Re: MEI Whitelist Autoresponse
on Mon, Sep 01, 2003 at 10:51:06AM +1000, Andrew Pollock ([EMAIL PROTECTED]) wrote: On Sat, Aug 30, 2003 at 01:45:18PM +0300, Richard Braakman wrote: I think virus scanners are in a different class, though. Mailing list software isn't designed to recognize viruses, while virus scanners are. It's disgustingly incompetent to recognize a mail as Sobig.F, which is known to fake the sender, and then reply to it anyway. (And yes, I get a lot of notifications that mention Sobig.F by name.) The (granted, commercial) SMTP virus scanners that I've had experience with don't allow you to modify the notification behavior on a per virus signature basis, it's either all on or all off. That is a problem for the vendor. If the vendor can't modify their software to differentiate, then notification should simply be off. Peace. -- Karsten M. Self kmself@ix.netcom.com http://kmself.home.netcom.com/ What Part of Gestalt don't you understand? Scandinavian Designs: Cool furniture, affordable prices, great service, satisfied customer. http://www.scandinaviandesigns.com/
Re: MEI Whitelist Autoresponse
Andrew writes: The (granted, commercial) SMTP virus scanners that I've had experience with don't allow you to modify the notification behavior on a per virus signature basis, it's either all on or all off. The signature file sent out by the vendor should tell the scanner whether or not to send notices. -- John Hasler [EMAIL PROTECTED] Dancing Horse Hill Elmwood, Wisconsin
Re: MEI Whitelist Autoresponse
On Fri, Aug 29, 2003 at 09:20:53AM +1000, Russell Coker wrote: The comparison to mailing list software makes no sense. Maybe not in the context of viruses, but for the Joe Job problem it does. Viruses can and should be filtered out before they reach the C-R system. --Adam -- Adam McKenna [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: MEI Whitelist Autoresponse
On Thu, Aug 28, 2003 at 07:12:47PM -0700, Joshua Kwan wrote: Hmm, how about giving tmda its own special header so we can auto-filter out messages from people who use C-R systems? It adds itself to X-Delivery-Agent, so it's not hard to filter out. I've started capturing C-R signatures where I can find them and adding them to procmail /dev/null recipes. Haven't got many yet, but I'm working on it. -- Marc Wilson | Stop searching. Happiness is right next to you. [EMAIL PROTECTED] | Now, if they'd only take a bath ...
Re: MEI Whitelist Autoresponse
On Thu, Aug 28, 2003 at 02:55:35PM -0700, Adam McKenna wrote: How many were challenges from mailing list software? Yes, another class of software that automatically issues challenges (specifically, to new subscriptions and to non-list members if the list is closed). So I guess you should also file bugs against majordomo, mailman, ezmlm-src, and any other mailing list managers that do this. I think virus scanners are in a different class, though. Mailing list software isn't designed to recognize viruses, while virus scanners are. It's disgustingly incompetent to recognize a mail as Sobig.F, which is known to fake the sender, and then reply to it anyway. (And yes, I get a lot of notifications that mention Sobig.F by name.) Richard Braakman
Re: MEI Whitelist Autoresponse
On Thu, Aug 28, 2003 at 08:59:04PM -0700, Joshua Kwan wrote: On Fri, Aug 29, 2003 at 01:51:58PM +1000, Russell Coker wrote: It's a bit extreme but I'm sick of deleting such messages, especially in light of the Blaster worm. Not extreme at all. I imagine there are some legitimate people I might receive emails from, reply to them and never know it didn't get sent. That's my only problem with this approach, although it would be possible to tell procmail to stick C-R responses into some special folder... Do you *really* want to converse with people so clue-adverse that they don't whitelist people they send mail to? I don't think I'd want to. Might catch some of that stupidity. Lord knows I suffer enough already. - Matt
Re: MEI Whitelist Autoresponse
on Fri, Aug 29, 2003 at 09:20:53AM +1000, Russell Coker ([EMAIL PROTECTED]) wrote: On Fri, 29 Aug 2003 07:55, Adam McKenna wrote: My own inbox supports this statement. 140 responses to Sobig.F mails, of which 43 are virus or other content-based autoresponders, and 97 being delivery failure messages or other autoresponders (e.g.: ISP help desk). How many were challenges from mailing list software? Yes, another class of software that automatically issues challenges (specifically, to new subscriptions and to non-list members if the list is closed). So I guess you should also file bugs against majordomo, mailman, ezmlm-src, and any other mailing list managers that do this. The comparison to mailing list software makes no sense. I am prepared to put up with majordomo or mailman responses to virus messages because it's for the greater good. Having a single unwanted message go to me is much better than having that message being sent out to each of the 10,000 people on a big mailing list! For challenge-response systems it's totally different. I don't want to receive a single message because a lazy asshole wants to push all his problems on other people. People who take the attitude of "Sobig wasn't a problem, my machine just sent out 4000 challenge messages to random victims" can only be described as lazy assholes. Karsten M. Self repeats the preceding allegations of the Complaint as if set forth here in full[1]. Mailing lists are a rather small subset of all mail recipients, though they may be overrepresented in address lists harvested by spammers. In addition, however, list software _should_ filter virus and spam mail prior to sending a "your message to foo list awaits moderation". Peace. Notes: 1. Someone has been spending too much time reading legal docs. -- Karsten M. Self kmself@ix.netcom.com http://kmself.home.netcom.com/ What Part of Gestalt don't you understand? SCO vs IBM Linux lawsuit info: http://sco.iwethey.org
Re: MEI Whitelist Autoresponse
On Thu, Aug 28, 2003 at 09:20:49PM +0100, Karsten M. Self wrote: The virus responses are irresponsible, and have been for almost two years as the number of sender-spoofing emails has grown. BTW, amavisd-new has

# Treat envelope sender address as unreliable and don't send sender
# notification / bounces if name(s) of detected virus(es) match the list.
# Note that virus names are supplied by external virus scanner(s) and are
# not standardized, so virus names may need to be adjusted.
# See README.lookups for syntax.
# $viruses_that_fake_sender_re = new_RE( qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i );

-- 2. That which causes joy or happiness.
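Added example, not part of the thread and not amavisd-new's own code: a Python sketch of the per-virus-name notification decision that the quoted amavisd-new setting describes, using the same name list. The function names, the sample scanner names and addresses, and the extra null-sender check are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Name list taken from the amavisd-new setting quoted above; matched
# case-insensitively, as the trailing "i" on the Perl regex requests.
FAKES_SENDER_RE = re.compile(
    r"nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    notify_sender: bool
    reason: str


def sender_notification(virus_names, envelope_sender):
    """Decide whether a virus notice may go to the envelope sender.

    virus_names: names reported by the external scanner(s) for one message.
    envelope_sender: the SMTP MAIL FROM address ("<>" or "" for bounces).
    """
    if not virus_names:
        return Verdict(False, "clean: nothing to report")
    # Assumption beyond the quoted setting: a null reverse-path marks a
    # bounce, and answering it would only create more backscatter.
    if envelope_sender.strip() in ("", "<>"):
        return Verdict(False, "null envelope sender")
    # One forging name is enough: the sender address cannot be trusted.
    forging = [n for n in virus_names if FAKES_SENDER_RE.search(n)]
    if forging:
        return Verdict(False, "sender-forging malware: " + ", ".join(forging))
    return Verdict(True, "sender address not known to be forged")


def tally(scan_results):
    """Return (notices sent, notices suppressed) for infected messages."""
    sent = suppressed = 0
    for sender, names in scan_results:
        if not names:
            continue  # clean mail never produces a notice
        if sender_notification(names, sender).notify_sender:
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed


# Constructed sample: (envelope sender, names as different scanners spell them).
SAMPLE_SCANS = [
    ("alice@example.org", ["W32/Sobig.f@MM"]),
    ("bob@example.net", ["Worm.SoBig.F"]),
    ("<>", ["Eicar-Test-Signature"]),
    ("carol@example.com", ["Eicar-Test-Signature"]),
    ("dave@example.org", ["I-Worm.Klez.h", "Eicar-Test-Signature"]),
]

if __name__ == "__main__":
    for sender, names in SAMPLE_SCANS:
        print(sender, names, sender_notification(names, sender))
    print("sent, suppressed =", tally(SAMPLE_SCANS))
```

Because the match is a substring test on vendor-chosen names, the list has to be reviewed against what the deployed scanner actually reports, as the quoted comment warns.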
Re: MEI Whitelist Autoresponse
On Fri, 29 Aug 2003 07:55, Adam McKenna wrote: My own inbox supports this statement. 140 responses to Sobig.F mails, of which 43 are virus or other content-based autoresponders, and 97 being delivery failure messages or other autoresponders (e.g.: ISP help desk). How many were challenges from mailing list software? Yes, another class of software that automatically issues challenges (specifically, to new subscriptions and to non-list members if the list is closed). So I guess you should also file bugs against majordomo, mailman, ezmlm-src, and any other mailing list managers that do this. The comparison to mailing list software makes no sense. I am prepared to put up with majordomo or mailman responses to virus messages because it's for the greater good. Having a single unwanted message go to me is much better than having that message being sent out to each of the 10,000 people on a big mailing list! For challenge-response systems it's totally different. I don't want to receive a single message because a lazy asshole wants to push all his problems on other people. People who take the attitude of "Sobig wasn't a problem, my machine just sent out 4000 challenge messages to random victims" can only be described as lazy assholes. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
Re: MEI Whitelist Autoresponse
On Fri, Aug 29, 2003 at 11:37:57AM +1000, Russell Coker wrote: If someone is to Joe-Job me then I'd rather that mailing lists bounce the messages, if it gets bad I could filter out all mailing list messages temporarily. Hmm, how about giving tmda its own special header so we can auto-filter out messages from people who use C-R systems? It's a bit extreme but I'm sick of deleting such messages, especially in light of the Blaster worm. -- Joshua Kwan
Re: MEI Whitelist Autoresponse
On Fri, 29 Aug 2003 09:47, Adam McKenna wrote: On Fri, Aug 29, 2003 at 09:20:53AM +1000, Russell Coker wrote: The comparison to mailing list software makes no sense. Maybe not in the context of viruses, but for the Joe Job problem it does. If someone is to Joe-Job me then I'd rather that mailing lists bounce the messages, if it gets bad I could filter out all mailing list messages temporarily. If someone Joe-Jobbing me results in messages from me getting delivered to mailing lists then that would be worse than having the lists bounce them IMHO (before you ask, I've been Joe-Jobbed before). When someone else gets Joe-Jobbed I'd rather deal with the spam using DNSBL and spam-assassin to protect myself. For spam that gets through that I would rather just report it to SpamCop myself than add to the problems of the poor sod who's being Joe-Jobbed. Viruses can and should be filtered out before they reach the C-R system. True, that's one of the things that should be in large warnings on any C-R system in Debian. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
Re: MEI Whitelist Autoresponse
On Thu, Aug 28, 2003 at 09:20:49PM +0100, Karsten M. Self wrote: on Thu, Aug 28, 2003 at 01:03:37AM -0700, Adam McKenna ([EMAIL PROTECTED]) wrote: Also, I don't have any hard data to support this, but it's obvious to me that the volume of mail generated by virus scanners in response to Sobig.f eclipses the volume of TMDA challenges by at least a factor of 10. So far, I haven't received *one* TMDA challenge that was due to Sobig, but I've received *hundreds* of messages from virus scanners all over the net. So, I guess we should add virus scanners to the list of verboten software. My own inbox supports this statement. 140 responses to Sobig.F mails, of which 43 are virus or other content-based autoresponders, and 97 being delivery failure messages or other autoresponders (e.g.: ISP help desk). How many were challenges from mailing list software? Yes, another class of software that automatically issues challenges (specifically, to new subscriptions and to non-list members if the list is closed). So I guess you should also file bugs against majordomo, mailman, ezmlm-src, and any other mailing list managers that do this. --Adam -- Adam McKenna [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: MEI Whitelist Autoresponse
On Fri, 29 Aug 2003 12:12, Joshua Kwan wrote: On Fri, Aug 29, 2003 at 11:37:57AM +1000, Russell Coker wrote: If someone is to Joe-Job me then I'd rather that mailing lists bounce the messages, if it gets bad I could filter out all mailing list messages temporarily. Hmm, how about giving tmda its own special header so we can auto-filter out messages from people who use C-R systems? Sounds like a good idea! Or even better don't make it a TMDA header make it a generic C-R header, I don't want a header check rule for every C-R system out there. It's a bit extreme but I'm sick of deleting such messages, especially in light of the Blaster worm. Not extreme at all. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
Re: MEI Whitelist Autoresponse
On Fri, Aug 29, 2003 at 01:51:58PM +1000, Russell Coker wrote: It's a bit extreme but I'm sick of deleting such messages, especially in light of the Blaster worm. Not extreme at all. I imagine there are some legitimate people I might receive emails from, reply to them and never know it didn't get sent. That's my only problem with this approach, although it would be possible to tell procmail to stick C-R responses into some special folder... And once you have reached that point it's nearly as bad as not filtering them at all. Granted, lack of a reply is earned punishment for using a C-R system IMNSHO. -- Joshua Kwan
Re: MEI Whitelist Autoresponse
On Wed, Aug 27, 2003 at 09:26:34PM -0700, Aaron Lehmann wrote: On Wed, Aug 27, 2003 at 08:30:05AM -0400, [EMAIL PROTECTED] wrote: Your message to [EMAIL PROTECTED] has been quarantined! You only need to do this once, but this time, you must verify that you are a human. I almost wonder if someone sent this intentionally in light of the TMDA bug thread. Either way, it presents a convincing argument. Yes, it does present a very good example of poorly written C-R software. Paul should switch to TMDA. --Adam -- Adam McKenna [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: MEI Whitelist Autoresponse
On Wed, Aug 27, 2003 at 08:30:05AM -0400, [EMAIL PROTECTED] wrote: Your message to [EMAIL PROTECTED] has been quarantined! You only need to do this once, but this time, you must verify that you are a human. I almost wonder if someone sent this intentionally in light of the TMDA bug thread. Either way, it presents a convincing argument.
Re: MEI Whitelist Autoresponse
On Wed, 27 Aug 2003 21:39:43 -0700, Adam McKenna [EMAIL PROTECTED] wrote: Yes, it does present a very good example of poorly written C-R software. Paul should switch to TMDA. In which way would have TMDA avoided sending a challenge to the header-from: of a sobig.f instance? Greetings Marc -- -- !! No courtesy copies, please !! - Marc Haber | Questions are the | Mail address in header Karlsruhe, Germany | Beginning of Wisdom | Fon: *49 721 966 32 15 Nordisch by Nature | Lt. Worf, TNG Rightful Heir | Fax: *49 721 966 31 29
Re: MEI Whitelist Autoresponse
On Thu, Aug 28, 2003 at 08:20:52AM +0200, Marc Haber wrote: On Wed, 27 Aug 2003 21:39:43 -0700, Adam McKenna [EMAIL PROTECTED] wrote: Yes, it does present a very good example of poorly written C-R software. Paul should switch to TMDA. In which way would have TMDA avoided sending a challenge to the header-from: of a sobig.f instance? TMDA doesn't send challenges to From: addresses, it sends them to the envelope sender (Return-Path) address. But to answer your question, it is trivial to create a filter that drops such messages instead of sending challenges. I have updated my personal filters to make sure this doesn't happen again, and other users of TMDA should do the same. Also, I don't have any hard data to support this, but it's obvious to me that the volume of mail generated by virus scanners in response to Sobig.f eclipses the volume of TMDA challenges by at least a factor of 10. So far, I haven't received *one* TMDA challenge that was due to Sobig, but I've received *hundreds* of messages from virus scanners all over the net. So, I guess we should add virus scanners to the list of verboten software. --Adam -- Adam McKenna [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: MEI Whitelist Autoresponse
On Thu 28/08/2003 at 10:03, Adam McKenna wrote: In which way would have TMDA avoided sending a challenge to the header-from: of a sobig.f instance? TMDA doesn't send challenges to From: addresses, it sends them to the envelope sender (Return-Path) address. Nice, but sobig.f also forges the return-path. Also, I don't have any hard data to support this, but it's obvious to me that the volume of mail generated by virus scanners in response to Sobig.f eclipses the volume of TMDA challenges by at least a factor of 10. So far, I haven't received *one* TMDA challenge that was due to Sobig, but I've received *hundreds* of messages from virus scanners all over the net. So, I guess we should add virus scanners to the list of verboten software
Re: MEI Whitelist Autoresponse
On Thu, Aug 28, 2003 at 01:03:37AM -0700, Adam McKenna wrote: On Thu, Aug 28, 2003 at 08:20:52AM +0200, Marc Haber wrote: On Wed, 27 Aug 2003 21:39:43 -0700, Adam McKenna [EMAIL PROTECTED] wrote: Yes, it does present a very good example of poorly written C-R software. Paul should switch to TMDA. In which way would have TMDA avoided sending a challenge to the header-from: of a sobig.f instance? TMDA doesn't send challenges to From: addresses, it sends them to the envelope sender (Return-Path) address. FWIW, the From: and envelope sender of every sample of Sobig.F I have are identical. -- Colin Watson [EMAIL PROTECTED]
Re: MEI Whitelist Autoresponse
On Wed, 27 Aug 2003, Aaron Lehmann wrote: On Wed, Aug 27, 2003 at 08:30:05AM -0400, [EMAIL PROTECTED] wrote: Your message to [EMAIL PROTECTED] has been quarantined! You only need to do this once, but this time, you must verify that you are a human. I almost wonder if someone sent this intentionally in light of the TMDA bug thread. Either way, it presents a convincing argument. For me, it's a convincing argument that this list (debian-devel) should only be open to subscribers and registered people (via the whitelist) The listmaster reports that they have no less than 42 different checks for anti-virus notices and dozens more for other random crap, and as everybody will clearly see, it's still not enough to have the list clean and probably it will never be. Not that I'm in favor or against C-R systems, but I think our mailing lists should not multiply the stupidity of people by several thousands.
Re: MEI Whitelist Autoresponse
on Thu, Aug 28, 2003, Adam McKenna ([EMAIL PROTECTED]) wrote: So, I guess we should add virus scanners to the list of verboten software. How about we qualify that; virus scanners that stupidly send email ? P. -- [EMAIL PROTECTED] The IWETHEY project: http://www.iwethey.org
Re: MEI Whitelist Autoresponse
On Thu, Aug 28, 2003 at 01:03:37AM -0700, Adam McKenna wrote: Also, I don't have any hard data to support this, but it's obvious to me that the volume of mail generated by virus scanners in response to Sobig.f eclipses the volume of TMDA challenges by at least a factor of 10. So far, I haven't received *one* TMDA challenge that was due to Sobig, but I've received *hundreds* of messages from virus scanners all over the net. Yes, and every single administrator that's configured their virus scanner to bounce to envelope deserves a swift kick upside the head. So, I guess we should add virus scanners to the list of verboten software. No, but they should be configured to *not* bounce to envelope sender. As for email challenges, I've actually received a lot of them. Every single one of them so far has been for messages I have not sent (spam and viruses with my forged email address). I no longer read them, but dump them just like I dump the 'virus in your email' messages. So, if I ever send mail to a legitimate person who has CR, he's never going to get my message, because I refuse to waste my time reading CR requests any more. -- Dave Carrigan Seattle, WA, USA [EMAIL PROTECTED] | http://www.rudedog.org/ | ICQ:161669680 UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-C++-DNS-PalmOS-PostgreSQL-MySQL
Re: MEI Whitelist Autoresponse
on Thu, Aug 28, 2003 at 01:03:37AM -0700, Adam McKenna ([EMAIL PROTECTED]) wrote: Also, I don't have any hard data to support this, but it's obvious to me that the volume of mail generated by virus scanners in response to Sobig.f eclipses the volume of TMDA challenges by at least a factor of 10. So far, I haven't received *one* TMDA challenge that was due to Sobig, but I've received *hundreds* of messages from virus scanners all over the net. So, I guess we should add virus scanners to the list of verboten software. My own inbox supports this statement. 140 responses to Sobig.F mails, of which 43 are virus or other content-based autoresponders, and 97 being delivery failure messages or other autoresponders (e.g.: ISP help desk). The bounces can be reduced. The virus responses are irresponsible, and have been for almost two years as the number of sender-spoofing emails has grown. I LART a fair number of the responders, report them to spam-reporting systems, and frequently bounce the mail to the AV vendor(s) responsible with a nastygram (procmail recipes). Strongly encouraging virus autoresponders be disabled is also an independent campaign I've been active in and plan to take to the IT media mainstream. Peace. -- Karsten M. Self kmself@ix.netcom.com http://kmself.home.netcom.com/ What Part of Gestalt don't you understand? I managed to love simultaneously -- and this is not easy -- women and justice. -- Albert Camus, _The Fall_