Anti-Virus Companies: Tenacious Spammers

Wed Jan 28 04:46:28 EST 2004

Brian Martin [jericho@attrition.org]

No one can argue that the spam problem is getting better. Despite advances in anti-spam technology and legislation against spam, unwanted junk mail is flowing into our inboxes at an increased rate. Stock tips, enhancement drugs, Nigerian scams, DVD copy software and hundreds of other products or services get shoved in our face.

For roughly three years, the Internet has seen worms that spread via e-mail, often taking addresses out of the infected machine's web cache, user addressbook or other sources. Some of these worms will also forge/spoof the "From:" line so the mail appears to be from someone else, in an attempt to make the mail more 'trusted'. To be clear, here is a sample timeline of how these work:

  1. EvilGuy01 writes and releases a new worm.
  2. Fred is a moron and clicks on an attachment from a stranger, infecting his machine.
  3. The worm mails a copy of itself to everyone in Fred's addressbook.
  4. The mail sent out spoofs the headers of the mail so it may be "From: George" or "From: Sally".
  5. Tom gets a copy of the mail "From: Sally" and clicks on the attachment, infecting himself.
  6. Tom sends mail to Sally complaining about her evil shenanigans.
  7. Sally replies to Tom with "d00d WTF?! lol" since she never sent the mail.

The concept is very simple, and extremely effective. Anti-Virus companies are well aware of this trait present in many "mm" (Mass Mailing) worms. Reading through their descriptions, they document each worm that spreads itself in this fashion. Looking at one example on the McAfee site:

W32/Mydoom@MM generates emails with a spoofed From: field, so incoming messages may appear to be from people you know. Furthermore, the subject line and message body are both randomly generated by the worm.

Each of these Anti-Virus or mail gateway companies tend to configure their products to do the same thing. If a piece of mail comes in with a known virus, trojan, worm or taboo attachment, it will stop the mail from reaching the intended recipient, notify the administrator, and either quarantine or delete the hostile content. Simple and effective. However, each of these companies also has their product mail the person who sent in the hostile content saying "You are infected" in so many words. While such intentions are noble, think about the reality of what is happening. For over three years, these worms that forge the "From:" address have been sending out millions of mail attempting to propogate themselves. For each of these mails that reach an Anti-Virus product or gateway, they get blocked and replied to.. based on that forged "From:" line. Result? Millions more e-mails are sent out to innocent people that never sent the mail in the first place.

Spam

Spam is basically defined as "unsolicited junk e-mail". Unsolicited, as in you did not request the person/company to send you mail. Junk, as in it contains no valuable content or information. When an anti-virus program from a remote system mails you out of the blue, tells you that it blocked a virus YOU sent, tells you that you are likely infected with a virus and advertises itself, the remote site is sending you spam. In the case of the latest worm, I and others have received more spam from Anti-Virus products than the worm itself! As you read this, Anti-Virus companies are responsible for products that are sending out more unwanted mail than the worm itself. The most damning mail from these products not only purport to "warn you of infection", but they go so far as to advertise the product to you. This is unsolicited commercial e-mail (UCE, aka "spam") in its purest form.

Justification

Spammers often try to justify their actions and excuse their unsolicited e-mail. Some will say "you can just delete it", or "some of the people we mail may want to read it". Many will go so far as to say you mailed them or you "opted in" to their e-mail lists. I'm sure that if you ask the Anti-Virus companies why their products send this unsolicited mail, you will get this type of answer or something equally asinine. With these worms sending out millions of spoofed mail, the anti-virus products are also sending out millions of mail, most of which never mailed in the first place.

Intent

Some may argue that the Anti-Virus companies don't intend to spam innocent users, but this argument is completely without merit. It's a fact that they know which worms propogate by spoofing mail. It's a fact that when their customers download updates they include an ID or name so the product can identify the incoming hostile code. Add these two facts together and you get Anti-Virus products that intentionally and knowingly respond to mail addresses it knows is forged, that didn't really send the infected message, and has not asked to be mailed. The bottom line, Anti-Virus companies sell products that are designed to spam innocent users, to the tune of millions of mail a year.

