I've put up on my home page a plea for mail admins to stop bouncing email viruses as it just adds to the problem.
I'm wondering what it would take to really amplify this message to the point it becomes common knowledge. How do we get the message out there that bouncing viruses is harmful to the point where Joe Corp Mail Admin knows this?
I'll let you decide which are which.
Re:Ideas, some stupid, some maybe not so stupid
bart on 2003-08-24T16:09:40
Add them in the next version of SpamAssasin.
Disclaimer: I do AV/Anti-spam for ~ 250,000 folk. Many of my e-mail addresses are also plastered all over the 'net, so I get plenty of these bounces too.
Still, from my perspective, mail must *not* get lost. Failure to deliver a message to it's recipient must *always* generate a bounce message (i.e., an SMTP 5xx error).
Why? Because I don't trust anti-virus software to always do the right thing. I don't trust anti-spam software to always do the right thing. I don't trust *BLs and local block lists to always be 100% accurate.
Silently dropping mail on the floor just isn't an option. Because sooner or later you'll drop something important.
N
Re:Is bouncing bad?
chromatic on 2003-08-20T17:00:06
I fail to see how an automated message saying "A message you didn't send to someone you don't know couldn't be delivered" is useful.
Re:Is bouncing bad?
nik on 2003-08-20T20:08:47
I fail to see how an automated message saying "A message you didn't send to someone you don't know couldn't be delivered" is useful.It's not. And if you've got an algorithm that can determine when to silently drop mail on the floor with no false positives, I'm all ears. But RFC 2821, s4.2.5 is quite clear on an MTA's responsibilities after it accepts a message. I don't think picking and choosing which bits of an RFC to implement is a good idea.
Yes, 2821 is in need of an update to deal with today's Internet, but at the moment, it's the best we've got.
Although having said that, things like SPF and RMX look interesting.
N
Re:Is bouncing bad?
gav on 2003-08-21T00:18:09
> I don't think picking and choosing which bits of an RFC to implement is a good idea
I do. Please feel free to not do things that are obviously broken. It wasn't that long ago that an RFC called for all SMTP servers to be open relays.Re:Is bouncing bad?
chromatic on 2003-08-21T01:11:02
If you can detect that the message contains a virus, don't send the virus back. If you can detect which virus the message contains, you can tell whether the virus spoofs e-mail addresses. If it does, don't even send a bounce.
I gather from the fact that so many of these bounce messages say "Your message tested positive for Sobig" that both points are actually possible — and pratical.
Re:Is bouncing bad?
nik on 2003-08-21T08:54:29
If you can detect that the message contains a virus, don't send the virus back.Doesn't work if you're trying to save cycles for wanted mail, and rejecting messages based on attachment types, or other content (e.g., the presence of web bugs).
To be specific, consider three sites, A, B, and C. B has the virus, and is sending mail to C, with forged headers that look like it came from A.
If C refuses to accept the message (SMTP 5xx), it's B that generates the bounce message to A. The mail logs at B should show (a) a high number of bounces going to A, (b) a large number of 5xx rejections from C. The mail admins at B *should* notice this, and do something about it, and (c) admins at both A and C should notice this, and start complaining to B.
If C simply drops the messages on the floor then (a) B is going to keep sending them (chewing up more of C's resources), and (b) B is going to take longer to realise its got a problem.
N
Of course bouncing due to viruses is bad!
grantm on 2003-08-21T09:26:26
If C accepted the message and silently refused to deilver it then why would B retry? That makes no sense.
As Schwern pointed out the anti-virus vendors do know which virus is which and they do know which ones spoof sender addresses so of course they shouldn't bounce those ones back to the 'sender'. They should simply say '200 Hmm Yummy' and do nothing more.
