Unless you have been asleep for the past 7 hours, you probably have been hit by the latest virus infection for our great globe, the Novarg or Doom or MiMail (new version). Ho-hum, another fast-spreading virus:
Time will tell if this is a serious problem or just a blipple on the pimple of email. But, since this is GQ, my question is, why do the email filter programs assume so trustingly that the address in the “from” field is the true sender of a malware email? Don’t we (humans) all know that the sender is routinely spoofed, and the “from” field is most likely bogus?
So why am I so concerned? Because, along with the hundreds of true virus-attached emails I have been getting today are many more that have been bounced by virus scanners (typically hosted at ISPs, who should know better). This just increases the traffic by attempting to warn me that my computer is sending out the junk. (It’s not, I am not infected, and you can take that to the bank.) This just makes the problem worse.
So why haven’t the scanners learned what we all knew many years ago? Why is the solution software part of the problem?
Yes, it can be a pain in the ass, but in the long run it’s probably better than silence.
The bounce messages probably ought to be worded differently, based on the detected virus, and they bleeding well ought not to forward any attachments, (WTF?) but they contain useful information, in a global sense.
Someone who is being flooded with bounced messages is motivated to try to find out who on their contact list is infected and give them a heads up. (I found myself in this position with klez at its peak.) I was able to deduce who was infected based on where the messages were being bounced back from, after taking the time to contact some of the live addresses that were being filtered.
Which means the virus-scanner is basically saying “I know my user is too stupid to deal with this alone so I’m going to inflict pain on random people to force them to come to his aid”. Sure it works, but it’s a sociopathic strategy.
The virus scanners know perfectly well that the email addresses aren’t valid and the bounce messages are not just ineffective but counterproductive because they add virtually useless traffic at a time when traffic is already spiked and a lot of systems (both infected and under deluge) are trying to dig out from under. They bounce because that’s what they’ve always done and they’re too lazy to change. It’s been pointed out to the virus-scanner makers many times and some of them are starting to get clueful, at least claiming that they will add config options to turn off bounces.
That works if you have a small address book, and if the virus (like Klez) obtains all its addresses from scanning through an infected computer.
But the Doom virus also generates a list from common names like Bob, Joe, Alice, Adam and concatenates these with @(domain).
The amount of effort that would go into diagnosing my junk would be unrewarding.
I wonder why the bouncer/scanner programs don’t read the actual header – there are IP numbers in there that are more likely reliable than the visible “public” header info that is apparently being used.
Exactly right. If the virus scanners were so motivated, they could include SpamCop-esque features to assist the user. They could provide reports which correlated data from multiple bounce messages. Or they could just shut up and not make matters worse. Instead, they DoS innocent bystanders.
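As an added illustration of the two suggestions above (reading the real Received: stamps instead of the From: line, and correlating several worm copies into one report), here is a small Python sketch. It is example code written for this page, not something posted by anyone in the thread or shipped by any scanner vendor. The sample messages, relay names and IP addresses are all constructed, and the TRUSTED_RELAYS set is an assumption standing in for whichever mail servers you actually operate or trust:

```python
import email
import re
from collections import Counter
from email.utils import parseaddr

# Assumed trust list: MTAs we operate or whose Received: stamps we accept.
# Stamps that none of these hosts wrote (including Received: lines the worm
# itself pre-forged into the message) are ignored.
TRUSTED_RELAYS = {"mail.example.org", "mx.example-isp.net"}

# One Received: stamp looks like "from <helo> ... [<ip>] ... by <host> ...".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>\S+)",
    re.S,
)

# Constructed sample: one worm copy. The From: line is forged, but the two
# trusted stamps at the top show it really arrived from 203.0.113.77. The
# bottom stamp was fabricated by the worm to point at yet another bystander.
SAMPLE_INFECTED = """\
Received: from mx.example-isp.net ([192.0.2.10]) by mail.example.org with ESMTP; Tue, 27 Jan 2004 10:00:00 -0500
Received: from bob-pc ([203.0.113.77]) by mx.example-isp.net with SMTP; Tue, 27 Jan 2004 09:59:58 -0500
Received: from alice-laptop ([198.51.100.5]) by smtp.example.com with SMTP; Tue, 27 Jan 2004 09:59:50 -0500
From: alice@example.com
To: carol@example.org
Subject: hi

(worm body and attachment omitted)
"""

# Second constructed copy from the same infected host, with a different forged sender.
SAMPLE_INFECTED_2 = """\
Received: from mx.example-isp.net ([192.0.2.10]) by mail.example.org with ESMTP; Tue, 27 Jan 2004 10:03:00 -0500
Received: from bob-pc ([203.0.113.77]) by mx.example-isp.net with SMTP; Tue, 27 Jan 2004 10:02:58 -0500
From: dave@example.net
To: carol@example.org
Subject: test

(worm body and attachment omitted)
"""


def claimed_sender(raw: str) -> str:
    """The address in From:, i.e. where a naive bouncer would send its warning."""
    return parseaddr(email.message_from_string(raw)["From"])[1]


def originating_ip(raw: str, trusted=TRUSTED_RELAYS):
    """Walk the Received: stamps newest-first and return the IP that handed the
    message to the last trusted relay. Stop at the first stamp written by an
    untrusted host, because everything below it could have been forged."""
    msg = email.message_from_string(raw)
    origin = None
    for stamp in msg.get_all("Received", []):
        m = RECEIVED_RE.search(stamp)
        if m is None or m["by"] not in trusted:
            break
        origin = m["ip"]
    return origin


def correlate_origins(raws, trusted=TRUSTED_RELAYS) -> Counter:
    """Count worm copies per real source IP, ignoring the forged From: lines."""
    return Counter(ip for ip in (originating_ip(r, trusted) for r in raws) if ip)


if __name__ == "__main__":
    for raw in (SAMPLE_INFECTED, SAMPLE_INFECTED_2):
        print(f"From: claims {claimed_sender(raw):<20} real origin {originating_ip(raw)}")
    print("copies per origin:", dict(correlate_origins([SAMPLE_INFECTED, SAMPLE_INFECTED_2])))
```

Run stand-alone it shows both copies claiming different senders while sharing one real origin; a scanner built this way would have one IP to report to the ISP’s abuse desk instead of two bogus addresses to bounce to. The trust boundary matters: if you only trust your own server (pass `trusted={"mail.example.org"}`), the best answer is the ISP relay’s IP, which is still more useful than the From: line.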
Virus scanners have very little motivation to change their bounces. If you want to be cynical, it is in their best interest to make every virus outbreak as “loud” and painful as possible in order to draw attention to themselves. By bouncing messages to obviously forged addresses, they increase the overall bandwidth consumed by the virus and make it that much more likely that the media will take notice and publish stories about the problem. This raises public awareness and people go out to buy/upgrade their virus protection. In addition, every bounce acts as a banner ad for the virus scanner; I may know I didn’t really send those infected emails and be annoyed by the bounces, but I’m subliminally impressed that the scanner caught them all. If the virus scanners thought they could get away with spontaneously broadcasting a “look at me” ad to everyone in your address book, they would. Since they know that might bring a backlash, indiscriminately bouncing to forged addresses is the next best thing.
Since this is GQ and not GD or the Pit, I won’t tell you how I really feel…
I’m sure there is something in what you say, micco, but a lot of that sounds like “conspiracy theory.” Wouldn’t it be a good sales tool for scanners to say that they were intelligent and actually helping?
I’m not complaining about the bounces; those can be useful in legitimate cases. My complaint/question is about the lack of concern as to where the messages really came from and where they get bounced to.
And GorillaMan, you may be spared, but I’ll bet your ISP is going crazy with extra traffic, and if its scanner is like most, it is adding to the problem for others. Consider yourself lucky.
Just FTR, I’m definitely not endorsing any of the conspiracy theories which say companies like McAfee and Symantec create viruses. I’m just pointing out that these companies have very little motivation to fix their bounce messages because they’re a marketing feature regardless of where they go. It would be a nice feature for a virus scanner to handle this well, but that’s a fairly minor feature. They’re banking on their main features of blocking effectiveness and update convenience, and how they handle bounces isn’t even an issue for most users. Until the majority of users starts regarding the current behavior as broken, there’s no motivation to change, and it’s completely possible that the majority of users simply don’t care one way or the other.
As GorillaMan points out, a lot of this filtering is being driven upstream to the ISP. That doesn’t change the problem since the filtering used at the ISP is still sending bounces to forged senders, but it may motivate change. The ISPs are generally more clueful, their mailservers are hit by the traffic of all the irrelevant bounces, and they are in a better position to pressure the virus scanner companies who want to market “enterprise” class solutions to them.
It all goes under “It seemed like a good idea at the time” – and it was.
Back when mass mailers used existing mail servers, the message helped people learn that they were infected. A warning that you sent an e-mail with the Melissa virus was very helpful and helped cut its spread.
Now that mass mailers spoof the e-mail address, though, it’s less useful, flooding mailboxes with messages that aren’t useful at all (and scare a lot of people who aren’t really infected). However, it isn’t the software that’s the problem. It can be configured so that it doesn’t send out a warning. It’s the ISPs, who don’t turn that feature off.
In addition, it is still useful for some viruses. I think you can shut it off for particular viruses, but the problem is that a new virus is automatically in the “warn the sender” list.
Well, blow me down and infect me with a virginal worm. Here’s a pretty good rant about the anti-virus industry being no better than the viruses themselves, at least bounced-message-wise. Pretty much what micco said.
Good idea, but that would be a full-time job for my mailbox.