You Sent Me A Virus! Have A Nice Day!

 
 
By Larry Seltzer  |  Posted 2003-07-09
 
 
 


Have you ever received an e-mail from someone, or maybe from an automated agent or mail administrator of a site informing you that you had sent them an infected message? Theres a good chance you didnt actually send the infected message.

Gateway anti-virus software often has the capability, when it detects an infected message coming in, to send a notification message to the purported sender of the infected message, telling them that an infected e-mail was sent from them and that they should take appropriate actions.

People complain about these notification messages almost as much as they complain about the viruses themselves. Theres a legitimate point to it, although exaggeration abounds all over the arguments. The main problem is that we all tend to take viruses personally; we howl when we receive an infected message as well as when were accused of spreading them. I think many users still dont appreciate that virus/worm spreading these days is an entirely unintentional affair.

Some e-mail virus/worms, send their message not from the user of the infected computer, but from an address made up by the worm itself, called a "spoofed" address. Sometimes these addresses come from a simple list hard-coded into the worm, and sometimes from your address book, but the current preferred method is to search key files, such as the users browser cache, for addresses.

For example, Klez, undoubtedly the Virus Of The Year for the 2002-2003 season, uses such address spoofing. In these cases, if the gateway anti-virus software sends a message to the sender of the infected message, they are sending it to an uninvolved third party.

This is partly why I think that the overall scale of the problem is exaggerated. I have a large number of e-mail addresses and because of web pages linking to them, like this one, those addresses are posted all over the web. This is why I get a lot of infected e-mail, because my address is in a lot of browser caches. But I dont get a lot of notifications that I have sent people viruses.

The more intelligent anti-virus gateways, like Trends InterScan Messaging Security Suite, decide based on the capabilities of the worm whether its worth sending a notification to the sender of the message. This is actually a simple decision, since the scanner needs to have a database of worms and their characteristics anyway. Why not make "spoofs sender address" one of those characteristics?

Notification messages can even be worse than useless. If you were able to receive enough notification messages you could determine their senders and create a profile of who runs what anti-virus software, valuable information for an attacker to have. The downside to this is that you might call too much attention to yourself by receiving all those notifications.

This all raises the issue of what to do with a message when anti-virus software detects an infection, and here all too often anti-virus software acts illogically. In the early days of e-mail viruses (1999, 2000) there was a chance that an infected message had actual content in it that one might want to save. But all of the recent attacks send their own completely synthetic messages. Perhaps the message body contains text pulled pseudo-randomly from files on the disk, but its not a real message and nothing worth saving. My own anti-virus software tries to send me a cleaned version of infected files. I wish it would stop trying.

And I would argue that most notifications are useless to most people and counter-productive. Unless you know from the virus characteristics that the sender address is the actual sender theres no point in looking at the message. Why would the recipient ever need to know that the anti-virus software blocked an infected message? Theres almost no chance that it contains actual data.

So if someone tells you that they blocked a virus, congratulate them. If its an automated message, write a rule to trash the messages. And if youre writing anti-virus software, think critically about how you notify people.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Rocket Fuel