Clueless virus filters spam innocent third parties
Every major virus written over the last three years has used fake sender addresses. Despite this well-documented fact, many widely used virus filter applications will contact the innocent third parties, whose addresses have been abused by a virus, suggesting they were the senders. In many cases, filters do this after specifically having identified the type of virus as one that fakes sender addresses, such as NetSky. Even though I advocate virus filtering at the mail server level, I have to conclude that much of the software available for that job today is either badly written or misconfigured.
If you receive a virus today, you can be almost certain that the computer of the person whose address is listed in the From: statement of the mail header is not infected with a virus. Current viruses scan the hard disk of the infected machine. They look through the email address book, the webbrowser cache and just about any other file on the disk. Basically any string with an '@' in it becomes fair game. The virus mails itself to such addresses, using another address from the same pool as the fake sender. That is the reason why the "sender address" of a virus is often related to the recipient - they may share a common contact, the person whose computer got infected.
If someone visits website X or receives an order confirmation by company Y and then – possibly months later – opens a virus infected email attachment, chances are some of the new virus mails that result will list company X or Y as the sender, even though they are totally innocent. Not only will these innocent parties receive bounce notifications for all virus mails that turn out to be undeliverable (for example, because the sender address has become invalid or a mailbox is full). Badly written virus filter software will also send them emails complaining that their machines are infected with Netsky, MyDoom, Swen or some other virus, even though these viruses are known to fake every sender address. It would be pure coincidence if the machine listed as the sender by the virus was really infected.
You would have thought that any software smart enought to recognize the Netsky virus should be smart enough to know that Netsky fakes the From-address. Apparently not. Until that changes, virus warnings will have to be treated the same way as other spam and viruses: By filtering them.
Articles on this subject:
Clueless filters by sender domain
Virus filters for the following domains have sent us bogus virus warning spam. As you can see, the problem gets worse. In March I sometimes went for a week without a bogus warning. Now I get warning spam almost every day, often even multiple warnings per day. We notify postmasters of all servers sending us virus warning spam. Though we have not received a reply from most of them, neither have we received more spams. Only the few entries listed in bold are repeat offenders, i.e. servers that have sent one or more virus warning spams after their postmaster had already been notified of the problem. Postmasters who do reply generally do so to notify us that they have fixed the problem.
Clueless filters by product
Here are some of the clueless notifications we have received over the course of the last two months. We received multiple examples by all listed filters, these are only examples:
Clueless filter sample messages
David by Tobit Software
From: email@example.com Date: Wednesday, 31 March, 2004 18:40 To: myaddress Subject: Virus detected WARNING! This site is protected by David from Tobit Software. David's Doorkeeper detected that one or several attachments of the following message sent by you may NOT have been delivered to the recipient because they were infected by a virus! See the list below for details. Subject...: Re: Message Error Recipient.: firstname.lastname@example.org Date/Time.: Fri, 05 Mar 2004 12:29:35 +0200 Infected file(s): Virus..: W32/Netsky (ED) File...: msg.zip Status.: The file has been deleted. This is a notification message only. Please visit www.tobit.com for further information about David, Tobit's outstanding unified messaging system.
This one is nicely cryptic:
From: ANTIGEN_IRIS <ANTIGEN_IRIS@saltspring.com> To: "'myaddress'" <myaddress> Subject: Antigen found VIRUS= W32/Mydoom@MM (NAI) virus Date: Tue, 27 Jan 2004 20:10:47 -0800 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain Antigen for Exchange found data.zip->data.pif infected with VIRUS= W32/Mydoom@MM (NAI) worm. The message is currently Purged. The message, "Test", was sent from myaddress and was discovered in IMC Queues\Inbound located at Imagen/NEPTUNE1/IRIS.
