From: Robert J. Bradbury (bradbury@aeiveos.com)
Date: Fri Sep 05 2003 - 07:58:11 MDT
On Fri, 5 Sep 2003, Damien Broderick wrote:
> At 02:57 PM 9/5/03 +0930, Emlyn wrote:
>
> >http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
>
> Me too. It's infuriating.
I believe what is going on is that there are certain SPAMers
out there that are sending out virus infected emails with forged
but nonetheless valid email addresses. There are various SPAM
filters that detect the email is infected, purge the infection,
then send a note to the forged email address that they are sending
out virus infected emails as a "service".
I believe these filters are not correctly determining whether or not
the email originated from a system which the forged email address
would "probably" have come from. This is difficult now, because
there may be millions of virus infected computers that may be
infected and corrupted into being what is known as an "open relay".
So sometimes the response that the email was infected is helpful
and sometimes it means absolutely nothing.
This may be in response to the fact that I think the "free" email
providers (e.g. yahoo, hotmail, etc.) have become somewhat more
clever about requirements that one must use to open a new "free"
account, making it very difficult for an automated program to
open a valid email account so it has a valid Email "return"
address. Said providers seem to have also become very aggressive
about detecting and deleting these Email "return" addresses as soon
as it becomes clear that they are being used for spamming purposes.
So the old "free" email accounts with valid return addresses
have increasingly shorter lifetimes.
I've noticed in my system debug logs a significant increase in
tests for random addresses, e.g. xyzzy@aeiveos.com -- suggesting
to me that the SPAMers are simply making up names within valid
domains to either test for valid return addresses or trying to
get through email delivery systems that don't follow the requirement
to test and make sure the return address is valid.
But it makes sense -- if the SPAMers have 40 million addresses,
and many delivery programs require that the return address be
valid, and they have devised a system of open relays, then one
is going to get cases of the random generation of emails from
any one of those addresses to another of those addresses.
Also, if you think it's going to get worse -- believe it.
http://slashdot.org/article.pl?sid=03/09/04/2135209&mode=thread&tid=126&tid=146&tid=172&tid=99
based on:
http://www.washingtonpost.com/wp-dyn/articles/A25845-2003Sep4.html
Universities are having to take their entire local networks off
the internet as students start coming to school with infected machines
to make an attempt to purge their systems of the viruses.
Spambouncer has worked reasonably well for me thus far but I'm
soon going to have to upgrade to put a Bayesian filter on top
of that.
If you want an idea of how bad it is -- I seem to have ~31+ MEGABYTES(!)
of filtered SPAM/BULK email over the last 9 days (~3.5 MEGABYTES/day).
There is no way anyone can wade through all of that to determine how
many false positives there might be.
Robert
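Added example, not part of the original post: a small Python mail filter that makes the two checks the message above argues for, namely sending a "you mailed a virus" notice only when the connecting host is one the sender's domain plausibly uses, and spotting a client that probes for made-up names inside a domain. The policy table, domains, IP addresses and log lines are all constructed and the log format is invented.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed policy table (stand-in for a published sender policy): which
# networks are allowed to originate mail for a domain. All values are invented.
AUTHORIZED_SENDERS = {
    "example.org": ["198.51.100.0/24"],
    "example.net": ["203.0.113.10/32"],
}

def sender_is_plausible(envelope_from, client_ip):
    """True only when the connecting host is one the sender's domain authorizes."""
    if "@" not in envelope_from:
        return False
    domain = envelope_from.rsplit("@", 1)[1].lower()
    nets = AUTHORIZED_SENDERS.get(domain)
    if not nets:
        return False  # no policy known: the address cannot be verified
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def infected_mail_action(envelope_from, client_ip):
    """Disposition for a message the scanner flagged as infected: only a
    verifiable origin gets a notice, so a forged address never receives one."""
    if sender_is_plausible(envelope_from, client_ip):
        return "notify-sender"
    return "discard-silently"

# Constructed log line shape: client=[ip] rcpt=<addr> status=<unknown|ok>
UNKNOWN_RCPT = re.compile(r"client=\[(?P<ip>[\d.]+)\] rcpt=<[^>]+> status=unknown")

def address_probers(log_lines, threshold=3):
    """Count unknown-recipient rejections per client; a client at or above the
    threshold is guessing names inside the domain rather than mailing real users."""
    counts = defaultdict(int)
    for line in log_lines:
        m = UNKNOWN_RCPT.search(line)
        if m:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

SAMPLE_LOG = [  # constructed
    "Sep  5 07:40:01 mx client=[192.0.2.7] rcpt=<xyzzy@example.org> status=unknown",
    "Sep  5 07:40:02 mx client=[192.0.2.7] rcpt=<plugh@example.org> status=unknown",
    "Sep  5 07:40:03 mx client=[192.0.2.7] rcpt=<zork@example.org> status=unknown",
    "Sep  5 07:41:10 mx client=[198.51.100.5] rcpt=<alice@example.org> status=ok",
    "Sep  5 07:42:00 mx client=[198.51.100.5] rcpt=<alcie@example.org> status=unknown",
]
```

Rejecting an infected message during the SMTP session itself avoids the question entirely, since then no separate notice is generated; the decision above is for filters that scan after accepting the mail.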
This archive was generated by hypermail 2.1.5 : Fri Sep 05 2003 - 08:07:50 MDT