Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Lousy E-mail Filters Complicating Outlook Worms

CmdrTaco posted more than 11 years ago | from the cluttering-up-my-inbox dept.

Security 461

Mar writes "FRISK Software founder Fridrik Skulason has issued an open letter in which he blames other anti-virus companies for much of the Sobig.F network load problems: 'If mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.'"

Sorry! There are no comments related to the filter you selected.

iHateSpam (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6933106)

If you find yourself deleting most of the e-mails in your inbox without even reading them, iHateSpam [] may just be the program you need. Available for users of Microsoft Outlook and Outlook Express, this utility is great for personal users, but may not always be appropriate for business use.

iHateSpam [] takes only a few moments to install, but the setup process can be somewhat time-consuming. After installation, iHateSpam [] mines your Outlook contacts and any folders you choose to look for e-mail addresses you do not consider to be spam. It then creates a "friends" list so all the e-mails you do want to receive will be left untouched by the program. Conversely, iHateSpam [] also has an "enemies" list to which you can add unwanted e-mails that you receive and the sending addresses will be blocked by iHateSpam [] . You can also bounce an e-mail back to the sender, which includes a message saying that your addresses is unavailable, thus tricking the sender into deleting your e-mail address from their database.

While all of these features seem attractive in theory, we found that the program has some drawbacks in actual use. First, the setup process becomes redundant for the person who uses Outlook for business purposes. It is extremely difficult and time-consuming to manage a friends list when you receive and send e-mails to hundreds of coworkers and associates. Further, creating an enemies list becomes a delicate process as you do not want to inadvertently have a new customer or contact be labeled as an enemy, even though you have not received e-mail from them before.

All in all, iHateSpam [] would most likely work very well for someone who uses Outlook for personal e-mails only and who is merely trying to get rid of the junk so they can keep in touch with their friends and family. But for anyone who is already managing a wide database of contacts, it creates more trouble than it removes.

Re:iHateSpam (1)

trompete (651953) | more than 11 years ago | (#6933153)

If you don't want to spend any money at all, you should consider getting SpamBayes [] . I've tried both SpamBayes and iHateSpam, and I personally like SpamBayes better. It is also FREE. Both have nice Outlook plugins.

Spambayes rocks (1)

turbotalon (592486) | more than 11 years ago | (#6933249)

I also use SpamBayes, filters like this are THE way to go. No extra traffic generated from all the notifications heading out, just a few weeks of learning and all works well. If EVERYONE used it, only the people who wanted a penis enlargement would actually recieve the email. hooray!

Re:Spambayes rocks (-1)

Dr. Cockulus (684502) | more than 11 years ago | (#6933344)

What about those of us who want a penis enlargement, but don't want all the spam anyway?

woobidy doo (-1, Troll)

stratjakt (596332) | more than 11 years ago | (#6933114)

we know that

let us return to racist rants about how Indians will sabotage your company.

But still less... (4, Interesting)

mindriot (96208) | more than 11 years ago | (#6933118)

...traffic than you'd have if the worm got to its target and continued spreading.


Subject Line Troll (581198) | more than 11 years ago | (#6933175)

Re:But still less... (5, Insightful)

nacturation (646836) | more than 11 years ago | (#6933200)

...traffic than you'd have if the worm got to its target and continued spreading.

That's a lousy argument for obvious poor behavior on the part of anti-virus software. It's like saying every time the police catch a violent criminal, they should kick the ass of some random citizen. Hey, it may be annoying, but it's still less violence than you'd have if the criminal got to their target and acted violently.

Re:But still less... (2, Insightful)

Hayzeus (596826) | more than 11 years ago | (#6933308)

That's beside the point. The problem isn't that the mail blocking is objectionable. It's the idiotic reply messages that worsen traffic problems. The email can be blocked with the stupid "warning" being returned to a forged address.

Re:But still less... (2, Insightful)

gi-tux (309771) | more than 11 years ago | (#6933547)

And on top of that, some of them return the virus with the message. Therefore, it you don't have virus protection (which is stupid) and your address is forged on one, you might get a copy and also get infected.

There are people out there that don't understand that email addresses are easy to forge. I had two people last night a church services comment about me sending them a virus. I never check email with anything except Linux at home and even at that I have virus scanning on and working to make sure. I also received a few messages bounced by corporate systems that included the virus within the message they sent me, to "notify me that I was infected". Glad I wasn't on Windows.

Re:But still less... (5, Insightful)

American AC in Paris (230456) | more than 11 years ago | (#6933362)

...traffic than you'd have if the worm got to its target and continued spreading.

I'm still getting about 200-300 "You sent a message with SoBig.F! Patch your computer immediately!" every day.

Trouble is, I'm on a Mac. I couldn't be infected with SoBig.F if I wanted to.*

Further trouble is, SoBig.F spoofs the FROM: field, so these messages invariably go to everybody except the schmuck with the infected box.

So no, these messages hurt far more than they help.

[* Pedant filter: I suppose I could buy Virtual PC or somesuch and install a vulnerable version of Windows. That'd probably do the trick.]

Re:But still less... (1)

aallan (68633) | more than 11 years ago | (#6933452)

Trouble is, I'm on a Mac. I couldn't be infected with SoBig.F if I wanted to...

I'm on Linux, and I've had far more bounce messages telling me I've just sent an infected email than copies of SoBig-F, and my spam filter has caught well over 400 copies of SoBig-F now...


