RE: Anti-virus auto-replies
From: Mason, Samuel <smason(at)state.mt.us>
Date: Mon Jul 07 2003 - 12:21:27 EDT
Also if they were sending a message every 5 minutes and you were simply purging it that should not have created any sort of DoS on your system. Maybe I'm misunderstanding what you are trying to say there in response to my previous message. As far as the rest of your message I *know* I don't understand what you're trying to say. I don't think any of that was ever part of *my* discussion, anyway.
Samuel Mason
-----Original Message-----
I disagree. Let's look at Lovegate, which clearly had limited prevalence in the US. One external user was infected and sent one infected message every five minutes to one of our partners every five minutes. That was a form of DoS, and I had to act on it. I'm kind of tired of the discussions I've seen here. I found it kind of funky when I went to SANS training that they suggested that you enable viewing extensions in order to deal with the Outlook problem with such. It was more funny when they did their webcast on slammer and suggested that the spider port might also be in play.

G.

-----Original Message-----
From: Mason, Samuel
Sent: Tue Jul 01 17:55:03 2003
To: 'Rob Rosenberger'
Cc: 'focus-virus@securityfocus.com'
Subject: RE: Anti-virus auto-replies

Actually we did use Trend for a while but we use Antigen now. I suppose Trend probably has the same sort of functionality, however. To answer your question, normally you would not want to inform someone of an infected file... unless you happened to be really *trying* to send a Word document infected with a macro or something (more often than not ours are not viruses but blocked file extensions). In that case we like to let the sender and receiver know the reason they did not get the expected message and it wasn't just redirected to the bit-bucket for no reason. As someone pointed out earlier, the most widespread and recurring malware are those that spoof the "from" address so our notifications have dropped dramatically since the onset of Klez.
Samuel Mason
-----Original Message-----
>>they made a change in their code on the next revision that they call
Sounds like you guys use Trend Micro. And since we're on the subject of Trend Micro... I want to clarify an important issue in my previous email. I believe Trend Micro's antivirus products (including PC-Cillin) turn notifications off in both directions by default. The sysadmin must decide to turn on notifications for the recipients and/or the (supposed) senders.

Rob

PS: this leads me to ask an obvious question. Given today's prevalence, why would you want to notify a recipient that a virus tried to send them an infected email? :-|

Received on Tue Jul 8 09:03:29 2003