
On the value of virus notifications

Many readers will, by now, be familiar with the results of "SoBig," this week's worm afflicting Microsoft systems. This worm, by some estimates, is accounting for some 70% of all email traffic on the net as this article is being written. Even those of us smugly running Linux, and who are thus not directly susceptible to this worm, have been affected by the flood of incoming email.

Interestingly, here at LWN we might have remained almost unaware of this worm. SpamAssassin does a perfectly fine job of filtering out SoBig mail; it never made it to our mailbox. The same cannot be said for the steady stream of "your email contained a virus" mail which continues to pour in. Finding our real mail among all of the virus notifications has become a bit of a challenge.

The thing is, of course, that we have not sent infected mail to anybody. Honest. Neither have many of the other people who have gotten these notifications. The software sending these notifications is working on the assumption that email containing virulent malware will also be so polite as to contain a correct return address. SoBig is far from the first infestation which forges return addresses, and it will certainly not be the last.

If virus notification email ever served a purpose, it has long since outlived it. Virus/worm scanning software has its place in organizations which are running vulnerable software, but as soon as it starts sending mail to addresses found in hostile mail, it becomes part of the problem. If you have anything to do with the development, deployment, or administration of such software, please consider turning the notification feature off.



On the value of virus notifications

Posted Aug 21, 2003 1:45 UTC (Thu) by ewen (subscriber, #4772) [Link]

I absolutely agree with you that "your message has a virus" notifications are causing far more of a problem than they are solving. I'm currently seeing about 2-3 times as many "your message has a virus" notifications as all other (non-SPAM) mail, despite being on some busy mailing lists, and it still seems to be growing. (I got about 150 "your message has a virus" notifications yesterday, and have easily had that many so far today. All of them relate to email forged in my name, with injection addresses all over the globe.)

At the very least virus filters should be told which viruses forge email addresses, and not bother to "reply" to those at all. Given all the mail servers which are apparently struggling under the load, I'm surprised more people haven't turned the notifications off already.

Perhaps this is something which needs to be raised considerably more publicly with anti-virus software makers?

Ewen

On the value of virus notifications

Posted Aug 21, 2003 4:23 UTC (Thu) by jamesh (subscriber, #1159) [Link]

The anti-virus companies already analyze new worms and viruses in order to identify them and create signatures for their anti-virus products. For mass mailing worms, they should know whether the sender address will be forged.

It doesn't take much imagination to see how this information could be put to good use by the anti-virus software. If the worm forges the sender, just discard the message. If the worm doesn't forge the sender, then sending a rejection notice back is probably still a good idea.

On the value of virus notifications

Posted Aug 28, 2003 7:35 UTC (Thu) by akukula (guest, #3862) [Link]

It's not that easy. A worm doesn't use a single forged address (although BigBoss used just one: big(at)boss.com). They either choose random addresses from a victim's address book, or create a brand new one, like fed343fd(at)example.com, where the domain is also random. How do you imagine filtering them???

On the value of virus notifications

Posted Aug 28, 2003 14:19 UTC (Thu) by dark (✭ supporter ✭, #8483) [Link]

Simple, you recognize which worm it is and you know what it does. That's how virus filters work; they have patterns with which to recognize specific worms.

On the value of virus notifications

Posted Aug 21, 2003 4:42 UTC (Thu) by piman (subscriber, #8957) [Link]

Several people I've talked to, and myself, have the suspicion that the antivirus rejection letters are still sent because they form seemingly-innocuous spam for the company's product.

Free software users generally know better than to fall for such things, but if an ordinary Windows user gets an email "Your mail contained a virus; it was automatically removed by WhizBang AntiVirus 2003", they're going to a) remember that name, and b) consider them immensely useful ("they removed a virus I didn't even know I had!") and nice ("they even told me about it").

There are also, of course, the conspiracy theories that say the antivirus software makers are in bed with the virus makers.

On the value of virus notifications

Posted Aug 21, 2003 14:06 UTC (Thu) by jamesh (subscriber, #1159) [Link]

Well, there is a business case for fixing AV software.

One of the sources modern mail worms use to pick the sender and recipient is the infected user's address book.

This means that there is a non-trivial chance that if you receive a copy of the mail worm, you will have a "friend of a friend" relationship with the forged sender. They might even be one of your clients.

If you have a choice between a well behaved piece of AV software and one that wrongly accuses your clients of spreading mail worms, which one are you going to pick?

I actually have to disagree with you on this one

Posted Aug 21, 2003 5:40 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

The problem is that anti-spam software still has a noticeable (i.e. non-zero) false positive rate, and as a result, if you just have it delete messages with no notification, you will delete legitimate mail without anyone knowing about it.

If we could actually get postmasters to wade through the long list of messages that are marked as spam/virus infected on a regular basis, we could leave the messages there and still count on them getting to their destination. But to be honest, very few companies are willing to pay people for this time consuming (and usually very low return) work, so the current compromise is to alert the sender (as best as that can be determined) and let them figure out what to do.

I actually have to disagree with you on this one

Posted Aug 21, 2003 16:07 UTC (Thu) by rfunk (subscriber, #4054) [Link]

> The problem is that anti-spam software still has a noticeable (i.e. non-zero) false positive rate, and as a result, if you just have it delete messages with no notification, you will delete legitimate mail without anyone knowing about it.

Yes, so the AV software should send a message to the recipient, not the sender. Preferably the recipient should get a sanitized version of the original.

BTW, so far I've managed to mitigate the notification problem with this procmail rule:

 
:0 
* 1^1 ^Subject:\/.*virus found and action taken 
* 1^1 ^Subject:\/ ALERT *- *GroupShield 
* ! ^Subject: Re: 
{ 
        LOG="Dropping virus notice: $MATCH 
" 
        HOST 
} 

Wiki for collecting virus bounce rules for SpamAssassin

Posted Aug 21, 2003 16:21 UTC (Thu) by colink (guest, #274) [Link]

http://www.exit0.us/index.php/VirusBounceRules

spam or virus

Posted Aug 21, 2003 19:07 UTC (Thu) by Ross (subscriber, #4065) [Link]

We're talking about virus notifications. I know these sometimes have false positives (I believe gzip'ed files are often mistaken as infected Windows executables), but in cases like this, they can be identified with 100% accuracy. I don't think a notification is appropriate when the message is known to be generated by a mail worm which forges email headers.

On the value of virus notifications

Posted Aug 21, 2003 6:37 UTC (Thu) by zmi (subscriber, #4829) [Link]

The REAL problem is that it is still possible for any virus/worm/software to actually forge the sender. The mail software (MUA/MTA) should include prevention against this (e.g. users sending over @mydomain.isp should only be able to send as <userpart>@mydomain.isp, and not as anybody else). If the mail software would stick to that, at least all replies only go to the mail server they came from - and suddenly that administrator will be *forced* to do something in order not to be flooded.

You need "your mail was filtered" messages because it could be that, because of a false positive, a correct e-mail was filtered, and then you should know that it was thrown into /dev/null.

On the value of virus notifications

Posted Aug 21, 2003 7:12 UTC (Thu) by proski (subscriber, #104) [Link]

> The REAL problem is that it is still possible for any virus/worm/software to actually forge the sender.

Agreed. But it's not like "the real problem" is going to be fixed soon. There is one realistic proposal though; it's called Reverse MX.

> You need "your mail was filtered" messages because it could be that because of a false positive a correct e-mail was filtered, and then you should know that it was thrown into /dev/null.

I disagree. In the case of viruses, the only "false positive" would be a deliberate attempt to infect the recipient, provided, of course, that the virus signature is long enough and is matched exactly.

On the value of virus notifications

Posted Aug 21, 2003 8:26 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

However, even virus definitions are not that good. It's relatively common for files to match up with virus definitions.

You still have the false-positive problem.

Spotting forged email with MTAs

Posted Aug 21, 2003 13:06 UTC (Thu) by dps (subscriber, #5725) [Link]

> The REAL problem is that it is still possible for any virus/worm/software
> to actually forge the sender. The mail software (MUA/MTA) should include
> prevention against this (e.g. users sending over @mydomain.isp should only
> be able to send as <userpart>@mydomain.isp, and not as anybody else).

Implementing this is not really feasible unless you have separate mail servers for mail coming in and going out, which is very rare. I know of perhaps one very large ISP with such a system... so filtering MAIL FROM: to insist on something local is not possible.

It might just be possible if you check the source IP in your check_mail ruleset, but I doubt it is worth the aggro generated when the first few iterations are <100% correct. Until a reliable "cookbook" version of this is available I doubt many people will implement this.

You can, and I have, implement a rule that stops the mail if neither the sender nor the recipient is local. My version of this is based on sendmail's check_compat ruleset, and this is not the only anti-relaying measure on the internal mail server (which the public cannot reach). This stops the vast majority of forged email.

There are cookbooks and hints to help clueless sysadmins insist on one local address (which are also useful for clueful ones :-). IMHO having someone else take the mistakes before you is always useful for anything as hairy as sendmail rulesets.

On the value of virus notifications

Posted Aug 21, 2003 7:03 UTC (Thu) by nicku (subscriber, #777) [Link]

The samba list is drowned by these "notifications", and it is hard to get work done.  Some have said that spamassassin can be trained to recognise these notifications as spam and treat them appropriately.

On the value of virus notifications

Posted Aug 21, 2003 7:18 UTC (Thu) by proski (subscriber, #104) [Link]

Until you get filtering in place, consider turning off messages saying "your message awaits moderator approval" (if you are using Mailman and you haven't done it already). Such messages also add to the flood.

Mail loops.

Posted Aug 21, 2003 11:42 UTC (Thu) by dwmw2 (subscriber, #2063) [Link]

The scary thing is that half of these autoresponders are so broken they're likely to cause mail loops... they respond to bounce messages, and the messages they send out aren't bounce messages either.

All it takes is for one or two of them to start triggering on the Subject line alone, and including the original subject in their autoreply's subject, and they'll mailbomb each other to death.

My mailing lists don't allow bounce messages to get through to the list -- if the incoming mail had a null sender, it's trapped for moderation -- but these broken autoresponders manage to get round that rule.

Mail loops.

Posted Aug 22, 2003 3:33 UTC (Fri) by proski (subscriber, #104) [Link]

In fact, a loop has been found in Mailman: http://mail.python.org/pipermail/mailman-users/2003-August/031131.html. There was no confirmation, but it looks scary. Looks like a DoS.

On the value of virus notifications

Posted Aug 21, 2003 16:14 UTC (Thu) by iabervon (subscriber, #722) [Link]

The odd thing is that it's not too hard to determine the machine that has the virus (or rather, the IP it has at the moment it contacts the notifying machine), because, unlike most spam, viruses generally are sent without any relays. A quick peek at the headers will generally reveal some information that's much more applicable than the forged sender. Combined with the To address, this is likely to lead to at least a small set of likely people to contact about the infected machine (mail to a list is likely from a subscriber, to an individual is likely someone who's in either the recipient's address book or mail archives; from an IP in an address block likely an address at the MX for the owner's domain; present the list of the intersection of these who haven't already been informed about this one to the user, send to any who get checked off).

Out of curiosity, I thought all of the forged addresses that SoBig used were hardcoded owners of significant sites. Am I mistaken, or has lwn.net made the big time?
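An added illustration of the point made above, not code from the original comment: because the worm's own SMTP engine connects straight to the receiving MX, the topmost Received header (the one our MX wrote) names the host that actually delivered the message, while the From address is the forged one. The sample message, the hostnames and the address 192.0.2.45 are all constructed here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message, as it might arrive at a list server's MX.
# There is only one Received header because the worm's own SMTP engine
# connected directly to the MX; the From address is forged.
SAMPLE = """Received: from pc-1234.dsl.example.org ([192.0.2.45])
\tby mx.example.net (Postfix) with ESMTP id 1A2B3C
\tfor <list@example.net>; Thu, 21 Aug 2003 10:15:02 +0000
From: "Ewen" <ewen@example.com>
To: list@example.net
Subject: Re: Details

See the attached file for details.
"""

# "from <host> (...[<ip>])" as written by most MTAs; re.S because the
# header may be folded over several physical lines.
RECV_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)


def analyze(msg_text, our_mx):
    """Report who really connected to our_mx and whether delivery was direct."""
    msg = message_from_string(msg_text)
    received = msg.get_all("Received") or []
    # MTAs prepend Received headers, so received[0] is the one our own MX
    # added: it names the host that opened the SMTP connection to us.
    ours = received[0] if received else ""
    m = RECV_RE.search(ours)
    return {
        "from_addr": parseaddr(msg.get("From", ""))[1],  # forged; not useful
        "recipient": parseaddr(msg.get("To", ""))[1],    # list or person hit
        "connecting_host": m.group(1) if m else None,
        "connecting_ip": m.group(2) if m else None,
        # Exactly one hop, written by our MX: no relay sits between us and
        # the sending machine, so the IP is the infected host's own.
        "direct_delivery": len(received) == 1 and ("by " + our_mx) in ours,
    }
```

The connecting IP and recipient, not the From address, are what an administrator would combine with the list's subscriber data to work out whom to contact.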

On the value of virus notifications

Posted Aug 22, 2003 5:53 UTC (Fri) by piman (subscriber, #8957) [Link]

Unless I am amazingly more famous than I think, this isn't the case; hundreds of people are getting viruses from "me".

AMAVIS had a solution a long time ago

Posted Aug 28, 2003 7:30 UTC (Thu) by akukula (guest, #3862) [Link]

For me it was simple: just turn off "offsite notifications" (which is indeed turned off by default). I mean send warnings only to users in your own domain and don't pollute the Net.

I can really see the difference. The postmaster receives no e-mails that "something must be wrong about your server; we have no virus because we've got the best antivir software...." where there were dozens of them before :)

But I have no plan to turn off notifications for local users. It's perfect for them to know which e-mail has been destroyed on the server - just in case they wait for some important letter. I always tell them that it's good that it is only a notification, and not the real virus...

Just my lame proposal...
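The notification policy that the article, jamesh's comment (discard when the worm is known to forge the sender), rfunk's (tell the recipient, not the sender), dwmw2's (never answer a null-sender bounce) and this comment (no off-site notices) add up to, written out as an added example rather than any gateway's real code. The table of forging worms, the signature names and the addresses are constructed placeholders.

```python
from typing import List, Optional, Set

# Constructed table of worms whose sender address is known to be forged.
# A real gateway would take this from the AV vendor's signature metadata,
# which the vendor already has from analysing the worm.
FORGES_SENDER = {"SoBig", "Klez"}


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased ("" for the null sender)."""
    return addr.rpartition("@")[2].lower()


def notification_targets(malware: Optional[str], envelope_sender: str,
                         recipient: str, local_domains: Set[str]) -> List[str]:
    """Who, if anyone, should be told that a scanned message was discarded.

    malware is the signature name reported by the scanner (None if clean),
    envelope_sender the SMTP MAIL FROM ("" for the null sender that bounces
    use), recipient the local mailbox the message was addressed to.
    """
    if malware is None:
        return []                          # clean mail: nothing was filtered
    # The local recipient always hears about it (ideally with a sanitised
    # copy): that covers the false-positive worry without mailing outsiders.
    targets = [recipient]
    if envelope_sender == "":
        return targets                     # a bounce; answering it risks a mail loop
    if malware in FORGES_SENDER:
        return targets                     # sender is forged; a notice hits a bystander
    if domain_of(envelope_sender) not in local_domains:
        return targets                     # no off-site notifications at all
    return targets + [envelope_sender]     # local, non-forging worm: sender can be told
```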

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds