To send or not to send 'virus in email' notifications?

Considering the amount of email traffic generated by responding to forged virus laden email from culprits like sobig should email virus scanning systems be configured to send notifications back to sender or not?

> Considering the amount of email traffic generated by responding to
> forged virus laden email from culprits like sobig should email virus
> scanning systems be configured to send notifications back to sender or
> not?

Considering that the "From" is almost always not the right one, I think
sending notifications back will only help to increase the mail traffic and
won't help anyone.

Pascal

> Considering the amount of email traffic generated by responding to
> forged virus laden email from culprits like sobig should email virus
> scanning systems be configured to send notifications back to
> sender or not?

IMO: No. I have had around 200 of these alerts this morning alone,
most of which originate from POSTMASTER@somedomain which received
email using my forged address. I can't blithely ignore the
postmaster, but I'm sorely tempted to filter them.

Side note: I'm seeing about a 20x increase in smtp traffic over
the daily norm.

-John

Well, if you don't tell them they won't know, although with Sobig the return address
is false anyhow.

it would probably be best to cache the sender/virus combinations and send a
single message per 7 days

Steve

Absolutely not.

SoBig.F, like many others, forges the sender address. That means that your
notifications:
  1) Don't make it back to the person with the infection
  2) Simply add more clutter to the mailbox of the person whose address was
used (in addition to all the bounce messages)

In the enterprise, this is a great argument for scanning outbound email with
positive identification of whose outbound mail you're scanning.

Matthew Kaufman
matthew@eeph.com

It isn't like the A/V vendors can't put a single bit in the description that says
"uses real address" or "uses forged address" and only send a notification when
the "real" bit is set. However, a lot of them seem to be more interested in
pumping out PR and FUD.

Worst part is if one of them had been smart, they'd have invented such a bit,
patented it, and then shipped "New! Improved! Now with less confusing
messages", and used the patent to make sure nobody else did. Now *that* would
be a selling point for their product, but noooo... :wink: They've missed their
chance. Feel free to cite this e-mail as prior art if somebody tries it now...
:wink:
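The three suggestions above (Steve's cache that allows one notice per sender/virus pair per 7 days, Matthew's point that only positively identified outbound mail is worth notifying, and the per-signature "real address" / "forged address" bit) fit together into one notification policy. The following is an added example, not code from this thread or from any scanner product; the FORGES_SENDER table, the virus names and the Message fields are illustrative assumptions about what a scanner could know about each message.

```python
"""Virus-notification policy: decide whether, and whom, to notify.

Added example for the discussion above; not code from the thread or from
any scanner. Assumptions: a per-signature flag saying whether the worm
forges its sender, and message metadata telling us whether the mail was
submitted by an authenticated user or from a host we administer.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical per-signature flag (the "forged bit" proposed above):
# does this worm put a fake address in the sender fields?
FORGES_SENDER = {
    "W32/Sobig.F": True,
    "W32/Klez": True,
    "EICAR-Test-File": False,   # test signature, not a mass mailer
}

WINDOW_SECONDS = 7 * 24 * 3600   # one notice per sender/virus per 7 days


@dataclass
class Message:
    header_from: str           # RFC 2822 From: (trivially forged)
    envelope_from: str         # SMTP MAIL FROM (also forged by worms)
    auth_user: Optional[str]   # SASL-authenticated submitter, if any
    internal_source: bool      # received from a host we administer
    virus: str                 # signature name reported by the scanner
    received_at: int           # unix time the message arrived


class NotifyPolicy:
    def __init__(self):
        self._last_sent = {}   # (recipient, virus) -> last notice time

    def recipient(self, msg):
        """Return the address worth notifying, or None to stay silent."""
        # Inbound from the Internet: nothing in the message tells us who
        # really sent it, so a notice can only hit the spoofed address.
        if not (msg.auth_user or msg.internal_source):
            return None
        # Positive identification: the authenticated submitter, not the
        # From: header, is the infected party.
        if msg.auth_user:
            return msg.auth_user
        # Internal host without authentication: trust the envelope only
        # for signatures not known to forge it (unknown => assume forged).
        if FORGES_SENDER.get(msg.virus, True):
            return None
        return msg.envelope_from

    def notification_target(self, msg):
        """Apply the 7-day cache on top of recipient(); None means no notice."""
        to = self.recipient(msg)
        if to is None:
            return None
        key = (to, msg.virus)
        last = self._last_sent.get(key)
        if last is not None and msg.received_at - last < WINDOW_SECONDS:
            return None
        self._last_sent[key] = msg.received_at
        return to
```

The policy never answers an inbound message from the Internet, which is the case every reply in this thread is complaining about; it only speaks when the scanner sits on the submission or outbound path and can name the real sender.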

Absolutely not. My spam filters are handling the original spam fine but I am
getting tons of responses to email I didn't send in the first place. It's
legitimate email from legitimate sources so the filters don't catch it but it
is garbage nonetheless.

> Considering the amount of email traffic generated by responding to forged
> virus laden email from culprits like sobig should email virus
> scanning systems be configured to send notifications back to sender or not?

Virus notification was great in times past. With forged addresses, now the double-edged sword is pointed back at the victim system: since some of the notifications are sent to invalid domains or accounts, the mail rests undeliverable in a mail queue waiting to expire.

My mail queue rose yesterday to over 100 undeliverable mails, all of these from Sobig notifications to illegal domains or accounts. I shut down notifications ASAP, saving myself (and my systems) some processing time.

The notification piece of most scanner engines needs to be revamped by the software manufacturers and developers to keep up with the new trends in virus behavior (i.e. forged addresses).

Someone posted that Amavis-new has this feature, and this is open source software; you'd imagine the commercial companies could have figured this one out by now, since Klez also used forged addresses.

Gerardo

D'Arcy J.M. Cain writes:

> > Considering the amount of email traffic generated by responding to
> > forged virus laden email from culprits like sobig should email virus
> > scanning systems be configured to send notifications back to sender or not?
>
> Absolutely not. My spam filters are handling the original spam fine but I am getting tons of responses to email I didn't send in the first place. It's legitimate email from legitimate sources so the filters don't catch it but it is garbage nonetheless.
>
> --
> D'Arcy J.M. Cain <darcy@{druid|vex}.net> | Democracy is three wolves
> http://www.druid.net/darcy/ | and a sheep voting on
> +1 416 425 1212 (DoD#0082) (eNTP) | what's for dinner.

Gerardo A. Gregory
Manager Network Administration and Security
402-970-1463 (Direct)
402-850-4008 (Cell)

Joe Maimon wrote:

> Considering the amount of email traffic generated by responding to forged virus laden email from culprits like sobig should email virus scanning systems be configured to send notifications back to sender or not?

I guess we can summarise and say that:
(intelligent virus scanner) ? notify : dont notify

Notifications from virus scanners are backscatter, just the same as the backscatter generated by Smurf attacks. The virus scanners are contributory technology in the conduct of a denial of service attack in exactly the same way as having directed broadcasts enabled on your routers was (read RFC 2644 for the details).

Please let's stop building technology that aids in the conduct of DoS attacks.

In a message written on Wed, Aug 20, 2003 at 11:40:53AM -0400, D'Arcy J.M. Cain wrote:

> Absolutely not. My spam filters are handling the original spam fine but I am
> getting tons of responses to email I didn't send in the first place. It's
> legitimate email from legitimate sources so the filters don't catch it but it
> is garbage nonetheless.

For those that use spamassassin, in ~/.spamassassin/user_prefs:

header VIRUS_BOUNCE X-MailScanner =~ /Found to be clean/
describe VIRUS_BOUNCE Has X-MailScanner with virus signature.
score VIRUS_BOUNCE 5.0

FWIW

In a message written on Wed, Aug 20, 2003 at 10:04:05AM -0700, Steve Thomas wrote:

> From: Steve Thomas <nanog@sthomas.net>
> To: Leo Bicknell <bicknell@ufp.org>
> Subject: Re: To send or not to send 'virus in email' notifications?

[other headers edited]

> NO! Some organizations (the company I work for, for instance) use MailScanner on incoming AND outgoing mail. I tried telling this to the person who sent the Postfix regex, but, of course, my mail was rejected.
>
> MailScanner is a very widely used product, and adding rules/filters like the one above only adds to the problems that the virus author is trying to create. Please forward this to NANOG - I tried subscribing to NANOG-POST, but my subscription request was bounced with "content rejected".

Note, unlike the Postfix rule, his message still made it past
SpamAssassin, as he had enough "non-spam" qualities to offset the
rule I suggested adding.

Please keep in mind there may be legitimate e-mail with these headers
if you're going to use rules such as have been suggested here.

The least-harmful yet still-compliant mechanism is to reject the message
during the transfer stage, instead of during the delivery stage. If the
victim is sending their mail using an MTA that is built into the worm,
that should be the end of it. If the victim is sending the mail by way of
a real server (eg, a submission server or a smarthost), then the transfer
rejects will probably still result in delivery failure notifications being
sent to the spoofed sender address.
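The distinction drawn above, between refusing the message inside the SMTP transaction and accepting it and bouncing later, is easy to see in a replayed transaction. The following is an added example, not code from this thread or from any MTA: a toy server-side SMTP state machine that either answers 550 at the end of DATA (no message accepted, so this host originates no DSN) or answers 250 and, as a store-and-forward MTA must once it has taken responsibility for the message, generates a bounce to the envelope sender, which for Sobig.F is forged. The "virus" is a constructed marker string, not a real signature, and the client lines are a constructed exchange.

```python
"""SMTP transfer-stage rejection versus delivery-stage bounce.

Added example for the last message above; not code from the thread or any
MTA. Assumptions: a constructed marker string stands in for a scanner
verdict, and the client side of the exchange is constructed.
"""

SIGNATURE = b"X-Constructed-Worm-Marker: sobig-like"   # constructed, not a real signature
LOCAL_DOMAIN = "example.net"


class SmtpSession:
    def __init__(self, reject_in_transaction=True):
        self.reject_in_transaction = reject_in_transaction
        self.state = "greet"
        self.mail_from = None
        self.rcpts = []
        self.data = []
        self.queue = []     # messages this host accepted for delivery
        self.bounces = []   # DSNs this host would originate

    def handle(self, line):
        """Process one client line; return the server reply (None inside DATA)."""
        if self.state == "data":
            if line == ".":
                return self._end_of_data()
            self.data.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.state = "mail"
            return "250 %s" % LOCAL_DOMAIN
        if verb == "MAIL" and self.state == "mail":
            self.mail_from = arg.split(":", 1)[1].strip("<> ")
            self.state = "rcpt"
            return "250 2.1.0 Ok"
        if verb == "RCPT" and self.state == "rcpt":
            self.rcpts.append(arg.split(":", 1)[1].strip("<> "))
            return "250 2.1.5 Ok"
        if verb == "DATA" and self.state == "rcpt" and self.rcpts:
            self.state = "data"
            self.data = []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "503 5.5.1 Bad sequence of commands"

    def _end_of_data(self):
        body = "\r\n".join(self.data).encode()
        infected = SIGNATURE in body
        sender, rcpts = self.mail_from, list(self.rcpts)
        self.state, self.mail_from, self.rcpts = "mail", None, []
        if infected and self.reject_in_transaction:
            # Transfer-stage rejection: the sending side owns the failure.
            # If that side is the worm's built-in engine, nothing further
            # happens; only a real relay would turn this into a DSN.
            return "550 5.7.1 Message contains a virus; rejected"
        self.queue.append((sender, rcpts, body))
        if infected:
            # Delivery-stage decision: we already said 250, so the only
            # compliant way to refuse is a DSN to the envelope sender,
            # which the worm forged.
            self.bounces.append((sender, "virus found after acceptance"))
        return "250 2.0.0 Ok: queued"


def run_transaction(reject_in_transaction):
    """Replay a constructed infected transaction; return (last reply, bounces)."""
    s = SmtpSession(reject_in_transaction)
    client = [                                   # constructed exchange
        "EHLO infected-pc.example.com",
        "MAIL FROM:<victim@example.org>",        # forged envelope sender
        "RCPT TO:<alice@example.net>",
        "DATA",
        "From: victim@example.org",
        "Subject: Re: Details",
        "X-Constructed-Worm-Marker: sobig-like",
        "",
        "See the attached file for details.",
        ".",
    ]
    replies = [r for r in (s.handle(l) for l in client) if r is not None]
    return replies[-1], s.bounces
```

With `reject_in_transaction=True` the final reply is a 550 and `bounces` stays empty; with `False` the message is queued and a bounce addressed to `victim@example.org` is generated, which is exactly the backscatter the thread is about.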