    Why (some) anti-virus companies are to blame for the recent
    e-mail flood

    As everyone should now know, Sobig.F has generated a tremendous amount of e-mail traffic world-wide. However, part of the blame for this traffic should be placed on some of the anti-virus companies.

    What I am referring to is the large number of incorrectly configured mail filters that respond by sending a "virus alert" to the "From:" address. As Sobig.F falsifies the "From:" address, these e-mails just clutter up the mailboxes of innocent, non-infected people. These messages cause unnecessary annoyance and worry, as they typically (and incorrectly) claim that people have sent out a virus.

    When you get an e-mail, warning you of a Sobig.F infection, with a subject line similar to these:

    * *** detected and quarantined a virus in a message you sent.
    * Warning: E-mail viruses detected
    * Virus Detected by ***
    * This is an alert from ***

    it usually means that someone, somewhere has made a bad decision on how to react to infected mail, either by selecting a substandard product or by configuring it incorrectly.

    Worse yet, if mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.

    The problem is that some commercial mail filters have this behaviour set as the default. At least one filter gives only two options: Always send a "virus alert" to the "From" address of every infected e-mail received or "pass the message through to the recipient". Clearly neither of these options are acceptable.

    I have only one word for this: Stupid!

    Acceptable behaviour would be one of the following:

    1. Have the mail filter properly distinguish between worms that falsify the "From:" address and ones that do not and only send a warning message when the "From:" address is likely to be genuine.

    2. Do not send the alerts at all.

    In fact, sending an alert automatically to the From: address for every virus or worm received by e-mail should not even be a selectable option.

    With Sobig.F scheduled to die out today, Sept. 10th, the problem might go away for a while - until the next similar worm appears. And this is the scary part. Sobig.F didn't really infect that many machines world-wide, maybe only 200.000 or so. This is only a fraction of the number of machines infected by Msblaster (Lovsan). Now imagine a worm combining the distribution method of Msblaster with the mass-mailing feature of Sobig.F. The flood of traffic might practically render the Internet unusable.

    Eventually, some virus author will create a virus like this, maybe this month, maybe in a few years, but it will happen. And when it does we do not need the anti-virus companies making a bad situation worse.

    I hope the "guilty" anti-virus producers will be updating their products in the near future, but this is not going to happen unless their customers request it.

    Fridrik Skulason ( frisk@f-prot.com )
    Founder of FRISK Software International

  • No doubt! (Score:5, Interesting)

    by tbase (666607) on Thursday September 11, 2003 @01:36PM (#6933196)
    If the e-mail filter is smart enough to know it's Sobig.F, why isn't it smart enough to know the "from" is spoofed?!?!?

    I set our filters to just delete anything with an executable attachment, but that didn't to crap for the stupid "Virus Detected" warnings.

    One guy was sending us about 150 copies a day, and the others his PC sent out with our address as the "from" resulted in about 50-75 Virus warnings a day - from the first day it popped up until it expired. I had his IP address, and called and e-mailed his ISP (Birch.net) a dozen or more times, and they did squat. 150 x ~100k x # of people in his address book - not to mention the undeliverables and virus warnings - and they did nothing.
  • Fuzzy Math (Score:4, Interesting)

    by Akai (11434) on Thursday September 11, 2003 @01:37PM (#6933203) Homepage Journal
    The SoBig.(X) (all of 'em, been getting them for months, good thing Evolution doesn't care) are all around 100K a piece.

    A "your message was filtered" is maybe 2-3K including all headers (more likely under 1k), so responding to messages with Virus' in them adds 1-3% not 100% to the traffic.

    That being said, since most of the current generation of SoBig happily fake the "From" email address, a reply to the from address doesn't really help anyone either.

    So in the worst case scenario, a 3K reply to a fake email address results in a bounce message, so at the most you've got 5% overhead, and theoretically for that 6K of email, you've saved a user from getting infected, which would generate 100K*1000's of data.

    I'd say it's not too high a price to pay.

    • Re:Fuzzy Math (Score:5, Insightful)

      by realdpk (116490) on Thursday September 11, 2003 @01:44PM (#6933343) Homepage Journal
      There's some flaws in the logic.

      First, there's a cost per message that you're not including. Every message I get I have to consider and read, or delete. I'm getting tons of virus bounces, even though I've never sent a virus - the virus uses forged headers. So, for me, someone who has no way to contract a virus, my "work"load has gone up noticably, and the price I pay went from $0 to $X where X is a positive number.

