Hello All.

As most of you are technical, you should for the most part be in control of, or have the ear of the person who is in control of your corporate anti-virus solutions.

Please for the sake of the internet can you STOP your servers sending virus notifications to the originators of the message as with today's modern virii 90% of virii use spoofed "from:" addresses.

So, every time some poor person out there with MY name in their address book, or contacts folder gets a virus, I get 3000 messages (as I am sure do most of you on this list at least) telling me that I sent a virus to someone I have never heard of in my life before.

This form of server administration is a very very poor form of security as you are willfully informing people who have possibly never thought of you or your servers before several key steps that it may have taken them some time to figure out. Things like...

Antigen for Exchange found
ScanMail for Microsoft Exchange took action on the message. The message details were:
Symantec AVF detected an unrepairable
NAV for Microsoft Exchange
etc etc etc.

Sending out mass mailer responses to virii wastes as much resource as coping with the virii themselves.

Stop wasting your and my bandwidth, send reports only to admin, check the headers and if you receive mail from an address or domain often and the headers check out, THEN notify the admin/postmaster of that domain.

I mean please, telling Lucy in the clerks dept about the fact that she is sending virii to somebody she has never met in Luxembourg is only going to cost her time and money as she will call out her IT people to clean her "infected machine"

Sorry about the rant, this is just one of the most annoying things that for some reason no-one ever seems to consider when setting up all this AV stuff.

Barry
On Thu, 2004-03-11 at 09:40, Barry Gill wrote:
Hello All.

Hi Barry

This form of server administration is a very very poor form of security as you are willfully informing people who have possibly never thought of you or your servers before several key steps that it may have taken them some time to figure out.

Better yet, configure your smtp server to require authentication when sending smtp. Only allow clients on your network to send smtp via the mail server. The viruses you are talking about rely on open smtp through the firewall, or unauthenticated smtp via the mail server.
Sending out mass mailer responses to virii wastes as much resource as coping with the virii themselves.
So does html mail, but we have two chances of that stopping, right?
Stop wasting your and my bandwidth, send reports only to admin, check the headers and if you receive mail from an address or domain often and the headers check out, THEN notify the admin/postmaster of that domain.
Too much work for the average Exchange 'administrator' ... First they have to figure out how to turn on message tracking ...
I mean please, telling Lucy in the clerks dept about the fact that she is sending virii to somebody she has never met in Luxembourg is only going to cost her time and money as she will call out her IT people to clean her "infected machine"
Lucy in the clerks dept is the most likely cause that the virus is spreading. Virus education should be top priority in any company.
Sorry about the rant, this is just one of the most annoying things that for some reason no-one ever seems to consider when setting up all this AV stuff.
Yeah, like someone using Frontpage to 'design' a web page and then call themselves a web developer ...
Barry

--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
--
Stop wasting your and my bandwidth, send reports only to admin, check the headers and if you receive mail from an address or domain often and the headers check out, THEN notify the admin/postmaster of that domain.
Too much work for the average Exchange 'administrator' ... First they have to figure out how to turn on message tracking ...
We're also talking about clueless Linux admin, there are a hell of a lot of them too...
I mean please, telling Lucy in the clerks dept about the fact that she is sending virii to somebody she has never met in Luxembourg is only going to cost her time and money as she will call out her IT people to clean her "infected machine"
Lucy in the clerks dept is the most likely cause that the virus is spreading. Virus education should be top priority in any company.
Yes and no. I have some very aware users who nonetheless are spooked by being told they're infected. They've done their part in not opening dodgy emails, they trust my AV regime, and what happens? Some clueless admin makes the user think that all these precautions don't work in the first place.

Tom.
-----Original Message-----
From: Barry Gill [mailto:b@rry.co.za]
Sent: 11 March 2004 07:40
To: suse-security@suse.com
Subject: [suse-security] Anti-Virus reports
Hello All.
As most of you are technical, you should for the most part be in control of, or have the ear of the person who is in control of your corporate anti-virus solutions.
I don't agree with this bit, but...
Please for the sake of the internet can you STOP your servers sending virus notifications to the originators of the message as with today's modern virii 90% of virii use spoofed "from:" addresses.
<snip not unjustified rant>

Here I agree totally and wholeheartedly. This really pisses me off, big time, if only because it confuses the hell out of the people I support. I normally send emails to the sysadmin of the site explaining the problem, and if I get no response from them (I do ask for one, just to make sure my message is read by a human, not just piped through to an unread mailbox), I try to contact the management, suggesting they retrain or dump their sysadmins. Petty, but _I_ enjoy it!

Tom.
The 2004-03-11 at 09:40 +0200, Barry Gill wrote:
Please for the sake of the internet can you STOP your servers sending virus notifications to the originators of the message as with today's modern virii 90% of virii use spoofed "from:" addresses.
Agreed. Even SuSE is sending those bounces (I got one).

Worse: a number of those bounces include the virus attached to the end of the email, which may trigger another bounce if the second machine has an antivirus email checker configured to bounce.

Antivirus email checkers should only notify the local recipient or sender, not the external one. And bounces should be limited in size and not include the virus (like the one I got from SuSE).

--
Cheers,
Carlos Robinson
Carlos E. R. wrote:
The 2004-03-11 at 09:40 +0200, Barry Gill wrote:
Please for the sake of the internet can you STOP your servers sending virus notifications to the originators of the message as with today's modern virii 90% of virii use spoofed "from:" addresses.
Agreed. Even SuSE is sending those bounces (I got one).
Dear god these are annoying. I'm going to do some body_checks for postfix to filter these stupid things out.

Dave.
Worse: a number of those bounces include the virus attached to the end of the email, which may trigger another bounce if the second machine has an antivirus email checker configured to bounce.
Antivirus email checkers should only notify the local recipient or sender, not the external one. And bounces should be limited in size and not include the virus (like the one I got from SuSE).
On Fri, 12 Mar 2004, Dave made the net somewhat safer by saying: [..]
Dear god these are annoying. I'm going to do some body_checks for postfix to filter these stupid things out.
http://www.timj.co.uk/linux/bogus-virus-warnings.cf

Theo
--
Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org
ICBM 52 13 27N , 4 29 45E. + ICQ: 277217131
SUSE 8.2 + Jabber: gurp@jabber.org
Kernel k_athlon-2.4.20 + MSN: twe-msn@ferrets4me.xs4all.nl
See headers for PGP/GPG info. +
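
An added illustration, not part of any post in this thread and not the contents of the file linked above: a Python sketch of the content filtering discussed here, matching the notification phrases quoted in the first post and listing any re-attached file. The function names, sample messages and addresses are constructed for the example.

```python
import re
from email import message_from_string

# Phrases quoted in the first post of this thread; matched case-insensitively.
AV_NOTICE_PHRASES = [
    "Antigen for Exchange found",
    "ScanMail for Microsoft Exchange took action on the message",
    "Symantec AVF detected an unrepairable",
    "NAV for Microsoft Exchange",
]
AV_NOTICE_RE = re.compile("|".join(map(re.escape, AV_NOTICE_PHRASES)), re.I)

def text_lines(msg):
    """Yield the Subject, then each line of every inline text/* part."""
    yield msg.get("Subject", "")
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.get_filename():
            body = part.get_payload(decode=True) or b""
            yield from body.decode("latin-1").splitlines()

def classify(raw):
    """Return (verdict, matched_phrase, attachment_names) for one raw message.

    attachment_names is filled only for notices: a notice that re-attaches
    the original file can set off the next scanner in the chain.
    """
    msg = message_from_string(raw)
    for line in text_lines(msg):
        hit = AV_NOTICE_RE.search(line)
        if hit:
            names = [p.get_filename() for p in msg.walk() if p.get_filename()]
            return ("av-notification", hit.group(0), names)
    return ("deliver", None, [])

# Constructed sample messages (hypothetical hosts and addresses).
SAMPLE_NOTICE = """\
From: postmaster@mail.example.net
Subject: Virus found in message you sent
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

ScanMail for Microsoft Exchange took action on the message.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="document.pif"

constructed-placeholder
--b1--
"""
SAMPLE_CLEAN = "From: alice@example.org\nSubject: Lunch\n\nSee you at noon.\n"
```

Messages classified as `av-notification` can be filed for the local admin instead of being delivered to the user named in the spoofed "from:" address.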
participants (6)
- Barry Gill
- Carlos E. R.
- Dave Lists
- Ray Leach
- Theo v. Werkhoven
- Tom Knight