Solution

The solution is simple: when infected mail comes into a network, the message should be quarantined, the administrator notified, and nothing else. No mail should be sent back to the spoofed "From:" address. If Anti-Virus companies think this is a bad choice, at the very least they could configure the products not to mail back on worms that they know to spoof headers during propogation. Any of the "@MM" named worms should be responded to differently.


This ends the nice section.


It isn't enough that these products send out millions of spam a year. Anti-Virus programs are guilty of several other crimes against the Internet and they need to be stopped. The following section will look at some of these products, their spam and observations about their behavior.

The Name Game

What virus did I supposedly send to Joe User on your network? In the wake of the latest worm outbreak (aka W32.Novarg.A@mm), many people were reminded of the horrid state of the Anti-Virus industry when it comes to naming worms and viruses. Based on the spam I received from these companies, we have at least eight different names for the same worm, probably a lot more.

Novarg? MyDoom? Worm Mimail? Worm SCO? Which is it? If the Anti-Virus industry truly had the Internet's interest in mind, they would designate a board to apply a standard name to all viruses. Failing this, maintaining some channel of communication during the initial discovery phase, they could at least agree on a common overall name (Novarg vs MyDoom) before applying their own designations (A@m, @MM, .A, etc). While some people argue that giving worms media attention only encourages such behavior, there is a positive side. The worms that garnered a high amount of media attention received a very standard name since each Anti-Virus company wanted to be able to say they too scanned for it.

I am grounded in reality though, and I understand this can't happen for every worm or virus lest they sacrifice a little bit and lose their "edge" in the business. Their notions of customer interest are second to their bottom line and perceived dominance of the industry.

Technical Wonders

Some of the mail these products send out are nothing short of pathetic. In some cases, the remote site doesn't include any details as to the original mail, who supposedly sent it, who the intended recipient was, or include the headers so you have an idea where it was really sent from.

Other warnings tell you that your machine is infected, suggest you scan for viruses and contact your administrator. If hundreds of employees in a company receive these, they may be diligent and report the mail to their administrator. This will cause an increaesd work load on your IT staff, all over events that never occured.

Examples and Offenders

In case you have disabled e-mail or deleted your entire inbox before viewing the contents, here are some examples of the offending spam being sent out by Anti-Virus companies.

AMaViS (http://amavis.org/) sends a very dramatic "V I R U S A L E R T" warning that they found a VIRUS and stopped delivery of your email! THANKS GUYS, YOU ARE SAVING THE INTERNET ONE COMPUTER AT A TIME.

                   V I R U S  A L E R T

  Our viruschecker found a VIRUS in your email to "pingcat01@yahoo.com".
           We stopped delivery of this email!

    Please check your system for viruses. For more details contact
    your local System Administrator or MIS staff.

While I am contacting my MIS staff (oh wait..), Norton words their mail so definitively. Norton is sure that I sent the mail to poor Tony. If we assume the administrator of the remote system received a copy of this, as well as Tony and myself, at what point does this cross into the bounds of libel? Norton is accusing me of a crime that I did not commit. Thanks guys.

Norton AntiVirus found a virus in an attachment you 
(jericho@attrition.org) sent to Tony LaScola.

To ensure the recipient(s) are able to use the files you 
sent, perform a virus scan on your computer, clean any 
infected files, then resend this attachment.

Attachment:  readme.pif
Virus name: W32.Novarg.A@mm
Action taken:  Clean failed : Quarantine succeeded : 
File status:  Infected

RAV AntiVirus (http://www.ravantivirus.com) is nice enough to tell me details of the remote system that are often classified as an "information disclosure" vulnerability. Not only do I learn the remote system's architecture, they blatantly advertise their product to me. This is pure commercial spam.