But I have an even simpler rule
... Never generate a bounce response when a virus is detected. Any virus. Ever. By all means have your virus scanning software alert the recipient - as a human being, they can eyeball the sender address and decide whether they want to do anything about it. But the chances that the apparent 'sender' is going to find the bounce message useful is so close to zero that it simply isn't worth sending. I've received close on 200MB of unsolicited mail at my personal email address in the last 48hrs. The vast bulk of it (well over 90%) is bounce messages. Even if there was a useful nugget of information in one of those bounce messages, I would never see it since I'm deleting messages 20-30 at a time.
Re:Of course bouncing due to viruses is bad!
nik on 2003-08-21T09:56:10
Never generate a bounce response when a virus is detected. Any virus.As I say -- doesn't work if you're bouncing because of something else in the message (e.g., an attachment type that you don't want to see --
.exe, .pif, etc). This is much simpler to check for than doing a full virus scan, so it runs faster, so it's a better use of resources. By all means have your virus scanning software alert the recipient - as a human being, they can eyeball the sender address and decide whether they want to do anything about it.Doesn't work in a large user population. Especially one that's been well trained to avoid opening attachments or messages from people they don't recognise. All you do is flood your helpdesks with calls from employees who think they're doing the right thing by being cautious.
It also pushes your costs up if you, for example, have a regulatory requirement to archive all mail that makes it in to the system.
Remember, the system that's generating the bounce is the system that's infected. Systems that want to reject messages for policy reasons (whatever that policy is -- "Looks like spam", "Contains a web bug", "Has an attachment type we don't want", "Contains a virus") have a duty to respond with a 5xx, and not silently swallow mail.
If you want to block bounce messages then filter mail from <> at your site. Then it's your decision to be RFC non-compliant, and the consequences of that decision are yours.
N
PS: Railing against AV software that sends helpful notifications back (instead of a 5xx), is a completely different kettle of fish, of course. There's a special level of hell reserved for the authors of Norton AV, which is particularly offensive in this regard.
Re:Of course bouncing due to viruses is bad!
grantm on 2003-08-21T19:20:14
As I say -- doesn't work if you're bouncing because of something else in the message (e.g.,... .exe, .pif, etc). Nonsense. You are treating messages with those file types as if they contained a virus. So the rule still stands don't bounce it, drop it.
If your SMTP server makes a quantitative decision that it can't handle the message (eg: unknown user or out of disk space) then by all means bounce it. On the other hand if your server examines the contents of the message and makes a qualitative decision that it doesn't want to accept it due to your security policy then generating a reply which details those policies helps no-one but a potential attacker.
Doesn't work in a large user population.... All you do is flood your helpdesks with calls ... Ok your real motivation is becoming apparent. There is no monetary cost associated with sending thousands of bounce messages to people that you know didn't send the original viruses. Since these people don't work for your company, it also doesn't matter if you piss them off. Hmm, good business.
Remember, the system that's generating the bounce is the system that's infected.No, it's relaying mail on behalf of the system that's infected.
But to get back to the point, there are two problems:
- email messages containing viruses
- bounce messages resulting from email servers refusing to accept messages containing viruses
Unfortunately there's not much we can do about number 1 - that's a whole separate discussion. This discussion is about number 2, which in the experience of many people here is a much bigger problem. This morning I woke up to 175 emails of which 3 were real mail (it was a good day), 172 were bounce messages and 0 were viruses!
Re:Of course bouncing due to viruses is bad!
nik on 2003-08-21T20:16:27
Nonsense. You are treating messages with those file types as if they contained a virus. So the rule still stands don't bounce it, drop it.Not true. It's being treated as 'content not wanted'. There's a large amount of content that's not wanted, and 'has a virus' is just a subset of it. And on a typical day, virus infected content is a tiny fraction of the stuff that gets 5xx'd.
If your SMTP server makes a quantitative decision that it can't handle the message (eg: unknown user or out of disk space) then by all means bounce it. On the other hand if your server examines the contents of the message and makes a qualitative decision that it doesn't want to accept it due to your security policy then generating a reply which details those policies helps no-one but a potential attacker.Again, not true. Differentiated response messages make troubleshooting much easier, and assist the technical support at the sender's site in determining whether the problem is at their end or ours.
