Home | Mail | Resume | Karsten M. Self

AntiVirus / Bounce Spam

The following is a standard "rant" I send to sites which send inappropriate AV / AntiVirus / Anti Virus notices, or inappropriate nondelivery notification messages to me (or mailing lists I subscribe to).

Rights to use, copy, modify, or distribute freely, with attribution and this notice, granted.

Turn off your viral autoresponder, if you are using one.

Ensure that your mail server is generating 5XX REJECT messages, NOT sending a notification to the 'From:' or Envelope From sender, as these are SPOOFED.

If you cannot make an SMTP-time assessment of deliverability of a message, filter content for obvious viral and spam signatures, and do not generate nondelivery notices for such messages, as they frequently spoof sender. Not taking these precautions makes you a vector for a DDoS Joe-job attack:

The Joe Job DoS attack
By John Leyden
Published Tuesday 6th April 2004 17:30 GMT

A problem with the way that non-delivery notifications are sent by many mail servers could be exploited to launch "mail bomb" denial of service attacks.

Incorrectly configured mail servers may respond to mail delivery failure with as many non-delivery reports as there are undeliverable cc: and bcc: addresses contained in the original email. By forging the source of an email, hackers could bombard systems with spurious emails.

MyDoom is the worst virus ever
By John Leyden
Published Wednesday 28th January 2004 13:11 GMT

Just like SoBig-F, much of the huge volume of crap generated by MyDoom is the result of auto-responder messages. As well as replies that someone is out of the office users are getting a stream of accusatory messages from anti-virus gateway products accusing them of sending a virus.

Auto-responders magnify Sobig problem
By John Leyden
Published Wednesday 20th August 2003 17:30 GMT

Graham Cluley, senior technology consultant for Sophos Anti-Virus, said that the current generation of anti-virus gateway products are incapable of determining the email address in a virus contaminated email are spoofed.

"In the circumstances, it might be better for people to turn off their auto-responder," Cluley advised, adding the auto responder messages could be taken of an accusation that someone wholly innocent was sending out viruses.


http://www.businessweek.com/magazine/content/04_12/b3875032.htm http://www.attrition.org/security/rant/av-spammers.html

My own systems are not susceptible to legacy MS Windows viruses (I run GNU/Linux exclusively). For sites unfortunate enough to rely on Microsoft products, such false reports waste staff and administrative time on wild-goose chases.

Your email system is generating "bounce" messages to spoofed "from" addresses. These are widely considered spam on the UBE basis:

The sending address has been added to the local spamlist; any further mail from that address will be treated and reported as spam. Multiple such reports will result in your site being listed on spam-origin lists, including SPEWS, SpamCop, Spamhaus, and others.

Further similar messages from your domain will be reported as spam.

Any prior and subsequent mail can and will be forwarded to public services not limited to NANAE (news:news.admin.net-abuse.email) at my sole discretion. All "confidentiality" email disclaimers are specifically rejected.

mail: kmself@ix.netcom.com
Last updated 2004/04/11 22:29:00