Symantec Spoofing

Freshness Warning
This blog post is over 18 years old. It's possible that the information you read below isn't current and the links no longer work.

Symantec obviously knows that the SoBig email worm uses spoofing to make it look like the virus was sent from someone other than the actual sender. So why does their server-based antivirus tool insist on replying to the sender that their system is sending SoBig emails?

I’m getting several messages a day from mail servers protected by Symantec and others notifying me that I’ve been sending SoBig attachments. I’m not the one that’s infected. It’s a minor irritation to me because I understand what’s going on. But what about people who don’t know? They’re getting alerts from anti-virus companies, but they probably don’t know that it’s a false alarm. I can imagine the average email user being panicked that their system is infected.

Chris
September 4, 2003 10:25 AM

Sad isn't it. - Most of the time this is admins setting up the software to reply (intending it for internal consumption) or the software not being bright enough to have a sence of direction. And thanks to SoBig Etc admin@my-domains goes to /dev/null and I no longer use M$ mail products.

Lummox JR
September 4, 2003 1:07 PM

Augh. I heartily agree that it's stupid of Symantec to do this. In fact, knowing that worms even *could* forge their sending address, it's beyond stupid that a notification feature was ever put in in the first place. Internal consumption doesn't cut it; you'll still be sending the same notification a zillion times, and the forged return address would still ensure that the message never got where it was meant to go. I've been doing battle with these bonehead admins, sending off letters (that sometimes make it and sometimes don't) to fix their virus filters. I also send letters to those who apparently aren't even using a filter, or at least are using one that doesn't stop Sobig. It was only recently that I learned Symantec was a major culprit in the notifications, though. http://www.pyrojection.com/archives/000511.php

Jeroen
September 5, 2003 9:09 AM

You could blame Symantec, but I think that they shipped their products configured like this long before viruses like Sobig found out how to spoof. Therefore, I think that the first blame is on the mail admins of these systems who did not care to change the default configuration of their scanner.

Lummox JR
September 8, 2003 2:35 PM

True, you could give Symantec a pass for that, if not for the fact that anyone designing an e-mail scanner *should* give a thought to these things. Sending out an e-mail with a spoofed header is rather trivial, and it's not as if spoofed spam didn't exist then. So I count this as extreme failure to think ahead to some obvious and inevitable future worm capabilities. I also, however, blame the admins who didn't turn off the notification. In a bizarre twist, Friday I got a notification spam from Virginia Tech of all places, which actually admitted that I might not be the sender. When I contacted their admin, I was told that they had no choice of turning the notification off (obviously not a Symantec filter then), which was an extremely bogus excuse. I was not kind; a technology-oriented university should know better.

Hadley
September 11, 2003 1:40 PM

On the other, perhaps those panicked recipients rush out and buy symantec antivirus?

This discussion has been closed.

Recently Written

The Trap of The Sales-Led Product (Dec 10)
It’s not a winning way to build a product company.
The Hidden Cost of Custom Customer Features (Dec 7)
One-off features will cost you more than you think and make your customers unhappy.
Domain expertise in Product Management (Nov 16)
When you're hiring software product managers, hire for product management skills. Looking for domain experts will reduce the pool of people you can hire and might just be worse for your product.
Strategy Means Saying No (Oct 27)
An oft-overlooked aspect of strategy is to define what you are not doing. There are lots of adjacent problems you can attack. Strategy means defining which ones you will ignore.
Understanding vision, strategy, and execution (Oct 24)
Vision is what you're trying to do. Strategy is broad strokes on how you'll get there. Execution is the tasks you complete to complete the strategy.
How to advance your Product Market Fit KPI (Oct 21)
Finding the gaps in your product that will unlock the next round of growth.
Developer Relations as Developer Success (Oct 19)
Outreach, marketing, and developer evangelism are a part of Developer Relations. But the companies that are most successful with developers spend most of their time on something else.
Developer Experience Principle 6: Easy to Maintain (Oct 17)
Keeping your product Easy to Maintain will improve the lives of your team and your customers. It will help keep your docs up to date. Your SDKs and APIs will be released in sync. Your tooling and overall experience will shine.

Older...

What I'm Reading

Contact

Adam Kalsey

+1 916 600 2497

Resume

Public Key

© 1999-2021 Adam Kalsey.