Kuro5hin.org: technology and culture, from the trenches
create account | help/FAQ | contact | links | search | IRC | site news
[ Everything | Diaries | Technology | Science | Culture | Politics | Media | News | Internet | Op-Ed | Fiction | Meta | MLP ]
We need your support: buy an ad | premium membership

Anti-viral autoresponders considered harmful

By kmself in Technology
Mon Dec 04, 2000 at 04:52:14 PM EST
Tags: Internet (all tags)

navidad.exe has struck again on a mail list I subscribe to, and the current spam attack count is: virally-compromised subscriber: 1, antiviral software alert messages: 7. And we're in the wee-hours of the event. How about an improved method of dealing with this problem?

Email viruses have been legion since the first Melissa and Love Bug epidemics spewed forth from what Steven Vaughaun-Nichols has termed that "security hole which is also an email client", Microsoft Outlook. And, while it's helpful to be notified of messages which may have been infected if you are also susceptible, the large-scale list spamming which now follows any posting of infected messages is rapidly getting tedious. Particularly when a single AV alert host posts multiple messages to the same list in short order. And for those of us Superior Lifeforms ™ who aren't succeptible, it's downright annoying.

This is the sort of problem which might be addressed by an IETF RFC, roughly as follows:

  • Infected post is sent to list.
  • AV detection host (AVDH) sees virus. Replies to list with in a standardized alert format. As a nod to the AV vendors, this might even include a vendor string. Optionally (and more usefully) replies to original sender and/or sendor(s) postmaster or ISP address.
  • List management software (LMS) determines whether or not this is an original or duplicate notification on a particular message, determines its own policies for dealing with multiple alerts on the same viral load in different messages in a short time period.
  • LMS sends acknowledgement to AVDH, indicating whether or not this is a first-time alert, a duplicate alert for a message, or a duplicate alert for a payload (same infection, different message), and how this will be dealt with.
  • LMS may or may not elect to send an alert to list recipients. This is also sent to AVDH originally identifying the infestation, and is issued in response to AVDHs subsequently reporting on the same message or payload within a single event window.
  • AVDH may elect to send its own message to list if LMS response doesn't match its own set of triggers, but this message conforms to a standard format which may be filtered either by the LMS or individual recipients.

Advantages are single notification of an instance, centralized management of incident response, and standardization of response formats. Disadvantages are increased complexity of the AV notification process, possible delayed response (due to slow LMS response) of viral loads and attacks, and possibly missing particular instances of viral attacks.

Is this something which would be useful? Is it worth the technical complexity of implementation -- requiring cooperation of AV vendors and LMS authors? Or are AV alerts just another annoyance of the modern Internet we have to deal with? Is the IETF RFC process appropriate to this task? How about newsgroups and/or mailing lists which are multi-peered or peered to newsgroups?


Voxel dot net
o Managed Hosting
o VoxCAST Content Delivery
o Raw Infrastructure


AV alerts should be sent to:
o All message recipients, originator, originator's postmaster. 6%
o Personal recipients and list administrator. 9%
o Administrative accounts only. 3%
o As suggested in this article. 4%
o /dev/null 50%
o Inoshiro 26%

Votes: 64
Results | Other Polls

Related Links
o navidad.ex e
o Also by kmself

Display: Sort:
Anti-viral autoresponders considered harmful | 20 comments (20 topical, editorial, 0 hidden)
At the risk of being trite... (3.25 / 20) (#1)
by Signal 11 on Mon Dec 04, 2000 at 03:29:25 PM EST

Well, although this may seemingly over-simplify the issue, the obvious (and most effective solution) is to educate the users on practicing safe hex, and ban the ones that continually endanger the network.

The fact of the matter is that viruses are not a *technological* problem so much as a *human* problem, and nobody seems to realize this. There is now a multibillion dollar anti-virus industry to combat human stupidity - and it goes without mentioning which side is winning.

