Clueless anti-virus products/vendors (was Re: Sober)

From: Daniel Senie [mailto:dts@senie.com]
Sent: Friday, December 2, 2005 11:27 AM
To: nanog@nanog.org
Subject: Clueless anti-virus products/vendors (was Re: Sober)

Interested, but I see many Sober postings and outages on other lists and
not here...has anyone been having issues? I know the ISPs are fighting
the living out of the virus.

I've been seeing a few really large bursts into our mailserver. Not
sure if it's a new variant or a reoccurrence of an old strain. I
put in a good number of new port 25 inbound blocks for infected
systems and attempted to put up a few checks inside of our front end
mail servers rather than in the virus and spam filtering (which
happens later for us, so for bad surges we put a few custom rules up
front early in postfix).

Only stuff we're seeing is a lot of blowback from dumb mail systems
that accept email, THEN scan for viruses, and ultimately decide to
send a note back to the From: address in the body of the infected
email. Since the From: is invariably forged, the uninvolved owner of
those forged email addresses gets hammered.

Can people building virus scanning devices PLEASE GET A %^&*^ CLUE?
This means you, Barracuda Networks, more than anyone else, but we
also see this annoyance from Symantec devices, and from some AOL
systems as well.
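
The accept-then-scan-then-notify behaviour described above, next to the reject-at-SMTP-time approach mentioned earlier (the custom rules up front in postfix), as an added illustration that is not code from the thread or from any vendor product; all addresses, hosts and the scanner verdict are constructed:

```python
"""Why post-acceptance virus 'warnings' turn into backscatter (constructed model)."""
from dataclasses import dataclass, field


@dataclass
class Message:
    envelope_from: str  # SMTP MAIL FROM, forged by the worm
    header_from: str    # From: header, also forged; where the 'warning' is sent
    rcpt_to: str
    infected: bool      # stand-in for the scanner's verdict


@dataclass
class Result:
    smtp_reply: str                                  # what the connecting client sees
    warnings_to: list = field(default_factory=list)  # new mail we originate


def accept_then_warn(msg: Message) -> Result:
    """The complained-about behaviour: answer 250, scan later, then 'warn'
    whoever the From: header names, i.e. an uninvolved third party."""
    res = Result("250 2.0.0 Ok: queued")
    if msg.infected:
        res.warnings_to.append(msg.header_from)
    return res


def reject_at_smtp_time(msg: Message) -> Result:
    """Scan before the final reply and refuse with a 5xx. We originate no new
    message, so no forged address is contacted; only the connecting client
    (for a worm, the infected host itself) sees the rejection."""
    if msg.infected:
        return Result("550 5.7.1 Message rejected: virus detected")
    return Result("250 2.0.0 Ok: queued")


def backscatter(policy, messages):
    """Forged addresses that would receive unsolicited 'warnings', with counts."""
    hits = {}
    for m in messages:
        for addr in policy(m).warnings_to:
            hits[addr] = hits.get(addr, 0) + 1
    return hits


# Constructed worm burst: three infected mails forging one uninvolved person's
# address, plus one clean mail. Nothing here is taken from the thread.
SAMPLE = [Message("victim@example.net", "victim@example.net",
                  f"user{i}@example.org", True) for i in range(3)]
SAMPLE.append(Message("alice@example.com", "alice@example.com",
                      "bob@example.org", False))
```

Running `backscatter(accept_then_warn, SAMPLE)` shows the forged address hit three times, while `backscatter(reject_at_smtp_time, SAMPLE)` is empty because the rejection goes back on the open SMTP session instead of into a new message.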

It's a simple switch in the GUI of Barracuda Networks to turn off this annoyance. More operator error than Barracuda's fault, IMHO.

-Dee

From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Richard Cox
Sent: Friday, December 02, 2005 4:23 PM
To: nanog@nanog.org
Subject: Re: Clueless anti-virus products/vendors (was Re: Sober)

> It's a simple switch in the GUI of Barracuda Networks to turn off
> this annoyance. More operator error than Barracuda's fault, IMHO.

Not if a software upgrade from Barracuda can cause the current
configuration to be silently reverted to Barracuda's defaults ...

That never happened on any of our cluster.

-Dee

If it is on by default, it is a bug, and not operator error.

(Virus "warnings" to forged addresses are UBE, plain and simple.)

Since when? I disagree.

-Dee

While we can argue whether it is UBE, it is a pretty dumb move I think we can all agree.. :wink:

If it is on by default, it is a bug, and not operator error.

(In the case of the Barracuda) there are at least two such switches:
one for spam, one for viruses. Note that when both are set to "off" that
the box still occasionally emits such messages under as-yet-undetermined
circumstances. I attempted to persuade one of Barracuda's engineers,
months ago, that there was absolutely no valid reason for including a
"feature" whose only purpose was abuse redirection. Incredibly, I was
told "the customers want this feature", and that it would not be removed.

And thus we now have blacklist entries such as:

  barracuda1.aus.texas.net
  barracuda.yale-wrexham.ac.uk
  barracuda.morro-bay.ca.us
  barracuda.ci.mtnview.ca.us
  barracuda.elbert.k12.ga.us
  barracuda.fort-dodge.k12.ia.us
  barracuda.ci.garner.nc.us
  barracuda.ship.k12.pa.us

and many, many more.

Perhaps Barracuda should simply rename those switches as "spam
random individuals" and/or "get yourself blacklisted", as those
are the only two things likely to result from turning them on.

(Virus "warnings" to forged addresses are UBE, plain and simple.)

When sent in bulk (as they inevitably are), absolutely. There's
no exception in the canonical definition of spam (which _is_ "UBE")
for "messages sent by broken anti-virus software", nor should there be.

---Rsk

UBE = "unsolicited bulk e-mail".

Which of those three words do[es] not apply to virus "warning" backscatter
to forged envelope/From: addresses? Think carefully before answering.

Rich Kulawiec wrote:

And thus we now have blacklist entries such as:

  barracuda1.aus.texas.net
  barracuda.yale-wrexham.ac.uk
  barracuda.morro-bay.ca.us
  barracuda.ci.mtnview.ca.us
  barracuda.elbert.k12.ga.us
  barracuda.fort-dodge.k12.ia.us
  barracuda.ci.garner.nc.us
  barracuda.ship.k12.pa.us

and many, many more.

Blocking based on rDNS simply because it implies that a certain piece of equipment is at that address is... not advisable.

Agreed. Those blocks aren't in place because there's a certain piece
of equipment at those addresses (hostnames); they're in place because
all of them have emitted spam.

---Rsk