This is the blog of Adam Kalsey. Unusual depth and complexity. Rich, full body with a hint of nutty earthiness.
Freshness Warning
This blog post is over 20 years old. It's possible that the information you read below isn't current and the links no longer work.
3 Sep 2003
Symantec obviously knows that the SoBig email worm uses spoofing to make it look like the virus was sent from someone other than the actual sender. So why does their server-based antivirus tool insist on replying to the sender that their system is sending SoBig emails?
I’m getting several messages a day from mail servers protected by Symantec and others notifying me that I’ve been sending SoBig attachments. I’m not the one that’s infected. It’s a minor irritation to me because I understand what’s going on. But what about people who don’t know? They’re getting alerts from anti-virus companies, but they probably don’t know that it’s a false alarm. I can imagine the average email user being panicked that their system is infected.
Augh. I heartily agree that it's stupid of Symantec to do this. In fact, knowing that worms even *could* forge their sending address, it's beyond stupid that a notification feature was ever put in in the first place. Internal consumption doesn't cut it; you'll still be sending the same notification a zillion times, and the forged return address would still ensure that the message never got where it was meant to go. I've been doing battle with these bonehead admins, sending off letters (that sometimes make it and sometimes don't) to fix their virus filters. I also send letters to those who apparently aren't even using a filter, or at least are using one that doesn't stop Sobig. It was only recently that I learned Symantec was a major culprit in the notifications, though. http://www.pyrojection.com/archives/000511.php
You could blame Symantec, but I think that they shipped their products configured like this long before viruses like Sobig found out how to spoof. Therefore, I think that the first blame is on the mail admins of these systems who did not care to change the default configuration of their scanner.
True, you could give Symantec a pass for that, if not for the fact that anyone designing an e-mail scanner *should* give a thought to these things. Sending out an e-mail with a spoofed header is rather trivial, and it's not as if spoofed spam didn't exist then. So I count this as extreme failure to think ahead to some obvious and inevitable future worm capabilities. I also, however, blame the admins who didn't turn off the notification. In a bizarre twist, Friday I got a notification spam from Virginia Tech of all places, which actually admitted that I might not be the sender. When I contacted their admin, I was told that they had no choice of turning the notification off (obviously not a Symantec filter then), which was an extremely bogus excuse. I was not kind; a technology-oriented university should know better.
On the other, perhaps those panicked recipients rush out and buy symantec antivirus?
This discussion has been closed.
Chris
September 4, 2003 10:25 AM
Sad isn't it. - Most of the time this is admins setting up the software to reply (intending it for internal consumption) or the software not being bright enough to have a sence of direction. And thanks to SoBig Etc admin@my-domains goes to /dev/null and I no longer use M$ mail products.