In the entire course of my recent computing life(as, in, about the last 11 years), I have been infected with one virus. One. Numero uno. And the only reason that happened was because I forgot to scan the warez software I downloaded before executing it - human error. I used Outlook at work just like everyone else, and it didn't take a genius to figure out when there were fourteen messages from different people with the same subject "ILOVEYOU" that something might be up. I deleted all of the messages, and then hopped online and read the latest virus report while the rest of the department firmly placed their head up their arse and crashed the mailserver by opening the attachment.

There is nobody to blame for a viral infection but yourself in the overwhelming majority of the cases. Loss of data is entirely the sole fault of the user, and anyone who does not do backups and then loses data as a result of a viral infection should be terminated with predjudice and removed from the network (provided they have been instructed on proper procedures for backups and avoiding viruses).

It's inexcusable that people continually suffer billions in monentary losses (and cause their employer to suffer billions as well) when a $300 tape drive and a few tapes could have prevented the problem.

Society needs therapy. It's having
trouble accepting itself.

We know this .... (3.71 / 7) (#2)
by rednecktek on Mon Dec 04, 2000 at 03:50:32 PM EST

Well, although this may seemingly over-simplify the issue, the obvious (and most effective solution) is to educate the users on practicing safe hex, and ban the ones that continually endanger the network
Not as easy as you think. Users (especially C?Os) want it to work now, just the way they heard Micro$oft tell them it would.

You educate the users as necessary. You can't teach someone something they don't want to learn.

Just remember, if the world didn't suck, we'd all fall off.
[ Parent ]

Woah... (2.80 / 5) (#3)
by Jongo on Mon Dec 04, 2000 at 04:04:54 PM EST

**touches Signal11** **shivers** Seriously, though, that is a very well made point. There's no use in trying to stem the tide of virii at its source, that's just not going to succeed. More time should be spent on trying to educate people.

[ Parent ]
It would be nice, but is it possible? (3.80 / 5) (#4)
by theR on Mon Dec 04, 2000 at 04:17:50 PM EST

It would be nice to educate the users so things like this don't happen. The question is, can it really be done? Some users show a surprising amount of understanding and aptitude, while others have no clue. It reasonable to expect them to make an effort, but anything beyond that is probably just a bonus.

Most users are not paid to know anything about computers besides what it takes to do their job, and while not crashing the mail server would help people keep doing their jobs, it is unlikely that enough users could be affected by training to prevent viruses from causing significant damage, in my opinion.

Another problem is that the CEO/CIO/Cwhateverlettersyouwant does not view this as a user problem. I would bet that most CEOs have the attitude that the techies are paid to stop this sort of thing, so that is what they should do. While I agree with you completely, it is not a practical solution, at least not where I work. If we had to ban everybody that endangered the network, we would have virtually no secretaries and a significant reduction in management personnel...

Hey, on second thought, that sounds like a great idea!

[ Parent ]
Re: It would be nice, but is it possible? (4.50 / 2) (#12)
by phliar on Tue Dec 05, 2000 at 06:13:42 PM EST

I would bet that most CEOs have the attitude that the techies are paid to stop this sort of thing, so that is what they should do.
Yeah... first they tell you that the company has to run Microsoft products, no, none of that free crap, and don't listen to your arguments (no matter how well-reasoned and insightful they are); then when the shit hits the fan exactly the way you said it would, it's your fault.

Man, I'm so glad I don't have that sort of job any more!

Faster, faster, until the thrill of...
[ Parent ]

Errr.... (4.00 / 4) (#5)
by Parity on Mon Dec 04, 2000 at 05:34:35 PM EST

If it's a human problem and not a technological problem, then why did you need technology (a virus scanner) to protect yourself?

And if there is -some- technological component to computer virii, then why should the 'good' technology not be made as robust, non-intrusive, and effective as possible?

More importantly, since -other- people believe a technological solution should be implemented, how does decrying it as a 'human problem' do anything about the e-mail scanners spamming the mailing lists? Shall we just ask all those corporations to stop scanning incoming e-mail for virii because it's a 'human problem'? Do you think they'd listen?

