Automatic Virus Notification classified as SPAM


CreationX

Does anyone have a boilerplate response that can be sent to mail admins in reference to the subject?

Please see http://www.cgp.cc/resources/virusbounce.txt

I'm open to suggestions!

Here's another boilerplate that I use for email netiquette.

http://www.cgp.cc/resources/emailguidelines.txt


I am taken aback that there is still a person who thinks that it's OK to send an e-mail to an innocent person, accusing the innocent person of sending a virus.

The last major virus that used the actual e-mail address of an actual infected computer was Sircam. Sircam has not been a major problem since 2001 (and even Sircam used a mixture of real and fake addresses). Since then, the major viruses that have spread themselves by e-mail have forged the sender's address.

I can understand that someone might send these e-mails out of ignorance, because they do not realize the harm they are doing. But that's not the case here. This person knows the harm he is doing, but he does it anyway.

Anyone who says he still needs to send these e-mails on the off-chance that there might still be some virus, somewhere, that's being sent with the actual e-mail address of an actual infected computer needs to understand: It's 2004, not 2001. There's no baby anymore, just bathwater.

(btw, I really don't know what to think about whether, as a matter of policy, these e-mails should be reportable to Spamcop. These e-mails are pernicious, but not everything that's pernicious is spam.)


I really don't know what to think about whether, as a matter of policy, these e-mails should be reportable to Spamcop.  These e-mails are pernicious, but not everything that's pernicious is spam.

It is against the rules to report virus infected emails using SpamCop. If you are caught, your account will be terminated. Please see http://www.spamcop.net/fom-serve/cache/14.html for more details, especially these two examples of what should not be reported:

7. virus infected emails are not spam regardless of whether you know the originating party or not.

8. bounces/virus notifications are not spam. We actively encourage service providers to turn off such notifications, but reporting them will not encourage this to happen any faster.

You can, however, use the parser to help you to determine where to send manual reports of virus infected emails (hopefully without the virus payload).


I don't report them. I didn't mean to imply that I did. To some extent, I sympathize with those who think they should be reportable, but they probably have more in common with chain letters (and other annoying things that aren't reportable) than they have in common with spam.

As Mydoom subsides, we will have a respite from these people (until the next e-mail worm appears and they crank up their misinformation apparatus again).


I really don't know what to think about whether, as a matter of policy, these e-mails should be reportable to Spamcop.  These e-mails are pernicious, but not everything that's pernicious is spam.

It is against the rules to report virus infected emails using SpamCop.

AV Notifications aren't infected e-mails, but they are unsolicited commercial e-mail. I always thought UCE = spam. I get 100+ e-mails per day falsely notifying me that I sent a virus and to please download and buy their software that (AHA!) caught the virus.... and I can't report them to anyone other than a completely clueless admin??

I don't exactly agree with that, I see these AV notifications as spam and a blight on the AV market. Yesterday I started using the boilerplates that were kindly posted, but that got old after about 50 e-mails. At what point does someone report me for spamming just because I'm replying to these $#[at]% e-mails???

This is going to go from bad to worse as people figure out what AV companies have their server software set up for these, and start shopping for other software that won't get them harassed.


This is going to go from bad to worse as people figure out what AV companies have their server software set up for these, and start shopping for other software that won't get them harassed.

Wouldn't that make the situation better, not worse?


This is another topic that would be very confusing to the new user trying to find help. It also would have been more interestingly discussed in the spamcop newsgroups. Presumably anyone who is in IT could access the newsgroups.

Miss Betsy

but in a newsgroup it is slow to access, slow in response, less interactive and most of all .. no color. :D


but in a newsgroup it is slow to access, slow in response, less interactive and most of all .. no color.

The newsgroup is only slow on the initial load. Once loaded, it is much faster to scan, read and respond to issues.

Because the newsgroup is faster, the noise to signal ratio is higher than on a web forum, as there can be a dozen posts in the time it takes to make a reply.

A newsgroup can handle a high volume of mostly unique topics very efficiently. Much more efficiently than a web forum in my opinion.

A web forum like this is probably better when most of the topics are repetitive, and the longer time it takes to follow a thread slows down the noise posts where the same response is posted by the many participants to frequently asked questions.

The biggest problem with the newsgroup is that when a problem occurs, a bunch of posters show up who have not looked at even the postings of the last few minutes and then post the same questions that have just been answered.

Newsgroups / e-mail went to "plain text only" because they used to be mainly read on terminals that would respond to "ESCAPE" codes and binary, and people played pranks similar to the tricks that spammers and viruses do with HTML.

-John

Personal Opinion Only


This is another topic that would be very confusing to the new user trying to find help. It also would have been more interestingly discussed in the spamcop newsgroups. Presumably anyone who is in IT could access the newsgroups.

Miss Betsy

But when a new user does the original posting, what then?

I check both the newsgroups and the webforum. As this is a help forum, I would think questions and answers are applicable posts.

Anyone in IT could access newsgroups, but what about the non-IT pro who gets a bounce stating their IP has been blocked and barely managed to find this website? There seem to be just as many of those types of users as users who are in some type of IT field. There are still quite a few people in IT who have no idea how e-mail works, how a mail server works, what a block list does, etc., because it is not their field of specialty. I deal with some of the smartest programmers in the world, but they don't even know how to clear their internet cache or look at full headers.

Not trying to instigate, just my opinion after observing. :huh:


Anyone in IT could access newsgroups, but what about the non-IT pro who gets a bounce stating their IP has been blocked and barely managed to find this website?

I am in IT but cannot access the groups at work due to company policy. Only HTTP, SMTP, and FTP traffic that can be monitored by security modules is allowed through the firewall. NNTP does not have a security module available. If I punch a hole through, even if I only allow myself access to it, I could be fired.


But when a new user does the original posting, what then?

An answer can be given, of course, but if the discussion keeps continuing, then someone could suggest that the ng would be a better place.

The alternative, of course, is to set up a new web forum for discussion, just as spamcop.help and spamcop had different aims.

Since some people seem to prefer web forums with the cute little smiley faces, then perhaps a separate web forum would be the answer.

I am used to the newsgroup now and like it, but I certainly would have welcomed a web forum to answer my newbie questions. The thing is that questions generally can be answered in one or two posts. It is easy for a newcomer to look at several topics and get the information they want.

Why an IP address is blocked is also answered in one or two posts. If there are more, it is generally the questioner wanting more information. It is not generally a discussion.

IMHO, "Why is my IP address blocked" should be in a separate forum than spamcop user questions anyway. The purpose of moving the help section was to make it simpler for the questioner, no matter what level of experience, to get an answer to his question and to provide less "noise" from other subjects, IIUC.

Miss Betsy


Anyone in IT could access newsgroups, but what about the non-IT pro who gets a bounce stating their IP has been blocked and barely managed to find this website?

I am in IT but cannot access the groups at work due to company policy. Only HTTP, SMTP, and FTP traffic that can be monitored by security modules is allowed through the firewall. NNTP does not have a security module available. If I punch a hole through, even if I only allow myself access to it, I could be fired.

...Same here, but perhaps what Bumpkin meant by "could access" wasn't "permitted to" but "can figure out how to"?


Virus bounce notifications that are sent to the unfortunate owner of a forged email address are themselves spam. The owner of the forged address never sent the original infected message, and thus the bounce message sent to them is false. It is thus just more spam.

And, unless the bouncing server removes the full quoted original message headers, we the end users are told that it is a trivial manual process to reveal that the original sending IP does not match the forged address domain, our own addresses. Yes, it's trivial for one message, but for large numbers of them, it is a major task. How can anyone expect us to deal with contacting the bounce server postmasters ourselves when there are large numbers of these? And, you better believe that there are plenty. We get as many of these bogus bounces as we do other forms of spam.

  • It seems obvious to me that the bouncing server must be constructed or configured to bounce the infected message to the contact address of the original message IP, and to leave the owner of the forged address out of the message stream.
  • Whether this is practical or not using currently available server software, I do not know.
  • However, if it is not, then allowing the server to bounce to whatever user[at]domain email address is used in the original message is unacceptable, as the vast majority of the bounces go to the wrong address - this technique is flooding the internet with these bogus messages, and there is no practical way for the end user to deal with it themselves, for the reasons cited below.

Asking end users to just delete bogus bounces is also not an acceptable solution. It's a fact that by the time large numbers of these bogus messages have accrued in the victim's Inbox, by that time they've already been victimized, and dealing with large numbers of these themselves is not practical, if not impossible:

  • For example, if a user does not check their email for a few days and then faces difficulty even downloading headers/messages because their mail service mail spools are so full that timeouts or other failures ensue, even deletion becomes a major task. For an account of this sort of difficulty, read my whinging on this right here on this very conferencing system: Folder Level Delete Malfing???....
  • Important valid messages are far more likely to be missed, as their presence is obscured since they are buried amidst large numbers of the bogus bounce messages.
  • The bogus bounce messages frequently do not contain the full headers of the original message. If we cannot see the originating IP, how can we track down the actual spammer to report them? That info was removed by the bouncing server, where it should have been dealt with in the first place.

Asking end users to personally reply themselves to the bogus bouncing server postmaster is also impractical. As mentioned at the beginning of this posting, there are simply too many of these for the average end user to reply to.

So, what to do?

First, end users need some kind of programmatic way to either participate in fighting the problem, or they need to be protected from it upstream. That service would be best achieved by properly constructed or configured mail servers, just as mail servers in general should be properly configured to block spammer access through open relays, etc.

Or, second, SpamCop and similar services should attempt to catch virus bounce messages and perform the To-address-domain/actual-source-IP-domain comparison and validation. Only validated bounces would be sent forward to the subscriber mailbox. Alert or warning messages might also be sent to the bogus bouncing server owners. But most certainly the bogus bounces would not be continued to the end user / subscriber Inbox. If for some reason SpamCop feels an obligation to notify the subscriber of receipt of these bogus messages, they should be treated as spam, which they are, and filtered into Held Mail.

This problem is in fact just another version of the same spam issue that has been plaguing us all. The bogus bounces are spam, and I'd like to see SpamCop helping us deal with them. I'd be willing to pay more for the service. What choice do I have?

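The To-address-domain/actual-source comparison the post above asks SpamCop to perform, done from the forged-address owner's side, as an added example (not code from the thread or from SpamCop): it parses a virus notification, takes the Received: hops of the quoted original and checks whether any of them names one of the owner's own outbound servers, and it reports when the bouncing server stripped those headers. The addresses, host names and sample messages are constructed.

```python
import email
import re
from email import policy

# Constructed sample values: the IPs of the servers that actually send the
# forged-address owner's mail (substitute your real outbound relays).
OUR_OUTBOUND_IPS = {"203.0.113.10", "203.0.113.11"}

# First bracketed IPv4 address in a Received: header, e.g. "from host ([1.2.3.4])".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(msg):
    """Source IPs of every Received: hop in a message, newest hop first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(str(hdr))
        if m:
            ips.append(m.group(1))
    return ips


def original_message(bounce):
    """The quoted original, if the bouncer attached it as a message/rfc822 part."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def classify_bounce(raw_bounce):
    """'backscatter': the original came from a host that is not ours (forged From:).
    'legitimate': some Received: hop names one of our outbound servers.
    'undeterminable': the bouncer stripped the original headers, nothing to check.
    Caveat: hops below the one written by the bouncing server can be forged, so
    'legitimate' is a hint for human review, not proof."""
    bounce = email.message_from_string(raw_bounce, policy=policy.default)
    orig = original_message(bounce)
    if orig is None:
        return "undeterminable"
    ips = received_ips(orig)
    if not ips:
        return "undeterminable"
    return "legitimate" if any(ip in OUR_OUTBOUND_IPS for ip in ips) else "backscatter"


def make_bounce(orig_ip=None):
    """Constructed sample AV notification sent to the forged From: address.
    With orig_ip the bouncer attaches the original (one Received: hop from orig_ip);
    with None it mimics a bouncer that stripped the original headers."""
    head = ("From: postmaster@av-gateway.example.net\nTo: victim@example.org\n"
            "Subject: Virus found in message you sent\n"
            'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"\n'
            "\n--B1\nContent-Type: text/plain\n\nOur scanner found a virus in your message.\n")
    if orig_ip is None:
        return head + "--B1--\n"
    orig = (f"Received: from pc.isp.example ([{orig_ip}])\n"
            " by mx.av-gateway.example.net with SMTP id x1\n"
            "From: victim@example.org\nTo: someone@av-gateway.example.net\n"
            "Subject: hi\n\n(worm payload omitted)\n")
    return head + "--B1\nContent-Type: message/rfc822\n\n" + orig + "--B1--\n"


if __name__ == "__main__":
    for ip in ("198.51.100.23", "203.0.113.10", None):
        print(ip, "->", classify_bounce(make_bounce(ip)))
```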

Anyone in IT could access newsgroups, but what about the non-IT pro who gets a bounce stating their IP has been blocked and barely managed to find this website?

I am in IT but cannot access the groups at work due to company policy. Only HTTP, SMTP, and FTP traffic that can be monitored by security modules is allowed through the firewall. NNTP does not have a security module available. If I punch a hole through, even if I only allow myself access to it, I could be fired.

firewall policy, right ... me too.


Hi!

<snip quote>

Possible solution? We are getting so many of these piece-of-crap e-mails (300+ a day at the peak of MyDoom) from every single AV program I've heard of, and some I haven't, that we are considering blocking the servers that they come from. With the block we would also be bouncing the e-mail back to the originating "anti-virus" sender as well as <snip>.

...How will you determine the "'anti-virus' sender?" The reason I ask is that if you bounce it to the "From" address, you could be sending it to some hapless e-mail user whose address was forged.


...How will you determine the "'anti-virus' sender?"  The reason I ask is that if you bounce it to the "From" address, you could be sending it to some hapless e-mail user whose address was forged.

Well, perhaps the server doing the bouncing should bounce the message to the actual sending mail account as revealed in the full virus-laden message headers instead of just grabbing the From header value, or, if that is munged, the abuse address at the actual sending mail account IP address.

This question as to what qualifies as spam always seems to devolve to the question of what qualifies as unsolicited and bulk. A bounce going to an actual sender and/or the admin address at their mail account host is sent in response to the original message. So, while the original sender may not have explicitly requested a reply, the bounce is a response to their message, not the message initiating the stream. So, calling properly addressed bounce messages spam seems a bit precious to me.

I expect that the real issue is that many mail server admins don't know how to configure them to bounce to the real originator, or even if that is possible.


Well, perhaps the server doing the bouncing should bounce the message to the actual sending mail account as revealed in the full virus-laden message headers instead of just grabbing the From header value, or, if that is munged, the abuse address at the actual sending mail account IP address.

Most of the recent virus/worms forge everything, so the actual sending account isn't available.

Figuring out what the right abuse address is for a given IP is also not easy. Spamcop has a complicated (and much debated) method for doing it, involving lookups to several places, and it still sometimes gets it wrong, so there is a database of manual overrides maintained by people. That's not something you could build into an antivirus package.

Unless the particular virus is known to leave the actual sending account in the header, the best option is just to dump the email silently. A better option would be not to accept the email in the first place.


Hi!

<snip quote>

Possible solution? We are getting so many of these piece-of-crap e-mails (300+ a day at the peak of MyDoom) from every single AV program I've heard of, and some I haven't, that we are considering blocking the servers that they come from. With the block we would also be bouncing the e-mail back to the originating "anti-virus" sender as well as <snip>.

...How will you determine the "'anti-virus' sender?" The reason I ask is that if you bounce it to the "From" address, you could be sending it to some hapless e-mail user whose address was forged.

The "antivirus sender" would be the admin with his mail server configured to do so. They're sending me a reply to an e-mail that I did not send because my e-mail address was spoofed.

As the mydoom infections seem to be getting under control, the AV notices have definitely dropped off. Since our mail is administered by our ISP, I've gotten with them and worked out some filters that will be in place when the next round of virus activities start up again.

Wishing I had a big stick I could walk softly with.... :ph34r:


Most of the recent virus/worms forge everything, so the actual sending account isn't available. Figuring out what the right abuse address is for a given IP is also not easy.  Spamcop has a complicated (and much debated) method for doing it, involving lookups to several places, and it still sometimes gets it wrong, so there is a database of manual overrides maintained by people.  That's not something you could build into an antivirus package.

<snip>

That's what I was afraid of. Someone way upstream posted something about SMTP timeouts, because the server/AV package would have to hold the connection open while doing the rDNS lookup on top of it. I'm just throwing out wishful suggestions, being ignorant of real mail/server admin technique.

Unless the particular virus is known to leave the actual sending account in the header, the best option is just to dump the email silently.  A better option would be not to accept the email in the first place.

I like that last one, just to not accept the mail, but I guess the same ID and timeout problems exist..


rDNS lookups are not time consuming.

Most mail server can do that check, and it will block a considerable amount of viruses and spam.

Unfortunately there are real mis-configured mail servers that do not have correct rDNS, so while requiring a correct rDNS should only reject spam and virms, it will also cause some real e-mail to be blocked.

When some of the major networks stated they were going to reject senders with bad rDNS, the spammers reacted faster to fix their spamware than the owners of real mail servers did to fix their configuration errors.

Just about all mail servers can be easily programmed to reject based on DNSbls on inspecting the incoming I.P. address.

Some mail servers can be programmed to issue a reject after they have received the entire message but before they have confirmed the SMTP transaction. A filter rule can be set to identify a broken virus scanner or other auto-responder and reject the messages.

I know of two mail servers doing this, and they are not having any problem with timeouts.

If you use a good DHCP dnsbl on the input to your mail server, it will stop most of the direct to MX viruses.

And if you save the I.P. addresses that the direct to MX viruses come from, it will give you I.P. addresses that will probably spam you in the future, or will never send e-mail.

-John

Personal Opinion Only


Archived

This topic is now archived and is closed to further replies.