      Second, the autoresponder is not a necessary part of the virus removal. The savings is already there by blocking the virus from infecting the user's computer. The bounce is just an extra thing the anti-virus people put in to try to advertise their product.

      It's *pretty damn close* to being spam.
    • Re:Fuzzy Math (Score:3, Interesting)

      by Zak3056 (69287)
      A "your message was filtered" is maybe 2-3K including all headers (more likely under 1k), so responding to messages with Virus' in them adds 1-3% not 100% to the traffic.

      First off, disclaimer: My mail servers have been (until SoBig) configured to send "Hey, you sent us a virus" messages. We stopped this practice because SoBig is so damn prolific that it proved to us this was absolutely worthless and harmful.

      That said, there are some REALLY stupid people out there that not only bounce to the "sender," b
    • Re:Fuzzy Math (Score:3, Informative)

      by MSG (12810)
      A "your message was filtered" is maybe 2-3K including all headers (more likely under 1k), so responding to messages with Virus' in them adds 1-3% not 100% to the traffic.

      There are bigger problems than just the total amount of traffic. Lets say you run a domain that's in thousands and thousands of address books and Internet cache files... like "real.com". Now lets say that a multithreaded virus starts emailing itself as rapidly as possible to all of the addresses it can find... like SoBig.F.

      Care to gues
    • Re:Fuzzy Math (Score:4, Interesting)

      by Snowdog668 (227784) on Thursday September 11, 2003 @02:43PM (#6934361) Homepage
      You'd be right and I wouldn't care if I only got the headers. Unfortunately about 95% of the bounce messages I've gotten contain the original attachment as well. Thank goodness I check that account on webmail so I didn't have to wait to download the messages over dial-up(stuck in the great broadband wasteland). It was easy to get rid of from my point of view because all I had to do was was go down the list and mark all the e-mails that were 100k for deletion and get rid of them. If I had to actually download each message over my dial-up account because some sysadmin decided to bounce the entire message I'd be seriously pissed.

  • I completely agree (Score:5, Insightful)

    by PktLoss (647983) on Thursday September 11, 2003 @01:37PM (#6933207) Homepage Journal
    One member of our software development team ended up receiving over 10,000messages/hour during our peak load, about equally split between virus messages, and bounce backs/mailer daemon messages. The latter weren't blocked by the standard anti-spam solution.

    The messages generally contain no usefull information, and are deleted without reading.

    Spam catchers should be combined with anti virus solutions, to ensure that authentic messages do generate some sort of response, either to the sender or receiving, informing them of the infection. The technologies would mesh well in this case.
  • 5xx is the answer (Score:4, Informative)

    by hey (83763) on Thursday September 11, 2003 @01:37PM (#6933212) Journal
    last time [slashdot.org]
  • I have many more complaints about misconfigured UNIX mail systems & poorly written vacation programs than I do about Outlook filters.

    This FRISK dude needs to go back and look at his assumptions:
    Worse yet, if mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic.

    huh? If person A's infected machine sends out 100 emails, and the one received by person Q generates a reply to sender, how does this double the amount of traffic. Sheesh!

    • huh? If person A's infected machine sends out 100 emails, and the one received by person Q generates a reply to sender, how does this double the amount of traffic. Sheesh! Calm down.

      In the off chance that you're not just trolling, you're clearly missing the obvious. Person A sends out 100 infected emails. Person Q1's antivirus generates an email to forged sender. Person Q2's antivirus generates an email... Person Q3's antivirus generates... 97 emails later ... Person Q100's antivirus generates an e
  • All the bounces from viruses and faked spam 'From:' headers amount to about 5% of our worthless inbox content, so we've just decided to filter the stuff for a while until either the viruses die down or we determine that we really need the bounce messages for some reason.

    It's pretty rare that an e-mail that we send out does not eventually get to its recipient, and in most cases the e-mail is in response to something so the recipient will let us know if they aren't getting a message from us, so this system

  • They arent entirely part of the problem. I think this report lacks some valuable data and misses a key point.

    What about all the emails these virus detectors PREVENT by warning the user about the potential virii in the emails.

    Remember, the average user isnt that smart. We dont want to prevent them from getting their mail. We do want to warn them. Not only this, the warning emails are likely just local anyways, so this isnt going to be too bad of a traffic increase.

