Filters causing rash of false positives

WELLINGTON (09/26/2003) - TelstraClear says it's traced the source of the annoying virus-warning messages that amounted to another stream of spam for its users earlier this week.

The infections, sent either in spam e-mails to the user or e-mails purporting to come from the user (resulting in a "bounce" warning), have been sheeted home to the Swen worm, says TelstraClear Web marketing man Michael White. The company has been in discussion with its filter supplier Brightmail. "We have a fix" and the messages should be gone by the weekend, he says.

The Swen attack came, unfortunately, soon after TelstraClear implemented its filter, and various species of the declining SoBig worm also seem to be implicated.

Initially, White defended the use of the warnings, on the grounds that people would want to know if they got an identifiable infected e-mail, so they could request a repeat of the clean mail, and would be sure they hadn't missed important messages.

However, after viewing a sample of the warnings, most of which had no body text from any originally infected e-mail, and came from addresses unknown to the recipient, he said it was obviously pointless to send on such empty e-mails and they would be stopped.

From: and To: addresses in the allegedly infected mails would have been picked up from address books, possibly several steps away in the worm's propagation chain, he says.

Meanwhile, the spam side of TelstraClear's filter does not seem to have yet accumulated enough "vocabulary" to stop some obvious spams, including the classic spurious Microsoft "patches". A typical morning's mail for one user last week consisted of five genuine e-mails, seven spams and 42 empty virus warnings.

Some Xtra users also complained of similar floods of warnings. Xtra's spam-and-virus-cleaning service has been in the market for some months.
