Re: virus scanning and From: addresses

From: Erik Norgaard (none@norgaard--locolomo.org.lh.bsd-dk.dk)
Date: Mon 03 May 2004 - 22:56:41 CEST


Date: Mon, 3 May 2004 22:56:41 +0200 (CEST)
From: Erik Norgaard <none@norgaard--locolomo.org.lh.bsd-dk.dk>
To: bsd-dk@bsd-dk.dk
Subject: Re: virus scanning and From: addresses

On Mon, 3 May 2004, Lennart Sorth wrote:

> I assume it is also a worm/trojan thing, and that the machines
> have infected each other.

Sasser?

> - I sent a sorted IP list
> to abuse@<ISP>, but have only received autoresponder replies, and if
> it goes the way it usually does, it never gets any further. :-(
>
> So: this batch of machines remains infected and will sit there
> attacking everyone and everything at random until the owners solve
> the problem themselves, or reinstall.
>
> ISPs ought to have a (web) reporting form that one could fill in;
> then customers could, when convenient, check for themselves whether
> their machine is misbehaving.

Yep, the problem with abuse@ is probably that it drowns in spam. And
what is left does not get read. I doubt that ISPs allocate many
resources to dealing with non-customers' problems. I tried writing
to salg@; that has not changed anything.

I doubt that people will check whether their machine is misbehaving;
unfortunately people are probably too ignorant for that. I have
administered a smaller network where the policy was that if you got
a virus you were kicked off, and then it was a shame that you also
lost access to patches, service packs and virus updates. You should
have thought of that before you got a virus. And it was up to the
user to document that the virus had now been removed. That was
reasonably effective.

> > I try now and then to write politely and explain the matter; I
> > have not received a reply.

Since I have now written my standard message, I might as well share
it; cut and paste as you like, and if you think I am missing
something I would be glad to hear it:

Dear Sir,

It is generally unacceptable behaviour to configure virus filters to send
automatic alerts to the sender; you may search the bugtraq archive for a
discussion,

  http://www.securityfocus.com/archive/1/351540/2004-02-03/2004-02-09/2

Most viruses nowadays spoof the headers such that the mail appears to
come from another source. This prevents failure messages flooding the
infected machine and hence the user remains unaware of the problem. This
also means that virus notifications are most likely sent to the wrong
address.

Further, if the automated response includes the mail body, the virus may
be sent to uninfected or recently cleaned hosts. If so, your systems are
responsible for spreading malicious code.

Spreading malicious code is illegal in most countries including all EU
member states, and sending automated e-mails to arbitrary recipients is
usually considered spam.

Only the user's ISP has access to the information needed in order to
identify the user, and hence only the ISP should notify users about virus
infections, and the ISP should only notify local users.

For anyone else, the only indication of the true source is located in the
Received field of the header, which contains the source IP. This may not
be sufficient to identify the infected host, as the ISP may dynamically
assign addresses or the address may be NAT'ed, but it is sufficient to
identify the ISP.

You can normally identify the ISP by looking up the IP in the whois
database. If the problem continues you should contact the ISP; an address
for reporting network abuse is normally available.

When sending error messages, failure notices or when reporting problems
or network abuse, the full header of the mail MUST be included, otherwise
the recipient has absolutely no chance of identifying the problem. This
is also the case when sending virus notifications.

Please reconfigure your systems to comply with best current practices in
this field. Failure to follow the above recommendations only wastes
everyone's time.

Regards, Erik Norgaard

GnuPG Key: http://www.locolomo.org/home/norgaard/norgaard.gpg.asc
pub 1024D/B02CC311 2004-04-05 Erik Norgaard <none@norgaard--locolomo.org.lh.bsd-dk.dk>
     Key fingerprint = 6C11 B9B1 52BD F16D 34AD 9893 D3EC E6DB B02C C311
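The standard message above says the only trustworthy trace of a worm's origin is the source IP in the Received: headers, that the From: line is worthless, and that a report to the ISP must carry the full headers. The following is an added example of doing exactly that, not code from the original post or from any list member: it walks the Received: chain newest-hop-first, takes the client IP from the first line written by an MTA you operate (everything below that line was written, or forged, by the sender), refuses RFC 1918 and loopback addresses that cannot be reported to an outside ISP, and drafts a report with the full header block. The sample message, the host names and the trusted MX name mx.bsd-dk.dk are constructed assumptions; the addresses are RFC 5737 documentation ranges.

```python
"""Find the true source IP of a worm mail from its Received: headers and
draft an abuse report that carries the full header block.

Added example, not code from the original post. The sample message, host
names and the trusted-MTA name are constructed; addresses are from the
RFC 5737 documentation ranges.
"""
import email
import ipaddress
import re

# Constructed sample: a worm with its own SMTP engine connected directly to
# our MX with a spoofed From:. The lowest Received: line was inserted by the
# worm itself and points at an innocent third party.
SAMPLE_MAIL = """\
Received: from dhcp-45.example.net (unknown [198.51.100.45])
\tby mx.bsd-dk.dk (Postfix) with SMTP id 4B2C9A1
\tfor <bsd-dk@bsd-dk.dk>; Mon, 3 May 2004 22:10:00 +0200 (CEST)
Received: from mail.example.com (mail.example.com [203.0.113.7])
\tby dhcp-45.example.net with ESMTP; Mon, 3 May 2004 22:09:50 +0200
From: "Innocent User" <innocent@example.com>
To: bsd-dk@bsd-dk.dk
Subject: Re: Your document
Message-ID: <constructed-0001@example.net>

Please see the attached file.
"""

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_BY_RE = re.compile(r"\bby\s+([\w.-]+)")

# Ranges that cannot be reported to an outside ISP: the mail came from our
# own (possibly NAT'ed) network or from the MTA host itself.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def received_hops(raw):
    """Return (by_host, from_ip) for each Received: header, newest hop first.

    Folded continuation lines are collapsed to single spaces before matching.
    """
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())
        by = _BY_RE.search(flat)
        ip = _IP_RE.search(flat)
        hops.append((by.group(1) if by else None, ip.group(1) if ip else None))
    return hops


def source_ip(raw, trusted_hosts):
    """IP of the client that handed the mail to the first MTA we trust.

    Received: lines below that hop were written by the sending side and may
    be forged, so they are never used for attribution. Returns None when no
    hop was recorded by one of trusted_hosts.
    """
    for by_host, from_ip in received_hops(raw):
        if by_host in trusted_hosts:
            return from_ip
    return None


def is_local_address(ip):
    """True for RFC 1918 and loopback addresses (not attributable to an ISP)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _LOCAL_NETS)


def abuse_report(raw, trusted_hosts):
    """Draft a report for the ISP of the source IP, including full headers."""
    ip = source_ip(raw, trusted_hosts)
    if ip is None:
        raise ValueError("no Received: line written by a trusted MTA")
    if is_local_address(ip):
        raise ValueError(f"{ip} is not routable; the sender is on our own network")
    headers = raw.split("\n\n", 1)[0]  # everything above the first blank line
    return (
        f"Source IP (from our MTA's Received: line): {ip}\n"
        f"Look up the responsible network with: whois {ip}\n"
        "Full headers of the offending message follow.\n\n"
        f"{headers}\n"
    )


if __name__ == "__main__":
    print(abuse_report(SAMPLE_MAIL, {"mx.bsd-dk.dk"}))
```

Run it and the report names 198.51.100.45, not the forged 203.0.113.7 hop below it and not the spoofed example.com sender. The whois lookup is left as a suggested command rather than performed, so the script runs offline; on a real report, replace the trusted host set with the names your own MTAs write into their Received: lines.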



This archive was generated by hypermail 2b30 : Wed 15 Nov 2006 - 18:24:40 CET