  • Clueless anti-virus products/vendors (was Sober)

    >From: Daniel Senie [mailto:dts (AT) senie (DOT) com]
    >Sent: Friday, December 2, 2005 11:27 AM
    >To: nanog (AT) nanog (DOT) org
    >Subject: Clueless anti-virus products/vendors (was Re: Sober)
    >
    >
    >At 03:12 PM 12/2/2005, Michael Loftis wrote:
    >
    >>December 2, 2005 2:02:15 PM -0600 Dennis Dayman <dennis (AT) thenose (DOT) net> wrote:
    >>
    >>>Interested, but I see many Sober postings and outages on other lists and
    >>>not here. Has anyone been having issues? I know the ISPs are fighting
    >>>the living out of the virus.
    >>
    >>I've been seeing a few really large bursts into our mailserver. Not
    >>sure if it's a new variant or a reoccurrence of an old strain. I
    >>put in a good number of new port 25 inbound blocks for infected
    >>systems and attempted to put up a few checks inside of our front end
    >>mail servers rather than in the virus and spam filtering (which
    >>happens later for us, so for bad surges we put a few custom rules up
    >>front early in postfix).
    >
    >Stuff we're seeing is a lot of blowback from dumb mail systems
    >that accept email, THEN scan for viruses, and ultimately decide to
    >send a note back to the From: address in the body of the infected
    >email. Since the From: is invariably forged, the uninvolved owner of
    >those forged email addresses gets hammered.
    >
    >Can people building virus scanning devices PLEASE GET A %^&*^ CLUE?
    >This means you, Barracuda Networks, more than anyone else, but we
    >also see this annoyance from Symantec devices, and from some AL
    >systems as well.
    >

    It's a simple switch in the GUI of Barracuda Networks to turn off this annoyance. More operator error than Barracuda's fault, IMH

    -Dee

    >Blasting a note back does two things:
    >
    >1. It allows the worm or virus author an opportunity to implement an
    >amplified attack on a third party using your filtering systems.
    >
    >2. The bounce messages mostly include an advertisement for the
    >filtering box's vendor. Get a clue this is a REALLY negative
    >advertisement for your spam & virus filtering technology. If you
    >can't manage to realize the virus laden email should perhaps be
    >dropped, then it makes your box look poorly designed.
    >
    >, and please delete the infected file rather than sending that along too.
    >
    >K, off my soapbox.
    >
    >Dan
    >
    >
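The accept-then-notify behaviour Dan describes, beside the reject-in-session alternative, as an added Python model that is not code from this thread or from any vendor's product; the scanner stub, attachment names and addresses are constructed for the example.

```python
"""Gateway behaviours discussed above: accept-then-notify vs reject-in-session.
Added illustration; the scanner is a stub and all addresses are constructed."""
from dataclasses import dataclass, field


@dataclass
class Envelope:
    mail_from: str                 # SMTP MAIL FROM; mass-mailing worms forge this
    rcpt_to: str
    attachments: list = field(default_factory=list)


def scanner_flags(env: Envelope) -> bool:
    """Stub scanner (constructed rule): treat executable-style attachments as malware."""
    return any(a.lower().endswith((".zip", ".exe", ".scr")) for a in env.attachments)


def accept_then_notify(env: Envelope):
    """The behaviour the thread complains about: answer 250, scan after acceptance,
    then mail a 'virus warning' to the (forged) sender address.
    Returns (smtp_reply, list of (notification_sender, notification_recipient))."""
    notices = []
    if scanner_flags(env) and env.mail_from != "<>":
        notices.append(("<>", env.mail_from))  # goes to an uninvolved third party
    return "250 2.0.0 Ok: queued", notices


def reject_in_session(env: Envelope):
    """Scan before the end-of-DATA reply and answer 5xx: the still-connected
    sending host owns the failure, and this gateway generates no mail at all."""
    if scanner_flags(env):
        return "550 5.7.1 Message rejected: malware detected", []
    return "250 2.0.0 Ok: queued", []


def backscatter_count(policy, envelopes) -> int:
    """How many notification messages a policy emits for a batch of inbound mail."""
    return sum(len(policy(env)[1]) for env in envelopes)


# Constructed Sober-style burst: every copy forges the same uninvolved sender,
# so accept-then-notify turns one worm run into a flood at victim@example.net.
WORM_BURST = [
    Envelope("victim@example.net", f"user{i}@example.org", ["document.zip"])
    for i in range(5)
]

if __name__ == "__main__":
    for policy in (accept_then_notify, reject_in_session):
        print(policy.__name__, backscatter_count(policy, WORM_BURST))
```

The count is the amplification factor Dan's first point refers to: every flagged copy becomes one unsolicited message to the forged address under the first policy and none under the second.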
  • No.1

    Sat, 3 Dec 2005, W.D.McKinney wrote:

    >Can people building virus scanning devices PLEASE GET A %^&*^ CLUE?
    >This means you, Barracuda Networks, more than anyone else, but we
    >also see this annoyance from Symantec devices, and from some AL
    >systems as well.
    >

    >It's a simple switch in the GUI of Barracuda Networks to turn off this
    >annoyance. More operator error than Barracuda's fault, IMH

    If it is on by default, it is a bug, and not operator error.

    (Virus "warnings" to forged addresses are UBE, plain and simple.)
  • No.2

    Sun, Dec 04, 2005 at 09:58:20AM -0500, Todd Vierling wrote:
    >If it is on by default, it is a bug, and not operator error.

    (In the case of the Barracuda) there are at least two such switches:
    one for spam, one for viruses. Note that when both are set to "off" that
    the box still occasionally emits such messages under as-yet-undetermined
    circumstances. I attempted to persuade one of Barracuda's engineers,
    months ago, that there was absolutely no valid reason for including a
    "feature" whose only purpose was abuse redirection. Incredibly, I was
    told "the customers want this feature", and that it would not be removed.

    And thus we now have blacklist entries such as:

    barracuda1.aus.texas.net
    barracuda.yale-wrexham.ac.uk
    barracuda.morro-bay.ca.us
    barracuda.ci.mtnview.ca.us
    barracuda.elbert.k12.ga.us
    barracuda.fort-dodge.k12.ia.us
    barracuda.ci.garner.nc.us
    barracuda.ship.k12.pa.us

    and many, many more.

    Perhaps Barracuda should simply rename those switches as "spam
    random individuals" and/or "get yourself blacklisted", as those
    are the only two things likely to result from turning them on.

    >(Virus "warnings" to forged addresses are UBE, plain and simple.)

    When sent in bulk (as they inevitably are), absolutely. There's
    no exception in the canonical definition of spam (which _is_ "UBE")
    for "messages sent by broken anti-virus software", nor should there be.

  • No.3

    Rich Kulawiec wrote:

    >And thus we now have blacklist entries such as:
    >
    >barracuda1.aus.texas.net
    >barracuda.yale-wrexham.ac.uk
    >barracuda.morro-bay.ca.us
    >barracuda.ci.mtnview.ca.us
    >barracuda.elbert.k12.ga.us
    >barracuda.fort-dodge.k12.ia.us
    >barracuda.ci.garner.nc.us
    >barracuda.ship.k12.pa.us
    >
    >and many, many more.

    Blocking based on rDNS simply because it implies that a certain piece of
    equipment is at that address is not advisable.
  • No.4

    Sun, Dec 04, 2005 at 03:18:29PM -0800, Steve Sobol wrote:
    >Blocking based on rDNS simply because it implies that a certain piece of
    >equipment is at that address is not advisable.

    Agreed. Those blocks aren't in place because there's a certain piece
    of equipment at those addresses (hostnames); they're in place because
    all of them have emitted spam.