Re:But still less... (2, Informative)

Anonymous Coward | more than 11 years ago | (#6933489)

The downside is that the lusers are protected but those who keep their system in shape and don't click on every attachment become victims and can't even do anything about it. After 30000 SoBig.F related messages you learn that it is nearly impossible to filter bounces. They come in all languages, with or without headers. Some mention the worm, others don't because they're just "user unknown" bounces. My system is clean. The 900+ wormmails per day were easily filtered, but I had to sort through more than 100 bounces a day. To me, the bounces where the real problem.

Stupid Bounce (3, Redundant)

crayiii (679161) | more than 11 years ago | (#6933127)

After so many viri's that fake return to headers it's stupid to continue responding to them. No I didn't read the article...

Re:Stupid Bounce (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#6933295)


(I mostly agree with you, except, I think it was stupid ever to respond spam in the first place, before or after the viruses -- when did spam ever use legitimate return addresses ?)

Re:Stupid Bounce (0)

Anonymous Coward | more than 11 years ago | (#6933384)

worse. s/viri's/viruses . Two grammatical errors in one word.

The Latin plural of virus is virus. Apparatus is the same way. It's all a matter of whether it's a short or long u.

Otherwise, yes, the grandparent is dead on.

Re:Stupid Bounce (0)

Anonymous Coward | more than 11 years ago | (#6933413)

After so many viri's that fake return to headers it's stupid to continue responding to them.

Thank you, Captain Obvious, for regurgitating the article summary.

Yes, virus bounces suck (3, Insightful)

Anonymous Coward | more than 11 years ago | (#6933129)

The email bounce is nearly dead now. Between spam and viruses faking the from and reply-to headers, it's become almost a menace. I got nearly as many bounces as I did sobig messages.

Re:Yes, virus bounces suck (2, Insightful)

i.r.id10t (595143) | more than 11 years ago | (#6933266)

I actually got more bounce messages than sobigs... 10 messages saying sobig spoofed my addy as the sender, and no sobigs (we got good email admins here).

Re:Yes, virus bounces suck (4, Funny)

Xzzy (111297) | more than 11 years ago | (#6933429)

I must have really smart friends, because I didn't get a single bounce! /preen

Or maybe I just have no friends. /sigh

Re:Yes, virus bounces suck (4, Insightful)

realdpk (116490) | more than 11 years ago | (#6933377)

The bounces from the anti-virus software programs is pretty damned close to spam. Close enough that it gets their name out there, but not close enough that they'd actually be pinned about it except by the most self-righteous of the anti-spammers.

How come we even get them? (4, Interesting)

TerryAtWork (598364) | more than 11 years ago | (#6933130)

This is completely stoppable at the ISP level. I received over 1,000 SoBig.F messages, not one of which had to go through!

Re:How come we even get them? (0)

stratjakt (596332) | more than 11 years ago | (#6933162)

I'd rather they let them through than to know my ISP is sniffing all my incoming/outgoing mail.

But that's just me.

Re:How come we even get them? (0)

Anonymous Coward | more than 11 years ago | (#6933230)

They don't need to "sniff" anything. You can reject sobig based on SMTP behavior since it has it's own internal server.

Re:How come we even get them? (1)

TerryAtWork (598364) | more than 11 years ago | (#6933364)

I don't think it's violating our privacy to scan our email for virii.

Unless your email is encrypted your privacy is an illusion anyway.

Re:How come we even get them? (0)

Anonymous Coward | more than 11 years ago | (#6933234)

This is completely stoppable at the ISP level.


If the ISP allows port 25 incomming, how does the ISP stop the mail-based worms run on individuals hosting their own mail?

Given the $10+ cost per mail box for anti-virus, who will pay that extra cost? Will *YOU* pay $10+ per mailbox per year extra?

Re:How come we even get them? (0)

Anonymous Coward | more than 11 years ago | (#6933371)

Yes, the ISP can stop viruses, and I think they should.

Microsoft is giving a very good example here by scanning all of Hotmail's e-mails for viruses. It saves people from a lot of problems, and no, Microsoft doesn't have to charge for it. And the other ISPs won't have to charge for this either, considering that their e-mail server load will be much lighter if viruses can't use e-mail to spread!

Why can't all the other ISPs do the same?

Re:How come we even get them? (1)

Tenareth (17013) | more than 11 years ago | (#6933441)

I would never want my ISP making decisions for me... That's not what I pay them for.

If you want someone making all your decisions, use AOL or MSN.

ISP is just that, Internet Service Provider. Not a nanny.

Mod story -1 (Duh...) (1)

setzman (541053) | more than 11 years ago | (#6933132)

You would think that server admins would know that responding to each worm would double traffic and take action to prevent it, by either using a better filter or reconfiguring the filter to not reply.

Re:Mod story -1 (Duh...) (2, Insightful)

blunte (183182) | more than 11 years ago | (#6933184)

Duh it may be, but that's the default behavior for Norton's Exchange AV software.

You have to fool around with it in a most confusing way to get it to stop doing that. Like all good Windows management interfaces, it's confusing and inconsistent. But I digress...

This is so true (5, Funny)

blunte (183182) | more than 11 years ago | (#6933138)

Our Norton Exchange AV kicks out "we-saved-your-butt" emails to the admin, the original recip, and back at the "sender", who of course knows nothing about it since it was forged.

I've just been creating more and more filters that send to trash with no notification to anyone.