And there's really not that much information you can leak in 70 or so characters that's going to be of any use to an attacked. And, to be clear, I'm not talking about a system that composes a multi page reply and fires it off to the envelope FROM -- I'm talking about a SMTP 5xx response code.
If your system doesn't want to handle bounce messages and other adminstrivia, send mail from <> to
/dev/null (or just refuse to accept it). That'll generate a double-bounce, and the recipient site is free to choose how it wants to handle double bounces. N
Re:Of course bouncing due to viruses is bad!
chromatic on 2003-08-21T19:53:52
This is much simpler to check for than doing a full virus scan, so it runs faster, so it's a better use of resources.Randomly send bounce messages to random e-mail addresses 10% of the time. Don't bother scanning messages. That should keep your system almost as efficient as possible, at the completely ignorable expense of everyone else on the Internet.
I don't care if the RFC was handed down on stone tables from Jon Postel. If a bad guy says "Harass innocent people!" and your system does, it's broken.
Your cheapskate virus scanning is NOT MY PROBLEM!
schwern on 2003-08-22T20:13:50
As I say -- doesn't work if you're bouncing because of something else in the message (e.g., an attachment type that you don't want to see --.exe, .pif, etc). This is much simpler to check for than doing a full virus scan, so it runs faster, so it's a better use of resources. A better use of YOUR resources. What about MINE, the poor slob getting flooded?
How selfish. You want to employ the world as a giant meat verification system for your overly simplistic virus scanning so you can save a buck!
Get a real virus scanner and don't shovel off your problem onto me. I'm up to 200K of bounces just for the last 8 hours and I haven't even pulled all my mail down yet.
Re:Of course bouncing due to viruses is bad!
nicholas on 2003-08-23T08:30:11
Beware of talking cross purposes
PS: Railing against AV software that sends helpful notifications back (instead of a 5xx), is a completely different kettle of fish, of course. There's a special level of hell reserved for the authors of Norton AV, which is particularly offensive in this regard.Agree. In the past 24 or so hours, I think I've had 185 "helpful" messages about viruses, versus 21 bounces. So it appears that both sides of this "argument" are right.
Personally I'd like
- Fuckwits who create AV software that sends me "helpful messages" for positively identified viruses that are known to forge headers to change career. (Yes. If you're reading this and you wrote one of those, however insulted you feel by me right now, you were doing something fuckwitted)
- all mail systems to 500 spam and other unacceptable content, rather than bounce it to the "envelope from". Given that most of this shit has faked envelope froms, once they drop their STMP connection it's the last you're going to see of the real sender. So only while that connection is still up can you co anything to send feedback to the true sender. (Although the feedback I'd like to send spammers isn't valid binary, given that 1 is only 5V)
Schwern != chromatic
schwern on 2003-08-22T20:15:26
As Schwern pointed out
chromatic and I really are different people. I swear.;) He says potato, I say potato. Re:Schwern != chromatic
grantm on 2003-08-23T00:18:19
Yes, I realised my mistake about 3 seconds after pressing submit (and hoped you wouldn't take offense).
And certain high ranking politicans have been known to say potatoe.
Re:Schwern != chromatic
schwern on 2003-08-23T00:59:35
I'm used to being mistaken for other peo ple by now.What's a 5xx rejection?
schwern on 2003-08-22T20:17:49
Perhaps we're talking about different things. Could you explain the difference between a 5xx rejection and a normal "You sent us a virus!" message? Which does NAV, InterScan, etc... send out? More importantly, does the 5xx show up as regular mail?Re:What's a 5xx rejection?
nik on 2003-08-26T09:08:21
Perhaps we're talking about different things. Could you explain the difference between a 5xx rejection and a normal "You sent us a virus!" message? Which does NAV, InterScan, etc... send out? More importantly, does the 5xx show up as regular mail?The "You sent us a virus" messages are the ones from products like NAV that try to be helpful, while at the same time marketing the product. They're generated by the site that's doing the scanning (so if B is infected, sends a message to C, forged to appear to be from A, it's the software running at C that generates the message and sends it to A).
