Symantec Spoofing


Symantec obviously knows that the SoBig email worm uses spoofing to make it look like the virus was sent from someone other than the actual sender. So why does their server-based antivirus tool insist on replying to the sender that their system is sending SoBig emails?

I’m getting several messages a day from mail servers protected by Symantec and others notifying me that I’ve been sending SoBig attachments. I’m not the one that’s infected. It’s a minor irritation to me because I understand what’s going on. But what about people who don’t know? They’re getting alerts from anti-virus companies, but they probably don’t know that it’s a false alarm. I can imagine the average email user being panicked that their system is infected.
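The failure described above is a gateway that notifies whatever address appears in From:, even though the worm forged it. As an added example (not code from the post or from any Symantec product), here is the gateway-side decision a defender would want instead: notify the sender only when the address is plausibly genuine, and otherwise keep the alert with the local admin. The domains, relay addresses and detection names are assumed values.

```python
import email, re
from email import policy
from email.utils import parseaddr

# Assumed gateway configuration for this example (not from the article).
LOCAL_DOMAINS = {"example.org"}              # domains this gateway hosts mail for
INTERNAL_RELAYS = {"192.0.2.10"}             # our own submission hosts
SENDER_FORGING_MALWARE = {"W32.Sobig.F@mm"}  # detections known to forge From:

def first_hop_ip(msg):
    """IP of the host that originated the message, taken from the oldest
    Received: header (relays prepend, so the oldest is last). None if absent."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1])
    return m.group(1) if m else None

def notification_target(raw_message, detection):
    """Return 'sender' only when From: is plausibly genuine (malware is not a
    known sender-forger, domain is local, message entered via our own relay);
    otherwise 'admin', so the alert never becomes backscatter to a forged address."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if detection in SENDER_FORGING_MALWARE:
        return "admin"
    if sender_domain in LOCAL_DOMAINS and first_hop_ip(msg) in INTERNAL_RELAYS:
        return "sender"
    return "admin"

# Constructed samples: the first carries a local From: but entered from an
# outside host; the second really came through our own relay.
FORGED_EXTERNAL = """\
Received: from mx.example.org ([192.0.2.10]) by gw.example.org; Thu, 4 Sep 2003 10:00:00 -0700
Received: from pc-1234 ([203.0.113.7]) by mx.example.org; Thu, 4 Sep 2003 09:59:00 -0700
From: adam@example.org
Subject: Re: Thank you!

(constructed body; infected attachment omitted)
"""
GENUINE_INTERNAL = """\
Received: from desktop42 ([192.0.2.10]) by gw.example.org; Thu, 4 Sep 2003 10:00:00 -0700
From: staff@example.org
Subject: Re: Thank you!

(constructed body; infected attachment omitted)
"""
```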

Chris
September 4, 2003 10:25 AM

Sad, isn't it. Most of the time this is admins setting up the software to reply (intending it for internal consumption) or the software not being bright enough to have a sense of direction. And thanks to SoBig etc., admin@my-domains goes to /dev/null and I no longer use M$ mail products.

Lummox JR
September 4, 2003 1:07 PM

Augh. I heartily agree that it's stupid of Symantec to do this. In fact, knowing that worms even *could* forge their sending address, it's beyond stupid that a notification feature was ever put in in the first place. Internal consumption doesn't cut it; you'll still be sending the same notification a zillion times, and the forged return address would still ensure that the message never got where it was meant to go. I've been doing battle with these bonehead admins, sending off letters (that sometimes make it and sometimes don't) to fix their virus filters. I also send letters to those who apparently aren't even using a filter, or at least are using one that doesn't stop Sobig. It was only recently that I learned Symantec was a major culprit in the notifications, though. http://www.pyrojection.com/archives/000511.php

Jeroen
September 5, 2003 9:09 AM

You could blame Symantec, but I think that they shipped their products configured like this long before viruses like Sobig found out how to spoof. Therefore, I think that the first blame is on the mail admins of these systems who did not care to change the default configuration of their scanner.

Lummox JR
September 8, 2003 2:35 PM

True, you could give Symantec a pass for that, if not for the fact that anyone designing an e-mail scanner *should* give a thought to these things. Sending out an e-mail with a spoofed header is rather trivial, and it's not as if spoofed spam didn't exist then. So I count this as extreme failure to think ahead to some obvious and inevitable future worm capabilities. I also, however, blame the admins who didn't turn off the notification. In a bizarre twist, Friday I got a notification spam from Virginia Tech of all places, which actually admitted that I might not be the sender. When I contacted their admin, I was told that they had no choice of turning the notification off (obviously not a Symantec filter then), which was an extremely bogus excuse. I was not kind; a technology-oriented university should know better.

Hadley
September 11, 2003 1:40 PM

On the other hand, perhaps those panicked recipients rush out and buy Symantec antivirus?

Adam Kalsey
©1999-2020 Adam Kalsey.