RAV AntiVirus for Linux i686 version: 8.3.1 (snapshot-20011106)
Copyright (c) 1996-2001 GeCAD The Software Company. All rights reserved.
12 more days to evaluate.
Running on host: RMnet.it

The file (part0002:body.zip)->body.scr attached to mail (with subject: 
Server Report) sent by jericho@attrition.org to tna@rmnet.it, 
is infected with virus: Win32/Mydoom.A@mm.
Cannot clean this file.
Cannot delete this file (most probably it's in an archive).
The mail was not delivered because it contained dangerous code.

Scan engine 8.11 for i386.
Last update: Tue Jan 27 04:03:51 2004
Scanning for 89279 malwares (viruses, trojans and worms).

To get a free 60-days evaluation version of RAV AntiVirus v8
(yet fully functional) please visit:

   http://www.ravantivirus.com

MailScanner (http://www.mailscanner.info) warns me that I sent Sandra a virus! Oh gnoez! After blatantly advertising their product to me, the real ignorance comes in the subsequent mail.

Our virus detector has just been triggered by a message you sent:-
  To: sandra@redoakdesigns.com
  Subject: TEST
  Date: Tue Jan 27 10:45:38 2004
Any infected parts of the message (message.pif)
have not been delivered.

This message is simply to warn you that your computer system may have a
virus present and should be checked.

The virus detector said this about the message:
Report: message.pif contains Worm.SCO.A 
Shortcuts to MS-Dos programs are very dangerous in email (message.pif)
No programs allowed (message.pif)

-- 
MailScanner
Email Virus Scanner
www.mailscanner.info
Mailscanner thanks transtec Computers for their support


This is where I learn that I mailed a user that doesn't exist on the remote system. They are also kind enough to actually attach a copy of the virus to this mail. If an average user received this and was curious what was supposedly sent in their name, they might open it and infect themselves. Good going MailScanner, you block the mail from reaching the person (that doesn't exist), but you don't delete or quarantine the harmful content. Stellar.

From: Mail Delivery Subsystem (MAILER-DAEMON@host.countystart.org)
To: jericho@attrition.org
Date: Tue, 27 Jan 2004 10:45:44 -0500
Subject: Returned mail: see transcript for details
Parts/Attachments:
   1   Shown     12 lines  Text
   2   Shown    302 bytes  Message, "Delivery Status"
   3   Shown    2.3 KB     Message, "{Virus?} TEST"
   3.1 Shown      6 lines  Text (charset: Windows-1252)
   3.2 Shown    ~21 lines  Text
----------------------------------------

The original message was received at Tue, 27 Jan 2004 10:12:30 -0500
from ool-43533db7.dyn.optonline.net [67.83.61.183]

   ----- The following addresses had permanent fatal errors -----
(sandra@redoakdesigns.com)
    (reason: 550 5.1.1 (sandra@redoakdesigns.com)... User unknown)

Symantec is short and to the point, leaving out when I sent the message, and to what e-mail address. Thanks for the details!

From: AVAdmin@ecs.com
Subject: Symantec AVF detected an unrepairable virus in a message you sent

Subject of the message: test
Recipient of the message: Jon Baratta

In some cases, Symantec doesn't even want to tell you who you supposedly mailed. Great.

From: Administrator@polyformus.com
To: jericho@attrition.org
Date: Tue, 27 Jan 2004 20:16:40 -0800
Subject: Symantec AVF detected an unrepairable virus in a message you sent

Subject of the message: Error
Recipient of the message: Unknown Recipient(s)

GroupShield for Exchange wins the award for the largest spam. I've also removed some extra space to make this mail bearable. They also let me know the easy to remember trouble ticket number, just in case I need to reference it in the future when dealing with their company. On top of all this, they warn me that this mail is confidential. If that were the case, spammers would be in heaven as they sent out millions of spam protected by a CONFIDENTIALITY NOTICE that prevented people from sharing the contents with anti-spam organizations or law enforcement. Nice try GroupShield!

From: "GroupShield for Exchange (FBOWEXC001)" (NAICENTRALFBOWEXC001@bowne.com)
To: "'jericho@attrition.org'" (jericho@attrition.org)
Date: Tue, 27 Jan 2004 09:20:32 -0500
Subject: ALERT -  GroupShield ticket number OA14_1075213232_FBOWEXC001_1 w as generated

Action Taken:
The attachment was quarantined from the message and replaced with a text
file informing the recipient of the action taken.

