E-mail worm alert: Mydoom/Novarg.A

[Vixen]

I am with Bladesnitz, I don't open ANYTHING that is not a jpeg or gif. That's it. And those are only from people I actually know. If it's a zip or anything else (whether it is sent from someone I know), it hits the trash *if* Norton's hasn't deleted it first.

In all honesty, everyone who is online NEEDS to have virus protection. Norton's and McAfee are inexpensive and easy to use. If anyone that doesn't have virus software wants to complain about the issue, they need to figure that they are probably part of the cause of the problem, as they are probably already infected and have potentially infected everyone in their address book.

[nickp]

So can we look at this problem in a positive way? Is there anything we can do to help slow it down?

My customers are not upset because they are getting a virus. They are upset because spoofed mail is being bounced back to them at an alarming rate.

I'm not asking for server sided virus scanning. I'm asking if there is a way to stop some of the bounced emails from coming through. Maybe drop all emails that have a subject of "delivery", a body containing "virus" and an attachment? Just a suggestion. I'm sure there is a better way to do it.

[logic404]

I'm confused? I'm reasonably sure I'm NOT infected, yet I'm getting all these NDR's for email this virus tried to send, supposedly using my domain name, but the IP addresses are not from my ISP, they're from someone elses. So is this virus just spoofing the headers, and it LOOKS like I sent them? In the sample header below, I'm assuming the line:
Received: from logic404.com (dapp-p-144-139-93-164.prem.tmns.net.au [144.139.93.164])

Means that it thinks the originating person was 144.139.93.164? Which is a Telstra address, and I don't use Telstra? Do I need to do anything further? Am I going to be blamed for this?

--366143.329859.1075.t
Content-type: text/plain; charset=us-ascii

----- The following addresses had permanent fatal errors -----
<stan@tninet.se>

----- Transcript of session follows -----
... while talking to: [213.150.135.49]
>> RCPT TO: <stan@tninet.se>
<< 550 <stan@tninet.se>: User unknown in local recipient table

--366143.329859.1075.t
Content-type: message/delivery-status


Final-Recipient: rfc822; <stan@tninet.se>
Action: failed
Status: 5.0.0
Remote-MTA: dns; [213.150.135.49]
Diagnostic-Code: smtp; 550 <stan@tninet.se>: User unknown in local recipient table

--366143.329859.1075.t
Content-type: message/rfc822
Content-Transfer-Encoding: 7bit

Received: from logic404.com (dapp-p-144-139-93-164.prem.tmns.net.au [144.139.93.164])
by zack.telenor.se (BMR ErlangTM/OTP 3.1) with ESMTP
id 651816.329821.1075.0s32701539zack for <stan@tninet.se>
; Wed, 28 Jan 2004 23:43:41 +0100
From: jim@logic404.com
To: stan@tninet.se
Subject: Mail Transaction Failed
Date: Thu, 29 Jan 2004 09:41:36 +1100

[jmbeach]

Matt (Bladesnitz) already says above that they block executables, and any virus scanning would heavily load the servers - not something I want to go through, expecially with the trouble some months back with the mail servers.

I don't see anything positive about this problem, thus why look at it that way. Is it really that hard to educate your customers? I called one client yesterday because everytime a new virus came out, he would get it. He must have some medical condition that forces him to click every attachment he gets. Anyhow, I told him to be careful, and he assured me that he's finally learned his lesson - several hundred dollars worth of support from me must have kicked him in the behind to stop opening attachments from every Tom, Dick and Harry.

All this said, remember that this virus is not bouncing as the same identical message for everyone. That's why it's spoofed, so that network admins cannot easily patch their system to boot this mail.

You can help your clients by telling them how to set up their own filters to delete this junk. That would be a quick fix, but not a fix-all

[Brangwyn]

Quote:

Means that it thinks the originating person was 144.139.93.164? Which is a Telstra address, and I don't use Telstra? Do I need to do anything further? Am I going to be blamed for this?

Theres not much you can do, your correct your being spoofed and there won't be any blame for that as it's beyond your control.

[logic404]

Well, as long as it's not my fault, I can continue to sit here and feel smug as I hit the delete key without opening attachments, can't I?