    If everyone used even the worst em
  • On a related note, the flood (several hundred an hour) of Sobig.F's that I was getting since its onset stopped at 11PM EDT on 9-Sep-2003. The last bounces with my forged E-mail address as the sender came in about a half hour later. Media stories said that it would stop on 11-Sep-2003... but something seems to be off by a few days.

    Any sightings of Sobig.G in the wild yet? Everybody was predicting it to be released today.

  • The SoBig.F virus message was much larger than a "we found a virus" letter, because it included a copy of the virus itself. The number of messages bouncing around may have doubled, but the total bandwidth required did not.

    However, as the recipient of 300+ messages a day, I for one would be delighted if the virus scanners had an option to Just Shut Up when they find a specific virus. While I don't believe the scanners aggravated the problem -- indeed, by reducing its transmission, they certainly improved
  • ... you'll start getting "You're mailbox is near/over it's limit" messages.

    Are there any mailservers that can check if you've received a message previously? Maybe they should have a 'Sent' mailbox and check against them. It could clear it out every ten minutes of everything older than 24 hours, ensuring you'd get 1 notice a day max. If these filters are outside the server, it should be easy for them to offer this. Shouldn't it?
  • Good for this guy... (Score:5, Interesting)

    by fuqqer (545069) on Thursday September 11, 2003 @01:41PM (#6933291) Homepage
    I work in Tech support for a telecommunications company and I get at least three calls per day regarding a message from Norton Antivirus. The message falsely states that they were a sender of the sobig.f virus. Of course, our users are completely up to date with their virus software and our e-mail servers catch the sobig virus. A big shame on you to Norton for having an e-mail enabled warning like that. It preys on the stupidity of end users.

    Granted, if nobody talked about AIDS, the infection rate would probably skyrocket too. So is it better that there be a symptom of the virus such as increased network traffic. Or is it better to not inform external users and try to repair in house?

    Maybe it offers a little job security too though.
  • by mcrbids (148650) on Thursday September 11, 2003 @01:42PM (#6933310) Journal
    One of my clients is an ISP - and they *want* the bounces to go out for the simple reason that it broadcasts to the world that "your mail is safe with us".

    So the bounce messages go something like "Our mail server detected a virus in an email you appear to have sent, and we protected our customer ... For more information about our services come to --URL--"

    I don't know if it's effective at all, but it sure doesn't cost much - the virus notification is essentially a mild form of SPAM which few people really get up in arms about.

    Just to understand, there are market conditions behind those virus notices...
    • That seems remarkably ridiculous as it's their bandwidth that's getting toasted. I was on vacation in the deep maine woods when the sobig hit it's stride. obviously, all three of my main email accounts went over limit. It also tied up other email accounts getting bouncebacks from my isp's server. I think they were a little peeved at me.
  • Um... (Score:3, Insightful)

    by Realistic_Dragon (655151) on Thursday September 11, 2003 @01:42PM (#6933316) Homepage
    Wouldn't it be better to blame those resposible for Outlook for Outlook worms? (Be it users who fail to patch, admins to deploy it, Microsoft for writing it on one drunken weekend that involved a lot of monkey hookers and a boat load of cocaine.)

    It's certainly better than blaming a _client_ problem on the _network_ which when it was designed didn't anticipate (understandably) a near monoculture of such vunerable products being deployed.
  • by RobertB-DC (622190) * on Thursday September 11, 2003 @01:43PM (#6933328) Homepage Journal
    I just got a call from the Data Security guy in my office. I've had run-ins with him before, because their scans of my PC would occasionally find that I run Eudora [eudora.com] for my personal email rather than routing it through the corporate virus portal known as Outlook Express. My bosses have been supportive -- as long as I get my work done, who the heck cares what I've got installed?

    Now, I get 50-100 messages from "helpful" virus checkers telling me that I sent them a virus. Duh, of course I didn't. But what's worse is when they try to help my by sending the damned virus back to me! So my Eudora inbox fills up with viruses. No problem, I just delete them, right?

    But we've got real-time virus scanning installed, and the admins take a dim view of tweaking it to skip certain directories. It finds that In.mbx contains a virus and kills the file. Poof, there goes my Eudora inbox. Frustrating, but it was full of junk anyway.

