Full Disclosure mailing list archives
RE: Re: Why are postmasters distributing the MyDoom virus?
From: "Bill Royds" <full-disclosure () royds net>
Date: Sat, 7 Feb 2004 20:07:27 -0500
The problem is not just AV systems sending out warnings, which is unnecessary. It is the fact that many viruses also forge the To addresses as well as the From addresses. The normal MTA response to a non-existent address is to send a non-delivery reply back to the From address containing the original message as an attachment. These go to the spoofed From address of the original message, adding another transmission vector for the virus, with even better "social engineering" to persuade someone to open it. Since some AV systems scan direct attachments, but not attachments within attachments, it even provides a greater possibility of passing through an anti-virus gateway than the original message.

P.S. The correct plural of virus is viruses. The original Latin word virus had no plural. The word virii is the plural of the word vir, which means man.

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of gadgeteer () elegantinnovations org
Sent: February 7, 2004 4:34 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Re: Why are postmasters distributing the MyDoom virus?

On Sat, Feb 07, 2004 at 02:15:43PM -0500, Richard M. Smith (rms () computerbytesman com) wrote:
Perhaps these postmasters need to review their bounce message policies and remove all attached files from messages being bounced.
Since it is well known that virii forge From headers, the better policy adjustment would be to NOT bounce virii messages at all. The Anti-Virus companies are certainly well aware of it, as it is a characteristic described in their alerts. Many of these bounces triggered by virii are nothing less than a spam opportunity for the A-V software company. There is no "opt-out" from these spam messages. This would seem to be a clear violation of CAN-SPAM.

Some sites have implemented various schemes to reject virii at the SMTP level. See NANOG mail archives for recent threads dealing with this and related topics.

--
Chief Gadgeteer
Elegant Innovations

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
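One way a gateway could apply the two remedies discussed in this thread (do not bounce mail the scanner flagged, and when bouncing, return headers only rather than the original message as an attachment), as an added Python example that is not from the thread or from any of its posters. The postmaster address and the worm-style sample mail are constructed placeholders; the attachment walker also shows why "attachment within attachment" matters by descending into attached message/rfc822 parts.

```python
from email.message import EmailMessage

POSTMASTER = "postmaster@example.net"  # assumed placeholder address

def list_attachments(msg, depth=0):
    """Return (filename, depth) for every attachment, recursing into attached
    message/rfc822 parts so that an attachment inside an attachment (the
    bounced original carrying the worm) is reported at depth 1, not missed."""
    found = []
    if msg.get_content_type() == "message/rfc822":
        for inner in msg.get_payload():      # one-element list: the inner mail
            found.extend(list_attachments(inner, depth + 1))
    elif msg.is_multipart():
        for part in msg.get_payload():
            found.extend(list_attachments(part, depth))
    elif msg.get_filename():
        found.append((msg.get_filename(), depth))
    return found

def build_bounce(original, flagged_as_virus):
    """Bounce policy: mail the scanner flagged is dropped without a bounce
    (its From is assumed forged, so a bounce would hit a bystander); any
    other undeliverable mail is bounced with the original headers only."""
    if flagged_as_virus:
        return None
    bounce = EmailMessage()
    bounce["From"] = POSTMASTER
    bounce["To"] = str(original["From"])
    bounce["Subject"] = "Undeliverable: " + str(original["Subject"] or "")
    headers = "".join(f"{k}: {v}\n" for k, v in original.items())
    bounce.set_content("Delivery to the recipient failed. "
                       "Original headers follow:\n\n" + headers)
    return bounce

def demo():
    """Constructed sample: a worm-style mail whose payload sits inside an
    attached message, i.e. an attachment within an attachment."""
    inner = EmailMessage()
    inner["Subject"] = "your document"
    inner.set_content("see attached")
    inner.add_attachment(b"not a real payload", maintype="application",
                         subtype="octet-stream", filename="document.zip")
    outer = EmailMessage()
    outer["From"] = "forged.sender@example.org"   # constructed, forged
    outer["To"] = "nosuchuser@example.net"        # constructed, nonexistent
    outer["Subject"] = "Mail Delivery System"
    outer.set_content("The original message was included as attachment.")
    outer.add_attachment(inner)
    return list_attachments(outer), build_bounce(outer, True), build_bounce(outer, False)
```

Running `demo()` shows the nested payload found at depth 1, no bounce at all for the flagged copy, and a headers-only bounce (no attachment, no filename) for the unflagged case.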
Current thread:
- Why are postmasters distributing the MyDoom virus? Richard M. Smith (Feb 07)
- RE: Why are postmasters distributing the MyDoom virus? Edward W. Ray (Feb 07)
- Re: Why are postmasters distributing the MyDoom virus? gadgeteer (Feb 07)
- RE: Re: Why are postmasters distributing the MyDoom virus? Bill Royds (Feb 07)
- Re: Why are postmasters distributing the MyDoom virus? Paul Schmehl (Feb 07)