AMaViS - amavis-milter
This one at least provides the original message headers, allowing the recipient of the "warning" to notify the abuse department of the provider of the real sender:
Received: from DE618910X00001.DE618910.vw-group.com (p508E87D4.dip0.t-ipconnect.de [126.96.36.199]) by powerbox.prohost.de (8.11.6/8.11.6) with ESMTP id i22BkWj07116 for <myaddress>; Tue, 2 Mar 2004 12:46:32 +0100 Received: from DE618910X00001.DE618910.vw-group.com (localhost [127.0.0.1]) by DE618910X00001.DE618910.vw-group.com (8.12.6/8.12.6/SuSE Linux 0.6) with ESMTP id i22BOS1j003733 for <myaddress>; Tue, 2 Mar 2004 12:24:28 +0100 Received: (from vscan@localhost) by DE618910X00001.DE618910.vw-group.com (8.12.6/8.12.6/Submit) id i22BORV8003732; Tue, 2 Mar 2004 12:24:27 +0100 Date: Tue, 2 Mar 2004 12:24:27 +0100 From: postmaster@DE618910X00001.DE618910.vw-group.com Message-Id: <200403021124.i22BORV8003732@DE618910X00001.DE618910.vw-group.com> To: <myaddress> Subject: VIRUS IN YOUR MAIL X-Virus-Scanned: by AMaViS - amavis-milter (http://www.amavis.org/) V I R U S A L E R T Our viruschecker found the W32/Netsky.D@mm virus in your email to the following recipient: -> <admin@localhost> Delivery of the email was stopped! Please check your system for viruses, or ask your system administrator to do so. For your reference, here are the SMTP envelope originator and headers from your email: From <myaddress> ------------------------- BEGIN HEADERS ----------------------------- Received: from mail.autohausXXXXX.de [188.8.131.52] by localhost with POP3 (fetchmail-5.9.13) for admin@localhost (multi-drop); Tue, 02 Mar 2004 12:24:26 +0100 (CET) Received: (from mail@localhost) by powerbox.prohost.de (8.11.6/8.11.6) id i22BjZ406331 for autohausXXXXX@autohausXXXXX.de; Tue, 2 Mar 2004 12:45:35 +0100 Received: from mail42.mobile.de (mail42.mobile.de [184.108.40.206]) by powerbox.prohost.de (8.11.6/8.11.6) with ESMTP id i22BjYt06310 for
A different version of Amavis, it seems, also with original message headers, but annoying nonetheless:
Subject: VIRUS (W32/Netsky.d@MM) IN YOUR MAIL In-Reply-To: <20040304060820.F15B16E08E@ns1.so.ch> Message-Id: <VS21652email@example.com> Content-Type: multipart/report; report-type=delivery-status; boundary="----------=_1078380504-21652-1" From: amavisd-new <firstname.lastname@example.org> To: <myaddress> Date: Thu, 4 Mar 2004 07:08:24 +0100 (CET) This is a multi-part message in MIME format... ------------=_1078380504-21652-1 Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: inline Content-Transfer-Encoding: 7bit VIRUS ALERT Our virus checker found virus: W32/Netsky.d@MM in your email to the following recipient: -> XXXXXXX@aio.so.ch Delivery of the email was stopped! Please check your system for viruses, or ask your system administrator to do so. For your reference, here are headers from your email: ------------------------- BEGIN HEADERS ----------------------------- Received: from aio.so.ch (adsl-213-180-162-205.cybernet.ch [220.127.116.11]) by ns1.so.ch (Postfix) with ESMTP id F15B16E08E for <XXXXXXX@aio.so.ch>; Thu, 4 Mar 2004 07:08:20 +0100 (CET) From: myaddress To: XXXXXXX@aio.so.ch Subject: Re: Your website Date: Thu, 4 Mar 2004 07:08:32 +0100 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0002_000009CF.00002243" X-Priority: 3 X-MSMail-Priority: Normal Message-Id: <20040304060820.F15B16E08E@ns1.so.ch> -------------------------- END HEADERS ------------------------------ ------------=_1078380504-21652-1 Content-Type: message/delivery-status Content-Disposition: inline Content-Transfer-Encoding: 7bit Content-Description: Delivery error report Reporting-MTA: dns; ns1.so.ch Received-From-MTA: smtp; ns1.so.ch ([127.0.0.1]) Arrival-Date: Thu, 4 Mar 2004 07:08:22 +0100 (CET) Final-Recipient: rfc822; XXXXXXX@aio.so.ch Action: failed Status: 5.7.1 Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, id=21652-01 - VIRUS: W32/Netsky.d@MM Last-Attempt-Date: Thu, 4 Mar 2004 07:08:24 +0100 (CET) ------------=_1078380504-21652-1 Content-Type: text/rfc822-headers Content-Disposition: inline Content-Transfer-Encoding: 7bit Content-Description: Undelivered-message headers Received: from aio.so.ch (adsl-213-180-162-205.cybernet.ch [18.104.22.168]) by ns1.so.ch (Postfix) with ESMTP id F15B16E08E for <XXXXXXX@aio.so.ch>; Thu, 4 Mar 2004 07:08:20 +0100 (CET) From: myaddress To: XXXXXXX@aio.so.ch Subject: Re: Your website Date: Thu, 4 Mar 2004 07:08:32 +0100 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0002_000009CF.00002243" X-Priority: 3 X-MSMail-Priority: Normal Message-Id: <20040304060820.F15B16E08E@ns1.so.ch> ------------=_1078380504-21652-1--