Of course, you have to pay attention when you first turn some of the capabilities on, as Norton kindly preset you to block AOL mail :) Serves AOL right...

Re:This is so true (1)

trompete (651953) | more than 11 years ago | (#6933226)

Yeah, especially since AOL has been blocking tons of other people's mail servers. That was a Slashdot story a few weeks ago...

Re:This is so true (1)

rampant poodle (258173) | more than 11 years ago | (#6933279)

The autoresponse can be turned off. With Sobig et al it really makes a big difference in server load and amount of crap hitting user's inboxes.

Re:This is so true (1)

hmallett (531047) | more than 11 years ago | (#6933292)

Our Norton Exchange AV kicks out "we-saved-your-butt" emails to the admin, the original recip, and back at the "sender"

Not only is this something which you can configure, IIRC it's also not the default. I think the default is admin and recipient only. Perhaps this illustrates that those who select all the options are also part of the problem...

Is that better than... (0, Redundant)

stovey (698291) | more than 11 years ago | (#6933146)

letting the user get the email and start spewing out more viruses? I'd rather those reject emails go out than having more virus emails floating around..

Re:Is that better than... (1)

cybermace5 (446439) | more than 11 years ago | (#6933246)

Uh, the virus software already caught the message and the user won't be getting it. Sending a "you're infected" email back to the sender won't do a single bit of good, since the vast majority of SoBig viruses spoofed addresses using the infected computer's address book.

Re:Is that better than... (0)

Anonymous Coward | more than 11 years ago | (#6933468)

since the vast majority of SoBig viruses spoofed addresses

No, actually - that should be every SoBig virus. As in every single last one.

There is no point in sending them at all.

When I receive them, I immediately blackhole the admin's server (they're not fit to be on the internet anyway, so I'm not losing anything), and then forward the message (which usually includes the attachment in question) to the admin.

Yes, I know that each mail server will try to bounce the message back to me, but since they're blacklisted, the bounce will end up in the admin's mailbox. With the attachment. Which will probably then be bounced. Hopefully with the attachment. :o)

Re:Is that better than... (1)

rgmoore (133276) | more than 11 years ago | (#6933430)

It's not an either/or question, you know. Blocking the message from getting to its intended recipient is completely unrelated to sending a message back to the alleged sender. It's perfectly possible to block the message without informing the (alleged) sender. It's even desirable in the case of email worms like SOBIG that are known to forge the From: header, since in that case you're pretty much guaranteed not to be sending the message to the right person. A well writting program would take this kind of thing into account.

How about a real email client or real rules? (4, Insightful)

TWX (665546) | more than 11 years ago | (#6933149)

Do most users exchange executable files? How about just blocking them if they're executable... How about getting an email client that isn't known for it's ability to spread received infected email without the user having to even open the email?

/been using pine since 1996...

Re:How about a real email client or real rules? (3, Insightful)

Elwood P Dowd (16933) | more than 11 years ago | (#6933392)

There have been semi-successful email viruses where the user had to download a .zip attachment, decompress, run the executable, and click "yes" to install.

Sure, we can remove capabilities in order to increase safety, but with users like that... I'm really not sure what we should do. Authenticating the sender and receiver of all email would be a step.

Hallelujah! (4, Insightful)

PopeAlien (164869) | more than 11 years ago | (#6933158)

Not only are they doubling traffic, they can help spread the virus.. I've recieved bounced email containing the virus, since the the return address is randomized this in effect helps to spread the virus. Why include the attachment in a bounce message?

Outlook (0, Troll)

Bame Flait (672982) | more than 11 years ago | (#6933164)

Nothing much can be said about security when you are using Outlook Express. Microsoft has always been quick to issue patches to cover up its bugs. It usually releases these patches on the Web. All you can do to keep your mails secure to the utmost extent is to keep a watch on these patches and update your OE as and when necessary. Please check that you have 128-bit encryption on your system. For this, please go to the `help' menu of your browser and then click `about Internet Explorer.' A dialog box will pop up. Look for the word Cypher strength. The cypher strength ideally should be 128bit. If it is anything less than that, then click on the link displayed next to it to upgrade it to 128. Cipher Strength is a security feature in browsers which provides encryption of information being transmitted across the Internet. Barring these security bugs, you can tweak your security to a great extent by applying file-level security to your mail box by using NTFS file system, for which you will have to have win2000 or XP as your primary OS.

please mod parent down (0)

Anonymous Coward | more than 11 years ago | (#6933307)

completely irrelevant, and sounds copy & pasted

mod parent up! (0)

Anonymous Coward | more than 11 years ago | (#6933325)

good advice

Re:Outlook (0)

Anonymous Coward | more than 11 years ago | (#6933334)

The first step with Outlook or Outlook Express (assuming that moving to anything better is not an option) is to set the "Internet Security Zone" to be "Restricted".

I would post steps, but, they move that around to hide it from version to version :(

Re:Outlook (2, Insightful)

Seth Finklestein (582901) | more than 11 years ago | (#6933350)

  1. Low-level format lusers' hard drives.
  2. Install Linux.
  3. Save $900 per seat on annual licenses for operating system, office suite, and anti-virus software.
  4. Profit.

Re:Outlook (1)

Seth Finklestein (582901) | more than 11 years ago | (#6933412)

Good post, Seth!

