Antivirus bounces a curse of their own


I often talk about challenge-response spam filters because I wrote the first one. One complaint people make is that the filters will challenge even forged mail, causing a challenge to be sent to the forgery victim. While this is not a DoS attack window as some people believe (since you can as easily DoS the target directly as get others to do it for you), it does need more consideration.

However, there are some autoresponders who have no excuse in this, and it is them I am railing on today. With the latest worm program, I am getting "bounces" back from anti-viral mail filters which tell me, "The mail you sent contains a virus and was not delivered."

Of course I didn't send the mail, my address was forged. What bothers me is that the anti-virus program clearly knows there is a virus, and presumably then should know it is the sort of virus which puts in a fake address.

So why it feels the need to send an error to an address it knows is fake, I don't know. The ordinary bounces I can tolerate, since the bouncing software has no way to know the message was a virus, but the anti-virus software has no excuse.

Addon: I'm going to promote a note from the comments because naive me didn't think of it. The virus companies may be happy to send this "your virus was bounced" mail to the wrong address because it's an ad for their anti-virus service.
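To make the complaint concrete, here is an added example (my own code, not anything from the original post or from any anti-virus vendor) of the two decisions involved. The first half is the gateway's side: a scanner that has identified the malware, and therefore knows whether that family fakes its sender, should refuse to report to the envelope sender in that case, and should never answer a null reverse path at all. The second half is the mirror image for the person whose address is being forged: if outgoing Message-IDs carry a keyed tag, a "your mail contained a virus" report that quotes an original we never issued can be recognised as backscatter and discarded. The malware family names, the key and the sample bounce are all constructed placeholders.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from email import message_from_string
from typing import Optional

# --- Gateway side: when may a scanner report a virus to the sender? ---

# Constructed signature metadata (placeholder names, not real malware identifiers).
# True means the family is known to put a fake address in the envelope sender.
FORGES_SENDER = {
    "Example.Worm.Spoofer": True,
    "Example.Trojan.Plain": False,
}


@dataclass
class Verdict:
    infected: bool
    family: Optional[str] = None


@dataclass
class Action:
    deliver: bool
    notify_sender: Optional[str]  # envelope address to report to, or None
    reason: str


def decide(verdict: Verdict, envelope_sender: str) -> Action:
    """Decide what a scanning gateway does with a message and who, if anyone, it tells."""
    if not verdict.infected:
        return Action(True, None, "clean")
    sender = envelope_sender.strip().strip("<>")
    # A null reverse path (<>) marks a bounce; answering it only creates mail loops.
    if not sender:
        return Action(False, None, "infected; null reverse-path, nobody to report to")
    # Unknown families default to 'forges': a report would land on an innocent third party.
    if FORGES_SENDER.get(verdict.family, True):
        return Action(False, None, f"infected with {verdict.family}; sender address not trusted")
    # Report goes to the envelope sender, never to the From: header, which is trivially forged.
    return Action(False, sender, f"infected with {verdict.family}; reporting to envelope sender")


# --- Victim side: recognise bounces and virus reports for mail we never sent ---

TAG_KEY = b"constructed-example-key"  # placeholder; load from configuration in practice
DOMAIN = "example.com"


def new_message_id(key: bytes = TAG_KEY) -> str:
    """Outgoing Message-IDs carry a keyed tag so genuine bounces can be told from backscatter."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()[:16]
    return f"<{nonce}.{tag}@{DOMAIN}>"


def message_id_is_ours(msg_id: str, key: bytes = TAG_KEY) -> bool:
    """Verify the tag in a Message-ID we are being asked to believe we generated."""
    local, _, domain = msg_id.strip("<> ").partition("@")
    if domain != DOMAIN or "." not in local:
        return False
    nonce, _, tag = local.partition(".")
    expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(tag, expected)


def is_backscatter(raw_bounce: str, key: bytes = TAG_KEY) -> bool:
    """True when a bounce or virus report quotes an original whose Message-ID we never issued."""
    bounce = message_from_string(raw_bounce)
    for part in bounce.walk():
        if part.get_content_type() in ("message/rfc822", "text/rfc822-headers"):
            payload = part.get_payload()
            original = payload[0] if isinstance(payload, list) else message_from_string(str(payload))
            orig_id = original.get("Message-ID")
            return not (orig_id and message_id_is_ours(orig_id, key))
    # Nothing returned to us: it cannot be tied to anything we sent, so treat it as backscatter.
    return True


def make_bounce(original_message_id: str) -> str:
    """Constructed sample of the kind of 'your mail contained a virus' report the post describes."""
    return (
        "From: scanner@example.net\n"
        "To: victim@example.com\n"
        "Subject: The mail you sent contains a virus\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\n"
        "The mail you sent contains a virus and was not delivered.\n"
        "--b1\nContent-Type: message/rfc822\n\n"
        "From: victim@example.com\nTo: someone@example.net\n"
        f"Message-ID: {original_message_id}\n\n(worm payload omitted)\n"
        "--b1--\n"
    )


if __name__ == "__main__":
    print(decide(Verdict(True, "Example.Worm.Spoofer"), "<victim@example.com>"))
    print("forged report is backscatter:", is_backscatter(make_bounce("<forged.123@example.com>")))
    print("our own bounce is backscatter:", is_backscatter(make_bounce(new_message_id())))
```

The tag on the Message-ID is only a weak form of sender authentication: it tells the forgery victim which bounces concern mail they really sent, which is exactly the question the anti-virus gateway cannot answer from the From: line alone. That is why the gateway-side rule errs toward silence for any family it cannot vouch for.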


I like your web page on C/R web filters.

I've been trying to find a way to switch to C/R, however, I have a number of unique issues that makes it difficult.

First off, I use multiple domains, some of which I just have all mail addressed to that domain go to a single mailbox. Sometimes I have all mail from multiple domains go to a single mailbox. I'm regretting this now, but it was useful at the time.

Second, I use IMAP for all of my mail, so I can't use a client-side solution.

Lastly, my IMAP mail is auto-filtered by ProcMail in combination with Spam Assassin. What I want is something that I can easily call from within procmail for multiple specific rules (i.e. addresses to, but not caught in the above rules, send to white; addresses to * but not caught in the above rules, send to white).

I've not yet found anything that quite works for me for all of this. Looking around I've seen services that charge lots of bucks, server appliances, or services that only work with POP, or services where you must use their client software or web interface.

If you know of a good existing solution, let me know.

-- Christopher Allen

Why does the anti-virus software feel the need to send an error message to the fake sender?

Scroll down the message. I am sure that you will find a link to buy the anti-virus software which detected the virus. It's the perfect place for such an ad. You can't accuse the program of spamming and it is scary for the less computer literate to get such a message. Many believe that their computer must be infected, increasing the likelihood of a quick sale.

I am currently under bombardment from an analogous lack of insight by various POP servers. Some &&^%$* spammer decided to insert my address in the From line of his broadcast this weekend. I am already up to a few thousand bounced messages for full mailboxes/unknown users/unknown servers etc. Individual messages I can understand, although a method of authenticating senders would solve that problem, too, but when I get a message indicating that 25 of the 250 addresses in the To list are faulty, I have to think the braindead server could have recognized the SPAM for what it was and binned it without notifying me.
