User phones in a panic. The email that it sends out has the following details:
From: <Spoofed and selected from the harvested list of email addresses>
...
Suggestion for anti virus software vendors: If so many of your users are too dumb to know they shouldn't notify apparent senders of email worms, why don't you fix your software so they can't?
Please, while I still have some hair.
Category: Dumb and Dumber
1. Christopher Harvey 26/02/2004 02:48:27
Homepage: http://chris.brotherhoodmutual.com
Yes, and Amen. In the meantime, I'm going to have to come up with some boilerplate text I can email to users who call with that concern so I can shoot them an email instead of explaining for the zillionth time that day why someone thinks they sent a message that they didn't send. Or maybe if I can find a good URL to link them to.
But you are right on the money that the real solution should come from the anti-virus vendors. They know exactly which virus they just detected and so they should know if it spoofs the from addr. And if so, the software should simply not send a response to someone who didn't send the virus.
Also, in the meantime, it would be great if I could create a server-side rule that would block all these bogus "you sent me a virus" messages. Any ideas there?
2. Chris Linfoot 26/02/2004 08:44:03
Sadly not many ideas there at all.
I have tried as it happens because with the recent Mydoom.A worm, we were getting so many of these reports of "you sent a virus" to innocent bystanders and most of them said they had detected "Mydoom.A". So we just made a rule that denied messages containing "Mydoom.A" but that is rather a blunt instrument and high maintenance too.
Trend Micro has some built-in rules to stop virus hoaxes and chain letters and these seem to work very effectively even when the wording of hoaxes and chain letters has been altered substantially and I have never seen a false positive. So possibly an adaptation of that might work but we have not really had time to look into it.
Finally, if Microsoft Caller ID really does take off (as I said, I suspect it won't but hope it will), then this would kill all mass mailing worms that spoof sender addresses.
3. Vanessa 05/03/2004 12:41:30
Unfortunately I'm stuck with Sophos MailMonitor for email virus detection as we have this product for our PCs & we get 'free' licenses for servers. MailMonitor does NOT HAVE THE OPTION to not notify the sender - there is no way I can change this. This really sucks because it results in a tonne of dead mail from this product that I have to deal with (trying to send to spoofed non-existent addresses).
4. Chris Linfoot 05/03/2004 12:55:35
Perhaps time to tell software's creators a few simple truths...
5. Paul Inglis 29/09/2004 07:02:45
Even a lot of mail/virus admins that use content filtering software that can be set to NOT notify the sender are too dumb to make the necessary adjustments.
I try to block anything sent from "postmaster@" as it's 99.9% junk and that equals 110% heartburn. Oh, and don't expect most anti-virus vendors to have a clue about what their products do. Only Trend and a couple of other vendors even use decent anti-virus engines. The rest of them are just scanning for virus sigs. I mean give me a break - if it looks like a virus, and smells like a virus, it's a virus!
6. Chris Linfoot 29/09/2004 08:42:40
Not sure I'd advocate blocking email from postmaster@ - might be a useful item to filter on though.
I do filter on sender addresses the local part of which contains "antivirus" - that catches a lot of garbage and no false positives.
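The filtering ideas raised across the comments above (a worm name in the message, a sender local part containing "antivirus", and postmaster@ as a filter item, not an outright block) can be combined into one server-side check. The following is an added example, not code from the post or any commenter; the function name, the quarantine/tag/deliver actions, the rule that two weak signals together quarantine, and the sample messages are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

WORM_NAMES = ("Mydoom.A",)  # the only worm name the thread mentions

def classify(raw):
    """Return (action, reasons) for one raw RFC 5322 message (hypothetical policy)."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    local = addr.rpartition("@")[0].lower()
    body = "" if msg.is_multipart() else str(msg.get_payload())
    text = (msg.get("Subject", "") + "\n" + body).lower()
    reasons = []
    if "antivirus" in local:
        reasons.append("sender local part contains 'antivirus'")
    if local == "postmaster":
        reasons.append("sender is postmaster@")
    if any(w.lower() in text for w in WORM_NAMES):
        reasons.append("names a known worm")
    # Assumed policy: the 'antivirus' sender rule quarantines on its own;
    # the blunter signals only quarantine when two of them agree.
    if "antivirus" in local or len(reasons) >= 2:
        return "quarantine", reasons
    return ("tag" if reasons else "deliver"), reasons

# Constructed sample messages (not real traffic).
SAMPLES = {
    "av_notice": "From: antivirus@mail.example.com\nSubject: Virus detected\n\n"
                 "Mydoom.A found in your message.",
    "real_bounce": "From: postmaster@example.net\nSubject: Delivery failure\n\n"
                   "Mailbox unavailable.",
    "postmaster_av": "From: postmaster@example.org\nSubject: Virus alert\n\n"
                     "Your message contained Mydoom.A.",
    "colleague": "From: bob@example.com\nSubject: Heads up\n\n"
                 "Watch out for Mydoom.A this week.",
    "normal": "From: alice@example.com\nSubject: Lunch\n\nNoon?",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        action, reasons = classify(raw)
        print(f"{name:14} {action:10} {reasons}")
```

A genuine postmaster bounce and a colleague's warning that merely names the worm are tagged for review, not dropped, which is the difference between filtering on these signals and denying on any one of them.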