Re:Outlook (-1)

Dr. Cockulus (684502) | more than 11 years ago | (#6933456)


2a. Pay $799 license fee for Linux.
3 (corrected). Save $101 per seat.

still a profit.

Re:Outlook (1)

Seth Finklestein (582901) | more than 11 years ago | (#6933505)

The $699 license fee is for servers. I pay only $199 per workstation [] . Also, that license is good forever, not for one year like Micro$soft's "license."

Frankly, I believe that $199 is a perfectly fair price for Linux.

mmm, pie (0, Offtopic)

kinzillah (662884) | more than 11 years ago | (#6933178)

I like pie. Pie is better than Outlook worms.

Letter contents incase of /.'ing (3, Informative)

B5_geek (638928) | more than 11 years ago | (#6933187)

Why (some) anti-virus companies are to blame for the recent
e-mail flood

As everyone should now know, Sobig.F has generated a tremendous amount of e-mail traffic world-wide. However, part of the blame for this traffic should be placed on some of the anti-virus companies.

What I am referring to is the large number of incorrectly configured mail filters that respond by sending a "virus alert" to the "From:" address. As Sobig.F falsifies the "From:" address, these e-mails just clutter up the mailboxes of innocent, non-infected people. These messages cause unnecessary annoyance and worry, as they typically (and incorrectly) claim that people have sent out a virus.

When you get an e-mail, warning you of a Sobig.F infection, with a subject line similar to these:

* *** detected and quarantined a virus in a message you sent.
* Warning: E-mail viruses detected
* Virus Detected by ***
* This is an alert from ***

it usually means that someone, somewhere has made a bad decision on how to react to infected mail, either by selecting a substandard product or by configuring it incorrectly.

Worse yet, if mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.

The problem is that some commercial mail filters have this behaviour set as the default. At least one filter gives only two options: Always send a "virus alert" to the "From" address of every infected e-mail received or "pass the message through to the recipient". Clearly neither of these options are acceptable.

I have only one word for this: Stupid!

Acceptable behaviour would be one of the following:

1. Have the mail filter properly distinguish between worms that falsify the "From:" address and ones that do not and only send a warning message when the "From:" address is likely to be genuine.

2. Do not send the alerts at all.

In fact, sending an alert automatically to the From: address for every virus or worm received by e-mail should not even be a selectable option.

With Sobig.F scheduled to die out today, Sept. 10th, the problem might go away for a while - until the next similar worm appears. And this is the scary part. Sobig.F didn't really infect that many machines world-wide, maybe only 200.000 or so. This is only a fraction of the number of machines infected by Msblaster (Lovsan). Now imagine a worm combining the distribution method of Msblaster with the mass-mailing feature of Sobig.F. The flood of traffic might practically render the Internet unusable.

Eventually, some virus author will create a virus like this, maybe this month, maybe in a few years, but it will happen. And when it does we do not need the anti-virus companies making a bad situation worse.

I hope the "guilty" anti-virus producers will be updating their products in the near future, but this is not going to happen unless their customers request it.

Fridrik Skulason ( )
Founder of FRISK Software International

Re:Letter contents incase of /.'ing (1)

secolactico (519805) | more than 11 years ago | (#6933471)

Wouldn't be better if the server simply returned an SMTP 550 when a virus is found? Too bad most AV plugins only work *after* the message has been accepted and not after the end of the DATA command.

Brithday! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6933191)

At the moment, the earth is at approximately the same spot in it's orbit that it was the day I started using my lungs. PAR-TAY, biznaitches.

Re:Brithday! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6933395)

You have a sucky birthday. I bet it really sucked two years ago.

Re:Brithday! (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6933485)

That is also the day you fucked your mom. Your penis travelled the full length of her vagina on that day.

opt-in (1)

Douglas Simmons (628988) | more than 11 years ago | (#6933195)

Agreed. My box is getting dozens of filtered SoBig notifications every day. I'm not that paranoid that the wicked screensaver emails I would otherwise be receiving might be false-positives, and I imagine the same is true for most others; but for those who want to know about everything that is addressed to them, the filterware out there ought to let them opt-in. This is an unnecessary waste of server/network resources that clutters my emailing experience more than it already is.

No doubt! (4, Interesting)

tbase (666607) | more than 11 years ago | (#6933196)

If the e-mail filter is smart enough to know it's Sobig.F, why isn't it smart enough to know the "from" is spoofed?!?!?

I set our filters to just delete anything with an executable attachment, but that didn't to crap for the stupid "Virus Detected" warnings.

One guy was sending us about 150 copies a day, and the others his PC sent out with our address as the "from" resulted in about 50-75 Virus warnings a day - from the first day it popped up until it expired. I had his IP address, and called and e-mailed his ISP ( a dozen or more times, and they did squat. 150 x ~100k x # of people in his address book - not to mention the undeliverables and virus warnings - and they did nothing.

Re:No doubt! (1)

spydir31 (312329) | more than 11 years ago | (#6933534)

Some filters do, you might want to try MailScanner [] which has an option to clean silently on a per virus name basis (and optionally still delivering a message to the postmaster)

Fuzzy Math (4, Interesting)

Akai (11434) | more than 11 years ago | (#6933203)

The SoBig.(X) (all of 'em, been getting them for months, good thing Evolution doesn't care) are all around 100K a piece.

A "your message was filtered" is maybe 2-3K including all headers (more likely under 1k), so responding to messages with Virus' in them adds 1-3% not 100% to the traffic.