    This morning, though, I get a call from the head Data Security honcho. Norton called mommy when it found the virus, and did it often enough for me to show up on the admin guy's radar again. Now, I'm going to have to quit using Eudora at work, just because brain-dead virus protection is sending me viruses! I'd fight it again, but I have to agree -- if I keep downloading viruses, I'm part of the problem.

    Thanks for nothing, AV companies. All you're doing is keeping yourselves in business with false virus alerts. Or maybe that was the "2. ???" in between "1. Spread Viruses" and "3. Profit!"
    • Cry me a river (Score:5, Insightful)

      by maggard (5579) <michael@michaelmaggard.com> on Thursday September 11, 2003 @02:50PM (#6934476) Homepage Journal
      I just got a call from the Data Security guy in my office. I've had run-ins with him before, because their scans of my PC would occasionally find that I run Eudora for my personal email rather than routing it through the corporate virus portal known as Outlook Express.
      You on the clock? In the company office? Using company hardware? On an account with access to material the company would probably rather not get corrupted, infected, or randomly sent out to strangers?

      Uh huh.

      So you wanna read your personal email at the office. Fine if your company supports that.

      But then you just absolutely positively gotta use only your favorite email client, not the one already installed, not a web portal. The email client now installed by you, presumably licensed to you, that is not owned or supported by IS. The one that makes IS's day that much tougher by throwing one more ingredient into the stew that is the company's desktop computer.

      Now on top if it your personal email client reading your personal email is bringing in viruses to the company. Onto that corporate PC logged into the corporate network. And dammit those nasty folks in IS aren't willing to spend their time making exceptions to the virus scanning so your unique-in-the-company personal email client reading your personal, virus-infected email is exempted.

      Cry me a river.

  • The worst of it is when you've got an email address like "webmaster at goofball.com" and thousands of people have you in their address book and some of them get the virus that spoofs YOU as the return email address.

    I'm still fielding like 400 auto-generated emails from various anti-virus software each day. The author's suggestion to simply stop the alerts is not that far fetched at all.

    Obligatory bad analogy: it's like pelting someone with rocks in order to warn them they're about to be run over by a c

  • Not the problem (Score:3, Interesting)

    by Spazmania (174582) on Thursday September 11, 2003 @01:44PM (#6933349) Homepage
    The mail filters that send out a message for each virus message received are not the problem. Indeed, they're just following the basic requirements for bounced messages listed in RFC 2822.

    THE problem is the mail filters which also send a second message to postmaster@whatever domain. Whatever brainiac thought that one up should be shot.
  • His two minutes (Score:4, Insightful)

    by muffen (321442) on Thursday September 11, 2003 @01:48PM (#6933419)
    I find this most interesting.

    Until recently, no e-mail worms spoofed the email address. F-Prot obviously never had the functionality of replying to infected emails.

    Until just recently, it was really good to reply to the sender alerting him about the fact that he sent out a virus/worm. Where was F-Prot back then??

    The way I see it, it's been three steps.
    Step 1: No email worms.
    Step 2: Email worms that didn't spoof the sender (replying to sender is good).
    Step 3: Email worms that spoof the sender (replying to sender is bad).

    Seems to me that F-Prot is complaining that everyone hasn't reached step 3 yet (with spoofed sender addresses, infected emails shouldn't be replied to), even though we pretty much reached it just now. Before Sobig, even though there were worms that spoofed the sender, they were a minority. After Sobig, spoofing worms are a majority, which means that AV products need to change. This won't happen in a second like it did for F-Prot, because most AV vendors didn't skip step 2 like F-Prot did.

    This coming from a company who 95% of computer users never heard, and who never even added the functionality of replying to emails even though it was really good until just recently, makes me believe his just looking for his two minutes of fame.
    • Re:His two minutes (Score:5, Informative)

      by Juggler (5256) on Thursday September 11, 2003 @02:03PM (#6933698) Homepage Journal
      Not true, most worms and viruses have spoofed the From address for quite a long time now.

      Autoreplies have always been problematic at best, which anyone who's experienced the annoyance caused by vacation programs on public mailing lists can attest to. Autoreplies to automatically generated traffic have always been a no-no.

      Viruses and worms are clearly autogenerated traffic.

      Also, although 95% of computer users have never heard of FRISK, Fridrik has been a respected member of the A/V community since it very began and wrote one of the very first virus scanners.

      Disclaimer: I work for FRISK, writing said e-mail filter code. But I can tell you with authority that the decision was taken a long time ago.

