There's really no 'right' answer to this question IMO. At $vbc we didn't
send notifications to the sender, but we did to the intended recipient.
At other companies we did the opposite and at 1 we notified everyone and
their monkey. 

Horses for courses I guess.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Posted At: Wednesday, June 11, 2003 9:46 AM
Posted To: swynk
Conversation: Virus Notifications to Sender?
Subject: RE: Virus Notifications to Sender?


Hmmm.. Two interesting things are that a) none of the other sources I
checked talked about spoofed sender addresses, and b) my experience has
been that the ones I have bird dogged were indeed NOT spoofed, and came
from the sender in question.

I'll stand corrected on the spoofing issue, but I still feel sender
notifications are worth doing.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -----Original Message-----
> From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 11, 2003 10:43 AM
> To: Exchange Discussions
> Subject: RE: Virus Notifications to Sender?
> 
> 
> Roger,
> 
> This is the FIRST topic I have ever disagreed with you on...however, see
> below:
> 
> Klez -
> http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.gen.html
> Email spoofing
> Some variants of this worm use a technique known as 
> "spoofing." If so, the worm randomly selects an address that 
> it finds on an infected computer. It uses this address as the 
> "From" address that it uses when it performs its mass-mailing 
> routine. Numerous cases have been reported in which users of 
> uninfected computers received complaints that they sent an 
> infected message to someone else.
> 
> Bugbear -
> http://securityresponse.symantec.com/avcenter/venc/data/w32.bu
> [EMAIL PROTECTED]
> l
> Uses its own SMTP engine to send itself to all the email 
> addresses it finds. As part of the routine, the worm spoofs 
> the From: address.
> 
> Fizzer -
> http://securityresponse.symantec.com/avcenter/venc/data/w32.hl
> [EMAIL PROTECTED]
> tml
> Retrieves the email addresses from the Windows Address Book, 
> cookie files, Internet temporary files, and from files in 
> your personal folder. The worm sends itself to all the email 
> addresses it finds. The worm may spoof the sender's name and 
> email address.
> 
> Not even counting:
> http://securityresponse.symantec.com/avcenter/venc/data/w32.hl
> [EMAIL PROTECTED]
> tml 
> http://securityresponse.symantec.com/avcenter/venc/data/w32.so
> [EMAIL PROTECTED]
> http://securityresponse.symantec.com/avcenter/venc/data/w32.aspam.trojan.b.html
> http://securityresponse.symantec.com/avcenter/venc/data/w32.hl
> [EMAIL PROTECTED]
> html 
> http://securityresponse.symantec.com/avcenter/venc/data/w32.ya
> [EMAIL PROTECTED]
> 
> and on and on and on...unfortunately.  :0)
> 
> Jim
> 
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 11, 2003 5:05 AM
> To: Exchange Discussions
> Subject: RE: Virus Notifications to Sender?
> 
> 
> We have what I consider a finely tuned AV system, utilizing
> multiple vendors and multiple layers. I'm also willing to 
> share that in the 4 years since we've implemented our current 
> approach, we have not been the victims of any major virus 
> outbreaks. That's not to say we don't get hit with the 
> occasional virus, but we've never had to enter firedrill mode 
> to contain them.
> 
> I do get administrative virus notifications. But considering
> I see between 100 and 1000 virus notifications a day from 
> inbound mail, the added assurance of my user being notified 
> is worth it. Maybe I'm just lucky that most of my users will 
> pick up the phone and ask why they got the message in the first place.
> 
> With regards to spoofed source addresses, there are
> relatively few that actually spoof source address. Looking 
> over my recent notifications, I'm seeing BugBear.B, Klez, and 
> Fizzer the most, none of which are spoofed source addresses. 
> The only one that currently spoofs source is Sobig, but 
> that's no longer high traffic. So, I honestly think that 
> you're overstating the impact of notifications being sent to 
> hapless victims of spoofing.
> 
> As someone else said, it's obvious we're not going to change
> each other's minds.
> 
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -----Original Message-----
> > From: Durkee, Peter [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, June 10, 2003 1:44 PM
> > To: Exchange Discussions
> > Subject: RE: Virus Notifications to Sender?
> > 
> > 
> > If our user is the sender then all the e-mails will still have the
> > wrong Sender address, we'd still be sending notifications to a bunch
> > of people that didn't send any viruses, and it's still a bad idea. In
> > fact it's a worse idea for internal infections because then everyone
> > would get bombarded with both viruses and virus warnings.
> > 
> > In our case, I do get notified when viruses are blocked, and the
> > notifications contain the complete headers of the blocked messages, so
> > we can keep an eye on things and act accordingly.
> > 
> > -Peter
> > 
> > 
> > 
> > -----Original Message-----
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, June 10, 2003 9:27
> > To: Exchange Discussions
> > Subject: RE: Virus Notifications to Sender?
> > 
> > 
> > Here's the problem with not performing sender notifications:
> > 
> > What if your user is the sender?
> > 
> > Don't say it doesn't happen. It does, and sometimes that's the best
> > way for you to know it happened.
> > 
> > Roger
> > --------------------------------------------------------------
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> > 
> > 
> > > -----Original Message-----
> > > From: Dan Bartley [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, June 10, 2003 12:03 PM
> > > To: Exchange Discussions
> > > Subject: RE: Virus Notifications to Sender?
> > > 
> > > 
> > > We don't send sender notifications. It is bad Netiquette in the 
> > > current Trojan environment. It is bad for email lists, it is bad for
> > > IT departments and it is bad for individual users.
> > > 
> > > However, we do look at the recipient and administrative 
> > > notifications. If it is klez, sobig, etc. we pretty much ignore it.
> > > If it is something else we look at the headers and see if we can
> > > trace it. If we can, we send a notification.
> > > 
> > > A little extra work for us, but we are not causing extra work for 
> > > others by doing it this way. That is where the above "bad 
> > > Netiquette" comment comes from.
> > > 
> > > Best Regards,
> > > 
> > > Dan Bartley
> > > 
> > > -----Original Message-----
> > > From: Christopher Hummert [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, June 10, 2003 11:56
> > > To: Exchange Discussions
> > > 
> > > A simple change in the notification could solve this problem. You 
> > > could say "your system might possibly be infected with a virus" or
> > > something along those lines. But the problem of spoofing you're 
> > > trying to get across is more of a problem with e-mail in general 
> > > than with anti-virus software. What's going to happen when p*rn 
> > > spammers start sending messages to users as [EMAIL PROTECTED]
> > > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Harmer, 
> > > Michael
> > > Sent: Tuesday, June 10, 2003 8:49 AM
> > > To: Exchange Discussions
> > > Subject: RE: Virus Notifications to Sender?
> > > 
> > > 
> > > Ah, but "Don't send me viruses and I won't send you those 
> > > notifications in the first place." is the flaw. They did not send 
> > > you the virus. They merely were a member of some distribution list, 
> > > had their e-mail on a web site, or corresponded with the person that
> > > was actually infected. Unfortunately, in your desire to 'assist'
> > > those that have no technical ability (A noble cause), you send many
> > > messages to people who have done you no wrong. 99 out of 100 times
> > > you're sending someone a message that indicates that they are 
> > > infected. This causes any responsible person to panic, scan their 
> > > system, and find nothing. In the end this has as much or more 
> > > 'cost' as most of the viruses put together. There is nothing wrong
> > > with sending the message if you are 99% sure the from or reply 
> > > address is correct, but otherwise, you're risking offending people 
> > > and causing increases in costs for other companies and 
> > > individuals.
> > > 
> > > Here are a couple of possible situations that currently can happen.
> > > 1 : The CEO of your company is the member of a Senior Executive
> > > group and they have a mailing list. Someone who is infected visits
> > > the web site for the group, which has the posting e-mail list on it.
> > > You receive an infected message to someone inside your network. Your
> > > system replies with the 'You're Infected' e-mail. Your CEO gets a copy.
> > > He has his favorite computer savvy family member check his computer.
> > > The family member says that the computer is fine and that the 
> > > message was incorrect. The CEO is displeased at the wasted time 
> > > trying to fix an unknown problem. You get a memo the next day, one 
> > > that I doubt would be pleasant.
> > > 2 : Assume that your company values
> > > corporate relations. Some random person is infected with one of 
> > > these spoofing viruses. They had visited the web site for a 
> > > company that your company values in the corporate relationship 
> > > sense. Note that the value could be any number of things. The 
> > > other company's web site had a sales or management e-mail address 
> > > for contacting them. This random person sends to you the virus 
> > > with the other company's list address. You will be sending a 
> > > message that WILL cause the other company expense and frustration.
> > > That WILL damage relationships with that company. Will it break 
> > > them, probably not, but you can not say with 100% certainty that 
> > > it will not.
> > > 
> > > Yes, the other company could have had a virus of the non-spoofing 
> > > kind, but your job is to protect your computers first, and I assume
> > > you have done that or this conversation would not be happening. So
> > > it costs you nothing if they send you a virus short of the continued
> > > maintenance costs for the software. Which you will have to spend
> > > anyway as there will always be > 0 viruses in the wild. Responding
> > > that they have a virus in the case of a non-spoofing virus is fine,
> > > few would argue that it is not fair. However, the problem is that 
> > > now the viruses are lying about where they came from, so the 
> > > incredibly simple rules of the past are no longer just or safe for
> > > our careers. What we need to do is get the mail monitor product 
> > > vendors to get some smarts and add the ability to suppress mail 
> > > back in the case of a spoofing virus. That way you could continue 
> > > to crusade to end viruses and not risk anything. Until then, I 
> > > disagree with punishing innocent people and letting the criminal 
> > > go free.
> > > 
> > > ---------------------------------------------
> > > Michael
> > > ---------------------------------------------
> > > 
> > > 
> > > -----Original Message-----
> > > From: Christopher Hummert [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, June 10, 2003 11:14 AM
> > > To: Exchange Discussions
> > > 
> > > For us the 1% just happened to be one of our employees' mother. She
> > > was receiving those "what was that strange message you sent?" for at
> > > least 3 months from people. It wasn't until she sent a message here,
> > > got one of our virus notifications and then eventually asked me
> > > about it, that the problem got cleared up. This was some 70ish year
> > > old woman that uses her computer for e-mail, small time web surfing,
> > > the occasional online banking session, and the perfect target
> > > for virus writers. 
> > > 
> > > For me it's more than worth it if you can help one person from 
> > > sending viruses to the rest of us. If I get accused of being a 
> > > spammer for sending those notifications, then so be it. Don't send
> > > me viruses and I won't send you those notifications in the first
> > > place.
> > > 
> > > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Harmer, 
> > > Michael
> > > Sent: Tuesday, June 10, 2003 6:32 AM
> > > To: Exchange Discussions
> > > Subject: RE: Virus Notifications to Sender?
> > > 
> > > 
> > > First, let me say that I understand what you're saying if you are 
> > > saying that you are concerned about the 1% and wish to help make the
> > > internet a better place by assisting them to control viruses on
> > > their computers.
> > > 
> > > Now for my POV
> > > The one percent are basically causing the hardliners to spam the 
> > > rest of us. Because most of the virus mail you receive is spoofed,
> > > leaving on the warning send back is the same as spamming. Basically
> > > you will be accusing someone of having a virus that they do not
> > > have, generating bad will between your company and the one you just
> > > spammed. I am speaking from personal experience. One company late last
> > > week, sent us 5 e-mails indicating that we were infected with the
> > > active virus at that time. We were not infected, but because we are
> > > good admins, we sat down and verified that we were not
> > > infected, wasting our time. We knew the virus lied about the 
> > > FROM address, but we checked anyway just to be safe. We then 
> > > called the offending party (The company that spammed us). They 
> > > told us we were infected and we deserved to get the message. 
> > > Needless to say, we informed them what the virus does, and 
> > > they said they could do nothing about the messages as they 
> > > wanted to stop others from spreading infection. BTW, did I 
> > > mention that their e-mail said that we wasted their time 
> > > because we did not have an e-mail scanner on our systems? 
> > > Needless to say, I will probably never do business with that 
> > > ISP. They proved that they did not care about corporate 
> > > relations, proper etiquette or virus control in general.
> > > 
> > > The other problem with this is that the hardliners are propagating a
> > > 99% false positive system. If my AV system was that bad, I would get
> > > a new one. Heck my spam system does better than 3% false positive.
> > > What is worse is that the false positives are going to people who
> > > did not 'sign up' in the first place. (Hence the spam title)
> > > 
> > > Basically, to me, this comes down to a matter of fairness. If the 
> > > hardliners believe it is ok to call 100 people 'jerks' just because
> > > one of them has a foul mouth, go right ahead, but they will find it
> > > hard to make friends. If on the other hand, they instead pay
> > > attention to what you're receiving and respond only where you have 
> > > proof of 'jerkiness', they will have no problem making friends and
> > > they will make the community much happier. (No one likes a jerk)
> > > 
> > > Michael
> > > ---------------------------------------------
> > > 
> > > 
> > > -----Original Message-----
> > > From: Christopher Hummert [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, June 09, 2003 11:54 AM
> > > To: Exchange Discussions
> > > 
> > > Yea but what about that 1% that has no clue they're sending out 
> > > viruses? <SNIP>
> > > 
> > > _________________________________________________________________
> > > List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> > > Web Interface:
> > > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> > > To unsubscribe:         mailto:[EMAIL PROTECTED]
> > > Exchange List admin:    [EMAIL PROTECTED]
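
The policy several posters in the thread argue toward (suppress the sender notice for families that forge From:, trace the headers before notifying anyone outside, and name the host when your own user is the sender), sketched as an added example that is not part of the original thread or of any product discussed in it. The Received format, the internal network range, the detection strings and all addresses are assumptions constructed for the example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Families the thread's quoted write-ups describe as forging the From: address.
SPOOFING_FAMILIES = ("klez", "bugbear", "fizzer", "sobig")
# Assumption: address space of our own hosts (constructed value).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: our gateway writes "from <helo> (<rdns> [<ip>])" in its Received header.
RECEIVED_RE = re.compile(r"from\s+\S+\s+\((?P<rdns>[\w.-]+)\s+\[(?P<ip>[\d.]+)\]\)")


def domain_of(addr):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()


def decide(raw_message, detection):
    """Return (notification targets, reason) for one blocked message."""
    msg = message_from_string(raw_message)
    targets = {"admin", "recipient"}  # inbound mail: both are our own people
    # Only the topmost Received header was written by our own gateway.
    m = RECEIVED_RE.search(msg.get("Received", ""))
    if m is None:
        return targets, "no usable Received header"
    ip, rdns = ipaddress.ip_address(m["ip"]), m["rdns"].lower()
    if any(ip in net for net in INTERNAL_NETS):
        # Our own user is the sender: tell the admin which host, ignore From:.
        return {"admin"}, f"internal host {ip} is sending malware"
    if any(family in detection.lower() for family in SPOOFING_FAMILIES):
        return targets, "family forges From:, sender notice suppressed"
    from_dom = domain_of(msg.get("From"))
    envelope_ok = from_dom != "" and from_dom == domain_of(msg.get("Return-Path"))
    host_ok = rdns == from_dom or rdns.endswith("." + from_dom)
    if envelope_ok and host_ok:
        return targets | {"sender"}, "From: agrees with envelope and connecting host"
    return targets, "From: not traceable to the connecting host"


def sample(from_addr, rdns, ip):
    """Constructed message; every name and address is a documentation value."""
    return (f"Received: from host ({rdns} [{ip}]) by mx.corp.example with SMTP\n"
            f"Return-Path: <{from_addr}>\nFrom: {from_addr}\n"
            "To: bob@corp.example\nSubject: hi\n\nbody\n")


if __name__ == "__main__":
    cases = [("victim@example.org", "dsl-7.isp.example", "203.0.113.7", "W32.Klez"),
             ("alice@example.org", "mail.example.org", "198.51.100.5", "Example.Macro.A"),
             ("victim@example.org", "pc42.corp.example", "10.1.2.3", "W32.Klez")]
    for from_addr, rdns, ip, name in cases:
        print(name, from_addr, decide(sample(from_addr, rdns, ip), name))
```

Agreement between From:, the envelope sender and the connecting host's reverse DNS is a heuristic for deciding whether a notice is worth sending, not proof of who sent the message.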