Re: Clueless anti-virus products/vendors (was Re: Sober)

2005-12-04 Thread Todd Vierling

On Sat, 3 Dec 2005, W.D.McKinney wrote:

 Can people building virus scanning devices PLEASE GET A %^*^ CLUE?
 This means you, Barricuda Networks, more than anyone else, but we
 also see this annoyance from Symantec devices, and from some AOL
 systems as well.

 It's a simple switch in the GUI of Barracuda Networks to turn off this
 annoyance. More operator error than Barracuda's fault, IMHO.

If it is on by default, it is a bug, and not operator error.

(Virus warnings to forged addresses are UBE, plain and simple.)

-- 
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]


Re: Clueless anti-virus products/vendors (was Re: Sober)

2005-12-04 Thread Christian Kuhtz



On Dec 4, 2005, at 2:06 PM, W.D.McKinney wrote:



Can people building virus scanning devices PLEASE GET A %^*^ CLUE?
This means you, Barricuda Networks, more than anyone else, but we
also see this annoyance from Symantec devices, and from some AOL
systems as well.


It's a simple switch in the GUI of Barracuda Networks to turn off this
annoyance. More operator error than Barracuda's fault, IMHO.


If it is on by default, it is a bug, and not operator error.

(Virus warnings to forged addresses are UBE, plain and simple.)



Since when? I disagree.


While we can argue whether it is UBE, it is a pretty dumb move I  
think we can all agree.. ;-)




Re: Clueless anti-virus products/vendors (was Re: Sober)

2005-12-04 Thread Rich Kulawiec

On Sun, Dec 04, 2005 at 09:58:20AM -0500, Todd Vierling wrote:
 If it is on by default, it is a bug, and not operator error.

(In the case of the Barracuda) there are at least two such switches:
one for spam, one for viruses.  Note that when both are set to off that
the box still occasionally emits such messages under as-yet-undetermined
circumstances.  I attempted to persuade one of Barracuda's engineers,
months ago, that there was absolutely no valid reason for including a
feature whose only purpose was abuse redirection.  Incredibly, I was
told the customers want this feature, and that it would not be removed.

And thus we now have blacklist entries such as:

barracuda1.aus.texas.net
barracuda.yale-wrexham.ac.uk
barracuda.morro-bay.ca.us
barracuda.ci.mtnview.ca.us
barracuda.elbert.k12.ga.us
barracuda.fort-dodge.k12.ia.us
barracuda.ci.garner.nc.us
barracuda.ship.k12.pa.us

and many, many more.

Perhaps Barracuda should simply rename those switches as "spam
random individuals and/or get yourself blacklisted", as those
are the only two things likely to result from turning them on.

 (Virus warnings to forged addresses are UBE, plain and simple.)

When sent in bulk (as they inevitably are), absolutely.  There's
no exception in the canonical definition of spam (which _is_ UBE)
for messages sent by broken anti-virus software, nor should there be.

---Rsk


RE: Clueless anti-virus products/vendors (was Re: Sober)

2005-12-04 Thread Todd Vierling

On Sun, 4 Dec 2005, W.D.McKinney wrote:

  (Virus warnings to forged addresses are UBE, plain and simple.)

 Since when? I disagree.

UBE = unsolicited bulk e-mail.

Which of those three words do[es] not apply to virus warning backscatter
to forged envelope/From: addresses?  Think carefully before answering.

-- 
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]


Re: Clueless anti-virus products/vendors (was Re: Sober)

2005-12-04 Thread Steve Sobol


Rich Kulawiec wrote:


And thus we now have blacklist entries such as:

barracuda1.aus.texas.net
barracuda.yale-wrexham.ac.uk
barracuda.morro-bay.ca.us
barracuda.ci.mtnview.ca.us
barracuda.elbert.k12.ga.us
barracuda.fort-dodge.k12.ia.us
barracuda.ci.garner.nc.us
barracuda.ship.k12.pa.us

and many, many more.


Blocking based on rDNS simply because it implies that a certain piece of 
equipment is at that address is... not advisable.


--
Steve Sobol, Professional Geek   888-480-4638   PGP: 0xE3AE35ED
Company website: http://JustThe.net/
Personal blog, resume, portfolio: http://SteveSobol.com/
E: [EMAIL PROTECTED] Snail: 22674 Motnocab Road, Apple Valley, CA 92307



Re: Clueless anti-virus products/vendors (was Re: Sober)

2005-12-04 Thread Robert Bonomi

 From [EMAIL PROTECTED]  Sun Dec  4 17:19:43 2005
 Date: Sun, 04 Dec 2005 15:18:29 -0800
 From: Steve Sobol [EMAIL PROTECTED]
 To: Rich Kulawiec [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: Clueless anti-virus products/vendors (was Re: Sober)


 Rich Kulawiec wrote:

  And thus we now have blacklist entries such as:
  
  barracuda1.aus.texas.net
  barracuda.yale-wrexham.ac.uk
  barracuda.morro-bay.ca.us
  barracuda.ci.mtnview.ca.us
  barracuda.elbert.k12.ga.us
  barracuda.fort-dodge.k12.ia.us
  barracuda.ci.garner.nc.us
  barracuda.ship.k12.pa.us
  
  and many, many more.

 Blocking based on rDNS simply because it implies that a certain piece of 
 equipment is at that address is... not advisable.

_UNTIL_ the first backscatter arrives from 'that' equipment, that is.


*wry*grin*



Re: trollage (Re: Akamai server reliability)

2005-12-04 Thread Edward B. Dreger

CO Date: Mon, 28 Nov 2005 14:57:58 -0600 (CST)
CO From: Chris Owen

CO However, I do think Akamai would be better off getting their issues with
CO their replacement boxes straightened out.  I agree that we get value for
CO having the boxes on our network (and so do they, let's not forget).

*shrug*

It's not that expensive to ship boxen back and forth, and I'd hazard a 
guess they have people who troubleshoot the dead en masse.  If a dead 
box costs $50, the question becomes how much more would prolonging box 
death cost?


CO However, it is a bit frustrating to replace the same box 3 times in less

Heh.  Never had _that_ bad, personally.


CO than a month.  Hauling a box down to the colo is no big deal but when the

Depends.  In Kansas, no.  In $big_metro_area during rush hour... well, 
I've learned why people state distance in terms of hours. :-)


CO box you are taking down there has a dead CPU fan and two dead case fans
CO it's hard not to think you might be wasting your time.

True.  So if the CPU fan is dead, just say the box is plugged in; act 
surprised when it doesn't ping. ;-)


CO It isn't just that they are wasting my time.  They are also wasting their
CO own time.  It's the overall lack of efficiency that bothers me ;-]

There are enough clue-challenged networks that I wouldn't want arbitrary 
people playing around with my gear.  Shipping can be more efficient.


Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.


RE: Clueless anti-virus products/vendors (was Re: Sober)

2005-12-04 Thread Church, Chuck

What about all the viruses out there that don't forge addresses?
Sending a warning message makes sense for these.  Unless someone has
done the research to determine the majority of viruses forge addresses,
you really can't complain about the fact that the default is to warn.
Calling vendors 'clueless' because a default doesn't match your needs is
a little extreme, don't you think?  The ideal solution would be for the
scanning software to send a warning only if the virus detected is known
to use real addresses, otherwise it won't warn.


Chuck 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Todd Vierling
Sent: Sunday, December 04, 2005 4:53 PM
To: W.D.McKinney
Cc: nanog@merit.edu
Subject: RE: Clueless anti-virus products/vendors (was Re: Sober)


On Sun, 4 Dec 2005, W.D.McKinney wrote:

  (Virus warnings to forged addresses are UBE, plain and simple.)

 Since when? I disagree.

UBE = unsolicited bulk e-mail.

Which of those three words do[es] not apply to virus warning backscatter
to forged envelope/From: addresses?  Think carefully before answering.

-- 
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]


Re: Clueless anti-virus products/vendors (was Re: Sober)

2005-12-04 Thread Geo.

What about all the viruses out there that don't forge addresses?

What virus in the past 2 years doesn't forge the from address?

George Roettger


Re: Clueless anti-virus products/vendors (was Re: Sober)

2005-12-04 Thread Christian Kuhtz



Better safe than sorry.  Unless you can determine that it isn't  
forged, you shouldn't be sending anything because there is so much  
out there forging From: addresses (or To: for that matter, with Bcc:).


So, this isn't about ideal vs ok-close-enough.  Don't send me crap  
unless you have a reasonable level of confidence.  I don't believe  
that you can pass a straight face test with virus scanning responses  
on that one.


If you can, I think you need your head examined ;-)

On Dec 4, 2005, at 10:27 PM, Church, Chuck wrote:



What about all the viruses out there that don't forge addresses?
Sending a warning message makes sense for these.  Unless someone has
done the research to determine the majority of viruses forge addresses,
you really can't complain about the fact that the default is to warn.
Calling vendors 'clueless' because a default doesn't match your needs is
a little extreme, don't you think?  The ideal solution would be for the
scanning software to send a warning only if the virus detected is known
to use real addresses, otherwise it won't warn.


Chuck


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Todd Vierling
Sent: Sunday, December 04, 2005 4:53 PM
To: W.D.McKinney
Cc: nanog@merit.edu
Subject: RE: Clueless anti-virus products/vendors (was Re: Sober)


On Sun, 4 Dec 2005, W.D.McKinney wrote:


(Virus warnings to forged addresses are UBE, plain and simple.)


Since when? I disagree.


UBE = unsolicited bulk e-mail.

Which of those three words do[es] not apply to virus warning backscatter
to forged envelope/From: addresses?  Think carefully before answering.

--
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]




Re: Clueless anti-virus products/vendors (was Re: Sober)

2005-12-04 Thread Larry Smith

On Sunday 04 December 2005 21:27, Church, Chuck wrote:
 What about all the viruses out there that don't forge addresses?
 Sending a warning message makes sense for these.  Unless someone has
 done the research to determine the majority of viruses forge addresses,
 you really can't complain about the fact that the default is to warn.
 Calling vendors 'clueless' because a default doesn't match your needs is
 a little extreme, don't you think?  The ideal solution would be for the
 scanning software to send a warning only if the virus detected is known
 to use real addresses, otherwise it won't warn.

True, but the capability has been in most AV software for quite a long time 
now to know which ones forge and which do not.  Clamav has a list of 
which virii are forging and which are not - I am reasonably certain that 
most other AV products have the same information at hand (a quick search of 
Symantec confirms that they know [ref sober worm, para 23, From: 
(spoofed)]).  So while I agree with your basic concept of notifying someone 
that they are infected - when you can notify the right person - blanket 
notifications are more trouble than the virus itself in many cases.  And yes, 
as of yesterday I have more blowback from sober than from the worm 
itself.

-- 
Larry Smith
SysAd ECSIS.NET
[EMAIL PROTECTED]




Re: Clueless anti-virus products/vendors (was Re: Sober)

2005-12-04 Thread Steven M. Bellovin

In message [EMAIL PROTECTED], Church, Chuck writes:

What about all the viruses out there that don't forge addresses?
Sending a warning message makes sense for these.  Unless someone has
done the research to determine the majority of viruses forge addresses,
you really can't complain about the fact that the default is to warn.
Calling vendors 'clueless' because a default doesn't match your needs is
a little extreme, don't you think?  The ideal solution would be for the
scanning software to send a warning only if the virus detected is known
to use real addresses, otherwise it won't warn.


A-V companies are in the business of analyzing viruses.  They should 
*know* how a particular virus behaves.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb




Re: Clueless anti-virus products/vendors (was Re: Sober)

2005-12-04 Thread Edward B. Dreger

SMB Date: Sun, 04 Dec 2005 23:04:52 -0500
SMB From: Steven M. Bellovin

SMB A-V companies are in the business of analyzing viruses.  They should 
SMB *know* how a particular virus behaves.

The cynical would say they _do_ know, and accidental backscatter is a 
way to advertise their products. ;-)


Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.


Re: Clueless anti-virus products/vendors (was Re: Sober)

2005-12-04 Thread Jamie C. Pole



An even more cynical way would be to say that most antivirus  
companies aren't in the business of analyzing viruses - they are in  
the business of selling antivirus software.


I believe that is the fundamental problem.

Jamie

--
Jamie C. Pole
[EMAIL PROTECTED]
http://www.jcpa.com

InfoSec / InfoWar / Forensics


On Dec 4, 2005, at 11:18 PM, Edward B. Dreger wrote:



SMB Date: Sun, 04 Dec 2005 23:04:52 -0500
SMB From: Steven M. Bellovin

SMB A-V companies are in the business of analyzing viruses.  They should
SMB *know* how a particular virus behaves.

The cynical would say they _do_ know, and accidental backscatter is a
way to advertise their products. ;-)


Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.




RE: Clueless anti-virus products/vendors (was Re: Sober)

2005-12-04 Thread Todd Vierling

On Sun, 4 Dec 2005, Church, Chuck wrote:

 What about all the viruses out there that don't forge addresses?

Not that there are nearly as many -- the main scourge is sender-forging
worms by a better than 90%/10% margin -- but I very specifically mentioned:

   (Virus warnings to forged addresses are UBE, plain and simple.)

I think that was pretty clear.

 Sending a warning message makes sense for these.  Unless someone has
 done the research to determine the majority of viruses forge addresses,

Are you living on Earth in 2005?  Unless your filters are VERY strict, no
research should be necessary; look at your own mailbox[es].  If you don't
know that most worm-viruses forge senders these days, you haven't been using
Internet e-mail long enough.  8-)

That said, it takes only a cursory glance through the worms listed on
Symantec's or F-Secure's or Sophos's web sites in reverse chronological
order to see, very clearly, that *nearly every* worm in recent history
forges sender addresses.  Finding three or more worms in the past two years
that don't forge is a challenge for the bored reader.

Some do it for a very good reason -- in the eyes of the worm's writer, mind
you.  A worm is more likely to get through if the user in envelope-FROM has
some sort of relationship with the recipient, because so many sites use
weighted scoring that includes auto-whitelist bias.  To a worm writer, just
using the address in the luser's settings isn't enough, as folks are
starting to understand "don't click on any random attachment".  So, gambling
on the luser having a circle of friends close enough to know each other, the
worm forges many different combinations.  (If you want more details on this
reasoning, take it off-list.)

 Calling vendors 'clueless' because a default doesn't match your needs is
 a little extreme, don't you think?

The vendors sending worm-virus warning UBE are indeed clueless now,
because they aren't paying attention to (often their own!) virus statistics
showing that the majority of worm-viruses forge sender addresses today.

Let me repeat myself:

   (Virus warnings to forged addresses are UBE, plain and simple.)

Not sending UBE is not just my needs; I think we can both agree on that.

To extend that concept, virus warnings triggered by worm-viruses for which
the forgery status is unknown is either UBE or very close to it.

With the massive amount of spew that is forged, any warning option that is
not absolutely confined to trigger on problem mail *known* not to be forged
is a part of the problem, not part of the solution.  The option for warning
on forged senders shouldn't just be off -- it should not exist.

  The ideal solution would be for the scanning software to send a warning
 only if the virus detected is known to use real addresses, otherwise it
 won't warn.

Symantec reportedly did this at long last in one of their products recently
(see [EMAIL PROTECTED] archives for details).  I truly hope others
follow suit.  However, unless the option to warn forged senders is removed
entirely from their products, anti-malware vendors still have a large amount
of fault on their shoulders.

Things like clamav have had the option properly separated for some time, but
I'm mainly counting the slow-moving, commercial anti-malware products in the
prior paragraph.

-- 
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]


Re: Clueless anti-virus products/vendors (was Re: Sober)

2005-12-04 Thread Christopher L. Morrow

On Sun, 4 Dec 2005, Steven M. Bellovin wrote:

 In message [EMAIL PROTECTED], Church, Chuck writes:
 
 What about all the viruses out there that don't forge addresses?
 Sending a warning message makes sense for these.  Unless someone has

 A-V companies are in the business of analyzing viruses.  They should
 *know* how a particular virus behaves.

This has also been said before, but... they are also in the business of
SELLING their product. It seems that the 'default' (note I don't either:
use av, nor scan emails for virii so I'm not sure what defaults to what...
just use something other than outlook and you can care less about it) is
possibly there for advertising effect more than anything else :(

Hey, bob's company stopped this virus with $PRODUCT_12, why aren't we
using that product $VP_O_IT ??


Re: Clueless anti-virus products/vendors (was Re: Sober)

2005-12-04 Thread Robert Bonomi

 From [EMAIL PROTECTED]  Sun Dec  4 22:34:54 2005
 Date: Mon, 05 Dec 2005 04:30:26 + (GMT)
 From: Christopher L. Morrow [EMAIL PROTECTED]
 Subject: Re: Clueless anti-virus products/vendors (was Re: Sober)
 To: Steven M. Bellovin [EMAIL PROTECTED]
 Cc: Church, Chuck [EMAIL PROTECTED], nanog@merit.edu


 On Sun, 4 Dec 2005, Steven M. Bellovin wrote:

  In message [EMAIL PROTECTED], Church, Chuck writes:
  
  What about all the viruses out there that don't forge addresses?
  Sending a warning message makes sense for these.  Unless someone has
 
  A-V companies are in the business of analyzing viruses.  They should
  *know* how a particular virus behaves.

 This has also been said before, but... they are also in the business of
 SELLING their product. It seems that the 'default' (note I don't either:
 use av, nor scan emails for virii so I'm not sure what defaults to what...
 just use something other than outlook and you can care less about it) is
 possibly there for advertising effect more than anything else :(

 Hey, bob's company stopped this virus with $PRODUCT_12, why aren't we
 using that product $VP_O_IT ??

Because they 'very thoughtfully' forwarded the entire message, INCLUDING
 THE VIRUS ITSELF, to us.  _Even_though_ the original message did not 
 originate here.

Do you _really_ think we should start forwarding viruses to our customers,
 'just because' their address was forged into a message sent us?  Just how
 do you think our customers would respond to _that_?


There _is_ an art-form to backing management into an untenable corner, when
they are bound and determined to do something 'wrong'.  It's simply a matter
of finding the right consequences of the action, to illustrate _why_ the
proposed thing is 'wrong'.   'Revenues', and 'customer satisfaction' are 
almost _universal_ hot buttons that can frequently be used to advantage.



RE: Clueless anti-virus products/vendors (was Re: Sober)

2005-12-04 Thread Daniel Senie


At 10:27 PM 12/4/2005, Church, Chuck wrote:


What about all the viruses out there that don't forge addresses?


As others have noted, these are so far lost in the noise as to not be a factor.


Sending a warning message makes sense for these.


Why? Because you need to be the one to tell the sender they are 
infected? Let sites patrol their own users.


Furthermore, if you did your virus scanning during the SMTP 
transaction, you'd be able to send back a 5xx error response during 
the transaction, thereby avoiding any concern about spamming an 
innocent third party.



  Unless someone has
done the research to determine the majority of viruses forge addresses,
you really can't complain about the fact that the default is to warn.


As others have noted, the vendors can and should know.


Calling vendors 'clueless' because a default doesn't match your needs


Excuse me, I think you may notice that a LOT of folks have piped up 
on this issue. The simple fact is as configured many vendors spam 
third parties adding to the noise floor. While backbone operators 
might in fact make a bit extra as a result, those of us who actually 
pay for bandwidth do not appreciate it. We certainly can and do 
blacklist sites that hammer us with bogus bounces, just the same as 
we'd block any company knowingly sending us undesired email.



 is
a little extreme, don't you think?  The ideal solution would be for the
scanning software to send a warning only if the virus detected is known
to use real addresses, otherwise it won't warn.


See question above, re: why do you think it's your systems' place to 
police the rest of the Internet, sending warnings out? Either reject 
virus-laden email during the SMTP session, or quietly own it (and 
dispose of it).





Chuck


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Todd Vierling
Sent: Sunday, December 04, 2005 4:53 PM
To: W.D.McKinney
Cc: nanog@merit.edu
Subject: RE: Clueless anti-virus products/vendors (was Re: Sober)


On Sun, 4 Dec 2005, W.D.McKinney wrote:

  (Virus warnings to forged addresses are UBE, plain and simple.)

 Since when? I disagree.

UBE = unsolicited bulk e-mail.

Which of those three words do[es] not apply to virus warning backscatter
to forged envelope/From: addresses?  Think carefully before answering.

--
-- Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
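As an added illustration of the two positions argued in this thread (Daniel Senie's "reject with a 5xx during the SMTP transaction" and Todd Vierling's "warn only on mail *known* not to be forged"), here is a small Python policy function for a scanning gateway; it is example code written for this page, not code from the thread or from any vendor, and the worm names and the sender-forgery table are constructed placeholders.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Forges(Enum):
    YES = "yes"          # vendor data says the worm forges envelope-from
    NO = "no"            # known to use the infected user's real address
    UNKNOWN = "unknown"  # new or unanalysed sample


class Action(Enum):
    ACCEPT = "accept"
    REJECT = "reject-in-session"   # 5xx to the connecting MTA, no bounce mail
    DISCARD = "discard-quietly"    # accepted earlier; drop it, tell nobody
    NOTIFY = "notify-sender"       # only when the sender is known not forged


# Constructed placeholder table. A real gateway would take this from its
# AV vendor's signature metadata (the thread says ClamAV and Symantec have it).
SENDER_FORGERY = {
    "Worm.Constructed.MassMailer": Forges.YES,
    "Worm.Constructed.Honest": Forges.NO,
    "Worm.Constructed.NewSample": Forges.UNKNOWN,
}


@dataclass(frozen=True)
class Decision:
    action: Action
    smtp_reply: Optional[str]   # reply to the peer MTA if still in session


def decide(detection: Optional[str], in_session: bool) -> Decision:
    """Backscatter-free policy: reject in session when possible; otherwise
    warn only if the detected worm is *known* not to forge its sender."""
    if detection is None:
        return Decision(Action.ACCEPT, "250 2.0.0 OK" if in_session else None)
    if in_session:
        # Rejecting before our final 250 leaves any bounce to the *sending*
        # MTA, so no third party whose address was forged gets mailed by us.
        return Decision(Action.REJECT, f"550 5.7.1 Message rejected: {detection}")
    status = SENDER_FORGERY.get(detection, Forges.UNKNOWN)
    if status is Forges.NO:
        return Decision(Action.NOTIFY, None)
    # Forged or unknown: treat as forged, as the thread argues.
    return Decision(Action.DISCARD, None)


def naive_decide(detection: Optional[str], in_session: bool) -> Decision:
    """The 'warn by default' behaviour the thread complains about."""
    if detection is None:
        return Decision(Action.ACCEPT, "250 2.0.0 OK" if in_session else None)
    return Decision(Action.NOTIFY, None)


Policy = Callable[[Optional[str], bool], Decision]


def backscatter_count(policy: Policy, samples: List[Tuple[Optional[str], bool]]) -> int:
    """Count warnings a policy would send to a forged or unverifiable address."""
    n = 0
    for detection, in_session in samples:
        if policy(detection, in_session).action is Action.NOTIFY:
            if SENDER_FORGERY.get(detection, Forges.UNKNOWN) is not Forges.NO:
                n += 1
    return n


# Constructed sample, all scanned after acceptance: nine forging hits,
# one honest worm, one unknown sample, one clean message.
SAMPLE = [("Worm.Constructed.MassMailer", False)] * 9 + [
    ("Worm.Constructed.Honest", False),
    ("Worm.Constructed.NewSample", False),
    (None, False),
]

if __name__ == "__main__":
    print("naive policy backscatter:", backscatter_count(naive_decide, SAMPLE))
    print("thread's policy backscatter:", backscatter_count(decide, SAMPLE))
```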