Roger, This is the FIRST topic I have ever disagreed with you on...however, see below:
Klez - http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.gen.html Email spoofing Some variants of this worm use a technique known as "spoofing." If so, the worm randomly selects an address that it finds on an infected computer. It uses this address as the "From" address that it uses when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers received complaints that they sent an infected message to someone else. Bugbear - http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED] l Uses its own SMTP engine to send itself to all the email addresses it finds. As part of the routine, the worm spoofs the From: address. Fizzer - http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED] tml Retrieves the email addresses from the Windows Address Book, cookie files, Internet temporary files, and from files in your personal folder. The worm sends itself to all the email addresses it finds. The worm may spoof the sender's name and email address. Not even counting: http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED] tml http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED] http://securityresponse.symantec.com/avcenter/venc/data/w32.aspam.trojan.b.h tml http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED] html http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED] and on and on and on...unfortunately. :0) Jim -----Original Message----- From: Roger Seielstad [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 11, 2003 5:05 AM To: Exchange Discussions Subject: RE: Virus Notifications to Sender? We have what I consider a finely tuned AV system, utilizing multiple vendors and multiple layers. I'm also willing to share that in the 4 years since we've implemented our current approach, we have not been the victims of any major virus outbreaks. That's not to say we don't get hit with the occasional virus, but we've never had to enter firedrill mode to contain them. I do get administrative virus notifications. But considering I see between 100 and 1000 virus notifications a day from inbound mail, the added assurance of my user being notified is worth it. Maybe I'm just lucky that most of my users will pick up the phone and ask why they got the message in the first place. With regards to spoofed source addresses, there are relatively few that actually spoof source address. Looking over my recent notifications, I'm seeing BugBear.B, Klez, and Fizzer the most, none of which are spoofed source addresses. The only one that currently spoofs source is Sobig, but that's no longer high traffic. So, I honestly thing that you're overstating the impact of notifications being sent to hapless victims of spoofing. As someone else said, its obvious we're not going to change each other's minds. -------------------------------------------------------------- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. > -----Original Message----- > From: Durkee, Peter [mailto:[EMAIL PROTECTED] > Sent: Tuesday, June 10, 2003 1:44 PM > To: Exchange Discussions > Subject: RE: Virus Notifications to Sender? > > > If our user is the sender then all the e-mails will still > have the wrong Sender address, we'd still be sending > notifications to a bunch of people that didn't send any > viruses, and it's still a bad idea. In fact it's a worse idea > for internal infections because then everyone would get > bombarded with both viruses and virus warnings. > > In our case, I do get notified when viruses are blocked, and > the notifications contain the complete headers of the blocked > messages, so we can keep an eye on things and act accordingly. > > -Peter > > > > -----Original Message----- > From: Roger Seielstad [mailto:[EMAIL PROTECTED] > Sent: Tuesday, June 10, 2003 9:27 > To: Exchange Discussions > Subject: RE: Virus Notifications to Sender? > > > Here's the problem with not performing sender notifications: > > What if your user is the sender? > > Don't say it doesn't happen. It does, and sometimes that's > the best way for you to know it happened. > > Roger > -------------------------------------------------------------- > Roger D. Seielstad - MTS MCSE MS-MVP > Sr. Systems Administrator > Inovis Inc. > > > > -----Original Message----- > > From: Dan Bartley [mailto:[EMAIL PROTECTED] > > Sent: Tuesday, June 10, 2003 12:03 PM > > To: Exchange Discussions > > Subject: RE: Virus Notifications to Sender? > > > > > > We don't send sender notifications. It is bad Netiquette in the > > current Trojan environment. It is bad for email lists, it is bad for > > IT departments and it is bad for individual users. > > > > However, we do look at the recipient and administrative > > notifications. If it is klez, sobig, etc. we pretty much ignore it. > > If it is something else we look at the headers and see if we can > > trace it. If we can, we send a notification. > > > > A little extra work for us, but we are not causing extra work for > > others by doing it this way. That is where the above "bad > > Netiquette" comment comes from. > > > > Best Regards, > > > > Dan Bartley > > > > -----Original Message----- > > From: Christopher Hummert [mailto:[EMAIL PROTECTED] > > Sent: Tuesday, June 10, 2003 11:56 > > To: Exchange Discussions > > > > A simple change in the notification could solve this problem. You > > could say "your system might possibly be infected with a > > virus" or something along those line. But the problem of > > spoofing your trying to get across is more of a problem with > > e-mail in general then with anti-virus software. What going > > to happen when p*rn spammers start sending messages to users > > as [EMAIL PROTECTED] > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Harmer, > > Michael > > Sent: Tuesday, June 10, 2003 8:49 AM > > To: Exchange Discussions > > Subject: RE: Virus Notifications to Sender? > > > > > > Ah, but "Don't send me viruses and I won't send you those > > notifications in the first place." is the flaw. They did not send > > you the virus. They mearly were member of some distribution list, > > had their e-mail on a web site, or corrisponded with the person that > > was actually infected. Unfortunatly, in your desire to 'assist' > > those that have no technical ability(A noble cause), you send many > > messages to people who have done you no wrong. 99 out of 100 times > > your sending someone a message that indicates that they are > > infected. This causes any responsible person to panic, scan > > their system, and find nothing. In the end this has as much > > or more 'cost' as most of the viruses put together. There is > > nothing wrong with sending the message if you are 99% sure > > the from or reply address is correct, but otherwise, your > > risking offending people and causing increases in costs for > > other companies and individuals. > > > > Here are a couple of possible situations that currently can happen. > > 1 : The CEO of your company is the member of a Senior Executive > > group and they have a mailing list. Someone who is infected visits > > the web site for the group, which has the posting e-mail list on it. > > You receive a infected message to someone inside your network. Your > > system replys with the 'Your Infected' e-mail. Your CEO gets a copy. > > He has his favorite computer savvy family member check his computer. > > The family member says that the computer is fine and that the > > message was incorrect. The CEO is displeased at the wasted > > time trying to fix a unknown problem. You get a memo the next > > day, one that I doubt would be plesant. 