Parity None

[ Parent ]
Technological responses to human problems (4.00 / 1) (#9)
by Nick Ives on Tue Dec 05, 2000 at 12:57:54 PM EST

In some ways a virus scanner is a bit like a bullet proof vest. If someone gets you with a virus you'll walk away with either minor damage or unscathed, or if your unlucky they used a new strain of virus that your AV doesnt protect against and your dead. People shooting bullets at each other is a human problem, in an ideal world we'd put down our guns and there would be peace love and happiness for all, but a bullet proof vest helps lessen the damage from all the people shooting at each other.

In other ways a AV is nothing like a bullet proof vest. Imagine if the world was actually like The Matrix and the best way to about being shot was to dodge bullets and that by just teaching everyone how to be smart enough to dodge bullets, it wouldnt matter that everyone shoots at each other because you'd be able to just jump out of the way. That way noone would ever get shot and die from a bullet wound. Similarly, if everyone just took sensible precautions about where they got their software then they would considerably lesson the risk of viruses. I think I've had two viruses in the 10+yrs I've been around pooters, one of which was completely not my fault because it was on an ST Format cover disk, the other was the infamous Win95.CIH which I had for three months before I found out. It didnt bomb my system because on the day of the month the payload was due to detonate I wasnt in 'doze.

Sure, from my examples its obvious that viruses will still exist and spread even if everyone took sensible precautions, I mean, one of the only viruses I got was from a cover disk. The Win95.CIH virus made it into a few commercial game demo's IIRC. But even if you can dodge bullets, your screwed if someone points one at your head at point blank range and pulls the trigger.

[ Parent ]

Re:At the risk of being trite... (5.00 / 3) (#7)
by CrazyJub on Tue Dec 05, 2000 at 09:42:45 AM EST

Let's use a real world example. I work in a sales office, we sell things. We are paid to sell things. Part of our job is to communicate with clients, via phone or email. We also use the usual corporate software packages; Office, IE, and a Windows desktop.
Most of the people that sell were not brought up with computers, they see them only as a tool to do a job...like a phone or a car. Most people who drive, can drive..but they have no idea what the heck is going on under the hood. Same thing with a phone...most people who use it, know how to dial....but have no idea of how it works.

Now, back to the office where people sell...

They are paid to sell, not to use the computer...so the amount of time that is spent educating them on computer use is significantly less that how to sell more.

The problem is, these very powerful machines are put EVERYWHERE and people are expected to know everything about them...including viruses. Most people really...I mean really, DON'T CARE.

Is this frustrating for IS? YES! Is it frustrating for the handfull of people outside MIS who know what they are doing when it comes to computers? YES! (Include myself in that category). This comment:

There is nobody to blame for a viral infection but yourself in the overwhelming majority of the cases. Loss of data is entirely the sole fault of the user, and anyone who does not do backups and then loses data as a result of a viral infection should be terminated with predjudice and removed from the network (provided they have been instructed on proper procedures for backups and avoiding viruses).

WHAT???? Are you telling me you expect to train EVERYONE how to use computers on this level??? Can you expect the receptionist to know about backups and trojans? It's like expecting one of the tests to get a drivers licence is "how to take apart the engine".

Besides, backups are the responsibility of the MIS department in any org.....plain and simple. While this attitude might work in a small orginization, there is NO WAY IN HELL corporations will see eye to eye with you.

[ Parent ]
Virii as a social problem... (3.00 / 1) (#8)
by CubeDweller on Tue Dec 05, 2000 at 11:42:10 AM EST

I agree with you that viruses currently live and die by social stupidity, but to tell you the truth, I'm glad it's that way. The day everyone wises up and stops opening those vbs emails, I think we techies have a lot to worry about.

