> This came in through Nanog from Paul Vixie.
>
> Don't know if you'd want to block notifications like this or not but as
> most of the FROM's on the worm mails are spoofed anyway, why notify
> someone who didn't send anything in the first place?

Yes, "helpful" bounce messages have been a nuisance since 2000. And in some cases, people have been DoSed by the Joe Job parts of the virus!

I created the following form letter for when people try to tell me their notifications are "helpful" or "good." Feel free to use or paraphrase this if you feel the same way I do.

----

Your server sends out "helpful" messages to people it thinks sent viruses. Unfortunately, they are not at all "helpful" in the modern age of forged sender viruses.

The "helpful" messages have actually been proven to create denial of service levels of email. This was well documented the times it happened in the past, and is expected to happen in the future.

http://www.ijs.si/software/amavisd/README.policy-on-notifications
http://www.lancs.ac.uk/iss/a-virus/falsesender.htm
http://www.aloha.net/support/antivirus.php#sender
http://www.kaspersky.com/news.html?id=986631

As a minimum, any responsible admin who uses an auto-notify system will keep on top of which viruses forge addresses. That way they can quickly eliminate bogus notifications through the settings in their anti-virus program.

If you choose to notify, and not filter out bogus forgeries based off the viruses involved, then you will be used as a DoS platform by viruses. It is that simple.

Every decent server level email anti-virus software that does notifications has the ability to discriminate forged from addresses based off the virus involved. If yours is lacking in this, then they are VERY much behind the times. The principle of selectively not sending notifications has been in place since the year 2000.

Responsible notifications are fine, but at this moment you are spreading FUD, which can be WORSE than the virus itself. Notifications like yours can cause thousands of dollars in damages when people go out en masse and replace perfectly working anti-virus software that they believe is broken. Why would they think it is broken? Because your email told them so.

Simple logic:

Person A gets warning from you, but it is a bogus notification.
Person A scans machine with their anti-virus program, and finds nothing.
Person A panics, and buys another anti-virus program, $50.
Person A scans machine with their new anti-virus program, and finds nothing.
Person A panics, and takes their machine to a computer shop. $150.

Your false notification just cost $200. Repeat 10 times for 10 people. $2000. Therefore, thousands is easily reached.

So if only one tenth of one percent (0.1% or *0.001) of the people that get notifications from you go to such extremes, then all you would need to do is get probed by this virus 10,000 times to cause thousands of dollars to be spent FOR NO REASON.

Since most of the forged sender viruses have reached millions of addresses within a couple days, it is VERY likely that tens of thousands have already been fooled into thinking they have a problem.

And I know of sites that have been hit by 50,000 to 80,000 copies of a virus on the first day. So if your site gained that sort of popularity for some reason, you could do some rather substantial financial damage just because you think you are helping people.

So please, get up to date on how viruses work, and realize your notifications are just as dangerous and damaging as the viruses themselves.

-------

--Eric
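
Added example, not part of the original message or of any scanner's own code: a sketch of the selective-notification policy the letter describes, suppressing sender notifications when the detected virus is known to forge the sender. The family list, function names, and sample verdicts are assumptions made for illustration.

```python
import re

# Assumption: illustrative list of worm families that forge the sender address.
# An admin would maintain this from their scanner vendor's advisories.
FORGING_FAMILIES = re.compile(r"klez|sobig|bugbear|yaha", re.IGNORECASE)

def notify_sender(virus_name, envelope_sender, forging=FORGING_FAMILIES):
    """Return (send, reason) for a sender notification about one infected mail."""
    sender = envelope_sender.strip().strip("<>")
    if not sender:
        return False, "null envelope sender; nothing to notify"
    if not virus_name:
        return False, "no virus name reported; cannot rule out a forged sender"
    if forging.search(virus_name):
        return False, "virus forges the sender; notification would hit a bystander"
    return True, "virus is not on the forging list"

def plan_notifications(verdicts):
    """Split scanner verdicts into notifications to send and ones to suppress."""
    send, suppress = [], []
    for virus_name, envelope_sender in verdicts:
        ok, reason = notify_sender(virus_name, envelope_sender)
        (send if ok else suppress).append((envelope_sender, virus_name, reason))
    return send, suppress

# Constructed sample verdicts: (virus name as a scanner might report it, envelope sender)
SAMPLE = [
    ("W32/Sobig.F@mm", "alice@example.org"),
    ("Worm.Klez.H", "<bob@example.net>"),
    ("Example.Macro.A", "carol@example.com"),  # hypothetical non-forging virus
    ("W32/Bugbear.B", "<>"),                   # null sender, e.g. a bounce
    ("", "dave@example.org"),                  # scanner gave no name
]

if __name__ == "__main__":
    send, suppress = plan_notifications(SAMPLE)
    for sender, virus, reason in send:
        print(f"NOTIFY   {sender!r:24} {virus!r:20} {reason}")
    for sender, virus, reason in suppress:
        print(f"SUPPRESS {sender!r:24} {virus!r:20} {reason}")
```
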