Sorry, If I could do something about anything, it would be the virus itself. Let alone stopping bounces... Do you know how many different MTAs there are? And even the same MTA may respond 5 million different ways (depending on the server config). If I blocked all MAILER-DAEMON, postmaster, and bounce mail, I would block.... a lot of stuff. I know this would definitly upset people becuase people like to know when their mail doesn't go through so they can resend it. Sorry, I'm more likely to put virus scanning than dropping messages.

[nickp]

jmbeach - I'm just looking out for my clients. That's what I do.

Bladesnitz - Thank you for addressing the problem. If it can't be fixed, that is fine. All I ask is that it's looked into.

[somereseller]

Yes, Vixen, antiviruses are effective, but I just don't like to get 300 virus messages a day. It's just unnecessary garbage imo.

Antivirus on the server is a must, that has been available for some time on your competitors' servers. It's a big plus when selling hosting services these days.

"He must have some medical condition that forces him to click every attachment he gets." -jmbeach
You 'kill' me Beach...common sense with a dash of humor


This is not really that difficult people. My Niece called me from college the other day, very little computer experience and definitely an "AOL-level" user. She said that she had contracted a virus via AOL IM. In 20 minutes (with her help) I had McAfee, Windows Firewall, and SpyBot downloaded, installed, and running on here PC (a 17 year old).....problem solved.

It's just not a reasonable, or feasable option to have Anti-Virus running on the Mail servers. Mcafee is a $34.95 annual subscription that requires very little to no configuration or maintenance. No offense intended, but my fuzzy little 'lap-dog' could handle that with a credit card and a mouse.

http://johnkornhiser.com/Personal/Le...Pretty_JPG.htm

[Vixen]

Quote:

Originally Posted by somereseller

Antivirus on the server is a must, that has been available for some time on your competitors' servers. It's a big plus when selling hosting services these days.

I don't see why it is a must when it's just as simple for you to purchase anti-virus software yourself, place it on your computer and set it up the way you like.

Do you have any idea how many emails would be scanned a day if we were doing the scanning?? Geeeeeeeez My Norton's pops up everytime it picks up something in my incoming mail and I only have 3 domains I am checking mail for. There are 8,000 domains on just ONE mail server. Now, think about how many email accounts each of those domains have. The anti-virus software would be bogging down the server within 15 mins from scanning all the mail that comes through. And god forbid it actually delete a file you wanted. You would be pitching a fit and you know it.

Let's not forget that even if we did somehow implement this on our servers, I am sure some of the resellers (and their customers) have other email accounts (i.e. Hotmail, Yahoo, MSN, AOL, Juno, etc.) Therefore, they could stil get this virus or any virus from any of these other email accounts IF they don't have anti-virus software on their computer.

Like I said before, ANYONE that is online at all NEEDS to have anti-virus software for the protection of their own computer.

[jmbeach]

I too don't see any reason to have virus protection at the server level, especially when the servers aren't really likely to contract anything - plus the added resources would negatively affect us all. I don't think any of us want to add to the stress put on these servers.

And I apologize, nickp, if I sound a little frustrated, but I'm tired of customers (because I have customers like this too) who want a quick fix to these problems. Some of them continue to keep their heads in the sand regarding the complexity of these type of viruses. I get some that call me thinking I control the internet or something - when all I do is host their website and email. I have no control over what their friends do with their email that causes their address book to be raided, and I certainly cannot stop spoofing. End users just need to take some responsibility for being on the internet, plain and simple.

Again, this is just my opinion - it's not even worth two pennies, but it's still my opinion.

[Infinitation]

Just a sidenote, I found that most of my customers have a catch all account that they do not use but are hooked up to. And that is why they are getting so many copies of the virus. Just by turning it off they are much happier. I'm very satisfied with how little spam and crap I get in my mailbox, and this might be a quick temporary fix to some that are getting more than their share of attachments.

Ive drastically lowered the size of bounce messages. There were thousands of big bounce messages making mail1's queue inflate. This also means that the virus won't get spread through bounces on our servers

[somereseller]

Thank you for that measure.