    • by frankie (91710) on Thursday September 11, 2003 @02:24PM (#6934022) Journal
      Until recently, no e-mail worms spoofed the email address

      What is your definition of "recently"? Apparently it's about two years.

  • by Anonymous Coward on Thursday September 11, 2003 @01:48PM (#6933426)
    Critical Update:

    A security issue has been identified that could allow an attacker to compromise a computer running Microsoft Windows and install Linux on it. You can help protect your computer by installing this EULA from Microsoft. After you install this EULA, a NULL update will be downloaded for your benefit.

  • Change the bounce messages to something like the following.

    Try our new penis enlargement patch and make your lady love you forever.

    Use the bounce messages as vehicle for spamming.
  • 'If mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.'

    Not quite. Fortunately the alert emails are (usually) just text, and not some several-kilobyte attachment. They may be doubling the messages, but certainly nowhere *near* the bandwidth used.

    One would hope the anti-virus tool folks could build in ways to sniff out "Oh, this is a SoBig-laden email" and *not* send out t
  • by Anonymous Coward on Thursday September 11, 2003 @01:53PM (#6933509)
    We have Mail Marshall here at work. I got the following mail from the system yesterday...

    MailMarshal (an automated content monitoring gateway) has stopped the following email for the following reason:

    It believes it may contain unacceptable language, or inappropriate material.

    Message: B000038072.00000001.mml
    From: xxx@xxx.com
    To: xxx@xxx.com
    Subject: Re: So Whuz Up?

    Please remove any inappropriate language and send it again.

    The blocked email will be automatically deleted after 5 days.

    MailMarshal Rule: Inbound Messages : Block Unacceptable Language Script Offensive Language (Basic) Triggered
    Expression: asshole Triggered 1 times weighting 5


    Email security by MailMarshal from Marshal Software.


    So the message tells both the ortiginal sender and I that it won't deliver the email because it contains the term "asshole". So it lets me know that by sending me an email telling me the exact same word that was supposed to be filtered? It seems like we've got a hypocrytical mail filter here :(
  • Of course not. (Score:4, Interesting)

    by SuiteSisterMary (123932) <slebrun@ g m a i l . com> on Thursday September 11, 2003 @01:58PM (#6933603) Journal

    At no point should a response be generated for a virus. Maybe five years ago, when viruses tagged along with legitimate data, but nowadays, a virus generates it's own delivery system, and there's no point to a bounce.

  • by ctwxman (589366) <me@@@geofffox...com> on Thursday September 11, 2003 @02:05PM (#6933729) Homepage
    I received hundreds of bouncebacks from one organization. So, I did a whois and wrote to the contact listed:
    My name is Geoff Fox and I am writing because I have received hundreds upon hundreds of message bounces from your **** mail server.
    These messages are not originating with me. These are SoBig virus generated and are spoofing my address as the return.
    I am asking nicely, but I need you to take action immediately. I am attaching a bounce message so you can see what I've received. From the headers it looks like they're actually coming from ***.com
    Sincerely, Geoff Fox

    I did get a response... but not what I had expected.

    Geoff, Thanks for raising the issue of the SoBig virus infection.
    From the information that you have provided, it does look like the infected machine is located at **** Architecs, Inc. of Harford, CT. Their contact information is provided below.
    Have your IT technical staff contact the admistrative contact or the technical contact below. They may not realize that they have a SoBig infected machine and that it needs to be cleaned.
    (whois stuff deleted)
    It was signed by their Director of IT Security.

    So, even at that level, he didn't realize he was doing something wrong... or that these bouncebacks came from him, not from the site that was infected. And, he felt it was my obligation to do something about it, not his!
  • by Animats (122034) on Thursday September 11, 2003 @02:09PM (#6933797) Homepage
    All autoresponders must start validating the "Received" chain, like SpamCop [spamcop.net] does. The open source community can help by packaging up a library to do just that, and putting it into any open source packages that generate mail responses. Writers who review programs should downgrade those that have autoresponders. I suggest the term "spamming autoresponder" be used for any program that replies to mail autonomously without checking the "Received" chain.

    Messages from known spamming autoresponders should be blocked by spam filters. A publicly available list of canned text appearing in messages from spamming autoresponders should be made available and placed into mail filters.

    That should deal with the problem.

