posted by
eftychia at 12:57pm on 2004-03-23
[Actual domain filed off because *lots* of sites have sent me
such bounce messages.]
From dglenn
To: postmaster@[XXXXX].com
Subject: Your MTA is spreading a virus. Please correct this.
I received the following, apparently from the SMTP daemon
at [XXXXX].com:
> This message was created automatically by mail delivery software.
>
> A message that you sent could not be delivered to one or more of its
> recipients. This is a permanent error. The following address(es) failed:
>
> nobody@[XXXXX].com
> This message has been rejected because it has
> a potentially executable attachment "all_document.pif"
> This form of attachment has been used by
> recent viruses or other malware.
> If you meant to send this file then please
> package it up as a zip file and resend it.
>
> ------ This is a copy of the message, including all the headers. ------
Please note (and _correct_) the following problems:
1) The message was *not* sent by me, from one of my computers, or
from my account. Like most modern worms, it forged the From
address. Sometimes very rudimentary checking of the headers
will reveal a forgery (note that the suspicious message was
injected from h134.221.40.162.ip.alltel.net, and not from
radix.net); otherwise assume that if a message is a worm, the
sender will be forged and the _alleged_ sender will not want
a potentially infectious message. I can understand not wanting
to "black hole" any messages, but if a forgery can be detected,
drop it on the floor; and if the forgery is not detectable/uncertain,
at least don't send the _payload_ back.
2) By sending the entire message _including_the_viral_payload_
"back" to me, you _sent_me_a_fresh_copy_ of the worm! Since
it did not originate on one of my machines, it wasn't already
*here* until your MTA "helpfully" mailed it to me in a bounce
message. If you're bouncing a message because it's almost
certainly a worm, strip the payload out. If the sender really
did mean to send a binary (and it's innocuous) they'll still
have the file handy to resend, and they probably don't need a
new copy coming over their net connection.
3) The instruction to package binaries in a zip file is actually
less helpful than it sounds. The latest worms (such as Beagle)
send their payloads in zip files. With a password no less.
Perhaps forwarding a message to the intended recipient asking
"Were you _expecting_ a binary file from this user?" and
requiring some sort of handshake between both ends will be
safer than merely trusting zipped attachments. OTOH, if your
network is a "work only" environment (that is, if you're not
an ISP), a flat "no executable attachments" policy may make
the most sense (with a mail-sanitizer that knows how to look
inside zip files). Or designate a few users who may actually
have a valid reason to receive executables, and make sure
those users are *educated* regarding proper caution and
avoidance of worms.
In any event, I do not appreciate your system having mailed me a
copy of a worm/virus/trojan, and I find it rather ironic that it
did so _in_the_name_of_ virus _protection_. I get plenty of copies
directly; I do *not* need additional copies from easily-fooled
MTAs. Please fix your configuration accordingly. Thank you.
-- D. Glenn Arthur Jr.
Here is the mostly-complete message, showing all headers and
quoted headers, but minus the PIF attachment (no point in
sending that around _again_):
[etc.]
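An added example, not part of dglenn's letter or the original post, of the two checks the letter asks for in points 1 and 2: read the host that injected the message from the bottom-most Received: header, compare it with the domain in the From: address, and, if a bounce is sent at all, send only the headers. The sample message, the example.com hosts and the postmaster address are constructed for this illustration; only h134.221.40.162.ip.alltel.net, radix.net and the all_document.pif filename come from the letter.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample (not a real captured message): the From: line claims
# radix.net, but the bottom-most Received: line shows the message was
# injected from an alltel.net host, as in the letter. The attachment body
# is a harmless placeholder, not a real PIF file.
RAW_MESSAGE = b"""\
Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby mail.example.com with ESMTP id abc123; Tue, 23 Mar 2004 10:00:00 -0500
Received: from h134.221.40.162.ip.alltel.net (h134.221.40.162.ip.alltel.net [162.40.221.134])
\tby mx.example.com with SMTP id xyz789; Tue, 23 Mar 2004 09:59:58 -0500
From: dglenn@radix.net
To: nobody@example.com
Subject: document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

See the attached document.
--BOUND
Content-Type: application/octet-stream; name="all_document.pif"
Content-Disposition: attachment; filename="all_document.pif"
Content-Transfer-Encoding: base64

TVoAAAAAAAAAAAAA
--BOUND--
"""

EXECUTABLE_SUFFIXES = (".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs")
RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def parse(raw):
    return email.message_from_bytes(raw, policy=policy.default)


def injecting_host(msg):
    """Host named in the earliest Received: line. Each hop prepends its own
    Received: header, so the last one in header order is the hop that
    first accepted the message from outside."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = RECEIVED_FROM.match(received[-1])
    return m.group(1).lower() if m else None


def from_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() or None


def looks_forged(msg):
    """True if the injecting host lies outside the From: domain, False if it
    lies inside it, None if either side cannot be determined."""
    host, domain = injecting_host(msg), from_domain(msg)
    if host is None or domain is None:
        return None
    return not (host == domain or host.endswith("." + domain))


def executable_attachments(msg):
    return [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(EXECUTABLE_SUFFIXES)
    ]


def build_bounce(msg, rejected, postmaster="postmaster@example.com"):
    """A bounce carrying the rejected message's headers but none of its
    body, so the alleged sender never receives a copy of the attachment."""
    headers = "".join(f"{name}: {value}\n" for name, value in msg.items())
    bounce = EmailMessage()
    bounce["From"] = postmaster
    bounce["To"] = str(msg["From"])
    bounce["Subject"] = "Undeliverable: " + str(msg.get("Subject", ""))
    bounce.set_content(
        "Your message was rejected because it carried a potentially "
        "executable attachment: " + ", ".join(rejected) + "\n\n"
        "------ Headers of the rejected message (body omitted) ------\n"
        + headers
    )
    return bounce


def handle(raw):
    """Decide what the MTA should do; returns (action, bounce_or_None)."""
    msg = parse(raw)
    rejected = executable_attachments(msg)
    if not rejected:
        return "accept", None
    if looks_forged(msg):
        return "drop", None  # forgery detectable: no bounce to the victim
    return "bounce", build_bounce(msg, rejected)  # uncertain: headers only
```

Two caveats a real filter has to live with. Only the Received: lines added by hosts you control are trustworthy; a sender can prepend fake ones, so the bottom-most line is a hint rather than proof, which is why the uncertain case above still bounces (without the payload) rather than dropping. And the match on a "From: domain" is the rudimentary check the letter describes, not a substitute for authenticating the envelope sender.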
Worst case, I fell for a forgery but at least didn't send yet another copy of the payload in response. Best case, they change the behaviour of their filter. Expected case: my message gets completely ignored but I blew off a little steam.
Now I'm getting way more of these things than the percentage of clueless or careless among the folks close to me would account for, so I'm guessing that my email address is in the mailboxes of machines God knows how many degrees from me, having been spread to those machines by previous worms.
Of course, once they've sent me a worm, they're only one degree of contact away.
Malware: bringing the net closer together.