Educause Security Discussion mailing list archives
Handling infection notifications sent to forged addresses
From: Joe St Sauver <JOE () OREGON UOREGON EDU>
Date: Wed, 4 Feb 2004 07:44:45 -0800
Hi,

The recent novarg/mydoom infection has made it clear to *lots* of people that antivirus vendors are not correctly handling the "AV notification problem." That is:

-- virtually all modern viruses forge the message body From: address in the mail they emit

-- unfortunately, some antivirus gateway products still are configured, or are user/administrator *configurable*, to send very excited "hey!!! you're infected!!!!" AV notifications to those forged From: addresses

-- for large worms, those misdirected warnings can generate a substantial amount of unwanted direct mail traffic, as well as a substantial unnecessary workload for support staff who may already be busy dealing with customers who really ARE infected, and who've been identified based on netflow data, IDS reports, campus-wide scans, or other means.

At least some folks have begun to consider those AV mis-notifications to be a sort of "spam" in and of themselves (see, for example, http://www.attrition.org/security/rant/av-spammers.html ).

You should also know that DNSBLs are beginning to be created which will list misconfigured hosts emitting virus "notifications" to forged From: addresses. If your mail host ends up on one of those lists, your mail will begin to get rejected just as if you were a spammer.

One example of this sort of DNSBL which I'm aware of is http://www.five-ten-sg.com/blackhole.php where a 127.0.0.9 code is associated with "Systems that send virus notifications (klez, sobig, etc) to the supposed sender. Most modern virii forge the return address, so these automated notifications are worthless and are treated here as spam." I have excellent reason to believe/I *know* that there will be others.

Given the possibility that you may end up being blacklisted if you operate an antivirus gateway that emits notifications to forged sender From: addresses, if you are currently configured that way, I would very carefully reconsider the desirability of continuing that strategy.
[Alternatively, if you've been looking for a DNSBL that lists folks who run misconfigured antivirus gateways of this sort, take heart, they're here/coming. :-) ]

Some alternatives to mis-notifying forged From:'s which you might want to consider include:

-- returning a rejection code to the sending *MTA* before the sending host disconnects (sometimes possible, sometimes not, depending on your mail processing and virus detection architecture, I know, I know)

-- silently dropping the infected message (yes, this violates the "deliver it or notify the originator about the non-delivery" principle, but remember, if you notify a forged From:, you're still not REALLY notifying the true originator of the message, now are you?)

-- notifying the *recipient* that a virus was blocked, and providing the host/dotted quad from which that traffic was received and who the blocked message was "From:" (ideally on an electable/opt-outable basis, and even then only on a periodic summary basis, not a realtime message-for-message basis)

You should also talk to your antivirus vendors to make SURE that THEY understand this issue. There aren't all that many antivirus vendors out there, and I'm firmly convinced that they CAN be educated.

Regards,

Joe St Sauver (joe () oregon uoregon edu)
University of Oregon Computing Center

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
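The recipient-side alternative described in the post above, as an added example that is not part of the original message and not code from the University of Oregon or any antivirus vendor: a gateway-side block log that never addresses anything to the claimed From:, records the IP the SMTP client actually connected from (taken from the topmost Received: header, the only hop the gateway itself observed), and produces a per-recipient summary for a periodic job to deliver, honouring an opt-out set. The message, recipient, detection name and the Received: header format (bracketed IPv4 literal, as most MTAs write it) are assumptions for the demonstration; the sample message is constructed.

```python
"""Added example: recipient-side block log and periodic summary.

Not code from the original post.  Demonstrates the third alternative in the
message: never mail the (forged) From: address, record the IP the SMTP client
connected from, and tell the intended recipient in a periodic summary.
Assumptions: the gateway passes the raw message, the envelope recipient and
the detection name; Received: headers carry the peer address as a bracketed
IPv4 literal; an outside scheduler calls flush().
"""
import re
from collections import defaultdict
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Bracketed IPv4 literal as most MTAs write it: "from host (host [192.0.2.7])"
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg: Message) -> str:
    """IP of the SMTP client that handed the message to our gateway.

    Each hop prepends a Received: header, so the first one is the header our
    own MTA wrote and the only hop we observed ourselves.  Everything below
    it, From: included, may have been written by the worm.
    """
    received = msg.get_all("Received") or []
    if not received:
        return "unknown"
    match = _BRACKETED_IP.search(received[0])
    return match.group(1) if match else "unknown"


class BlockLog:
    """Accumulates blocked messages per intended recipient."""

    def __init__(self):
        self._by_rcpt = defaultdict(list)
        self.opted_out = set()  # recipients who asked not to receive summaries

    def record(self, raw_message: str, envelope_rcpt: str, detection: str) -> dict:
        """Log one blocked message.  Returns the entry; sends nothing."""
        msg = message_from_string(raw_message)
        entry = {
            "ip": connecting_ip(msg),
            "claimed_from": parseaddr(msg.get("From", ""))[1] or "(none)",
            "subject": msg.get("Subject", "(none)"),
            "detection": detection,
        }
        self._by_rcpt[envelope_rcpt.lower()].append(entry)
        return entry

    def summary(self, envelope_rcpt: str) -> str:
        """Digest text for one recipient, or '' if nothing was blocked or the
        recipient opted out.  The claimed From: appears only as a label in
        the text; it is never used as a destination."""
        rcpt = envelope_rcpt.lower()
        entries = self._by_rcpt.get(rcpt, [])
        if not entries or rcpt in self.opted_out:
            return ""
        lines = [f"{len(entries)} infected message(s) addressed to {rcpt} were blocked:"]
        for e in entries:
            lines.append(f"  received from {e['ip']}, claimed From: {e['claimed_from']}, "
                         f"Subject: {e['subject']!r}, detection: {e['detection']}")
        return "\n".join(lines)

    def flush(self) -> dict:
        """Return all pending summaries keyed by recipient and clear the log.
        Meant to be called by a periodic job, not once per message."""
        out = {r: self.summary(r) for r in list(self._by_rcpt)}
        self._by_rcpt.clear()
        return {r: s for r, s in out.items() if s}


# Constructed sample of a worm-style message: the From: is forged, but the
# first Received: header (written by our own MX) names the real peer.
SAMPLE_INFECTED = """\
Received: from pc-1234.example.net (pc-1234.example.net [192.0.2.77])
    by mx.example.edu (Postfix) with SMTP id 4C9F1A0
    for <alice@example.edu>; Wed, 4 Feb 2004 07:00:00 -0800
From: bob@example.org
To: alice@example.edu
Subject: hello

(infected attachment omitted)
"""

if __name__ == "__main__":
    log = BlockLog()
    log.record(SAMPLE_INFECTED, "alice@example.edu", "W32/Mydoom")
    for rcpt, text in log.flush().items():
        print(text)
```

The summary for alice names 192.0.2.77 as the source and bob@example.org only as the address the worm claimed; nothing is ever generated for bob, which is the point of the post. Delivering the digests (and the SMTP-time 5xx rejection alternative) is left to the surrounding MTA, since that part depends on the gateway architecture.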
Current thread:
- Handling infection notifications sent to forged addresses Joe St Sauver (Feb 04)
- <Possible follow-ups>
- Re: Handling infection notifications sent to forged addresses Jere Retzer (Feb 05)