Why (some) anti-virus companies are to blame for the recent
As everyone should now know, Sobig.F has generated a tremendous amount of e-mail traffic world-wide. However, part
of the blame for this traffic should be placed on some of the anti-virus companies.
What I am referring to is the large number of incorrectly configured mail filters that respond by sending a "virus alert"
to the “From:” address. As Sobig.F falsifies the “From:” address, these e-mails just clutter up the mailboxes of innocent,
non-infected people. These messages cause unnecessary annoyance and worry, as they typically (and incorrectly) claim that people
have sent out a virus.
When you get an e-mail, warning you of a Sobig.F infection, with a subject line similar to these:
- *** detected and quarantined a virus in a message you sent.
- Warning: E-mail viruses detected
- Virus Detected by ***
- This is an alert from ***
it usually means that someone, somewhere has made a bad decision on how to react to infected mail, either by
selecting a substandard product or by configuring it incorrectly.
Worse yet, if mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the
amount of traffic. This makes them a part of the problem, not a part of the solution.
The problem is that some commercial mail filters have this behaviour set as the default. At least one filter gives only two
options: always send a "virus alert" to the "From:" address of every infected e-mail received, or "pass the message through to the recipient".
Clearly neither of these options is acceptable.
I have only one word for this: Stupid!
Acceptable behaviour would be one of the following:
- Have the mail filter properly distinguish between worms that falsify the “From:” address and ones that do not and
only send a warning message when the “From:” address is likely to be genuine.
- Do not send the alerts at all.
In fact, sending an alert automatically to the From: address for every virus or worm received by e-mail should not even be
a selectable option.
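The two acceptable behaviours above amount to a notification policy for the filter: quarantine every infected message, tell your own recipient if you like, and write to the "From:" address only when the detected worm is one that does not forge it, never by default. The following is an added example of such a policy, not code from the article or from FRISK Software. It takes the scanner's verdict as a plain family name (a real filter would get it from its engine), and the family names, addresses and sample message are constructed. It also goes one step beyond the article by applying the usual autoresponder hygiene rules (no replies to bulk or auto-submitted mail, or to mailer-daemon style addresses), which are conventional practice rather than something the article spells out.

```python
"""Notification policy for an e-mail virus filter that refuses to backscatter.

Added example, not code from the article or from FRISK Software. Family names,
addresses and the sample message are constructed for illustration.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, FrozenSet, List, Optional, Set, Union

# Families known to forge the From: address. Sobig.F is the one the article
# discusses; "example.forger" is a constructed stand-in for any other one.
SENDER_FORGING_FAMILIES: Set[str] = {"sobig.f", "example.forger"}

# Local parts that never belong to a human sender (conventional hygiene, an
# addition beyond the article).
NO_REPLY_LOCALPARTS = {"mailer-daemon", "postmaster", "noreply", "no-reply"}

# Constructed sample of an infected message with a forged From: header.
SAMPLE_INFECTED = """From: victim@example.net
To: user@example.org
Subject: Re: Details
Content-Type: text/plain

See the attached file for details.
"""


def load(raw: str) -> Message:
    """Parse a raw RFC 2822 message (headers + body) into a Message object."""
    return message_from_string(raw)


def sender_is_plausibly_genuine(msg: Message, family: str,
                                honest_families: FrozenSet[str]) -> bool:
    """True only when a warning to the From: address has a fair chance of
    reaching the real sender. Anything not on the allowlist (forging worms
    and unknown families alike) is treated as forging its sender."""
    if family.lower() in SENDER_FORGING_FAMILIES:
        return False
    if family.lower() not in honest_families:
        return False                      # unknown worm: default deny
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr or addr.split("@")[0].lower() in NO_REPLY_LOCALPARTS:
        return False
    if msg.get("Precedence", "").lower() in {"bulk", "list", "junk"}:
        return False
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return False
    return True


def decide(msg: Message, detected_family: Optional[str],
           alert_genuine_senders: bool = False,
           honest_families: FrozenSet[str] = frozenset()
           ) -> Dict[str, Union[str, List[str]]]:
    """Return the filter's action and the addresses (if any) to notify.

    Infected mail is always quarantined, never passed through. The local
    recipient may be told, since that creates no traffic to third parties.
    The From: address is alerted only on explicit opt-in and only when the
    family is on the caller's allowlist of worms that do not forge it."""
    if detected_family is None:
        return {"action": "deliver", "notify": [], "reason": "clean"}
    notify: List[str] = []
    reason = f"{detected_family} quarantined"
    _, recipient = parseaddr(msg.get("To", ""))
    if recipient:
        notify.append(recipient)
    if alert_genuine_senders and sender_is_plausibly_genuine(
            msg, detected_family, honest_families):
        _, sender = parseaddr(msg.get("From", ""))
        notify.append(sender)
    else:
        reason += "; sender not alerted (From: not trusted)"
    return {"action": "quarantine", "notify": notify, "reason": reason}


if __name__ == "__main__":
    m = load(SAMPLE_INFECTED)
    # Sobig.F: quarantine, tell our own user, never write to the forged From:.
    print(decide(m, "Sobig.F", alert_genuine_senders=True))
    # Unknown family: same outcome, because the allowlist is the only way in.
    print(decide(m, "something.new", alert_genuine_senders=True))
```

Note that the sender alert is opt-in and allowlist-driven: with the defaults the filter behaves exactly like the article's second option (no alerts at all), and the first option is only reachable by naming the families whose "From:" line can be trusted. Unknown families fall on the safe side, which matters because the next Sobig-style worm will not be in any list when it first appears.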
With Sobig.F scheduled to die out today, Sept. 10th, the problem might go away for a while - until the next similar worm appears.
And this is the scary part. Sobig.F didn't really infect that many machines world-wide, maybe only 200,000 or so.
This is only a fraction of the number of machines infected by Msblast (Blaster / Lovsan). Now imagine a worm combining the distribution
method of Msblast with the mass-mailing feature of Sobig.F. The flood of traffic might practically render the Internet unusable.
Eventually, some virus author will create a virus like this, maybe this month, maybe in a few years, but it will happen.
And when it does we do not need the anti-virus companies making a bad situation worse.
I hope the "guilty" anti-virus producers will be updating their products in the near future, but this is not going to happen
unless their customers request it.
Fridrik Skulason ( email@example.com )
Founder of FRISK Software International