Stop Anti-Virus Gateway Responses

Turn off that alert-sender feature in your anti-virus gateway-now, urges eWEEK's Jim Rapoza.

Im very, very sorry. it appears that I, Jim Rapoza, am one of the worst virus spreaders in the world, and you can lay a large portion of the recent virus outbreak at my feet. Youre thinking, "Jim, how could you? Arent you the one who called people idiots for opening obvious virus attachments and thereby spreading viruses? Arent you the one who listed all the common-sense steps users should take to stop viruses?"

Indeed, I havent opened any questionable attachments, and the anti-virus software on my systems is up-to-date and showing my systems as virus free. Im also pretty sure my Linux and Mac OS systems arent spreading these viruses.

But I must be a horrible virus spreader. After all, every day I receive lots and lots of responses from anti-virus gateway systems at companies and ISPs informing me that a virus-laden message has been sent from my e-mail address. I must be guilty; the messages say I am.

Oh, wait—thats it! Pretty much every virus in the wild today spoofs the "from" addresses in the e-mail messages they use to spread themselves, meaning that 99.9 percent of the time, the e-mail address in the "from" field isnt that of the virus sender. I know this; the other eWEEK Labs analysts know this; pretty much everyone knows this. Everyone knows this, it seems, except for the companies that make anti-virus gateways and the administrators who deploy them with the respond-to-sender features turned on.

Hey, just got another one! Thanks for the heads up Norton_AntiVirus_Gateways@Iwontsaythecompany! Ill make sure I get rid of the virus-laden attachment in my e-mail with the subject "Hi" that I sent to you.

Because my e-mail address is publicly posted and linked in blogs, newsgroups and so on, it gets spoofed a lot. Sure, the reply-to-sender feature of anti-virus gateways might have made sense a few years ago when most viruses didnt aggressively spread themselves through e-mail using spoofed addresses. But that hasnt been the case for a while.

Shouldnt admins know better than to leave this feature on—or worse, turn it on? Do they figure its worth needlessly sending annoying and incorrect replies to thousands of people just so they can correctly notify

Do they know theyre putting unnecessary stress on their own company mail servers to send out virus alerts to people who never sent them an e-mail? And do they know that by leaving some of these reply systems on, they can actually contribute to spreading the viruses?

One reader recently recounted how the MyDoom virus bypassed the readers companys gateways when a gateway response from another company helpfully returned the spoofed virus message that someone from the readers company had "sent" along with the virus-loaded attachment. Nice.

What to do? Vendors of anti-virus software must turn this feature off by default and put some intelligence into it. It should be able to scan the source of the mail message to see if the address has been spoofed. If the address isnt valid, then it should not respond. And the anti-virus gateway feature should never make it possible to blindly respond to all virus-laden messages. If vendors cant implement the feature in this way, they should get rid of it.

In the meantime, administrators who are dealing with the current generation of these anti-virus gateways: Turn that %@)!&)#!!&@# alert-sender feature off! By leaving it on, you become part of the problem. You are adding to the damage that viruses cause by putting unnecessary stress on networks, servers and relays that are already stressed by the viruses themselves.

So, as it turns out, Im not a horrible spreader of nasty viruses after all. And I dont appreciate being tagged as one over and over again. If you dont want me to start taking drastic action, like listing the names of company gateways that respond to spoofed virus messages, please turn off that alert-sender feature in your anti-virus gateway—now!

eWEEK Labs Director Jim Rapozas e-mail address is