Educause Security Discussion mailing list archives

Handling infection notifications sent to forged addresses


From: Joe St Sauver <JOE () OREGON UOREGON EDU>
Date: Wed, 4 Feb 2004 07:44:45 -0800

Hi,

The recent novarg/mydoom infection has made it clear to *lots* of
people that antivirus vendors are not correctly handling the
"AV notification problem."

That is:

-- virtually all modern viruses forge the message body From: address in
   the mail they emit

-- unfortunately, some antivirus gateway products still are configured,
   or are user/administrator *configurable*, to send very excited
   "hey!!! you're infected!!!!" av notifications to those forged
   From: addresses

-- For large worms, those misdirected warnings can generate a substantial
   amount of unwanted direct mail traffic, as well as substantial
   unnecessary work load for support staff who may already be busy dealing
   with customers who really ARE infected, and who've been identified based
   on netflow data, IDS reports, campus wide scans, or other means.

At least some folks have begun to consider those AV mis-notifications
to be a sort of "spam" in-and-of themselves (see, for example
http://www.attrition.org/security/rant/av-spammers.html )

You should also know that DNSBL's are beginning to get created which
will begin to list misconfigured hosts emitting virus "notifications" to
forged From: addresses. If your mail host ends up on one of those
lists, your mail will begin to get rejected just as if you were a
spammer.

One example of this sort of DNSBL which I'm aware of is
http://www.five-ten-sg.com/blackhole.php where a 127.0.0.9 code is
associated with

   "Systems that send virus notifications (klez, sobig, etc) to the
   supposed sender. Most modern virii forge the return address, so
   these automated notifications are worthless and are treated here
   as spam."

I have excellent reason to believe/I *know* that there will be others.

Given the possibility that you may end up being blacklisted if you
operate an antivirus gateway that emits notifications to forged sender
From: addresses, if you are currently configured that way, I would
very carefully reconsider the desirability of continuing that strategy.

[Alternatively, if you've been looking for a DNSBL that lists folks
who run misconfigured antivirus gateways of this sort, take heart,
they're here/coming. :-) ]

Some alternatives to mis-notifying forged From:'s which you might want
to consider might include:

-- returning a rejection code to the sending *MTA* before the sending
   host disconnects (sometimes possible, sometimes not, depending on
   your mail processing and virus detection architecture, I know, I know)

-- silently dropping the infected message (yes, this violates the
   "deliver it or notify the originator about the non-delivery" principle,
   but remember, if you notify a forged From:, you're still not
   REALLY notifying the true originator of the message, now are you?)

-- notifying the *recipient* that a virus was blocked, and providing
   the host/dotted quad from which that traffic was received and who
   the blocked message was "From:" (ideally on an electable/opt-outable
   basis, and even then only on a periodic summary basis, not a realtime
   message-for-message basis)
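The three alternatives above, modelled as a gateway decision routine. This is an added example, not code from the post or from any AV product; the message fields, RFC 5737 test addresses and virus names are constructed sample data, and "in_session" stands in for whatever your architecture uses to know the sending MTA is still connected.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed model of a message the gateway has just flagged (sample data, not a real capture).
@dataclass
class BlockedMessage:
    recipient: str      # the real local recipient
    claimed_from: str   # body "From:" header; assumed forged by the worm
    relay_ip: str       # dotted quad the message was actually received from
    virus_name: str
    in_session: bool    # True if the scan finished before the sending MTA disconnected

@dataclass
class GatewayPolicy:
    # Per-recipient list of blocked events, flushed as a periodic summary, never per message.
    digests: dict = field(default_factory=lambda: defaultdict(list))
    opted_out: set = field(default_factory=set)

    def handle(self, msg: BlockedMessage) -> str:
        """Decide what to do with a flagged message. Never mails msg.claimed_from."""
        if msg.in_session:
            # Reject to the sending MTA while it is still connected: that MTA
            # owns any bounce, so nothing from us reaches the forged From: address.
            return "550 5.7.1 message rejected: %s detected" % msg.virus_name
        # Scan finished after the session closed: drop silently, but keep a
        # record so the *recipient* can be told in a summary if they want it.
        if msg.recipient not in self.opted_out:
            self.digests[msg.recipient].append(msg)
        return "DROPPED"

    def render_digest(self, recipient: str) -> str:
        """Build the periodic summary for one recipient; empty if nothing was blocked."""
        events = self.digests.get(recipient, [])
        if not events:
            return ""
        lines = ["%d infected message(s) addressed to you were blocked:" % len(events)]
        for e in events:
            lines.append("  %s from relay %s, header From: %s"
                         % (e.virus_name, e.relay_ip, e.claimed_from))
        lines.append("(The From: address is almost certainly forged; it was not notified.)")
        return "\n".join(lines)

if __name__ == "__main__":
    p = GatewayPolicy()
    print(p.handle(BlockedMessage("bob@example.edu", "alice@example.org", "192.0.2.10", "W32/Mydoom", True)))
    print(p.handle(BlockedMessage("bob@example.edu", "carol@example.net", "192.0.2.11", "W32/Mydoom", False)))
    print(p.render_digest("bob@example.edu"))
```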

You should also talk to your antivirus vendors to make SURE that THEY
understand this issue. There aren't all that many antivirus vendors out
there, and I'm firmly convinced that they CAN be educated.

Regards,

Joe St Sauver (joe () oregon uoregon edu)
University of Oregon Computing Center