That being said, since most of the current generation of SoBig happily fake the "From" email address, a reply to the from address doesn't really help anyone either.

So in the worst case scenario, a 3K reply to a fake email address results in a bounce message, so at the most you've got 5% overhead, and theoretically for that 6K of email, you've saved a user from getting infected, which would generate 100K*1000's of data.

I'd say it's not too high a price to pay.

Re:Fuzzy Math (5, Insightful)

realdpk (116490) | more than 11 years ago | (#6933343)

There's some flaws in the logic.

First, there's a cost per message that you're not including. Every message I get I have to consider and read, or delete. I'm getting tons of virus bounces, even though I've never sent a virus - the virus uses forged headers. So, for me, someone who has no way to contract a virus, my "work"load has gone up noticably, and the price I pay went from $0 to $X where X is a positive number.

Second, the autoresponder is not a necessary part of the virus removal. The savings is already there by blocking the virus from infecting the user's computer. The bounce is just an extra thing the anti-virus people put in to try to advertise their product.

It's *pretty damn close* to being spam.

Re:Fuzzy Math (1)

Mr. McGibby (41471) | more than 11 years ago | (#6933545)

I pay went from $0 to $X where X is a positive number.

Yeah, epsilon.

Re:Fuzzy Math (1, Insightful)

Anonymous Coward | more than 11 years ago | (#6933551)

What about the responders that include the original message in the bounce?

And as you mentioned with SoBig the From address is spoofed, so not only is the message just as bad as everyday spam, it may also contain the attached virus.

It's not a matter of "price to pay", it's a matter of "why the hell would you have stupid behavior like this the default action?" Maybe you just missed that there was an article attached to this story that explained this?

I completely agree (4, Insightful)

PktLoss (647983) | more than 11 years ago | (#6933207)

One member of our software development team ended up receiving over 10,000messages/hour during our peak load, about equally split between virus messages, and bounce backs/mailer daemon messages. The latter weren't blocked by the standard anti-spam solution.

The messages generally contain no usefull information, and are deleted without reading.

Spam catchers should be combined with anti virus solutions, to ensure that authentic messages do generate some sort of response, either to the sender or receiving, informing them of the infection. The technologies would mesh well in this case.

5xx is the answer (3, Informative)

hey (83763) | more than 11 years ago | (#6933212)

last time []

As a mailing list manager... (1, Interesting)

winkydink (650484) | more than 11 years ago | (#6933216)

I have many more complaints about misconfigured UNIX mail systems & poorly written vacation programs than I do about Outlook filters.

This FRISK dude needs to go back and look at his assumptions:
Worse yet, if mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic.

huh? If person A's infected machine sends out 100 emails, and the one received by person Q generates a reply to sender, how does this double the amount of traffic. Sheesh! Calm down.

Re:As a mailing list manager... (1)

nacturation (646836) | more than 11 years ago | (#6933366)

huh? If person A's infected machine sends out 100 emails, and the one received by person Q generates a reply to sender, how does this double the amount of traffic. Sheesh! Calm down.

In the off chance that you're not just trolling, you're clearly missing the obvious. Person A sends out 100 infected emails. Person Q1's antivirus generates an email to forged sender. Person Q2's antivirus generates an email... Person Q3's antivirus generates... 97 emails later ... Person Q100's antivirus generates an email.

Ergo, 100 viruses sent out, 100 replies from autogenerated "you sent an email" messages. This assumes Q1 ... Q100 all have antivirus filters.

We've started to filter bounce messages. (2, Interesting)

Future Man 3000 (706329) | more than 11 years ago | (#6933222)

All the bounces from viruses and faked spam 'From:' headers amount to about 5% of our worthless inbox content, so we've just decided to filter the stuff for a while until either the viruses die down or we determine that we really need the bounce messages for some reason.

It's pretty rare that an e-mail that we send out does not eventually get to its recipient, and in most cases the e-mail is in response to something so the recipient will let us know if they aren't getting a message from us, so this system has been working out well so far.

Not entirely true (1)

mrtroy (640746) | more than 11 years ago | (#6933229)

They arent entirely part of the problem. I think this report lacks some valuable data and misses a key point.

What about all the emails these virus detectors PREVENT by warning the user about the potential virii in the emails.

Remember, the average user isnt that smart. We dont want to prevent them from getting their mail. We do want to warn them. Not only this, the warning emails are likely just local anyways, so this isnt going to be too bad of a traffic increase.

If everyone used even the worst email virus detection software, most of these worms would be stopped much quicker.

Most worms that are using a lot of bandwidth are not email based, and scanning for other vulnerable machines.

Re:Not entirely true (0)

Anonymous Coward | more than 11 years ago | (#6933372)


(Using wrong Latin does not make you look more educated :))

va lairIE's lousy pateNTdead PostBlock(tm) devise, (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6933232)

complicating conveyance of planet/population rescue initiative information/instruction. makes /.robbIE look a little wormIE to us.

no problem. we're hanging in there 'til the last postIE.

we extend our deepest sympathies to the victims of cowardly greed/fear based aggression everywhere.

that old tune title (hope we don't get 'busted' for using it) "make the world go away", takes on new/varied meaning in these times.

the prevalent notion that 'everything will be taken care of' without yOUR knowledge/participation is insidiously misleading.

in our estimation, the biggest 'threat' against US (aside from continuing to fire bullinedly into the 'crowd', whilst demanding applause), would be a failure to recognize our 'role' in the problems. we're victims for sure, but whoare ALL the perpetrators (see also: corepirate nazi puppets), gets lost in the ?pr? ?firm? generated propaganda spew.

consult with/trust in yOUR creator. seek others of non-aggressive behaviours/intentions. that's the spirit.

the lights ARE coming up now. pay attention (to yOUR heart, for example). that could lead to new ways (see also: newclear power plan) of thinking about/dealing with, the needs/rights of others EVERYWHERE on the planet.

having the attention span of a gnat, & similar ambitions, might be ok if you are just planning to be a consumer/type one liners.

take care of each other, you're all we've got. we're here for you. get ready to see the light.--

worth reading, again, with feeling.

