Re: To send or not to send 'virus in email' notifications?

2003-08-21 Thread Gerardo A. Gregory
I attest to Amavis on this one.  Message headers, virus found, and also if 
you quarantine the message it sends the quarantined file name. 

Gerardo 

Joe Maimon writes: 

 

Patrick Muldoon wrote: 

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1 

On Thursday 21 August 2003 12:08 am, David Schwartz wrote:
  

	One of my pet peeves is anti-virus programs that detect a virus by name,
so they should know that it always spoofs the sender address, still sending
messages referring to the "message you sent". I wonder if people receive
those, scan for viruses, and then when they don't find one, do one of the
following: 

	1) Take their computer to a computer store and pay for needless 'repairs',
or 

	2) Reinstall/reformat rather than take chances.


	3)Call up their Geeky son and panic...

On this subject, my major pet peeve would be that at least 85% of the 
bounce messages that I have seen coming back here, don't contain enough 
information to figure out where the Original Message 


Amavis sends back in the notification message the original message's 
headers (plus more if you wish).
amavis-new has templates and such. 

You would think other people who pay their developers nice sums of money 
could do the same. 




Re: To send or not to send 'virus in email' notifications?

2003-08-21 Thread Joe Maimon


Patrick Muldoon wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Thursday 21 August 2003 12:08 am, David Schwartz wrote:
 

One of my pet peeves is anti-virus programs that detect a virus by name,
so they should know that it always spoofs the sender address, still sending
messages referring to the "message you sent". I wonder if people receive
those, scan for viruses, and then when they don't find one, do one of the
following:
1) Take their computer to a computer store and pay for needless 'repairs',
or
	2) Reinstall/reformat rather than take chances.
   

	3)Call up their Geeky son and panic...

On this subject, my major pet peeve would be that at least 85% of the bounce 
messages that I have seen coming back here, don't contain enough information 
to figure out where the Original Message


Amavis sends back in the notification message the original message's 
headers (plus more if you wish).
amavis-new has templates and such.

You would think other people who pay their developers nice sums of money 
could do the same.




Re: To send or not to send 'virus in email' notifications?

2003-08-21 Thread Patrick Muldoon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thursday 21 August 2003 12:08 am, David Schwartz wrote:
>   One of my pet peeves is anti-virus programs that detect a virus by name,
> so they should know that it always spoofs the sender address, still sending
> messages referring to the "message you sent". I wonder if people receive
> those, scan for viruses, and then when they don't find one, do one of the
> following:
>
>   1) Take their computer to a computer store and pay for needless 'repairs',
> or
>
>   2) Reinstall/reformat rather than take chances.

3)Call up their Geeky son and panic...

On this subject, my major pet peeve would be that at least 85% of the bounce 
messages that I have seen coming back here, don't contain enough information 
to figure out where the Original Message came from. How very nice of you to 
tell me that my FreeBSD laptop is sending on A Windows Virus. Maybe if you 
gave back the headers of the message, I could have a chance of guessing which 
of the unlucky people that have my e-mail in their address book might be 
infected.  Or when previously mentioned panicking Dad calls up, we can figure 
out which one of his friends has it. But my vote is still a flag in the 
avscanner that says virus forges from/ don't e-mail ...


- -Patrick

- -- 
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon)
Key fingerprint = 8F70 6306 F0A7 B8DA BA95  76C4 606A 7DC1 370D 752C

Me no internet, only janitor, me just wax floors.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE/RMFiYGp9wTcNdSwRAlmvAJ0RqhZqli8gK1EfNTocxYi3ZDxlxQCgna/Q
x7eBHZri+v7RqACQC5gV6l4=
=n1/Q
-END PGP SIGNATURE-



RE: To send or not to send 'virus in email' notifications?

2003-08-20 Thread David Schwartz


> For virus scanners that run at other stages in the delivery process,
> the right decision about whether to do a notification or not
> is virus-dependent, if your anti-virus package supports it.
> Sobig almost always forges sender addresses, so it shouldn't get a
> reply,
> but some other viruses don't forge the sender, and should get the
> reply.
> Limiting the responses to once a week per sender or whatever may
> help,
> but only if the same sender gets forged a lot.

One of my pet peeves is anti-virus programs that detect a virus by name, so
they should know that it always spoofs the sender address, still sending
messages referring to the "message you sent". I wonder if people receive
those, scan for viruses, and then when they don't find one, do one of the
following:

1) Take their computer to a computer store and pay for needless 'repairs',
or

2) Reinstall/reformat rather than take chances.

At a very minimum, guys, adjust your messages to say "an email that appears
to have been sent by you" or similar language to indicate that you don't
know for sure who sent the message.

DS




RE: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Stewart, William C (Bill), RTSLS

 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

The right answer for the original question is probably
"Buy an email server package with virus scanning hooks" or
"Get a virus scanner with sendmail milter hooks"
rather than specific details of how to set it...

The suggestion to do virus filtering during the 
message transfer stage rather than the delivery stage is good.
It looks like sendmail milters can be tweaked to do this,
though unless they can recognize the virus from the mail headers,
they have to wait until the end-of-message hook to do it,
i.e. after the whole virus has been transferred
but before the message acceptance codes get transferred.
It's too bad that it's difficult to send a reject code 
and continue a teergrube at the same time.

For virus scanners that run at other stages in the delivery process,
the right decision about whether to do a notification or not
is virus-dependent, if your anti-virus package supports it.
Sobig almost always forges sender addresses, so it shouldn't get a
reply,
but some other viruses don't forge the sender, and should get the
reply.
Limiting the responses to once a week per sender or whatever may
help,
but only if the same sender gets forged a lot.

Yet another reason to cryptographically sign your outgoing mail,
not that I usually do so or that most people or mail clients check.

Thanks; Bill Stewart

-BEGIN PGP SIGNATURE-
Version: PGPfreeware 7.0.3 for non-commercial use 
Comment: PGP Freeware 703

iQA/AwUBP0QHO7JBeu7P+eyUEQK4xACgwIEKFP47bIyOZ3ABzm5fxm8AsyQAoI8L
mnmDP9h63r+REIlTzTBdltSM
=8pMy
-END PGP SIGNATURE-
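
Added example, not part of the original thread and not code from Amavis or any other scanner: one way to combine the suggestions made in this thread (skip the notice for viruses known to forge the sender, limit notices to one per sender/virus pair per 7 days, say "appears to have been sent by you", and return the original headers). Every name, address and sample message below is hypothetical or constructed.

```python
import re
import time
from email import message_from_string
from email.message import EmailMessage

# Constructed list: the two families this thread names as forging senders.
FORGES_SENDER = {"sobig", "klez"}
WINDOW_SECONDS = 7 * 24 * 3600  # at most one notice per sender/virus per 7 days


class NotificationPolicy:
    """Hypothetical policy object; not the API of any real scanner."""

    def __init__(self, forging=FORGES_SENDER, window=WINDOW_SECONDS,
                 clock=time.time):
        self.forging = {name.lower() for name in forging}
        self.window = window
        self.clock = clock
        self._last_sent = {}  # (sender, family) -> time of last notice

    def family(self, virus_name):
        # Vendors name the same virus differently ("W32/Sobig.F@mm",
        # "Worm.Sobig.F"), so look for a known family among the tokens.
        for token in re.split(r"[^a-z0-9]+", virus_name.lower()):
            if token in self.forging:
                return token
        return virus_name.lower()

    def decide(self, envelope_sender, virus_name):
        """Return (notify, reason) for one infected message."""
        sender = envelope_sender.strip().lower()
        if sender in ("", "<>"):
            # Added safeguard (not from the thread): never answer a bounce.
            return False, "null-sender"
        fam = self.family(virus_name)
        if fam in self.forging:
            return False, "forged-sender"
        now = self.clock()
        last = self._last_sent.get((sender, fam))
        if last is not None and now - last < self.window:
            return False, "rate-limited"
        self._last_sent[(sender, fam)] = now
        return True, "notify"


def build_notice(original_raw, virus_name, recipient,
                 postmaster="postmaster@scanner.example"):
    """Build a notice with hedged wording and the original message headers."""
    original = message_from_string(original_raw)
    headers = "\n".join(f"{k}: {v}" for k, v in original.items())
    notice = EmailMessage()
    notice["From"] = postmaster
    notice["To"] = recipient
    notice["Subject"] = f"Virus {virus_name} found in mail claiming to be from you"
    notice.set_content(
        "An email that appears to have been sent by you was found to contain\n"
        f"{virus_name}. The sender address may have been forged, so your own\n"
        "machine is not necessarily infected.\n\n"
        "Headers of the message as we received it:\n\n" + headers + "\n"
    )
    return notice


# Constructed sample message (documentation addresses only).
SAMPLE = (
    "Received: from host.example.net (host.example.net [192.0.2.10])\n"
    "\tby mx.scanner.example; Wed, 20 Aug 2003 10:25:28 -0400\n"
    "From: alice@example.org\n"
    "To: bob@scanner.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body omitted\n"
)

if __name__ == "__main__":
    policy = NotificationPolicy()
    for sender, virus in [("alice@example.org", "W32/Sobig.F@mm"),
                          ("alice@example.org", "Macro.Constructed.A"),
                          ("alice@example.org", "Macro.Constructed.A")]:
        notify, reason = policy.decide(sender, virus)
        print(sender, virus, "->", reason)
        if notify:
            print(build_notice(SAMPLE, virus, sender))
```
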



RE: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Wesley Vaux

Has anyone else gotten hit by this and know how to stop it? the new dats
from McAfee have no effect of course... and I can't find a tool
anywhere.  Does anyone have any ideas?

Wes Vaux, CCNA, CCDA
Network Security Engineer,
9000 Regency Pkwy
Ste 500
Cary, NC 27511
t 919.463.6782
f 919.463.1290

Global Knowledge
Experts Teaching Experts
http://www.globalknowledge.com



-Original Message-
From: Daniel Senie [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 12:37 PM
To: [EMAIL PROTECTED]
Subject: Re: To send or not to send 'virus in email' notifications?



Notifications from virus scanners are backscatter, just the same as the 
backscatter generated by Smurf attacks. The virus scanners are contributory 
technology in the conduct of a denial of service attack in exactly the same 
way as having directed broadcasts enabled on your routers was (read RFC 
2644 for the details).

Please let's stop building technology that aids in the conduct of DoS
attacks.


Re: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Eric A. Hall


on 8/20/2003 9:25 AM Joe Maimon wrote:

> Considering the amount of email traffic generated by responding to 
> forged  virus laden email from culprits like sobig should email virus 
> scanning systems be configured to send notifications back to sender or not?

The least-harmful yet still-compliant mechanism is to reject the message
during the transfer stage, instead of during the delivery stage. If the
victim is sending their mail using an MTA that is built into the worm,
that should be the end of it. If the victim is sending the mail by way of
a real server (eg, a submission server or a smarthost), then the transfer
rejects will probably still result in delivery failure notifications being
sent to the spoofed sender address.

-- 
Eric A. Hall             http://www.ehsco.com/
Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/



Re: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Leo Bicknell

FWIW

In a message written on Wed, Aug 20, 2003 at 10:04:05AM -0700, Steve Thomas wrote:
> From: Steve Thomas <[EMAIL PROTECTED]>
> To: Leo Bicknell <[EMAIL PROTECTED]>
> Subject: Re: To send or not to send 'virus in email' notifications?
[other headers edited]
> NO! Some organizations (the company I work for, for instance) use MailScanner on 
> incoming AND outgoing mail. I tried telling this to the person who sent the Postfix 
> regex, but, of course, my mail was rejected.
> 
> MailScanner is a very widely used product, and adding rules/filters like the one 
> above only adds to the problems that the virus author is trying to create. Please 
> forward this to NANOG - I tried subscribing to NANOG-POST, but my subscription 
> request was bounced with "content rejected".

Note, unlike the postfix rule his message still made it past
spamassassin as he had enough "non-spam" qualities to offset the
rule I suggested adding.

Please keep in mind there may be legitimate e-mail with these headers
if you're going to use rules such as have been suggested here.

-- 
   Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org




RE: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Claire Kelly

http://support.microsoft.com/default.aspx?scid=kb;[LN];823980

Cheers,
Cade Kelly
System/Network Administrator
ECONnergy Co. Inc
Spring Valley, NY


-Original Message-
From: Wesley Vaux [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 11:58 AM
To: 'Stephen J. Wilcox'; Joe Maimon
Cc: [EMAIL PROTECTED]
Subject: RE: To send or not to send 'virus in email' notifications?



At 10:30:43 my systems rebooted after installing hotfix "Windows 2000 Hotfix
KB823980 was installed" and machines rebooted.  Any ideas on how to remove
this or what it may be?

Wes Vaux, CCNA, CCDA
Network Security Engineer,
9000 Regency Pkwy
Ste 500
Cary, NC 27511
t 919.463.6782
f 919.463.1290

Global Knowledge
Experts Teaching Experts
http://www.globalknowledge.com



-Original Message-
From: Stephen J. Wilcox [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 10:33 AM
To: Joe Maimon
Cc: [EMAIL PROTECTED]
Subject: Re: To send or not to send 'virus in email' notifications?




On Wed, 20 Aug 2003, Joe Maimon wrote:

> 
> Considering the amount of email traffic generated by responding to 
> forged  virus laden email from culprits like sobig should email virus 
> scanning systems be configured to send notifications back to sender or
not?

well if you dont tell them they wont know, altho with sobig the return
address 
is false anyhow

it would probably be best to cache the sender/virus combinations and send a 
single message per 7 days 

Steve


RE: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Stephen J. Wilcox


On Wed, 20 Aug 2003, Wesley Vaux wrote:

> At 10:30:43 my systems rebooted after installing hotfix "Windows 2000 Hotfix
> KB823980 was installed" and machines rebooted.  Any ideas on how to remove
> this or what it may be?

http://www.microsoft.com/windows2000/downloads/servicepacks/SP4/HFDeploy.htm#what_is_a_hotfix__mbbi

http://www.microsoft.com/windows2000/downloads/servicepacks/SP4/HFDeploy.htm#removing_a_windows_hotfix_adbb

KB823980 appears to be the patch against DCOM

why do you wish to remove it?

Steve

> 
>   Wes Vaux, CCNA, CCDA
>   Network Security Engineer,
>   9000 Regency Pkwy
>   Ste 500
>   Cary, NC 27511
>   t 919.463.6782
>   f 919.463.1290
> 
>   Global Knowledge
>   Experts Teaching Experts
>   http://www.globalknowledge.com
> 
> 
> 
> -Original Message-
> From: Stephen J. Wilcox [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 20, 2003 10:33 AM
> To: Joe Maimon
> Cc: [EMAIL PROTECTED]
> Subject: Re: To send or not to send 'virus in email' notifications?
> 
> 
> 
> 
> On Wed, 20 Aug 2003, Joe Maimon wrote:
> 
> > 
> > Considering the amount of email traffic generated by responding to 
> > forged  virus laden email from culprits like sobig should email virus 
> > scanning systems be configured to send notifications back to sender or
> not?
> 
> well if you dont tell them they wont know, altho with sobig the return
> address 
> is false anyhow
> 
> it would probably be best to cache the sender/virus combinations and send a 
> single message per 7 days 
> 
> Steve
> 



RE: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Wesley Vaux

At 10:30:43 my systems rebooted after installing hotfix "Windows 2000 Hotfix
KB823980 was installed" and machines rebooted.  Any ideas on how to remove
this or what it may be?

Wes Vaux, CCNA, CCDA
Network Security Engineer,
9000 Regency Pkwy
Ste 500
Cary, NC 27511
t 919.463.6782
f 919.463.1290

Global Knowledge
Experts Teaching Experts
http://www.globalknowledge.com



-Original Message-
From: Stephen J. Wilcox [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 10:33 AM
To: Joe Maimon
Cc: [EMAIL PROTECTED]
Subject: Re: To send or not to send 'virus in email' notifications?




On Wed, 20 Aug 2003, Joe Maimon wrote:

> 
> Considering the amount of email traffic generated by responding to 
> forged  virus laden email from culprits like sobig should email virus 
> scanning systems be configured to send notifications back to sender or
not?

well if you dont tell them they wont know, altho with sobig the return
address 
is false anyhow

it would probably be best to cache the sender/virus combinations and send a 
single message per 7 days 

Steve


Re: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Leo Bicknell
In a message written on Wed, Aug 20, 2003 at 11:40:53AM -0400, D'Arcy J.M. Cain wrote:
> Absolutely not.  My spam filters are handling the original spam fine but I am 
> getting tons of responses to email I didn't send in the first place.  It's 
> legitimate email from legitimate sources so the filters don't catch it but it 
> is garbage nonetheless.

For those that use spamassassin, in ~/.spamassassin/user_prefs:

header VIRUS_BOUNCE X-MailScanner =~ /Found to be clean/
describe VIRUS_BOUNCE   Has X-MailScanner with virus signature.
score VIRUS_BOUNCE  5.0

-- 
   Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org




Re: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Daniel Senie
Notifications from virus scanners are backscatter, just the same as the 
backscatter generated by Smurf attacks. The virus scanners are contributory 
technology in the conduct of a denial of service attack in exactly the same 
way as having directed broadcasts enabled on your routers was (read RFC 
2644 for the details).

Please let's stop building technology that aids in the conduct of DoS attacks.



Re: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Gerardo A. Gregory

> virus laden email from culprits like sobig should email virus
> scanning systems be configured to send notifications back to sender or not?


Virus notification was great in times past.  With forged addresses, now the 
double edged sword is pointed back at the victim system, since some of the 
notifications are sent to invalid domains or accounts the mail rests 
undeliverable in a mail queue awaiting to expire. 

My mail queue rose yesterday to over 100 undeliverable mails.  All of these 
from sobig notifications to illegal domains or accounts.  I shutdown 
notifications ASAP, saving myself (and my systems) some processing time. 

The notification piece of most scanner engines needs to be revamped by the 
software manufacturers and developers to keep up in the new trends in virii 
behavior (i.e. forged addresses). 

Someone posted that Amavis-new has this feature, and this is open source 
software, you imagine the commercial companies could have figured this one 
out by now since klez also used forged addresses. 

Gerardo 

D'Arcy J.M. Cain writes: 

On Wednesday 20 August 2003 10:25, Joe Maimon wrote:
Considering the amount of email traffic generated by responding to
forged  virus laden email from culprits like sobig should email virus
scanning systems be configured to send notifications back to sender or not?
Absolutely not.  My spam filters are handling the original spam fine but I am 
getting tons of responses to email I didn't send in the first place.  It's 
legitimate email from legitimate sources so the filters don't catch it but it 
is garbage nonetheless. 

--
D'Arcy J.M. Cain <[EMAIL PROTECTED]|vex}.net>   |  Democracy is three wolves
http://www.druid.net/darcy/                     |  and a sheep voting on
+1 416 425 1212 (DoD#0082)(eNTP)   |  what's for dinner.


Gerardo A. Gregory
Manager Network Administration and Security
402-970-1463 (Direct)
402-850-4008 (Cell)

Affinitas - Latin for "Relationship"
Helping Businesses Acquire, Retain, and Cultivate
Customers
Visit us at http://www.affinitas.net 



Re: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Joe Maimon


Joe Maimon wrote:

Considering the amount of email traffic generated by responding to 
forged  virus laden email from culprits like sobig should email virus 
scanning systems be configured to send notifications back to sender or 
not? 
I guess we can summarise and say that:
(intelligent virus scanner) ? notify : dont notify





Re: To send or not to send 'virus in email' notifications?

2003-08-20 Thread D'Arcy J.M. Cain

On Wednesday 20 August 2003 10:25, Joe Maimon wrote:
> Considering the amount of email traffic generated by responding to
> forged  virus laden email from culprits like sobig should email virus
> scanning systems be configured to send notifications back to sender or not?

Absolutely not.  My spam filters are handling the original spam fine but I am 
getting tons of responses to email I didn't send in the first place.  It's 
legitimate email from legitimate sources so the filters don't catch it but it 
is garbage nonetheless.

-- 
D'Arcy J.M. Cain <[EMAIL PROTECTED]|vex}.net>   |  Democracy is three wolves
http://www.druid.net/darcy/                     |  and a sheep voting on
+1 416 425 1212 (DoD#0082)(eNTP)   |  what's for dinner.


RE: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Brandon Butterworth

> > Considering the amount of email traffic generated by responding to 
> > forged  virus laden email from culprits like sobig should email virus 
> > scanning systems be configured to send notifications back to 
> > sender or not?

If your scanner doesn't know if a virus forges addresses, and hence no
point replying, then bin it and buy a proper one

brandon




Re: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Damian Gerow

Thus spake Tomas Daniska ([EMAIL PROTECTED]) [20/08/03 10:56]:
> maybe the AV vendors could supply a 'to mail or not to mail' flag within
> their databases, based on character of the virus...

amavisd-new maintains a list of viruses that are known to forge sender
addresses.  It won't notify the sender (if configured) if the virus found is
in the list.

I can't speak for the other amavis* projects.


Re: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Valdis . Kletnieks
On Wed, 20 Aug 2003 10:25:28 EDT, Joe Maimon <[EMAIL PROTECTED]>  said:
> Considering the amount of email traffic generated by responding to 
> forged  virus laden email from culprits like sobig should email virus 
> scanning systems be configured to send notifications back to sender or not?

It isn't like the A/V vendors can't put a single bit in the description that says
"uses real address" or "uses forged address" and only send a notification when
the "real" bit is set.  However, a lot of them seem to be more interested in
pumping out PR and FUD.

Worst part is if one of them had been smart, they'd have invented such a bit,
patented it, and then shipped "New! Improved! Now with less confusing
messages", and used the patent to make sure nobody else did.  Now *that* would
be a selling point for their product, but n... ;)  They've missed their
chance.  Feel free to cite this e-mail as prior art if somebody tries it now...
;)





RE: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Tomas Daniska


maybe the AV vendors could supply a 'to mail or not to mail' flag within
their databases, based on character of the virus...


any of them lurking here? :)

--

deejay 

> -Original Message-
> From: Matthew Kaufman [mailto:[EMAIL PROTECTED] 
> Sent: 20. augusta 2003 16:41
> To: 'Joe Maimon'; [EMAIL PROTECTED]
> Subject: RE: To send or not to send 'virus in email' notifications?
> 
> 
> 
> Absolutely not.
> 
> SoBig.F, like many others, forges the sender address. That 
> means that your
> notifications:
>   1) Don't make it back to the person with the infection
>   2) Simply add more clutter to the mailbox of the person 
> whose address was
> used (in addition to all the bounce messages)
> 
> In the enterprise, this is a great argument for scanning 
> outbound email with
> positive identification of whose outbound mail you're scanning.
> 
> Matthew Kaufman
> [EMAIL PROTECTED] 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> > Behalf Of Joe Maimon
> > Sent: Wednesday, August 20, 2003 7:25 AM
> > To: [EMAIL PROTECTED]
> > Subject: To send or not to send 'virus in email' notifications?
> > 
> > 
> > 
> > Considering the amount of email traffic generated by responding to 
> > forged  virus laden email from culprits like sobig should 
> email virus 
> > scanning systems be configured to send notifications back to 
> > sender or not?
> > 
> > 
> > 
> > 
> 
> 


RE: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Mark Segal

All of "my" bounces are coming from emails that originated from
195.157.87.253...  Maybe it's the same guy with others here?

Mark

Fyi..
[EMAIL PROTECTED]:~> whois -h whois.ripe.net 195.157.87.253
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:  195.157.70.0 - 195.157.87.255
netname:  NSUK-PARTITION-LL
descr:    Connectivity
country:  GB
admin-c:  NSUK2-RIPE
tech-c:   NSUK1-RIPE
status:   LIR-PARTITIONED PA
remarks:  **
remarks:  * Please do not send abuse reports to tech or admin contacts *
remarks:  *  All abuse reports to [EMAIL PROTECTED]  *
remarks:  **
remarks:  * This is an partition object and does not represent a valid #
remarks:  # assignment.  Valid assignments have status: ASSIGNED PA#
remarks:  ##
notify:   [EMAIL PROTECTED]
mnt-by:   NETSCALIBURUK-MNT
mnt-lower: NETSCALIBURUK-MNT
changed:  [EMAIL PROTECTED] 20011025
changed:  [EMAIL PROTECTED] 20020110
changed:  [EMAIL PROTECTED] 20020514
source:   RIPE

route:    195.157.0.0/16
descr:    Netscalibur UK Ltd
origin:   AS8272
mnt-by:   NETSCALIBURUK-MNT
changed:  [EMAIL PROTECTED] 20010706
source:   RIPE

role: Netscalibur UK Hostmaster
address:  Netscalibur UK Ltd
address:  9 Selsdon Way
address:  Cityharbour
address:  London E14 9GL
address:  UK
phone:    +44 (0)870 887 8800
fax-no:   +44 (0)870 887 8867
e-mail:   [EMAIL PROTECTED]
admin-c:  CSP3-RIPE
admin-c:  SY131-RIPE
tech-c:   NSUK1-RIPE
tech-c:   NSUK3-RIPE
nic-hdl:  NSUK2-RIPE
remarks:  Hostmaster
remarks:  
remarks:  * All abuse reports to [EMAIL PROTECTED]
remarks:  
notify:   [EMAIL PROTECTED]
mnt-by:   NETSCALIBURUK-MNT
changed:  [EMAIL PROTECTED] 20010712
changed:  [EMAIL PROTECTED] 20010731
changed:  [EMAIL PROTECTED] 20020109
changed:  [EMAIL PROTECTED] 20020116
source:   RIPE

role: Netscalibur UK NOC
address:  Netscalibur UK Ltd
address:  9 Selsdon Way
address:  Cityharbour
address:  London E14 9GL
address:  UK
phone:    +44 (0)845 117 2200
fax-no:   +44 (0)870 887 8867
e-mail:   [EMAIL PROTECTED]
admin-c:  ZP64-RIPE
admin-c:  DJH8-RIPE
tech-c:   NSUK2-RIPE
tech-c:   NSUK3-RIPE
nic-hdl:  NSUK1-RIPE
remarks:  Network Operations Center
remarks:  
remarks:  * All abuse reports to [EMAIL PROTECTED]
remarks:  
notify:   [EMAIL PROTECTED]
mnt-by:   NETSCALIBURUK-MNT
changed:  [EMAIL PROTECTED] 20010711
changed:  [EMAIL PROTECTED] 20020116
source:   RIPE




--
Mark Segal 
Director, Network Planning
FCI Broadband 
Tel: 905-284-4070 
Fax: 416-987-4701 
http://www.fcibroadband.com

Futureway Communications Inc. is now FCI Broadband


-Original Message-
From: Jim Deleskie [mailto:[EMAIL PROTECTED] 
Sent: August 20, 2003 10:36 AM
To: [EMAIL PROTECTED]
Subject: RE: To send or not to send 'virus in email' notifications?



Kind of like a statement made @ a security conference I was recently at,
'Hacking from the conference = Dismissal, if you have to ask No you
shouldn't'




-Original Message-
From: Gregory Hicks [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 10:30 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: To send or not to send 'virus in email' notifications?




> Date: Wed, 20 Aug 2003 10:25:28 -0400
> From: Joe Maimon <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: To send or not to send 'virus in email' notifications?
> 
> 
> Considering the amount of email traffic generated by responding to
> forged  virus laden email from culprits like sobig should email virus 
> scanning systems be configured to send notifications back to sender or 
not?

Not.


RE: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Matthew Kaufman

Absolutely not.

SoBig.F, like many others, forges the sender address. That means that your
notifications:
  1) Don't make it back to the person with the infection
  2) Simply add more clutter to the mailbox of the person whose address was
used (in addition to all the bounce messages)

In the enterprise, this is a great argument for scanning outbound email with
positive identification of whose outbound mail you're scanning.

Matthew Kaufman
[EMAIL PROTECTED] 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Joe Maimon
> Sent: Wednesday, August 20, 2003 7:25 AM
> To: [EMAIL PROTECTED]
> Subject: To send or not to send 'virus in email' notifications?
> 
> 
> 
> Considering the amount of email traffic generated by responding to 
> forged  virus laden email from culprits like sobig should email virus 
> scanning systems be configured to send notifications back to 
> sender or not?
> 
> 
> 
> 



RE: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Jim Deleskie

Kind of like a statement made @ a security conference I was recently at,
'Hacking from the conference = Dismissal, if you have to ask No you
shouldn't'




-Original Message-
From: Gregory Hicks [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 10:30 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: To send or not to send 'virus in email' notifications?




> Date: Wed, 20 Aug 2003 10:25:28 -0400
> From: Joe Maimon <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: To send or not to send 'virus in email' notifications?
> 
> 
> Considering the amount of email traffic generated by responding to 
> forged  virus laden email from culprits like sobig should email virus 
> scanning systems be configured to send notifications back to sender or 
not?

Not.



RE: To send or not to send 'virus in email' notifications?

2003-08-20 Thread John Ferriby

> Considering the amount of email traffic generated by responding to 
> forged  virus laden email from culprits like sobig should email virus 
> scanning systems be configured to send notifications back to 
> sender or not?

IMO: No.  I have had around 200 of these alerts this morning alone,
most of which originate from [EMAIL PROTECTED] which received
email using my forged address. I can't blithely ignore the
postmaster, but I'm sorely tempted to filter them.

Side note: I'm seeing about a 20x increase in smtp traffic over
the daily norm.

-John


Re: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Stephen J. Wilcox


On Wed, 20 Aug 2003, Joe Maimon wrote:

> 
> Considering the amount of email traffic generated by responding to 
> forged  virus laden email from culprits like sobig should email virus 
> scanning systems be configured to send notifications back to sender or not?

well if you dont tell them they wont know, altho with sobig the return address 
is false anyhow

it would probably be best to cache the sender/virus combinations and send a 
single message per 7 days 

Steve



Re: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Pascal Gloor

> Considering the amount of email traffic generated by responding to
> forged  virus laden email from culprits like sobig should email virus
> scanning systems be configured to send notifications back to sender or
not?

Considering that the "From" is almost always not the right one, I think
sending notifications back will only help to increase the mail traffic and
wont help anyone.

Pascal



Re: To send or not to send 'virus in email' notifications?

2003-08-20 Thread Gregory Hicks


> Date: Wed, 20 Aug 2003 10:25:28 -0400
> From: Joe Maimon <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: To send or not to send 'virus in email' notifications?
> 
> 
> Considering the amount of email traffic generated by responding to 
> forged  virus laden email from culprits like sobig should email virus 
> scanning systems be configured to send notifications back to sender or 
not?

Not.




To send or not to send 'virus in email' notifications?

2003-08-20 Thread Joe Maimon
Considering the amount of email traffic generated by responding to 
forged  virus laden email from culprits like sobig should email virus 
scanning systems be configured to send notifications back to sender or not?