A 5xx rejection is where C refuses to accept the e-mail from B for some reason. This might be because the address to which the message has been sent doesn't exist at C's site, or B is trying to use C as an open relay, or the sender is not allowed to send mail to the recipient. Or it might be because C thinks the message has a virus.
In this instance, the message that's sent to A is generated by B, and will normally (a) be fairly terse, (b) be sent from MAILER-DAEMON, or similar, and (c) have an empty envelope sender. The format of that message will depend on the mail software running at B. For example, if B are running qmail, then the message will start something like this:
Hi. This is the qmail-send program at smtp.utexas.edu.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.followed by a (hopefully useful) transcript of the SMTP session up to the point where the error occured. This might include text like:
554 Might contain a virus: Sobig.for:
553 joe@example.com is not a valid address hereor:
552 joe@example.com has exceeded their mailbox quotaOr similar.
N
Re:What's a 5xx rejection?
schwern on 2003-08-27T21:39:15
I get so few of those.
:( Most are of the NAV variety. But it doesn't seem anyone's hit upon the simple idea of a mail header:
SMTP-Reponse: 554 May contain nutsDifferent SMTP servers encode their response code in different ways in the body of the mail. That its just more mail that I have to scan and junk. Since the format isn't unambiguous, I'm back to writing rules.
:( However, they are significantly easier rules than what NAV and friends are causing me to write. Ideally what I'd want is for server A to tell my SMTP server "Hey, you sent me a virus" in a clear way so that my SMTP server can throw it away before I ever see it. A simple mail header would be nice.
For no particular purpose, here's a very small sampling of the transcripts I've been getting that contain "554".
----- Transcript of session follows -----
... while talking to smtp-bounce.mac.com.:
>>> DATA
<<< 550 5.1.1 unknown or illegal alias: 6bcb192e-5b33-11d6-aee8-0003937ae4da@mac
.com
550 5.1.1 <6BCB192E-5B33-11D6-AEE8-0003937AE4DA@mac.com>... User unknown
<<< 554 5.5.0 No recipients have been specified.
----- Transcript of session follows -----
... while talking to ms-mta-01-fn.nyroc.rr.com.:
>>> DATA
<<< 550 5.1.1 unknown or illegal alias: jc@rochester.rr.com
550 5.1.1 <jc@rochester.rr.com>... User unknown
<<< 554 5.5.0 No recipients have been specified.
----- Transcript of session follows -----
... while talking to ams-msg-core-1.cisco.com.:
>>> DATA
<<< 552 5.0.0 SOBIG.F Virus outbreak - temp fix
554 5.0.0 Service unavailable
----- Transcript of session follows -----
... while talking to filter-a.smig.net.:
>>> DATA
<<< 554 5.6.0 Message rejected because it contains one or more viruses
554 5.0.0 Service unavailable
----- Transcript of session follows -----
... while talking to ams-msg-core-1.cisco.com.:
>>> DATA
<<< 552 5.0.0 SOBIG.F Virus outbreak - temp fix
554 5.0.0 Service unavailable
----- Transcript of session follows -----
... while talking to [172.31.255.102]:
>>> RCPT To:<scarrie@maginfo.fr>
<<< 554 Mail for scarrie@maginfo.fr rejected for policy reasons.
554 <scarrie@maginfo.fr>... Service unavailable
----- Transcript of session follows -----
... while talking to syd-msg-core-1.cisco.com.:
>>> DATA
<<< 552 5.0.0 SOBIG.F Virus outbreak - temp fix
554 5.0.0 Service unavailable
----- Transcript of session follows -----
ANTIVIRUS SYSTEM FOUND VIRUSES
From: <schwern@pobox.com>
Subject: Re: Details
dfh7RCTwv16840/text infected: I-Worm.Sobig.f.txt
dfh7RCTwv16840/document_9446.pif infected: I-Worm.Sobig.f
554 5.6.0 Viruses were detected
501 5.6.0 Data format error
----- Transcript of session follows -----
!!! POZOR !!! POSTOVNI SERVER MU NALEZL VE VASI POSTE VIRUS.
