-------- Original Message --------
Subject: FIY: Turn off virus alerts to sender (slightly OT)
Date: Wed, 11 Feb 2004 17:58:33 +0200
From: Willie Viljoen <[EMAIL PROTECTED]>
Newsgroups: gmane.mail.exim.user

This is slightly off topic, as it applies to anybody doing virus checking and sending alerts to the sender, not just Exim users. I feel I should post it anyway, in the hope that it helps.
Variants of the MyDoom worm that spread via e-mail seem to be following the pattern not only to harvest target addresses from mailing lists, infected address books, etc., but to also harvest addresses for use in forging a sender address. This is probably a way for the virus to get around callbacks and other verification procedures, i.e., forging an e-mail from a valid address in a valid domain.
The problem I wish everyone to take note of is that many content checking systems which send alerts to the sender cannot distinguish between fake and real sender addresses. As MyDoom is spreading, we have been getting several complaints about our servers sending "bogus" virus alerts to users who are not infected. Thus, our server was sending the virus alert to the valid addresses that were fraudulently put there by the virus.
There are several reasons why sending these replies to senders is a bad idea; I won't go into them all as I am sure I don't need to. The basic symptom of all of them is a mass of collateral spam every time a big worm breaks loose. So far, I have been unable to convince clients for which I manage systems that sending these warning messages is a bad idea; however, with the volume of complaints we have been getting due to MyDoom, the management have mostly become more sensitive to the problem, and I am happy to report that none of my clients' servers now send these warnings.
If your server is sending such warnings, please disable them, or if it is a managerial decision, try your best to obtain permission to disable them. Alternatively, if your content checker supports this, disable the warning messages only for MyDoom; that will already help to decrease the problems posed by these reply messages.
I apologise for this not being strictly on topic, but it is posted in the hope that it will help to curb this problem.
Will
--
Willie Viljoen
Freelance IT Consultant
214 Paul Kruger Avenue Universitas 9321 South Africa
+27 (51) 522 15 60 +27 (82) 404 03 27
[EMAIL PROTECTED]
-- Sandip Bhattacharya http://www.sandipb.net sandip at puroga.com Puroga Technologies Pvt. Ltd. http://www.puroga.com
