Fridrik Skulason (Msg. 1) Posted: Tue Sep 09, 2003 5:45 am
Post subject: Why (some) anti-virus companies are to blame for the recent e-mail flood
Archived from groups: alt.comp.virus

As everyone knows, Sobig.F has generated a tremendous amount of e-mail
traffic world-wide. However, that traffic is partly to blame on some
of the anti-virus companies.

What I am referring to is the large number of incorrectly configured
mail filters that respond with a "virus alert" to the "From:" address.
As Sobig.F forges the From: address, those mails just clutter up
mailboxes of innocent, non-infected people, causing annoyance and
worry, as typically (and incorrectly) the messages claim people sent
out a virus.

Worse yet, if the mail filters send out one message for every copy of
Sobig.F you receive, they are in effect doubling the traffic - which
makes them a part of the problem, not a part of the solution.

The problem is that some commercial mail filters have this behaviour
set as the default, or worse yet - at least one filter only allows
this behaviour or "pass the message through to the recipient", which
is clearly not acceptable either.

I have only one word for this: Stupid!

Acceptable behaviour would be one of the following:

1) Have the mail filter properly distinguish between worms that
forge the From: address and those that don't and only send the warning
message when the Address is likely to be the "right" one.

2) Do not send the alerts at all.

In fact, sending an alert automatically to the From: address for every
virus or worm received by e-mail should not even be a selectable
option.

I hope other anti-virus producers will be updating their products in
the near future, but that is not going to happen unless their
customers request this.

-frisk
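As an added example (not code from the post or from any vendor's product), here is how a mail filter could implement the first acceptable behaviour and also avoid sending one alert per copy received. The Return-Path comparison and the one-alert-per-address window are assumed heuristics, and Example.NonForging is a constructed placeholder worm name.

```python
from collections import defaultdict
from email.utils import parseaddr

# Worms the thread states forge the From: line. Sobig.F is named in the post;
# in practice this set would be fed from the scanner's own worm descriptions.
FORGES_SENDER = {"Sobig.F"}


class AlertPolicy:
    """Decide, per detected infected message, whether to alert the From: address."""

    def __init__(self, max_alerts_per_address=1, window_seconds=86400):
        self.max_alerts = max_alerts_per_address
        self.window = window_seconds
        self.sent = defaultdict(list)  # address -> times an alert was sent

    @staticmethod
    def _domain(header_value):
        """Lower-cased domain part of an address header, '' if none."""
        return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

    def should_notify(self, worm_name, headers, now):
        # 1) Worms known to forge From: never trigger a sender alert (behaviour 1).
        if worm_name in FORGES_SENDER:
            return False
        # 2) Assumed plausibility heuristic: From: must agree with the envelope
        #    sender (Return-Path), otherwise the address is unlikely to be "right".
        sender = parseaddr(headers.get("From", ""))[1].lower()
        if not sender or self._domain(sender) != self._domain(headers.get("Return-Path")):
            return False
        # 3) One alert per address per window, not one per copy received, so the
        #    filter does not double the worm's own traffic.
        recent = [t for t in self.sent[sender] if now - t < self.window]
        self.sent[sender] = recent
        if len(recent) >= self.max_alerts:
            return False
        recent.append(now)
        return True
```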


kurt wismer (Msg. 2) Posted: Tue Sep 09, 2003 11:22 am
Post subject: Re: Why (some) anti-virus companies are to blame for the recent e-mail
Archived from groups: per prev. post

null.DeleteThis@zilch.com wrote:
> On 9 Sep 2003 05:45:50 -0700, frisk.DeleteThis@complex.is (Fridrik Skulason)
> wrote:
[snip]
>>I hope other anti-virus producers will be updating their products in
>>the near future, but that is not going to happen unless their
>>customers request this.
>
>
> That strikes me as very odd. Why would the av producers not go ahead
> and do what's obviously required?

because a number of anti-virus software houses (in fact most software
houses of any type) are ruled by 'management'... sometimes they might
look at something other than the bottom line, but don't count on them
doing so... if there are a lot of user requests for this then
management has 2 options, satisfy the users request or leave the users
unsatisfied - which obviously affects their bottom line...

--
"hungry people don't stay hungry for long
they get hope from fire and smoke as the weak grow strong
hungry people don't stay hungry for long
they get hope from fire and smoke as they reach for the dawn"


optikl (Msg. 3) Posted: Tue Sep 09, 2003 1:15 pm
Post subject: Re: Why (some) anti-virus companies are to blame for the recent e-mail flood
Archived from groups: per prev. post

"Fridrik Skulason" <frisk RemoveThis @complex.is> wrote in message
news:fcd2fc13.0309090445.7c1b8962@posting.google.com...
> As everyone knows, Sobig.F has generated a tremendous amount of e-mail
> traffic world-wide. However, that traffic is partly to blame on some
> of the anti-virus companies.

> I have only one word for this: Stupid!

> Acceptable behaviour would be one of the following:
>
> 1) Have the mail filter properly distinguish between worms that
> forge the
>
> From: address and those that don't and only send the warning
> message
>
> when the Address is likely to be the "right" one.
>
> 2) Do not send the alerts at all.
>
There is also the problem of the emails that recipients of the original
mailings send back to the "from" addresses. I like the ones I get that
threaten to kill me for sending them a virus ;)
Talk about adding to traffic congestion...

kurt wismer (Msg. 4) Posted: Tue Sep 09, 2003 7:02 pm
Post subject: Re: Why (some) anti-virus companies are to blame for the recent e-mail
Archived from groups: per prev. post

null.TakeThisOut@zilch.com wrote:
> On Tue, 09 Sep 2003 11:22:22 -0400, kurt wismer <kurtw.TakeThisOut@sympatico.ca>
[snip]
>>because a number of anti-virus software houses (in fact most software
>>houses of any type) are ruled by 'management'... sometimes they might
>>look at something other than the bottom line, but don't count on them
>>doing so... if there are a lot of user requests for this then
>>management has 2 options, satisfy the users request or leave the users
>>unsatisfied - which obviously affects their bottom line...
>
>
> And I suppose McAfee (NAI) and Norton (Symantec) are of the kind you
> have in mind,

them and lots more...

> whereas I tend to think of FSI and Kaspersky as not
> being of this kind.

well, since frisk himself is saying this 'feature' is a problem i
suspect you're right about fsi - no idea about kaspersky...

> But it would take a really significant customer
> uproar to get the attention of the first kind. Whom do customers
> complain to? Lotsa luck :)

depends on the size of the customer... i don't think home user
complaints would be considered significant, but corporate complaints
might and frisk pointed out the very thing administrators should be
considering... even if their networks never receive a bounce, by
sending the bounces the mail server load associated with these worms is
doubled... and with worms as prolific as sobig.f, and the number of
possible recipients in a large network, that can be a very big deal...

on the other hand, someone may simply write a worm that forges
anti-virus sales addresses for the From: line and then they're all
hosed... that's another bottom line av company managers might want to
look at - how this 'feature' could be exploited for an email DDoS
against *them*...

--
"hungry people don't stay hungry for long
they get hope from fire and smoke as the weak grow strong
hungry people don't stay hungry for long
they get hope from fire and smoke as they reach for the dawn"

Gabriele Neukam (Msg. 5) Posted: Tue Sep 09, 2003 9:29 pm
Post subject: Re: Why (some) anti-virus companies are to blame for the recent e-mail flood
Archived from groups: per prev. post

On that special day, Fridrik Skulason, (frisk@complex.is) said...

> What I am referring to is the large number of incorrectly configured
> mail filters that respond with a "virus alert" to the "From:" address.
> As Sobig.F forges the From: address, those mails just clutter up
> mailboxes of innocent, non-infected people, causing annoyance and
> worry, as typically (and incorrectly) the messages claim people sent
> out a virus.

*sigh* you just word our rants since late August.

But what is even worse, there are mail server programs which do *that*
(excerpted from the mail source - this must be the work of a private
mail server run by a Blueyonder UK customer):

| Return-Path: <missblackcat DeleteThis @blueyonder.co.uk>
| Received: from smtp-out6.blueyonder.co.uk ([195.188.213.9]) by mailin00.sul.t-online.de
| with esmtp id 19wdGC-1kafRo0; Tue, 9 Sep 2003 09:50:00 +0200
| Received: from HriUL ([82.39.90.101]) by smtp-out6.blueyonder.co.uk with Microsoft SMTPSVC(5.0.2195.5600);
| Tue, 9 Sep 2003 08:49:40 +0100
| FROM: " Internet Mail Storage" <mailer-form DeleteThis @bigfoot.com>
| TO: Internet emailservice recipient < >
| SUBJECT: Failure Notice
| Mime-Version: 1.0
| Message-ID: <ECOWS06MEP5TpIAstem0006145a DeleteThis @smtp-out6.blueyonder.co.uk>
| X-OriginalArrivalTime: 09 Sep 2003 07:49:45.0991 (UTC) FILETIME=[F0036970:01C376A6]
| Date: 9 Sep 2003 08:49:45 +0100
| X-Seen: false
| Content-Type: multipart/alternative; boundary="DRQlsoVSHLUFPBSMey"
|
|
| --DRQlsoVSHLUFPBSMey
| Content-Type: text/html;
| Content-Transfer-Encoding: quoted-printable
|
| <HTML><HEAD></HEAD><BODY>
| <iframe src=3D"cid:apioyvpdwu" height=3D0 width=3D0></iframe>
| Hi. This is the email-engine program.<BR><BR>
| I'm sorry to have to inform you that the message returned
| <BR>below could not be delivered to one or more destinations.
| <BR><BR><BR><BR>
| Undelivered to gzfpmgvnl DeleteThis @aol.net
| </BODY></HTML>
|
| --DRQlsoVSHLUFPBSMey
| Content-Type: audio/x-wav; name="jaNLzy.exe"
| Content-Transfer-Encoding: base64
| Content-Id: <apioyvpdwu>
(worm begins)


*NO* original header is given in the mail at *any* place, but the whole
kaboozle of wormy code in the attachment remains untouched. Aargh.


Gabriele Neukam

Gabriele.Neukam DeleteThis @t-online.de


--
Ah, Information. A good, too valuable these days, to give it away, just
so, at no cost.
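As an added example, not part of Gabriele's post, this parses a constructed message modelled on the excerpt above (every address, host and identifier replaced with a placeholder) and lists the indicators that mark it as a worm disguised as a delivery failure rather than a real bounce: an executable declared under a harmless content type, a zero-size iframe pulling that attachment in by Content-Id, and no original headers anywhere in the "bounce".

```python
import email
import re

# Constructed sample modelled on the quoted "Failure Notice"; all addresses and IDs are placeholders.
SAMPLE = b"""From: " Internet Mail Storage" <mailer-form@example.invalid>
Subject: Failure Notice
Content-Type: multipart/alternative; boundary="DRQlsoVSHLUFPBSMey"

--DRQlsoVSHLUFPBSMey
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><iframe src=3D"cid:apioyvpdwu" height=3D0 width=3D0></iframe>Hi. Undelivered to nobody@example.invalid</BODY></HTML>
--DRQlsoVSHLUFPBSMey
Content-Type: audio/x-wav; name="jaNLzy.exe"
Content-Transfer-Encoding: base64
Content-Id: <apioyvpdwu>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--DRQlsoVSHLUFPBSMey--
"""

EXEC_EXT = (".exe", ".pif", ".scr", ".com", ".bat")
ORIG_TYPES = ("message/rfc822", "text/rfc822-headers")  # what a genuine DSN carries

def fake_bounce_indicators(raw: bytes) -> list:
    # Returns the reasons a "delivery failure" looks like a disguised worm.
    msg = email.message_from_bytes(raw)
    parts = list(msg.walk())
    found, html, exe_by_cid = [], "", {}
    for part in parts:
        ctype = part.get_content_type()
        body = part.get_payload(decode=True) or b""  # None for multipart containers
        if ctype == "text/html":
            html += body.decode("latin-1", "replace")  # quoted-printable already undone
        name = part.get_filename() or ""
        if name.lower().endswith(EXEC_EXT):
            exe_by_cid[(part.get("Content-Id") or "").strip("<>")] = name
            if not ctype.startswith("application/"):
                found.append(f"executable {name} declared as {ctype}")
            if body[:2] == b"MZ":
                found.append(f"{name} payload starts with MZ (Windows executable)")
    # A zero-size frame loading the attachment by Content-Id is an auto-open attempt.
    for cid in re.findall(r'<iframe[^>]*src="cid:([^"]+)"', html, re.I):
        if cid in exe_by_cid:
            found.append(f"hidden iframe auto-loads attachment {exe_by_cid[cid]}")
    subject = (msg.get("Subject") or "").lower()
    if ("failure" in subject or "undeliver" in subject) and not any(p.get_content_type() in ORIG_TYPES for p in parts):
        found.append("bounce notice carries no original message headers")
    return found
```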
All times are Pacific Time (US & Canada).

 