This notification is short but wrong and totally useless (no headers):
Date: Wed, 10 Mar 2004 11:18:14 +0100 From: email@example.com To: <myaddress> Subject: InterScan NT Alert Message-Id: <E1B114V-0001fWfirstname.lastname@example.org> Sender, InterScan has detected virus(es) in your e-mail attachment. Date: Wed, 10 Mar 2004 11:18:14 +0100 Method: Mail From: <myaddress> To: XXXXXXXXXX@jowa.ch File: your_letter.pif Action: clean failed - deleted Virus: WORM_NETSKY.D
ScanMail for Microsoft Exchange
This notification is short but wrong and totally useless (no headers):
Return-path: <AT1EX1-SA@nextiraone.at> Received: from at1ex1.nextiraone.at (unknown [22.214.171.124]) by integer.pobox.com (Postfix) with ESMTP for <myaddress>; Mon, 19 Apr 2004 02:31:40 -0400 (EDT) Received: by at1ex1.nextiraone.at with Internet Mail Service (5.5.2653.19) id <HGFH23Z4>; Mon, 19 Apr 2004 08:31:27 +0200 Message-ID: <C5AA968999484043B79F3C4A1B45D64303C37F90@at1ex1.nextiraone.at> From: System Attendant <AT1EX1-SA@nextiraone.at> To: "'myaddress'" <myaddress> Subject: ScanMail Message: To Sender virus found or matched file blocking setting. Date: Mon, 19 Apr 2004 08:31:26 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain ScanMail for Microsoft Exchange has taken action on the message, please refer to the contents of this message for further details. Sender = myaddress Recipient(s) = SURNAME firstname Subject = denied! Scanning Time = 04/19/2004 08:31:25 Engine/Pattern = 7.000-1004/859 Action on message: The attachment associal.zip contained WORM_NETSKY.C virus. ScanMail has taken the Deleted action. Warning to sender. ScanMail has detected a virus in an email you sent.
This notification is short but wrong and totally useless (no headers):
From: "MailScanner" <email@example.com> To: myaddress Subject: Warning: E-mail viruses detected X-MailScanner: generated, Found to be clean X-MailScanner-Information: Please contact the ISP for more information Our virus detector has just been triggered by a message you sent:- To: someguy@somedomain Subject: solve the problem! Date: Fri Apr 30 12:09:57 2004 Any infected parts of the message (part2.zip) have not been delivered. This message is simply to warn you that your computer system may have a virus present and should be checked. The virus detector said this about the message: Report: >>> Virus 'W32/Netsky-C' found in file part2.zip/part2.com -- MailScanner Email Virus Scanner www.mailscanner.info Mailscanner thanks transtec Computers for their support
Webshield by Networks Associates "returns" the mail with an advertisement for the filter, including a link to their website: Unsolicited commercial bulk email = spam. What they don't provid is header information. It is likely though that the final Received-line of the virus warning spam indicates the virus sender.
Received: from dmzws2.antwerpen.be ([126.96.36.199] helo=DMZWS2.webshield) by mymailserver with smtp (Exim 4.33) id 1BQOhA-0000o5-9O for Myname@mydomain; Wed, 19 May 2004 12:53:10 +0200 Received: from 82-168-49-148-bbxl.xdsl.tiscali.nl(188.8.131.52) by DMZWS2.webshield via csmap id 6ccf54aa_a982_11d8_9528_0030482986b3_24584; Wed, 19 May 2004 12:51:13 +0200 (CEST) From: Myname@mydomain To: firstname.lastname@example.org Date: Wed, 19 May 2004 10:50:17 GMT Subject: Returned due to virus; was:Delivery failure notice (5339) Importance: Normal X-Priority: 3 (Normal) X-MSMail-Priority: Normal Message-ID: <90367b85cbb168.9ffb0.qmail@mydomain> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="======ae95ab28.e472" Content-Transfer-Encoding: 7bit This is a multi-part message in MIME format. --======ae95ab28.e472 This e-mail was generated automatically. Information about -MYDOMAINROOT- under: http://www.mydomain ----- Errors: 184.108.40.206_does_not_like_sender. # 469: Giving_up_on_220.127.116.11. # 431: Remote_host_said:_delivery_error # 392: mailbox_unavailable # 231: MAILBOX NOT FOUND End ----- The full mail is attached. Auto-ReMail.System#: [mydomainroot] --======ae95ab28.e472 Content-Disposition: attachment Content-Type: Text/HTML; name="mail.txt.zip.htm" Content-Transfer-Encoding: 7bit X-NAI-WebShielde500-mimepp: Attachment removed <html><head><meta HTTP-EQUIV="Content-Type" content="text/html; charset=UTF-8"> <title>VIRUS INFECTION ALERT</title></head> <body> <h1><font color="#FF0000">VIRUS INFECTION ALERT</font></h1> <p>The WebShield® e500 Appliance discovered a virus in this file. The file was not cleaned and has been removed.