My reasoning follows evolutionary patterns. If social viruses stopped being effective, I don't think we'd see the end of viruses. Simple email viruses would wither out, and something new would replace them. Most likely the replacement would be more technological than social, and harder to defend against.

Right now I don't even run a virus scanner. I have no need to. I don't download warez or other untrusted executables, I don't open any email with attachments, and I get along just fine by being an intelligent user. I haven't had a virus in close to 5 years. Does that mean I'm immune? Certainly not. I'm sure I would be very suceptible to a well-written technological virus that required no user intervention to spread. If viruses like that become prevalent then I'll have to hop on down to the local software store and buy a virus scanner.

I prefer that viruses depend on the social aspect. As long as they continue to depend on interaction from stupid users to spread, I myself am protected because I know better. Others may get burned, and I suppose I should feel bad for them, but I really don't.

I treat computer viruses like I do common bacteria. I don't run around using anti-bacterial soap and sterilizing everything in sight because I know that if I do, only the strong will survive, and those strong will grow faster and become more prevalent. I'd rather keep on dealing with the weak, even if it causes a relatively minor hassle now and then.


[ Parent ]
Hope your luck holds up... (none / 0) (#14)
by ameoba on Wed Dec 06, 2000 at 07:35:51 AM EST

Reminds me of this guy I know... On a regular basis (on the average, about once per week) has unprotected sex with strangers, and has been doing this for the year or so that I've known him. He regularly gets tested for STDs, and has yet to come up with anything.

He claims that he can tell, just by looking at a girl if they're clean or not...

OTOH, there's a girl I know who managed to catch herpes when she lost her virginity. I'm sure he would have thought her clean, had he run into her...

For those that don't get it... You've got your trusted sources, and they have their's, etc. If somewhere along this chain of trust, somebody's slipped up and let a virus (or in the case of Linux users, it's more likely that a security hole's sliped in along the way...)

[ Parent ]
Re: Hope your luck holds up... (none / 0) (#19)
by CubeDweller on Wed Dec 06, 2000 at 11:33:53 AM EST

I fully expect to get burned one of these days when a more superior vein of virus comes around. I have the uncommon luxury of being in no real danger. Even if I'm forced to wipe out both of my windows boxes and re-install from scratch, the worst I'll lose is the saved games from whatever I'm currently playing. With most STD's you've got problems for life, but I could 'cure' myself only a short while after detection, so I don't put them in the same category.

Anything of real value I keep on a separate non-windows box. I've got an OpenBSD box that manages my network and stores my address book, email and such, and a Linux box that stores my source code and other development work.

If I were to lose the windows boxes, I would lose the 2 hours or so it would take to rebuild them, but I'm sure I would have spent more than 2 hours over the course of 5 years keeping a virus scanner up to date with the latest trendy virus definitions.

So when it comes right down to it, I suppose I am spending a good bit of time protecting myself. I just choose to use non-windows boxes as my tool instead of a virus scanner. I can justify that, though, with the fact that I have a stable network and a solid development platform as side-benefits of my effort. If I would have spent my effort on maintaining a virus scanner I would have neither of those benefits.

My methods do assume that I'll never get a virus that affects OpenBSD or Linux in a serious way. I'll admit that I don't know much about *nix viruses, but the last time I checked, there wasn't that much to know... yet.

I have my trusted sources, and my own windows boxes are not among them. That's my protection.


[ Parent ]
at the risk of being completely petty... (1.50 / 2) (#10)
by AtomZombie on Tue Dec 05, 2000 at 03:08:35 PM EST

the plural of 'virus' is 'viri' not 'virii'.

--from a latin dork :)


"why did they have to call it UNIX. that's kind of... ewww." -mom.
[ Parent ]
better, but still not right (2.33 / 3) (#15)
by streetlawyer on Wed Dec 06, 2000 at 08:58:10 AM EST

"viri" would be the plural of "vir". Better than "virii", which posits the non-existent "virius", but still best to stick with viruses, as there is no very compelling Latin plural. I occasionally argue for "virus" (with a long "u"), after "prospectus", but less and less these days.