"It takes a long time to teach the judges, legislators, and public to understand technology. Right now, they're getting a strong dose of "education" on the Internet's threats and harms, and not hearing so much about its potential. Shouts of "piracy" often outweigh consideration of how we might communicate with more open media formats, but judges like Stephen Wilson in the Grokster case are starting to listen through the shouting. We're encouraging more people to think about how the law shapes technological innovation, how the technology itself can foster creativity, and then to do something about it to advance the public interest."--

"The stability of the large world house which is ours will involve a revolution of values to accompany the scientific and freedom revolutions engulfing the earth. We must rapidly begin the shift from a "thing"-oriented society to a "person"-oriented society. When machines and computers, profit motives and property rights are considered more important than people, the giant triplets of racism, materialism and militarism are incapable of being conquered. A civilization can flounder as readily in the face of moral and spiritual bankruptcy as it can through financial bankruptcy."

Not *too* opinionated, are we??? (0)

Anonymous Coward | more than 11 years ago | (#6933236)

Nice rant. Sheesh, this guy makes McBride seem all warm and fuzzy.

Sobig.F gone quiet (1)

shoppa (464619) | more than 11 years ago | (#6933241)

On a related note, the flood (several hundred an hour) of Sobig.F's that I was getting since its onset stopped at 11PM EDT on 9-Sep-2003. The last bounces with my forged E-mail address as the sender came in about a half hour later. Media stories said that it would stop on 11-Sep-2003... but something seems to be off by a few days.

Any sightings of Sobig.G in the wild yet? Everybody was predicting it to be released today.

how to truely stop spam and viruses (0)

Anonymous Coward | more than 11 years ago | (#6933245)

use pine. and whenever you goto a website that requires an email address type in

Another problem: User replies (0)

Anonymous Coward | more than 11 years ago | (#6933259)

A related, but smaller, problem is users responding to the spoofed from address and complaining about being on someone's mailing list. I received a lot of these during the SoBig.F mess, and my system was never infected. (But obviously the system of one or more people who had me in their address book got the bug.)

New virus tactics (1)

JamesP (688957) | more than 11 years ago | (#6933264)

is adding to the bottom of the fake message "please send this email to everybody you know"

Doubling messages, not traffic (2, Informative)

fadden (469243) | more than 11 years ago | (#6933280)

The SoBig.F virus message was much larger than a "we found a virus" letter, because it included a copy of the virus itself. The number of messages bouncing around may have doubled, but the total bandwidth required did not.

However, as the recipient of 300+ messages a day, I for one would be delighted if the virus scanners had an option to Just Shut Up when they find a specific virus. While I don't believe the scanners aggravated the problem -- indeed, by reducing its transmission, they certainly improved matters -- the bogus reject messages were a highly visible and easily avoidable irritant.

And if you get enough of them... (1)

NaugaHunter (639364) | more than 11 years ago | (#6933287)

... you'll start getting "You're mailbox is near/over it's limit" messages.

Are there any mailservers that can check if you've received a message previously? Maybe they should have a 'Sent' mailbox and check against them. It could clear it out every ten minutes of everything older than 24 hours, ensuring you'd get 1 notice a day max. If these filters are outside the server, it should be easy for them to offer this. Shouldn't it?

Good for this guy... (5, Interesting)

fuqqer (545069) | more than 11 years ago | (#6933291)

I work in Tech support for a telecommunications company and I get at least three calls per day regarding a message from Norton Antivirus. The message falsely states that they were a sender of the sobig.f virus. Of course, our users are completely up to date with their virus software and our e-mail servers catch the sobig virus. A big shame on you to Norton for having an e-mail enabled warning like that. It preys on the stupidity of end users.

Granted, if nobody talked about AIDS, the infection rate would probably skyrocket too. So is it better that there be a symptom of the virus such as increased network traffic. Or is it better to not inform external users and try to repair in house?

Maybe it offers a little job security too though.

It's viewed as promotion (5, Interesting)

mcrbids (148650) | more than 11 years ago | (#6933310)

One of my clients is an ISP - and they *want* the bounces to go out for the simple reason that it broadcasts to the world that "your mail is safe with us".

So the bounce messages go something like "Our mail server detected a virus in an email you appear to have sent, and we protected our customer ... For more information about our services come to --URL--"

I don't know if it's effective at all, but it sure doesn't cost much - the virus notification is essentially a mild form of SPAM which few people really get up in arms about.

Just to understand, there are market conditions behind those virus notices...

