RE: Anti-virus auto-replies

From: Kelly Vance <vancek(at)agcs.com>
Date: Fri Jun 27 2003 - 18:23:38 EDT


How about auto-replies as a profiling technique?

Depending upon where the reply is generated (email gateway, mail server, or desktop) it could verify, minimally, a functional email address. It can also return the version of the product which detected the viral threat, the definition or dat level, the name of the system that detected the threat, and the disposition of the message (quarantine, delete, repair, notify). If you've configured content filtering notification, you've also told them what file types you will accept.

Enough auto-replies could also tell a would-be attacker how frequently you update your definitions, and which users at an organization will open any attachment they receive.

If no reply is received they have to keep guessing: did the message get filtered? Was the message successful in enticing the user into opening the attachment?

Of course, some gateway configurations block all .exe files or other file types, but when a filter isn't in place, or an extension is malformed (.pi, .zi), the message will reach your users.

Hopefully your end users will have retained what they learned from your security awareness training, or have enough common sense, and won't detach your_details.zi, rename it with the .zip extension, extract and execute it.
I know a few people who did just that.

Please don't send them the honor system virus.

Kelly


-----Original Message-----

From: Maenard_martinez@support.trendmicro.com [mailto:Maenard_martinez@support.trendmicro.com]
Sent: Friday, June 27, 2003 11:11 AM
To: wjcallahan@lucent.com; focus-virus@securityfocus.com
Subject: RE: Anti-virus auto-replies

Check InterScan Messaging Security Suite: it can detect mass mailers and, by default, will delete them. For the rest, I believe it is a turn-on/off configuration. Regarding the request, you have a point; better submit a feature request to us. =)

Maenard

-----Original Message-----

From: Callahan, William J (William) [mailto:wjcallahan@lucent.com]
Sent: Saturday, June 28, 2003 2:04 AM
To: Maenard Martinez (TS-PH); 'focus-virus@securityfocus.com'
Subject: RE: Anti-virus auto-replies

We use the TrendMicro gateway product and I agree with the request.

TrendMicro should include a "Spoofed Sender" list for known viruses. Viruses which are known to spoof the sender's address shouldn't generate a notification to the sender. We don't want to completely disable sender notifications for all viruses, just the notifications which are generated by viruses which spoof the sender's address.

This list should be updated with the virus signature updates. I suggest reviewing the Sybari Worm purge feature which reduces email notification storms during worm outbreaks.

Bill


-----Original Message-----

From: Maenard_martinez@support.trendmicro.com [mailto:Maenard_martinez@support.trendmicro.com]
Sent: Friday, June 27, 2003 12:25 PM
To: focus-virus@securityfocus.com

I understand what you mean. But this kind of deployment may not be applicable to other companies. Thus, AV products have the option to disable email notifications if a virus is detected. So if you think notification is irrelevant, you can just turn it off; but other administrators may not prefer this kind of configuration.

Another workaround is to enable content filtering when you experience an outbreak: block the emails based on attachments or subject (not the From field). Most mail servers have this feature.
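As an added illustration (not code from the thread, from Trend Micro, Sybari or any other vendor's product), the following puts the three mechanisms discussed above into one gateway decision: Bill's "spoofed sender" list that suppresses the sender notification for worms known to forge From:, Maenard's outbreak content filter on attachment type and subject rather than the From field, and Kelly's truncated-extension case (.zi, .pi) that would otherwise slip past a plain extension match. Sobig.E is the only virus named by the thread as a sender spoofer; the other list entries, the blocked-extension set, the subject list and the sample detections are constructed for the example.

```python
"""Hypothetical gateway notification/filter policy built from the thread's
suggestions. Lists and sample messages are constructed, not vendor data."""
from dataclasses import dataclass

# Worm families that forge the From: address; Sobig.E is the thread's example,
# the others are hypothetical entries. Bill's point is that a vendor would ship
# this list with signature updates rather than leave admins to maintain it.
KNOWN_SENDER_SPOOFERS = {"WORM_SOBIG.E", "WORM_EXAMPLE.A", "WORM_EXAMPLE.B"}

# Extensions an outbreak filter refuses outright (constructed set).
BLOCKED_EXTENSIONS = {"exe", "pif", "scr", "zip", "com", "bat", "vbs"}

# Outbreak subjects to drop, matched case-insensitively (constructed, not
# real Sobig.E indicators). Note: the From: address is deliberately not used.
OUTBREAK_SUBJECTS = {"re: your details", "re: approved"}


@dataclass
class Detection:
    virus_name: str   # scan-engine name, empty if nothing was detected
    sender: str       # From: address (unreliable for worms that spoof it)
    subject: str
    attachment: str


def notify_sender(d: Detection) -> bool:
    """Notify the From: address only for viruses not known to forge it."""
    if not d.virus_name:
        return False
    return d.virus_name.upper() not in KNOWN_SENDER_SPOOFERS


def normalize_extension(filename: str) -> str:
    """Lowercased final extension, with a truncated form such as '.zi' or
    '.pi' mapped back to the blocked extension it is a prefix of, so that
    'your_details.zi' is handled as if it were '.zip'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return ext
    for full in sorted(BLOCKED_EXTENSIONS):   # sorted for a stable choice
        if len(ext) >= 2 and full.startswith(ext):
            return full
    return ext


def content_filter_blocks(d: Detection) -> bool:
    """Outbreak filter on attachment type and subject, never on From:."""
    if normalize_extension(d.attachment) in BLOCKED_EXTENSIONS:
        return True
    return d.subject.strip().lower() in OUTBREAK_SUBJECTS


def disposition(d: Detection) -> dict:
    """Combine the scan result and content filter into one gateway action."""
    action = {"deliver": True, "notify_sender": False, "reason": ""}
    if d.virus_name:
        action["deliver"] = False
        action["reason"] = f"virus {d.virus_name} detected"
        action["notify_sender"] = notify_sender(d)
    elif content_filter_blocks(d):
        action["deliver"] = False
        action["reason"] = "content filter"
    return action


# Constructed sample traffic: a Sobig.E hit with a forged sender, a harmless
# EICAR test file from a real sender, a truncated-extension attachment that
# the scanner did not flag, and a clean message.
SAMPLE = [
    Detection("WORM_SOBIG.E", "support@microsoft.com", "Re: Your details",
              "your_details.pif"),
    Detection("Eicar_test_file", "bob@example.com", "AV check", "eicar.com"),
    Detection("", "alice@example.com", "Re: Your details", "your_details.zi"),
    Detection("", "carol@example.com", "Q2 report", "report.pdf"),
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(f"{d.sender:24} {d.attachment:18} {disposition(d)}")
```

The prefix heuristic in normalize_extension is intentionally narrow: it only rescues two-or-more-character truncations of extensions you already block, so a legitimate type such as .pdf or .doc is never pulled into the blocked set. A production filter would also look at the file's magic bytes rather than trusting the name at all.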

-----Original Message-----

From: Jonas Anden [mailto:dajudge@home.se]
Sent: Friday, June 27, 2003 1:36 PM
To: focus-virus@securityfocus.com
Subject: Anti-virus auto-replies

Is there anyone other than me that considers all these antivirus autoreply messages to be more than a nuisance?

When the virus it detects is *known* to fake the sender address, why send an alert back to the specified sender? During the last day, after the outbreak of Sobig.e, we've received hundreds of these messages to our support mailing lists.

In some ways they are worse than the virus itself; the viruses get stopped at the gateway; these messages do not and we have to manually remove them.

A previous strain used support@microsoft.com as the sender. I wonder how many autoreplies they got...?


  // J

Received on Mon Jun 30 14:39:49 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:39 EDT