Just because things have been nonergodic so far, doesn't mean that they'll be nonergodic forever
[ Parent ]
i remembered that after (2.00 / 1) (#16)
by AtomZombie on Wed Dec 06, 2000 at 11:10:01 AM EST

i was going to post a little ammendment after that when i remembered 'vir'... it's been a while since high school! but i never got around to it. is there even a Latin word 'virus'? if so, it must have a pretty funky declention.

anyway, if virus is a word logically the plural would be viri. at least if you are trying to remember high school latin. :)

i've been had by the man again. get it? ha ha. shoot me now before i continue...


"why did they have to call it UNIX. that's kind of... ewww." -mom.
[ Parent ]
Possible solution (2.50 / 4) (#6)
by Global-Lightning on Mon Dec 04, 2000 at 05:56:03 PM EST

Place the auto-responder behind an anti-virus program.
Thus any infected email is intercepted before it's sent to list recipients, and your auto-responder doesn't become an accomplice in spreading the virus.

As always, your AV is only as good as your maintenance.

Other problems resulting from this (4.00 / 2) (#11)
by theboz on Tue Dec 05, 2000 at 03:31:06 PM EST

Where I work we use Exchange Server and Outlook, blah blah blah. I don't like using it and prefer various pop clients. Anyways, my team sometimes needs to send files to each other. Often these are .exe files, whether self extracting or not (I know it's best to have compressed files) it turns out we are not allowed to send .exe file attachments via email.


No Need For New RFC - Just Well Behaved Remailers (4.00 / 2) (#13)
by PackRat on Wed Dec 06, 2000 at 12:08:52 AM EST

Why go to all the trouble of setting up another RFC and getting everyone to adhere to a new standard, when all you need to do is get everyone to adhere to the existing standards?

Just get the mailing list exploder to not munge the Reply-To: address. Then the virus scanner can reply to (and only to) the Reply-To: address. If the Reply-To: address doesn't exist, use the From: address. I don't know why so many list exploders insist on setting the mailing list address as the Reply-To: address, when they're already included in the CC: field anyway.

Mailman is a well-behaved mailing list exploder.

AMaViS is a well-behaved mail virus scanner.

Notifying list members useful. Spamming not. (none / 0) (#20)
by kmself on Wed Dec 06, 2000 at 04:44:16 PM EST

Proper setting and use of Reply-to: would be very much appreciated, but this only addresses part of the problem. There is a value in informing list recipients that a virus was posted. However, the current trend is for multiple receiving mailhosts to respond to each detected virus. On a sufficiently large list, this could result in hundreds or thousands of responses.

The only clear solution I can see is to delegate the list notification task to some authority, and the list management server itself would appear to be the proper home.

Karsten M. Self
SCO -- backgrounder on Caldera/SCO vs IBM
Support the EFF!!
There is no K5 cabal.
[ Parent ]

another thing about latin plurals (1.00 / 1) (#17)
by AtomZombie on Wed Dec 06, 2000 at 11:12:25 AM EST

i heard someone attempt to Latin pluralise the word 'modem'. i don't think they realised what the word modem is derived from!


"why did they have to call it UNIX. that's kind of... ewww." -mom.
oops wrong thread (1.00 / 1) (#18)
by AtomZombie on Wed Dec 06, 2000 at 11:13:46 AM EST



"why did they have to call it UNIX. that's kind of... ewww." -mom.
[ Parent ]
Anti-viral autoresponders considered harmful | 20 comments (20 topical, 0 editorial, 0 hidden)
Display: Sort:


All trademarks and copyrights on this page are owned by their respective companies. The Rest 2000 - Present Kuro5hin.org Inc.
See our legalese page for copyright policies. Please also read our Privacy Policy.
Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
Need some help? Email help@kuro5hin.org.
My heart's the long stairs.

Powered by Scoop create account | help/FAQ | mission | links | search | IRC | YOU choose the stories!