Re:It's viewed as promotion (1)

lumpenprole (114780) | more than 11 years ago | (#6933461)

That seems remarkably ridiculous as it's their bandwidth that's getting toasted. I was on vacation in the deep maine woods when the sobig hit it's stride. obviously, all three of my main email accounts went over limit. It also tied up other email accounts getting bouncebacks from my isp's server. I think they were a little peeved at me.

Um... (2, Insightful)

Realistic_Dragon (655151) | more than 11 years ago | (#6933316)

Wouldn't it be better to blame those resposible for Outlook for Outlook worms? (Be it users who fail to patch, admins to deploy it, Microsoft for writing it on one drunken weekend that involved a lot of monkey hookers and a boat load of cocaine.)

It's certainly better than blaming a _client_ problem on the _network_ which when it was designed didn't anticipate (understandably) a near monoculture of such vunerable products being deployed.

Just got my hand slapped by Data Security (4, Interesting)

RobertB-DC (622190) | more than 11 years ago | (#6933328)

I just got a call from the Data Security guy in my office. I've had run-ins with him before, because their scans of my PC would occasionally find that I run Eudora [] for my personal email rather than routing it through the corporate virus portal known as Outlook Express. My bosses have been supportive -- as long as I get my work done, who the heck cares what I've got installed?

Now, I get 50-100 messages from "helpful" virus checkers telling me that I sent them a virus. Duh, of course I didn't. But what's worse is when they try to help my by sending the damned virus back to me! So my Eudora inbox fills up with viruses. No problem, I just delete them, right?

But we've got real-time virus scanning installed, and the admins take a dim view of tweaking it to skip certain directories. It finds that In.mbx contains a virus and kills the file. Poof, there goes my Eudora inbox. Frustrating, but it was full of junk anyway.

This morning, though, I get a call from the head Data Security honcho. Norton called mommy when it found the virus, and did it often enough for me to show up on the admin guy's radar again. Now, I'm going to have to quit using Eudora at work, just because brain-dead virus protection is sending me viruses! I'd fight it again, but I have to agree -- if I keep downloading viruses, I'm part of the problem.

Thanks for nothing, AV companies. All you're doing is keeping yourselves in business with false virus alerts. Or maybe that was the "2. ???" in between "1. Spread Viruses" and "3. Profit!"

The worst of it is ... (1)

JSkills (69686) | more than 11 years ago | (#6933333)

The worst of it is when you've got an email address like "webmaster at" and thousands of people have you in their address book and some of them get the virus that spoofs YOU as the return email address.

I'm still fielding like 400 auto-generated emails from various anti-virus software each day. The author's suggestion to simply stop the alerts is not that far fetched at all.

Obligatory bad analogy: it's like pelting someone with rocks in order to warn them they're about to be run over by a car (and then continuing to pelt them with rocks even after the car has passed and is way down the block).

Not the problem (2, Interesting)

Spazmania (174582) | more than 11 years ago | (#6933349)

The mail filters that send out a message for each virus message received are not the problem. Indeed, they're just following the basic requirements for bounced messages listed in RFC 2822.

THE problem is the mail filters which also send a second message to postmaster@whatever domain. Whatever brainiac thought that one up should be shot.

Re:Not the problem (0)

Anonymous Coward | more than 11 years ago | (#6933526)

Well, whatever the RFC says, it makes no sense to send anything to the address in the "From" header in case of virus/spam since the address very likely fake.

A thought (-1, Troll)

stratjakt (596332) | more than 11 years ago | (#6933383)

Maybe you lunix fags could stop making heroes out of hackers, and start to look at them as the bottom feeding dregs that they are.

Maybe if it wasn't so hip and trendy to h4x0r j00r b0x0r with your m4d sk1llz0rz, this type of nonsense would fade away into obscurity.

Thousands of Bounce Messages Bullshit (1)

Czmyt (689032) | more than 11 years ago | (#6933404)

I've written to some of the people whose systems spew these bounce messages to complain. One of their admin's first told me that it was helpful in cases where people send a file that has a piggyback attachment. Ya, how often is that the case, 1 in 100000 times nowadays? Then he later said that it was good to inform people that there's a virus out there pretending to be from them. Ya, even if that's true, then send me a single bounce message, not 1000 of them!

Either the antivirus software has to get a lot smarter about which viruses fake the headers (and not send bounce messages in those cases), or there needs to be a netiquette against sending bounce messages for virus infected messages in all cases, or these antivirus companies that produce this crappy software need to be added to SPEWS. I am really sick of this problem personally.

His two minutes (3, Insightful)

muffen (321442) | more than 11 years ago | (#6933419)

I find this most interesting.

Until recently, no e-mail worms spoofed the email address. F-Prot obviously never had the functionality of replying to infected emails.

Until just recently, it was really good to reply to the sender alerting him about the fact that he sent out a virus/worm. Where was F-Prot back then??

The way I see it, it's been three steps.
Step 1: No email worms.
Step 2: Email worms that didn't spoof the sender (replying to sender is good).
Step 3: Email worms that spoof the sender (replying to sender is bad).

Seems to me that F-Prot is complaining that everyone hasn't reached step 3 yet (with spoofed sender addresses, infected emails shouldn't be replied to), even though we pretty much reached it just now. Before Sobig, even though there were worms that spoofed the sender, they were a minority. After Sobig, spoofing worms are a majority, which means that AV products need to change. This won't happen in a second like it did for F-Prot, because most AV vendors didn't skip step 2 like F-Prot did.