2 : Assume that your > > company values corprate relations. Some random person is > > infected with one of these spoofing viruses. They had visited > > the web site for a company that your company values in the > > corprate relationship sense. Note that the value could be any > > number of things. The other companies web site had a sales or > > management e-mail address for contacting them. This random > > person sends to you the virus with the other companies list > > address. You will be sending a message that WILL cause the > > other company expense and frustration. That WILL damage > > relationships with that company. Will it break them, probibly > > not, but you can not say with 100% certainty that it will not. > > > > Yes, the other company could have had a virus of the non-spoofing > > kind, but your job is to protect your computers first, and I assume > > you have done that or this conversation would not be happening. So > > it costs you nothing if they send you a virus short of the continued > > maintence costs for the software. Which you will have to spend > > anyway as there will always be > 0 viruses in the wild. Responding > > that they have a virus in the case of a non-spoofing virus is fine, > > few would argue that it is not fair. However, the problem is that > > now the viruses are lieing about where they came from, so the > > increadbly simple rules of the past are no longer just or > > safe for our carears. What we need to do is get the mail > > monitor product vendors to get some smarts and add the > > ability to suppress mail back in the case of a spoofing > > virus. That way you could continue to crusade to end viruses > > and not risk anything. Untill then, I disagree with punishing > > innocent people and letting the criminal go free. > > > > --------------------------------------------- > > Michael > > --------------------------------------------- > > > > > > -----Original Message----- > > From: Christopher Hummert [mailto:[EMAIL PROTECTED] > > Sent: Tuesday, June 10, 2003 11:14 AM > > To: Exchange Discussions > > > > For us the 1% just happened to be one of our employees mother. She > > was receiving those "what was that strange message you sent?" for at > > least 3 months from people. It wasn't until she sent a message here, > > got one of our virus notifications and then eventually asked me > > about it, that the problem got cleared up. This was some 70ish year > > old woman that uses her computer for e-mail, small time web surfing, > > the occasional online banking session, and the perfect target > > for virus writers. > > > > For me it's more then worth it if you can help one person from > > sending viruses to the rest of us. If I get accused of being a > > spammer for sending those notifications, then so be it. Don't send > > me viruses and I won't send you those notifications in the first > > place. > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Harmer, > > Michael > > Sent: Tuesday, June 10, 2003 6:32 AM > > To: Exchange Discussions > > Subject: RE: Virus Notifications to Sender? > > > > > > First, let me say that I understand what your saying if you are > > saying that you are concerned about the 1% and wish to help make the > > internet a better place by assisting them to control viruses on > > their computers. > > > > Now for my POV > > The one percent are basically causing the hardliners to spam the > > rest of us. Because most of the virus mail you receive is spoofed, > > leaving on the warning send back is the same as spamming. Basically > > you will be accusing someone of having a virus that they do not > > have, generating bad will between your company and the one you just > > spammed. I am speaking from person experience. One company late last > > week, sent us 5 e-mails indicating that we were infected with the > > active virus at that time. We were not infected, but because we are > > good admins, we sat down and verified that we were not > > infected, wasting our time. We knew the virus lied about the > > FROM address, but we checked anyway just to be safe. We then > > called the offending party(The company that spammed us). They > > told us we were infected and we deserved to get the message. > > Needless to say, we informed them what the virus does, and > > they said they could do nothing about the messages as they > > wanted to stop others from spreading infection. BTW, did I > > mention that their e-mail said that we wasted their time > > because we did not have a e-mail scanner on our systems? > > Needless to say, I will probably never do business with that > > ISP. They proved that they did not care about corporate > > relations, proper etiquette or virus control in general. > > > > The other problem with this is that the hardliners are propagating a > > 99% false positive system. If my AV system was that bad, I would get > > a new one. Heck my spam system does better that 3% false positive. > > What is worse is that the false positives are going to people who > > did not 'sign up' in the first place.(Hence the spam title) > > > > Basically, to me, this comes down to a matter of fairness. If the > > hardliners believe it is ok to call 100 people 'jerks' just because > > one of them has a foul mouth, go right ahead, but they will find it > > hard to make friends. If on the other hand, they instead pay > > attention to what your receiving and respond only where you have > > proof of 'jerkiness', they will have no problem making friends and > > they will make the community much happier. (No one likes a jerk) > > > > Michael > > --------------------------------------------- > > > > > > -----Original Message----- > > From: Christopher Hummert [mailto:[EMAIL PROTECTED] > > Sent: Monday, June 09, 2003 11:54 AM > > To: Exchange Discussions > > > > Yea but what about that 1% that has no clue their sending out > > viruses? <SNIP> > > > > _________________________________________________________________ > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > > Web Interface: > > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t > ext_mode=& > lang=english > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Web Interface: > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t > ext_mode=& > lang > =english > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Web Interface: > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t > ext_mode=& > lang=english > To unsubscribe: mailto:[EMAIL PROTECTED] > Exchange List admin: [EMAIL PROTECTED] > > > _________________________________________________________________ > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm > Web Interface: > http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&t ext_mode=& lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang =english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang =english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] ______________________________________________ This message is private or privileged. If you are not the person for whom this message is intended, please delete it and notify me immediately, and please do not copy or send this message to anyone else. _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang =english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang =english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english To unsubscribe: mailto:[EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED]