</p><p> See your system administrator for further information. </p> <p>File name: mail.txt.zip<br> Virus name: W32/Sober.g@MM</p> <p>Copyright © 1993-2003, Networks Associates Technology, Inc.<br> All Rights Reserved.<br> <a href="http://www.mcafeeb2b.com">http://www.mcafeeb2b.com</a></p> </body></html> --======ae95ab28.e472--
Another totally useless warning, as it doesn't include any header information. The filter recognizes the exact virus type (W32/NetSky.D@mm, which is known to spoof the sender address), yet goes ahead and spams the fake sender:
Received: from mail.khis.de ([18.104.22.168] helo=mail006.thyssenkrupp.com) by delta.mc1.hosteurope.de with esmtp (Exim 4.33) id 1BNXMl-0000l5-57 for myaddress; Tue, 11 May 2004 15:32:16 +0200 Received: from n0501208.triaton.com (n0501208.triaton.com [22.214.171.124]) by mail006.thyssenkrupp.com (8.12.11/8.12.11) with ESMTP id i4BDWDE7006453 for <myaddress>; Tue, 11 May 2004 15:32:13 +0200 Message-Id: <200405111332.i4BDWDE7006453@mail006.thyssenkrupp.com> From: interner-SMTP-Backbone-Service@triaton.com To: myaddress Date: Tue, 11 May 2004 15:32:20 +0200 (MEST) Subject: Virus detected in: [Spam?] Re: Document MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Scenarios/Incoming/F-Secure Anti-Virus: Virus W32/NetSky.D@mm found by F-Secure Orion details W32/NetSky.D@mm Die E-Mail von myaddress an email@example.com enthielt einen Computer Virus. Eine Zustellung erfolgt nicht. Bitte lassen Sie umgehend ihr Computer-System pruefen! Mehr Informationen ueber den Virus: http://www.f-secure.com/virus-info The e-mail from myaddress to firstname.lastname@example.org contained a computer virus. The delivery was blocked. Immediately check your compter, please! More information about the detected virus: http://www.f-secure.com/virus-info
Informationsverbund Bonn-Berlin (IVBB)
Here's another example of a "warning" from a braindead virus scanner that is smart enough to recognize Netsky-emails, but too dumb to understand that all Netsky sender addresses are picked at random from email addresses found on the computer.
Received: from [126.96.36.199] (helo=Augsburg.bund.de) by mxng09.kundenserver.de with esmtp (Exim 3.35 #1) id 1CDLvF-0006mC-00 for ####@###########; Fri, 01 Oct 2004 13:50:01 +0200 Received: (from root@localhost) by Augsburg.bund.de (8.9.3p2/8.9.3) id NAA04221 for <####@###########>; Fri, 1 Oct 2004 13:50:00 +0200 From: email@example.com Message-Id: <200410011149.NAA04120@Augsburg.bund.de> To: ####@########### Subject: IVBB-VIRENWARNUNG: WORM_NETSKY.P MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Date: Fri, 1 Oct 2004 13:49:57 +0200 Warnung! Wir haben eine E-Mail mit Ihrem Absender abgefangen, die einen Virus enthält. Diese E-Mail muss nicht unbedingt von Ihrem Computer aus versandt worden sein, da Computer-Viren und Würmer oft die Adresse des Absenders fälschen. Möglicherweise erreicht diese Warnung daher nicht den eigentlichen Verursacher. In diesem Falle können Sie diese Meldung ignorieren. Warning! We received an e-mail with your sender adress containing a virus. This e-mail was not necessarily sent from your computer, because viruses and worms are often able to fake the senders adress. Therefore it is possible, that this warning reaches not the right originator of the infected e-mail. In such occasions please ignore this warning. Sender: ####@########### Empfänger: firstname.lastname@example.org Betreff: [VIRUS] Mail Delivery (failure email@example.com) Datum: Fri, 1 Oct 2004 13:49:16 +0200 Grund : Es wurde eine Schadfunktion z.B. Virus entdeckt. Reason: It contained a virus infected attachment. Viren Name(n): WORM_NETSKY.P Anhang Name(n): UNBEKANNT!
Sample replies to clueless virus notifications
Subject: Badly configured virus scanner at yourdomain
Sample replies to clueless virus notifications (in German)