Discussion:
Why reply to forged sender about virus?
nutso fasst
2003-08-21 18:48:26 UTC
OK, everyone should be aware by now that self-mailing viruses/worms don't
use actual 'From' addresses. So why do server-side virus scanners email 'You
sent virus-infected mail' notices to the 'From' address?

We are getting hit with scads of these auto-notifications to 'support' and
'webmaster' users on our domain, when it is clear from the originating IP in
the message header that the infected message did not originate here.

While I'm ranting, I'd also like to know why ISPs can't filter mail with
forged headers, where the originating IP doesn't belong to the domain of the
'From' sender. Surely the gateways could automatically catch most of this
trash, and it seems quite possible to spot the actual infected or malicious
sender.

nf
Boyd Williston
2003-08-21 23:33:38 UTC
Post by nutso fasst
OK, everyone should be aware by now that self-mailing viruses/worms
don't use actual 'From' addresses. So why do server-side virus
scanners email 'You sent virus-infected mail' notices to the 'From'
address?
To notify the sender, who may not be aware, that they have a virus.
But since many, probably most, return addresses are now forged, what's the
point of that? It just adds more useless traffic to the Internet.
Post by nutso fasst
We are getting hit with scads of these auto-notifications to 'support'
and 'webmaster' users on our domain, when it is clear from the
originating IP in the message header that the infected message did not
originate here.
I should be able to use any ISP to send mail specifying the return
email address of my choice, as long as I'm not misrepresenting myself,
unless it's against the ISP's TOS. There are people for instance that
keep a persistent email box around through various changes of ISP.
There are other examples, just give it a minute's thought. I don't
consider this forging.
Irrelevant to the original post.
Post by nutso fasst
While I'm ranting, I'd also like to know why ISPs can't filter mail
with forged headers, where the originating IP doesn't belong to the
domain of the 'From' sender.
This is heavy handed and would create problems.
Not really. If the header is obviously forged, it should go to the big bit
bucket in the sky.
Post by nutso fasst
Surely the gateways could automatically catch most of this trash, and
it seems quite possible to spot the actual infected or malicious
sender.
If viruses that forge return addresses become more common, certainly
you will see enhancement to virus auto reply programs. Either for a
particular virus notices won't be sent, or perhaps ISP side mail
daemons will at least keep you from seeing more than one such message.
My thoughts.
Post by nutso fasst
nf
mailman
2003-08-21 23:42:28 UTC
Post by Boyd Williston
I should be able to use any ISP to send mail specifying the return
email address of my choice, as long as I'm not misrepresenting myself,
unless it's against the ISP's TOS. There are people for instance that
keep a persistent email box around through various changes of ISP.
There are other examples, just give it a minute's thought. I don't
consider this forging.
Irrelevant to the original post.
Post by nutso fasst
While I'm ranting, I'd also like to know why ISPs can't filter mail
with forged headers, where the originating IP doesn't belong to the
domain of the 'From' sender.
This is heavy handed and would create problems.
Not really. If the header is obviously forged, it should go to the big bit
bucket in the sky.
Define "obviously forged", and keep in mind the statements I made above
which you deemed irrelevant.
FromTheRafters
2003-08-22 01:07:27 UTC
Post by nutso fasst
OK, everyone should be aware by now that self-mailing viruses/worms don't
use actual 'From' addresses. So why do server-side virus scanners email 'You
sent virus-infected mail' notices to the 'From' address?
To notify the sender, who may not be aware, that they have a virus.
Then the notice should go to the real sender, not the apparent sender.
Post by nutso fasst
We are getting hit with scads of these auto-notifications to 'support' and
'webmaster' users on our domain, when it is clear from the originating IP in
the message header that the infected message did not originate here.
I should be able to use any ISP to send mail...
Why not only the SMTP server at the ISP you are connected to?
specifying the return email address of my choice,
The "Reply-to:" should address this option well enough.
as long as I'm not misrepresenting myself, unless
it's against the ISP's TOS. There are people for instance that keep a
persistent email box around through various changes of ISP. There are other
examples, just give it a minute's thought. I don't consider this forging.
All of this has little to do with the "From:" field.
Ted Davis
2003-08-22 01:42:25 UTC
On Thu, 21 Aug 2003 18:48:26 GMT, "nutso fasst"
Post by nutso fasst
OK, everyone should be aware by now that self-mailing viruses/worms don't
use actual 'From' addresses. So why do server-side virus scanners email 'You
sent virus-infected mail' notices to the 'From' address?
We are getting hit with scads of these auto-notifications to 'support' and
'webmaster' users on our domain, when it is clear from the originating IP in
the message header that the infected message did not originate here.
While I'm ranting, I'd also like to know why ISPs can't filter mail with
forged headers, where the originating IP doesn't belong to the domain of the
'From' sender. Surely the gateways could automatically catch most of this
trash, and it seems quite possible to spot the actual infected or malicious
sender.
They can't filter mismatched originating servers and From fields
because they must not. Many people quite legitimately use a return
address from one domain and a server on another - I do because there
is a firewall between me and my primary servers when I'm at home, but
I can access the home ISPs server from home even though I never use
the e-mail address associated with that ISP.

Anyone using a remote computer, for example while on a trip, would
still use his real address as the return.


T.E.D. (***@gearbox.maem.umr.edu - e-mail must contain "T.E.D." or my .sig in the body)
nutso fasst
2003-08-22 02:02:19 UTC
Post by Ted Davis
Anyone using a remote computer, for example while on a trip, would
still use his real address as the return.
When I'm on a trip I connect to my ISP's local connect, and my return
address is still within the ISP's network. However, wherever you connect,
you must still log on. If a gateway is scanning for viruses (which initially
only requires a scan for a relevant file extension on an attachment) then a
viral message could still be traced to you.

nf
JK_Deth
2003-08-22 13:29:05 UTC
Nearly Complete BS. No self respecting virus these days will even use the
smtp server you logged onto. The 'log on' wouldn't mean squat.
Did I write anything about logging on to an SMTP server? When you connect
through an ISP you log on to the network and are assigned an IP address.
Everything you send then originates from that IP, and every bit passes
through the system you connected to. If the destination port is 110 then
it's mail to the ISPs POP3 server. If the destination port is 25 then it's
mail sent from a local SMTP client, and it CAN be scanned. If you think that
is BS, explain, but don't read what I didn't write.
Okay, I'll give you that bit, I did misinterpret what you wrote. Many ISPs
will allow remote use of smtp servers from authenticated users, i.e. the
smtp client has to logon with a username and password to send mail, as
opposed to local clients who need not authenticate to send mail. That was
what I believed you were referring to.
BTW, an SMTP *server* accepts mail from the SMTP *client* that sends it. A
virus with an SMTP server would be laughable.
nf
I really don't need any lessons in smtp, but thanks anyway. I made no
statement implying a "virus with an smtp server" so I'll have to ask you as
well, don't read what I didn't write. Could be that you just didn't
understand what I said so I'll clarify. There's no guarantee that infected
mail from a given computer will use the smtp server info from that computer;
the smtp client and server addresses can have been coded directly into the
virus or worm. Could it still be scanned? Sure, as long as you're scanning
ALL the network traffic rather than simply the traffic to a given network's
smtp server(s); it could be blocked as well, but then how far do you take that?
Do you really want everything you do logged and recorded?
n***@novirus.com
2003-08-23 04:07:18 UTC
Post by JK_Deth
There's no guarantee that infected
mail from a given computer will use the smtp server info from that computer,
the smtp client and server addresses can have been coded directly into the
virus or worm.
I believe it's already established that sobig is doing nameserver lookups to
find the correct MXs - as you'd expect it to
--
Ken
n***@novirus.com
2003-08-23 04:05:44 UTC
BTW, an SMTP *server* accepts mail from the SMTP *client* that sends it. A
virus with an SMTP server would be laughable.
not laughable. we'll probably see a worm that starts up a mail server to be
used by spammers - creating a large supply of non-logging open relays
--
Ken
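nutso fasst's point that outbound port-25 traffic can be scanned at the gateway, JK_Deth's reply that a worm carrying its own SMTP client need not use the server configured on the machine, and Ken's note that sobig looks up MX records itself all point to the same detection: an internal host that connects directly to many different outside mail servers on port 25 in a short time. The following is an added example, not code from any post in this thread; the internal range 10.1.0.0/16, the sanctioned relay 10.1.0.25, the threshold of five distinct destinations and the log lines are all constructed for illustration. It looks only at connection metadata (source, destination, port), which also answers JK_Deth's question about how far the logging has to go: no message content is read.

```python
"""Spot hosts running their own SMTP engine from connection metadata only.

Added example, not code from the thread.  Assumed: the internal range, the
address of the sanctioned outbound relay, the threshold, and the firewall log
lines, all constructed for illustration.  Only the 5-tuple is inspected.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.1.0.0/16")   # assumed internal address space
MAIL_RELAYS = {ip_address("10.1.0.25")}     # assumed: the only host allowed to reach outside port 25
DISTINCT_DST_THRESHOLD = 5                  # assumed: this many MXs in one window looks like a worm

# One connection per line: timestamp src dst dport (constructed format).
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")

# Constructed sample log.  10.1.1.23 behaves: POP3 and SMTP to the relay only.
# 10.1.1.50 sends one message straight to an outside MX (a laptop configured
# for another provider's server).  10.1.1.40 fans out to six different MXs
# within seconds, which is what a self-mailing worm with its own engine does.
SAMPLE_LOG = """\
2003-08-22T13:01:02 src=10.1.0.25 dst=203.0.113.9 dport=25
2003-08-22T13:01:05 src=10.1.1.23 dst=10.1.0.25 dport=25
2003-08-22T13:01:06 src=10.1.1.23 dst=10.1.0.25 dport=110
2003-08-22T13:01:30 src=10.1.1.50 dst=198.51.100.3 dport=25
2003-08-22T13:02:10 src=10.1.1.40 dst=198.51.100.7 dport=25
2003-08-22T13:02:11 src=10.1.1.40 dst=198.51.100.8 dport=25
2003-08-22T13:02:12 src=10.1.1.40 dst=203.0.113.20 dport=25
2003-08-22T13:02:12 src=10.1.1.40 dst=198.51.100.7 dport=25
2003-08-22T13:02:14 src=10.1.1.40 dst=203.0.113.21 dport=25
2003-08-22T13:02:15 src=10.1.1.40 dst=203.0.113.22 dport=25
2003-08-22T13:02:16 src=10.1.1.40 dst=203.0.113.23 dport=25
2003-08-22T13:03:00 src=10.1.1.40 dst=10.1.0.25 dport=25
"""


def analyze(log_text):
    """Return {src_ip: {"verdict": ..., "distinct_external_mx": n}} for every
    internal host that connected to port 25 outside the network without
    being a sanctioned relay.  Hosts that only talk to our relay are silent."""
    external_dsts = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = ip_address(m[1]), ip_address(m[2]), int(m[3])
        if dport != 25 or src not in INTERNAL_NET or src in MAIL_RELAYS:
            continue
        if dst in INTERNAL_NET:
            continue  # submission to our own relay is the sanctioned path
        external_dsts[src].add(dst)  # set: repeats to the same MX count once

    findings = {}
    for src, dsts in external_dsts.items():
        verdict = "mass-mailer" if len(dsts) >= DISTINCT_DST_THRESHOLD else "direct-smtp"
        findings[str(src)] = {"verdict": verdict, "distinct_external_mx": len(dsts)}
    return findings


if __name__ == "__main__":
    for host, info in sorted(analyze(SAMPLE_LOG).items()):
        print(host, info)
```

The single direct-to-MX connection from 10.1.1.50 is reported separately as 'direct-smtp' because it is also what Ted Davis's legitimate case (a roaming user submitting to his own provider's server) produces; whether to block that is policy, not detection. The fan-out from 10.1.1.40 across six MXs in seconds is the worm pattern, and it is visible whether or not the worm's From address, HELO name or chosen server have anything to do with the machine it runs on.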
nutso fasst
2003-08-22 01:44:55 UTC
Post by nutso fasst
OK, everyone should be aware by now that self-mailing viruses/worms don't
use actual 'From' addresses. So why do server-side virus scanners email 'You
sent virus-infected mail' notices to the 'From' address?
To notify the sender, who may not be aware, that they have a virus.
Apparently you don't understand the point of my message. The actual sender
is NOT being notified, because it is almost NEVER the real sender who is in
the From field in the mail header. My mail server quarantines infected mail.
The From field has NEVER been the actual sender. So why notify the person in
the infected mail's From field without first checking if the originating IP
matches the IP of the sender's domain?

nf
Ralph
2003-08-22 05:40:29 UTC
Post by nutso fasst
Post by nutso fasst
OK, everyone should be aware by now that self-mailing viruses/worms don't
use actual 'From' addresses. So why do server-side virus scanners email 'You
sent virus-infected mail' notices to the 'From' address?
To notify the sender, who may not be aware, that they have a virus.
Apparently you don't understand the point of my message. The actual sender
is NOT being notified, because it is almost NEVER the real sender who is in

Dumbass,

I've played around with you yeah, but now I'm bored.

It seems you can't differentiate between normal email and so-called obvious
forgery email, and you know it, so I say LMAO at your dumbass for even
thinking you could try.

If you have some crack left to smoke - and I think you probably do, to post
such stupid stuff, you must...feel free to crosspost to
news.admin.net-abuse.email. with your heuristic, you dumbass, for
identifying obvious forgery.

Better yet, you want to make some money? Yes you do, after all you have to
finance your crack smoking somehow, right?

Contact a patent attorney. Just say, you have a foolproof method for
differentiating between normal mail and obviously forged mail.

Get a patent, and/or also get written up some non-disclosure agreements and
contact the pro's with your knowledge.

Needless to say, You are hereby killfiled, you Dumbass.
Greg Samson
2003-08-22 09:36:53 UTC
[snip]
Needless to say, You are hereby killfiled, you Dumbass.
"Double dumb-ass on you!"

*plonk*
n***@novirus.com
2003-08-22 02:25:40 UTC
I don't believe it can be done, so the point is moot. An MX handling incoming
mail can't know if your IP should or should not be sending mail with any given
domain in the From: field.

Even if it could do a matchup of IP vis-a-vis domain, it shouldn't - because
it doesn't make sense in all cases to do so.

Using Reply-to: as a workaround works (and is done for anti-spamming), but
only on outgoing mail.
Post by nutso fasst
While I'm ranting, I'd also like to know why ISPs can't filter mail with
forged headers, where the originating IP doesn't belong to the domain of the
'From' sender. Surely the gateways could automatically catch most of this
trash, and it seems quite possible to spot the actual infected or malicious
sender.
--
Ken
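The check nutso fasst asks for at the top of the thread and again in his 01:44 post (compare the originating IP from the headers with the 'From' domain before sending any notice) and Ken's objection just above (an MX has no way to know which IPs may send for a given domain) fit into one small piece of code. The following is an added example, not code from any post in this thread. It assumes a gateway that operates the hosts av-gw.example.net and mx1.example.net and the 192.0.2.0/24 range, a constructed table naming 198.51.100.0/24 as the only network allowed to send for example.com, and constructed sample messages. That table is exactly what Ken says the receiving MX does not have, unless the domain owner publishes it (which is what SPF records later provided). The design choice that matters for the backscatter complaint: when nothing is known about the domain, the notice is suppressed rather than sent.

```python
"""Should an AV gateway send a 'you sent us a virus' notice to the From: address?

Added example, not code from the thread.  Everything below is constructed for
illustration: the gateway hostnames, the IP ranges, the per-domain table of
authorised sending networks, and the sample messages.  Runs offline.
"""
import email
import email.utils
import ipaddress
import re
from email import policy

# Hosts and networks this gateway operates.  Only Received: lines written
# *by* these hosts are trusted; anything below them in the chain was added
# by strangers and may say whatever the sender wanted.  (Assumed values.)
TRUSTED_HOSTS = {"av-gw.example.net", "mx1.example.net"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# What an MX normally does not have: which networks may originate mail for a
# sender domain.  (Assumed table; an owner would have to publish it.)
KNOWN_SENDER_NETS = {
    "example.com": [ipaddress.ip_network("198.51.100.0/24")],
}

# "from <helo> (<rdns> [<ip>]) by <host> ..." as most MTAs write it.
RECEIVED_RE = re.compile(
    r"\bfrom\s+\S+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)", re.S
)


def parse(raw_message):
    return email.message_from_string(raw_message, policy=policy.default)


def originating_ip(msg):
    """Walk Received: headers newest-first and return the IP of the first hop
    that is not ours, as recorded by one of our own servers.  None if the
    chain leaves our trust boundary without giving an answer."""
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(value))
        if not m:
            continue
        ip, by_host = ipaddress.ip_address(m[1]), m[2].lower()
        if by_host not in TRUSTED_HOSTS:
            return None  # written by a stranger; stop before reading it
        if any(ip in net for net in TRUSTED_NETS):
            continue     # internal relay hop; keep walking back
        return ip
    return None


def notification_decision(raw_message):
    """Return 'notify', 'suppress-forged' or 'suppress-unknown'."""
    msg = parse(raw_message)
    origin = originating_ip(msg)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1]
    nets = KNOWN_SENDER_NETS.get(sender.rpartition("@")[2].lower())
    if origin is None or nets is None:
        return "suppress-unknown"  # nothing to compare: no backscatter
    return "notify" if any(origin in net for net in nets) else "suppress-forged"


def sample_message(origin_ip, sender, forged_received=""):
    """Constructed infected message as our gateway sees it.  forged_received,
    if given, sits below our own headers where the sender controls the text."""
    return (
        "Received: from mx1.example.net (mx1.example.net [192.0.2.10])\n"
        "\tby av-gw.example.net with ESMTP id 12345; Thu, 21 Aug 2003 18:40:01 +0000\n"
        f"Received: from example.com (unknown [{origin_ip}])\n"
        "\tby mx1.example.net with SMTP id 67890; Thu, 21 Aug 2003 18:39:58 +0000\n"
        + (forged_received + "\n" if forged_received else "")
        + f"From: {sender}\n"
        "To: victim@example.net\n"
        "Subject: Re: Details\n"
        "\n"
        "(infected attachment omitted)\n"
    )


if __name__ == "__main__":
    print(notification_decision(sample_message("203.0.113.77", "support@example.com")))
    print(notification_decision(sample_message("198.51.100.5", "support@example.com")))
```

The walk over Received: lines stops at the first header not written by one of our own hosts, so a Received: line the worm or a spammer puts into the message body of headers never influences the result; sample_message's forged_received argument exists to try that. Notifying only on a positive match is what makes the 'support' and 'webmaster' mailboxes in the original post stop receiving notices for mail that demonstrably left a dial-up address somewhere else; the cost is that a genuinely infected user at a domain with no published ranges is not told either, which is the trade Ken's objection forces.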
JK_Deth
2003-08-22 02:32:00 UTC
Post by nutso fasst
OK, everyone should be aware by now that self-mailing viruses/worms don't
use actual 'From' addresses. So why do server-side virus scanners email 'You
sent virus-infected mail' notices to the 'From' address?
To notify the sender, who may not be aware, that they have a virus.
Pretty seldom that would ever actually be the correct sender.
Post by nutso fasst
We are getting hit with scads of these auto-notifications to 'support' and
'webmaster' users on our domain, when it is clear from the originating IP in
the message header that the infected message did not originate here.
I should be able to use any ISP to send mail specifying the return email
address of my choice, as long as I'm not misrepresenting myself, unless
it's against the ISP's TOS. There are people for instance that keep a
persistent email box around through various changes of ISP. There are other
examples, just give it a minute's thought. I don't consider this forging.
No, you shouldn't. Or are you a frustrated spammer? There shouldn't be any
ISP allowing smtp mail to be sent from anyone outside of local IP blocks or
with invalid or non local domains in return addresses. The only ones who do
are either ignorant or blatantly supporting spammers.
Post by nutso fasst
While I'm ranting, I'd also like to know why ISPs can't filter mail with
forged headers, where the originating IP doesn't belong to the domain of the
'From' sender.
This is heavy handed and would create problems.
Post by nutso fasst
Surely the gateways could automatically catch most of this
trash, and it seems quite possible to spot the actual infected or malicious
sender.
If viruses that forge return addresses become more common, certainly you
will see enhancement to virus auto reply programs. Either for a particular
virus notices won't be sent, or perhaps ISP side mail daemons will at least
keep you from seeing more than one such message.
Where have you been? Is this the first virus you ever had to deal with as a
mail admin or are you just speculating?
Ralph
2003-08-22 05:44:38 UTC
Post by JK_Deth
Post by nutso fasst
OK, everyone should be aware by now that self-mailing viruses/worms don't
use actual 'From' addresses. So why do server-side virus scanners email 'You
sent virus-infected mail' notices to the 'From' address?
To notify the sender, who may not be aware, that they have a virus.
Pretty seldom that would ever actually be the correct sender.
Post by nutso fasst
We are getting hit with scads of these auto-notifications to 'support' and
'webmaster' users on our domain, when it is clear from the originating IP in
the message header that the infected message did not originate here.
I should be able to use any ISP to send mail specifying the return email
address of my choice, as long as I'm not misrepresenting myself, unless
it's against the ISP's TOS. There are people for instance that keep a
persistent email box around through various changes of ISP. There are other
examples, just give it a minute's thought. I don't consider this forging.
No, you shouldn't.
"JK_Deth" you should take note of my response to you, because this is the
last time I respond to a newbie dumbass on this newsgroup.

Re-read this entire thread in context and stop spewing stupid shit. That's
the best advice I can give you.

Post by JK_Deth
Or are you a frustrated spammer? There shouldn't be any
ISP allowing smtp mail to be sent from anyone outside of local IP blocks or
with invalid or non local domains in return addresses. The only ones who do
are either ignorant or blatantly supporting spammers.
Post by nutso fasst
While I'm ranting, I'd also like to know why ISPs can't filter mail with
forged headers, where the originating IP doesn't belong to the domain of the
'From' sender.
This is heavy handed and would create problems.
Post by nutso fasst
Surely the gateways could automatically catch most of this
trash, and it seems quite possible to spot the actual infected or malicious
sender.
If viruses that forge return addresses become more common, certainly you
will see enhancement to virus auto reply programs. Either for a particular
virus notices won't be sent, or perhaps ISP side mail daemons will at least
keep you from seeing more than one such message.
Where have you been? Is this the first virus you ever had to deal with as a
mail admin or are you just speculating?