To: gary.willis@bowne.com (gary.willis@bowne.com)

From: jericho@attrition.org (jericho@attrition.org)

Sent: 1329686912,29615328

Subject: test

Attachment Details:-

Attachment Name: text.zip
File: text.zip
Infected? Yes
Repaired? No
Blocked? No
Deleted? No
Virus Name: W32/Mydoom@MM

CONFIDENTIALITY NOTICE:

The information in this Internet email is confidential and may be legally
privileged.  It is intended solely for the addressee.  Access to this email
by anyone else is unauthorized.


MailMarshal gives me the option of contacting them and asking them to let the mail through. If I was feeling a little saucy I might mail them asking just that. Wonder if I could infect them via a polite request.

MailMarshal (an automated content monitoring gateway) has 
not delivered the following message:

   Message: B000035b6e.00000000.mml
   From:    bmartin@attrition.org
   To:      SMcCullough@ORMILA.com
   Subject: TEST

This is due to automatic rules that have determined that the 
intended recipient is not authorized to receive messages with
Executable file(s) attached.

If you believe the message was business related please send a 
message to exchad@ORMILA.com and request that the message be 
released to its intended recipient.  If no contact is
made within 5 days the message will automatically be deleted.

MailMarshal Rule: Inbound : Block EXECUTABLE Files

Email security by MailMarshal from Marshal Software.

BorderWare MXtreme Mail Firewall has a really clever name using "MXtreme" (tech geeks are rolling i bet), and provide me the valuable information such as the Queue ID number. Very helpful.

This is an automated message from baxter.com

A mail from you (bmartin@attrition.org) to (adalberto_maldonado@baxter.com) 
was stopped and Rejected because it contains one or more viruses.

Summary of email contents:

Queue ID: E0A7E6CF67
Attachment: file.zip 
  Found virus I-Worm.Novarg /file.txt          

InterScan's nice summary makes it easy for me to figure out what I did. On Tuesday I used "Mail" to send a virus to Peter and InterScan deleted it. That's how it went down, yep.

Sender, InterScan has detected virus(es) in your e-mail attachment.

Date:   Tue, 27 Jan 2004 22:45:20 +0100
Method: Mail
From:   (jericho@attrition.org)
To:     peter.metrowich@au.bosch.com
File:   message.zip
Action: deleted
Virus:  WORM_MIMAIL.R 

Antigen gets the award for the most convoluted warning.

Antigen for Exchange found readme.zip->readme.txt
.exe infected with VIRUS= MyDoom.A@m (Norman) worm.
The message is currently Purged.  The message, "Server Report", was
sent from jericho@attrition.org and was discovered in IMC Queues\Inbound
located at DoubleClick/Thornton/THN-EX10.

McAfee, aka Captain Obvious warns me that a HARMFUL virus was sent, not one of those nice huggly viruses. They are also sincere in their warning to me as they advertise their product and web site.

McAfee Security has detected that the e-mail message you have sent below 
contains a harmful virus. The message has been quarantined.

The infected message's properties are:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sender: jericho@forced.attrition.org
Receiver: sfromm@energy.state.ca.us
Virus Name: W32/Mydoom@MM (ED)
Original Attachment Name: test.zip
Transmission Date Time: 01/27/2004 17:27:47 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The intended recipient's System Administrator(s) has been notified.  They may 
choose to delete this message or request receipt at their own risk.

Sincerely,
McAfee Security Customer Care

-----------------------------------------------
McAfee Security
http://www.McAfeeASaP.com
-----------------------------------------------

No clue who to blame for this one! Some anti-virus product out there sends this type of gem. Due to the way they send their warning, it appears in my inbox as such, appearing as if I BCC'd myself on the e-mail or something. Mail should not arrive in my inbox addressed from me. Spoofing mail headers like this is the same thing the worms are doing!

