Virus warnings a new kind of spam

Spurious "virus detected" messages are threatening to become a serious new spam concern. In the wake of every major new worm a flood of messages results from attacks being bounced by the recipient's anti-virus software to the alleged sender.

In the wake of every major new worm (the latest being Mydoom), a flood of messages results from the recipient's anti-virus software bouncing the attack back to the alleged sender. Messages typically say: "The mail you sent to Joe_Bloggs@… was infected with Mydoom."

Complicating matters, virtually all mass-mailer malware forges the sender address, so the recipient of such a warning is almost certainly not the person, or the machine, that actually sent the virus.

This could send “newbie” home users and even some businesses into panic mode, scouring their systems for the alleged virus and wasting far more time than is expended on examining and deleting ordinary spam, say local spam and virus specialists.

Besides this, such messages further help to flood mailboxes, leading, one local commentator notes, to a third level of nuisance, for the home user — repeated “mailbox full” messages from their ISP.

The problem has led to a suggestion from security specialists TruSecure’s Sydney-based senior consultant Leanne Fleming that “it is way past time for administrators to turn off the bounce-back feature”.

The obvious shortcoming to this is that it may prevent genuine virus warnings from getting to businesses and individuals whose systems really are infected.

Solutions being discussed among the local internet fraternity were originally designed to act against ordinary spam but, it is suggested, would act as well or better against the spurious virus warning.

The Sender Permitted From (SPF) scheme, since renamed Sender Policy Framework, has been suggested as one possible approach. It relies on organisations "publishing" in the domain name system a list of the servers approved to send mail for their domain. A receiver of email claiming to come from an SPF-participating domain can detect a spoof by looking up that domain's published record and checking whether the IP address of the client in the SMTP transaction is one of the permitted hosts.

More than 6000 organisations have published an SPF list. This is, however, still only a tiny fraction of the many hosts connected to the internet.
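How a receiver's SPF check works in practice, shown as an added example that is not part of the article and not code from any of the schemes or organisations it names. The evaluator below is a minimal offline version supporting the ip4, ip6, include and all mechanisms with the four SPF qualifiers; the DNS records it consults are constructed for the example (example.com, example.net and example.org are documentation domains, and these records are assumptions), and smtp_decision is a hypothetical illustration of rejecting during the SMTP transaction rather than accepting and bouncing afterwards, which is what stops a receiver generating warnings to a forged sender in the first place.

```python
"""Minimal offline SPF evaluator (added example, not from the article).

SPF lets a domain publish, in DNS, the list of hosts permitted to send
mail from it; a receiving mail server checks the connecting client's IP
address against the record of the envelope-sender (MAIL FROM) domain.

Supported here: ip4, ip6, include and all, with qualifiers + (pass),
- (fail), ~ (softfail) and ? (neutral). The real protocol also has the
a, mx, ptr and exists mechanisms, macros and DNS lookup limits; those
need live DNS and are omitted. Results follow the standard vocabulary:
pass, fail, softfail, neutral, none (no record) and permerror.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: not real records).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "example.org": "v=spf1 ip4:203.0.113.5 ~all",
    "nospf.example": None,  # domain that publishes no SPF record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the SPF record published for domain, or None if there is none."""
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(client_ip, sender_domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate sender_domain's SPF record against the connecting client IP.

    Mechanisms are evaluated left to right and the first match decides
    the result, as in the real protocol. A record that runs out without
    matching (no "all" term) yields "neutral".
    """
    if depth > 10:  # guard against include loops
        return "permerror"
    record = lookup_spf(sender_domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only if the referenced domain's record passes
            matched = check_spf(client_ip, arg, dns, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"  # mechanism not supported by this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def smtp_decision(client_ip, mail_from):
    """Hypothetical receiver policy applied during the SMTP transaction.

    Refusing the message with a 5xx reply at this point means the
    receiver never accepts it, so there is nothing to bounce and no
    spurious warning is ever sent to the forged sender address.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    result = check_spf(client_ip, domain)
    if result == "fail":
        return "550 5.7.1 SPF fail: %s may not send mail for %s" % (client_ip, domain)
    return "250 2.1.0 Ok (SPF %s)" % result


if __name__ == "__main__":
    # A worm on a home PC at 203.0.113.99 forging joe@example.com as sender
    print(smtp_decision("203.0.113.99", "joe@example.com"))
    # The same address sent through one of example.com's listed servers
    print(smtp_decision("192.0.2.25", "joe@example.com"))
```

The point the article's commentators make about coverage shows up directly in the evaluator: a domain that publishes nothing returns "none", and a receiver can then say nothing about whether the message is forged, so the check is only as good as the number of domains that have published a record.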

A number of other schemes have been proposed to detect faked addresses, such as the ePrivacy Group’s Trusted Email Open Standard and Yahoo’s DomainKeys, both of which rely on verifiable signatures in email headers.

There are too many such proposed solutions in the air at the moment, says Pegasus Mail author and InternetNZ councillor David Harris, who wrote the InternetNZ white paper on spam. All suggestions have their negative aspects and it is hard to see at this stage which will come out on top, he says. It is advisable not to “jump on bandwagons” too soon.

“The internet’s strength has always been its openness. Every time a modification like this is suggested, we risk losing a little more openness. With [some of the suggested solutions], we’re talking major infrastructural changes; and anything based on public key cryptography has to be based on trust.” It also risks creating a bureaucracy to administer it.

User education “is the solution that no-one talks about”, Harris says. “I’d like to see every organisation start the year with a half-hour session for staff on internet safety. But no one’s pushing education; it’s not sexy enough.”