This coming from a company who 95% of computer users never heard, and who never even added the functionality of replying to emails even though it was really good until just recently, makes me believe his just looking for his two minutes of fame.

Re:His two minutes (0)

Anonymous Coward | more than 11 years ago | (#6933490)

Until recently, no e-mail worms spoofed the email address.

You consider "I love you" and KLEZ recent?!


Microsoft EULA Security Update enclosed: (4, Funny)

Anonymous Coward | more than 11 years ago | (#6933426)

Critical Update:

A security issue has been identified that could allow an attacker to compromise a computer running Microsoft Windows and install Linux on it. You can help protect your computer by installing this EULA from Microsoft. After you install this EULA, a NULL update will be downloaded for your benefit.

No here is a better use (1)

codepunk (167897) | more than 11 years ago | (#6933451)

Change the bounce messages to something like the following.

Try our new penis enlargement patch and make your lady love you forever.

Use the bounce messages as vehicle for spamming.

Not doubling traffic. (2, Insightful)

Samurai Cat! (15315) | more than 11 years ago | (#6933453)

'If mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.'

Not quite. Fortunately the alert emails are (usually) just text, and not some several-kilobyte attachment. They may be doubling the messages, but certainly nowhere *near* the bandwidth used.

One would hope the anti-virus tool folks could build in ways to sniff out "Oh, this is a SoBig-laden email" and *not* send out the completely useless alert to someone's address that happened to be the random "From" address used.

Proprietary Pish (0)

Anonymous Coward | more than 11 years ago | (#6933466)

Funny thing is I have seen some mail servers bounce the sobig mail and include the entire mail - including the attached virus - in the reply.

I envisage some mail servers are continually sending each other the sobig virus as they bounce each others bounces for containing the virus.

Matter of education and responsibility (2, Informative)

stopbit (444789) | more than 11 years ago | (#6933498)

Until the anti-virus software developers, M$ and the general e-mail population can out-wit a 12 year old script kiddie, no progress will be made.

Bounces are good, just not for Sobig.F (1)

Digital_Quartz (75366) | more than 11 years ago | (#6933499)

A bounce is a good thing, since it tells the sender of the virus "Hey, you've got a virus". This encourages the sender to remove the virus from their system, and results in a net reduction of network volume.

The problem, of course, is that many of these email worms forge the from. But... the virus filter takes the time to identify that there is a virus, and the filter knows that it's Sobig.F, so why can't the filter also be smart enough to not send a bounce FOR Sobig.F? This seems like it should be trivial to implement.

Ahh well... Speaking as someone who works at a data switch and router company, more network traffic is a good thing. :)

Why shouldn't ISPs block viruses? (1)

indros13 (531405) | more than 11 years ago | (#6933502)

I am not a programmer, computer tech, or anything else. I am smart enough to figure out some decent filtering through Outlook Express that usually kills most virus emails and I have one of those real-time scanners going to pick up the stuff.

However, why can't I opt with either my ISP or email provider to have virus emails deleted immediately from the server? It would seem to be economical for either to do so, because they would save server space and prevent the spread of the virus by keeping dumb users from opening the attachments.

Furthermore, should they even have to ask? Virus emails are not really personal or private email, it's junk. I doubt there would be much complaint (from the average Joe) if the Post Office just started throwing away those stupid Valupak coupon things or other mail addressed to "our friend at ADDRESS."

Again, I have no idea what is technically feasible, but perhaps someone could enlighten me as to what an ISP or mail provider could do to cut the spread of virus-laden email before the end user has a change to see who loves them...

Simple (1)

FreeLinux (555387) | more than 11 years ago | (#6933503)

helo valid?
mailfrom: xxx
rctpto: xxx
data .exe|.bat|.cmd|.vb*|.scr|.jsp|.com|.sys|.bin|..... .

550 For security reasons this form of message is denied on this system.

connection closed.

The need for digital signatures. (1)

pope1 (40057) | more than 11 years ago | (#6933504)

With the way our mail system is now, mail servers accepting and routing mail from any client w/o the need for any real kind of authorization or identity matching, we are screwed.

Most modern clients support digitally signing mail, either via PGP or S/MIME. This needs to become a lot more widespread, with 3rd party verification of signatures ala VeriSign/SSL-certs. When it is in place we can safely delete any mail we get w/o a real signature, and go about our business. If someone with a legit signature DOES join the dark side, they are stamped, labeled, and easily filtered.

Does anyone see any arguments against digitally signed mail, besides the large over-head of layering security onto a system that started w/o any, by design?

Speaking of bad email filters... (4, Funny)

Anonymous Coward | more than 11 years ago | (#6933509)

We have Mail Marshall here at work. I got the following mail from the system yesterday...

MailMarshal (an automated content monitoring gateway) has stopped the following email for the following reason:

It believes it may contain unacceptable language, or inappropriate material.

Message: B000038072.00000001.mml
Subject: Re: So Whuz Up?

Please remove any inappropriate language and send it again.

The blocked email will be automatically deleted after 5 days.

MailMarshal Rule: Inbound Messages : Block Unacceptable Language Script Offensive Language (Basic) Triggered
Expression: asshole Triggered 1 times weighting 5

Email security by MailMarshal from Marshal Software.

So the message tells both the ortiginal sender and I that it won't deliver the email because it contains the term "asshole". So it lets me know that by sending me an email telling me the exact same word that was supposed to be filtered? It seems like we've got a hypocrytical mail filter here :(
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?