From: jericho@attrition.org
To: ldainc@coqui.net
Date: Tue, 27 Jan 2004 11:23:25 -0600
Subject: Returned due to virus; was:

Mail transaction failed. Partial message is available.

Network Associates, Inc. Webshield SMTP "Cleans and Quarantines" (is that some trademark? Why the caps?) the mail I supposedly sent.

Varian Inc. virus shield detected virus W32/Mydoom@MM (ED) in an e-mail sent from
 to   with the subject test. This e-mail
was Cleaned and Quarantined. If you have any questions please call 650-424-5151.

The Real Solution

Since I have little hope for the Anti-Virus industry and really doubt they will take the logical course of action and reconfigure their inferior products, it's probably best if I recommend another course of action. Every time you receive a piece of mail from an Anti-Virus company product, treat it like any other spam. Forward it to the appropriate abuse/postmaster contacts of the remote system. Make sure you also send a copy to their upstream provider and any law enforcement that is appropriate. Be sure to send a copy to the offending spammer/Anti-Virus company so they are aware you don't like their practice.

Finally, since this spam doesn't give you a method for opting out of future mail, this violates the "CAN-SPAM Act of 2003" and should be reported accordingly. If our government is serious about spam, they will be aggressive in their pursuit of these million dollar companies that send out millions of spam a year.



Update 1/29/04 - It has been brought to my attention that MailScanner is a) freeware, b) receives its virus naming from other software and c) defaults to not sending such warnings. Kudos to the MailScanner devs for recognizing the problem and reconfiguring long before this article appeared.

Update 1/30/04 - Reader feedback has alerted me that MIMEDefange, ClamAV, Exiscan and Amavis default to not sending such warnings in general, or for a specific list of worms known to spoof. Admins, ditch the high priced junkware and learn to love these products that put quality and common sense before bottom line. I have also received several links to others that wrote about this topic, but the best one has to be this Open Letter from Fridrik Skulason of FRISK Software (F-Prot AV).

I have received almost 100 replies to this article and I appreciate the feedback. A few comments related to the feedback. * I realize that admins can configure the products in many cases, but the AV products ship with this feature on by default. I personally don't think we can hold every beleagured admin responsible for knowing hundreds of products any more than we expect users to quit double clicking every .exe that crosses their inbox. * Tim Jackson has sent in an excellent SpamAssassin filter to handle these bogus virus warnings. Many people suggested I write one, but Tim is way ahead of us! * If anyone has SpamAssassin or other mail filters that can help reduce the load of the "infected warning" mail, send it over and i'll add it to this page.

Update 1/30/04 - The ultimate in irony. I received blatant spam from McAfee advertising their product as a solution to this worm. This is not the first mail I have received from McAfee during a worm outbreak. Full spam with headers.

Update 1/30/04 - Anecdote from a reader: "I just had a nice little chat session with someone from McAfee. I received an email with the virus attached that claimed to be returned by Webshield e500. I was trying to figure out whether the virus was doing this or Webshield e500. The guy from McAfee said that none of their products send autoresponders. So I sent a link to your article, at which time guy experienced technical difficulties and was disconnected."

Another reader sent in the auto-bounce from Declude (not the default) which gets a little snippy with you as they spam you with virus warnings: "If your mail server had better virus protection, it would have caused less work for our server and could have prevented one of your users from getting a virus."

The folks over at NOD32 (nod32.com.au) have a good page up regarding spamvertising.

Update 2/5/04 - Niels Callesoe has sent in a link for a postfix header_checks regexp file to look for AV product spam/warnings.

Update 2/16/04 - Someone from Sybari Software (producers of Antigen) have mailed saying this issue is being addressed by their developers.

Update 5/12/04 - No More Warning Spam in Symantec Antivirus reports CBR Online! From the article: "Even if you have notifications turned on, the software will not notify with a mass- mailer," said Symantec group product manager Chris Miller. The software will still send notifications, if the administrator lets it, for non-mass-mailer viruses. Score one for Symantec.



Copyright 2004 by Brian Martin. Permission is granted to quote, reprint or redistribute provided the text is not altered, and appropriate credit is given.


main page ATTRITION feedback