!!! POZOR !!! V PRILOZE MATE HLAVICKU MAILU PRO PRIPADNY
!!! POZOR !!! KONTAKT NA ODESILATELE
ANTIVIRUS SYSTEM FOUND VIRUSES
From: <schwern@pobox.com>
To: <yeti@physics.muni.cz>
Subject: Re: Details
dfh7RCnaa7031411 archive: Mail
dfh7RCnaa7031411/text infected: I-Worm.Sobig.f.txt
dfh7RCnaa7031411/movie0045.pif infected: I-Worm.Sobig.f
This message contain viruses. Virus was detected
with Antiviral Toolkit Pro from http://www.avp.ru.
554 5.6.0 Viruses were detected
501 5.6.0 Data format error
----- Transcript of session follows -----
... while talking to ms-mta-02-fn.nyroc.rr.com.:
>>> DATA
<<< 550 5.1.1 unknown or illegal alias: jc@rochester.rr.com
550 5.1.1 <jc@rochester.rr.com>... User unknown
<<< 554 5.5.0 No recipients have been specified.Re:Is bouncing bad?
schwern on 2003-08-27T21:52:46
If C refuses to accept the message (SMTP 5xx), it's B that generates the bounce message to A. The mail logs at B should show (a) a high number of bounces going to A, (b) a large number of 5xx rejections from C. The mail admins at B *should* notice this, and do something about it, and (c) admins at both A and C should notice this, and start complaining to B.Oh yeah, I remember the problem I had with this idea. WHAT MAIL ADMIN?!
I'm it. One guy with a laptop. I'm sure there's lots and lots and lots of other people out there in the same boat. The scenario above seems circa 1992 when either you got a mail account from a university or your computer savvy employeer. Both involve large numbers of users with dedicated system administrators. While there's still plenty of places like this, you can't simply ignore Joe Single User.
The other problem is its not three sites. Its three THOUSAND sites! Its not B sending the virus to C making it look like A. Its half the Internet sending the virus to the other half making it look like A. I'm A.
To give you an idea of the magnitude of the problem...
~ $ ls -l/var/mail/schwern
-rw------- 1 schwern schwern 2725439 Aug 27 14:29/var/mail/schwern
~ $ ls -l ~/Mail/spam
-rw------- 1 schwern schwern 4852022 Aug 27 14:45/Users/schwern/Mail/spam This is about 18 hours worth of my personal mail. Keeping in mind that my inbox contains about 340 old messages. I got about 130 new messages that weren't filtered. About 30% of them are unfiltered bounces. I got 667 filtered pieces of spam. The overwhelming majority is bounces from all over the Internet.
You really think the proper solution is for me to contact them all?
1% false negative vs 50% false positive
schwern on 2003-08-21T00:29:11
You might not trust it to do the right thing, but right now its doing a Very, Very Wrong Thing to such an extent that its effecting the health of the Internet. I don't think you quite understand the magnitude of the problem. I got another 1000 bounce messages overnight. That's absurd.
With the current setup you're generating a massive quantity of false positives. So much so that I'm now likely to ignore *all* bounce messages. In effect, by flooding the system with false positives you're social engineering far more false negatives than you would have by simply not sending the virus warning.
Furthermore, with the current setup there's almost no chance that your virus warning will get back to the infected machine. No modern virus sends out mail with a legit From line.
Here's a simple solution. Check the Received headers to see if the originating machine and the From line or Reply-To are even vaguely related before sending out a warning. That would slash the number of false positives by at least an order of magnitude while still avoiding most false negatives. Those of us who use services like pobox.com will suffer gladly. In the case of an obviously bogus From line, send to the originating machine's postmaster.
