North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Clueless anti-virus products/vendors (was Re: Sober)

  • From: Daniel Senie
  • Date: Fri Dec 02 15:28:32 2005 
At 03:12 PM 12/2/2005, Michael Loftis wrote:
--On December 2, 2005 2:02:15 PM -0600 Dennis Dayman <[email protected]> wrote:

Interested, but I see many Sober postings and outages on other lists and
not here...has anyone been having issues? I know the ISP's are fighting
the living out of the virus.
I've been seeing a few really large bursts into our mailserver. Not sure if it's a new variant or a reoccurrence of an old strain. I put in a good number of new port 25 inbound blocks for infected systems and attempted to put up a few checks inside of our front end mail servers rather than in the virus and spam filtering (which happens later for us, so for bad surges we put a few custom rules up front early in postfix).
Only stuff we're seeing is a lot of blowback from dumb mail systems that accept email, THEN scan for viruses, and ultimately decide to send a note back to the From: address in the body of the infected email. Since the From: is invariably forged, the uninvolved owner of those forged email addresses gets hammered.

Can people building virus scanning devices PLEASE GET A %^&*^ CLUE? This means you, Barricuda Networks, more than anyone else, but we also see this annoyance from Symantec devices, and from some AOL systems as well.

Blasting a note back does two things:

1. It allows the worm or virus author an opportunity to implement an amplified attack on a third party using your filtering systems.

2. The bounce messages mostly include an advertisement for the filtering box's vendor. Get a clue... this is a REALLY negative advertisement for your spam & virus filtering technology. If you can't manage to realize the virus laden email should perhaps be dropped, then it makes your box look poorly designed.

Oh, and please delete the infected file rather than sending that along too.

OK, off my soapbox.

Dan