North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Clueless anti-virus products/vendors (was Re: Sober)

  • From: W.D.McKinney
  • Date: Fri Dec 02 19:46:21 2005
  • Sensitivity: Normal

>-----Original Message-----
>From: Daniel Senie [mailto:[email protected]]
>Sent: Friday, December 2, 2005 11:27 AM
>To: [email protected]
>Subject: Clueless anti-virus products/vendors (was Re: Sober)
>At 03:12 PM 12/2/2005, Michael Loftis wrote:
>>--On December 2, 2005 2:02:15 PM -0600 Dennis Dayman 
>><[email protected]> wrote:
>>>Interested, but I see many Sober postings and outages on other lists and
>>>not here...has anyone been having issues? I know the ISP's are fighting
>>>the living out of the virus.
>>I've been seeing a few really large bursts into our mailserver.  Not 
>>sure if it's a new variant or a reoccurrence of an old strain.  I 
>>put in a good number of new port 25 inbound blocks for infected 
>>systems and attempted to put up a few checks inside of our front end 
>>mail servers rather than in the virus and spam filtering (which 
>>happens later for us, so for bad surges we put a few custom rules up 
>>front early in postfix).
>Only stuff we're seeing is a lot of blowback from dumb mail systems 
>that accept email, THEN scan for viruses, and ultimately decide to 
>send a note back to the From: address in the body of the infected 
>email. Since the From: is invariably forged, the uninvolved owner of 
>those forged email addresses gets hammered.
>Can people building virus scanning devices PLEASE GET A %^&*^ CLUE? 
>This means you, Barricuda Networks, more than anyone else, but we 
>also see this annoyance from Symantec devices, and from some AOL 
>systems as well.

It's a simple switch in the GUI of Barracuda Networks to turn of this annoyance. More operator error than Barracuda's fault, IMHO.


>Blasting a note back does two things:
>1. It allows the worm or virus author an opportunity to implement an 
>amplified attack on a third party using your filtering systems.
>2. The bounce messages mostly include an advertisement for the 
>filtering box's vendor. Get a clue... this is a REALLY negative 
>advertisement for your spam & virus filtering technology. If you 
>can't manage to realize the virus laden email should perhaps be 
>dropped, then it makes your box look poorly designed.
>Oh, and please delete the infected file rather than sending that along too.
>OK, off my soapbox.