Clueless anti-virus products/vendors (was Re: Sober)
Daniel Senie
dts at senie.com
Fri Dec 2 20:27:16 UTC 2005
At 03:12 PM 12/2/2005, Michael Loftis wrote:
>--On December 2, 2005 2:02:15 PM -0600 Dennis Dayman
><dennis at thenose.net> wrote:
>
>>
>>Interested, but I see many Sober postings and outages on other lists and
>>not here...has anyone been having issues? I know the ISP's are fighting
>>the living out of the virus.
>
>I've been seeing a few really large bursts into our mailserver. Not
>sure if it's a new variant or a reoccurrence of an old strain. I
>put in a good number of new port 25 inbound blocks for infected
>systems and attempted to put up a few checks inside of our front end
>mail servers rather than in the virus and spam filtering (which
>happens later for us, so for bad surges we put a few custom rules up
>front early in postfix).
Only stuff we're seeing is a lot of blowback from dumb mail systems
that accept email, THEN scan for viruses, and ultimately decide to
send a note back to the From: address in the body of the infected
email. Since the From: is invariably forged, the uninvolved owner of
those forged email addresses gets hammered.
Can people building virus scanning devices PLEASE GET A %^&*^ CLUE?
This means you, Barricuda Networks, more than anyone else, but we
also see this annoyance from Symantec devices, and from some AOL
systems as well.
Blasting a note back does two things:
1. It allows the worm or virus author an opportunity to implement an
amplified attack on a third party using your filtering systems.
2. The bounce messages mostly include an advertisement for the
filtering box's vendor. Get a clue... this is a REALLY negative
advertisement for your spam & virus filtering technology. If you
can't manage to realize the virus laden email should perhaps be
dropped, then it makes your box look poorly designed.
Oh, and please delete the infected file rather than sending that along too.
OK, off my soapbox.
Dan
More information about the NANOG
mailing list