    • by stevel (64802) *
      I don't see how validating the received chain helps. That will detect forged headers, but not a forged From address, which is what the viruses do. There is no way to reliably detect a forged From address by looking at the headers.

      Consider - I, and a lot of you too, I'm sure - routinely send out e-mail with a From address that has a domain unrelated to that of the outgoing SMTP server we are using. How can you tell the difference between such messages and those forged by viruses?
  • FYI Taco and Mar (Score:5, Informative)

    by Abm0raz (668337) on Thursday September 11, 2003 @02:13PM (#6933870) Journal
    Lousy E-mail Filters Complicating Outlook Worms

    SoBig.F is not an Outlook worm. It is a Windows worm. It does not require Outlook to run. It has it's own built in MTA and grabs email addresses from cached webpages and local text files as well as the Outlook/Express address book.

    -Ab
  • by ElektroHolunder (514550) on Thursday September 11, 2003 @02:17PM (#6933914)
    I am currently looking into antivirus solutions for our company mailserver, and originally thought about disabling the bounce messages.

    But unfortunately it seems that it could be illegal in Germany to intercept a message without notifying the sender. As far as I understand it, eMail seems to be subject to the same regulations as snail mail here, so dropping the message silently could constitute a legal hazard ..
  • by gvc (167165) on Thursday September 11, 2003 @02:23PM (#6934012)
    Last year, my wife received a spate of "you sent this virus" messages. Worse, a number of her associates received "this person tried to send you a virus" message, referring to her.

    I followed up with several of the administrators running the virus filters. In all cases, the administrators had quarantined the messages without headers so it was impossible to tell what machine really sent the message. I would have liked to know this information so as to have some hope of tracing the owner of the infected machine.

    I understand why users are unaware of headers. Microsoft's products go out of their way to hide them. In Outlook Express, to get headers you have to find the relevant show headers pull-down and even then the headers appear in a too-small non-resizable window. You have to clip the contents and paste into a real window before the headers can be read/forwarded.

    The "From:" field of email means no more than the snail-mail return address that you scribble on an envelope. The header, like the snail-mail postmark, tells the origin.

    What is the excuse for vendors of email software (filtering or end-user) perpetrating unawareness of this basic property of email?
  • an Idea (Score:3, Interesting)

    by linuxislandsucks (461335) on Thursday September 11, 2003 @02:25PM (#6934034) Homepage Journal
    why not have the filter do a whois on the ip of sender and send the warning to the admin of that net block?

    seems like abetter solution as it gets the virus warning in hands of the person that can do soemthing about it rather than sent to people who have no virus on their systems..

    comeon how hard is it to parse the record gotten back from a whois query?
  • by ddkilzer (79953) on Thursday September 11, 2003 @02:31PM (#6934138)

    Later versions of the amavisd-new [www.ijs.si] mail scanner don't send mail to sender addresses from virii/worms that forge mail headers, even if you have it configured to do so.

  • What I Think (Score:3, Informative)

    by Matty_ (74368) on Thursday September 11, 2003 @02:49PM (#6934458)
    I administrate a mail server with around 550 accounts on it. We got slammed by Sobig.F and eventually had to block it using header_checks in Postfix.

    This won't catch every virus-infected file attachment (like Word macro viruses), but the regex I put in place will block files with certain file extensions (e.g. pif, exe, etc.) What's nice is that the mail is rejected during the SMTP transaction and produces no residual mail traffic since the sending mail server is the worm's SMTP engine.

    So, for anyone using Postfix 2 who would like to stop most e-mail worms, using header_checks to scan MIME headers is a very effective way to protect your customers/users.
  • by onecrazyfoo (183660) <onecrazyfoo.yahoo@com> on Thursday September 11, 2003 @03:08PM (#6934702)
    I would imagine that most of the virus scanners for mail servers out there can be configured to not send out the notification to the forged From address. The virus scanner I am familiar with - RAV, has this capability. I had ours configured to send out the notification until Klez and other viruses made it a worthless endeavour. Unless of course you are an ISP that has no qualms about using the opportunity to advertise.

    It would be nice if GeCAD would rewrite their software to stop the notice from being sent when the virus is Klez, Sobig, etc. But since GeCAD got bought out [slashdot.org] by Microsoft who will be discontinuing their product line, I know that will never happen. Hopefully someone else like Sophos will.

Put your Nose to the Grindstone! -- Amalgamated Plastic Surgeons and Toolmakers, Ltd.

Working...