On Thu, 25 Apr 2002 16:04:35 +0200 (MEST), postmaster@xxxxxxxxxxxx wrote:
> V I R U S A L E R T
>
> Our viruschecker found the
>
> W32/Klez.h@MM
>
> virus(es) in your email to the following recipient(s):
>
> -> <e9227474@xxxxxxxxxxxxxxxxxxxx>
>
> Delivery of the email was stopped!
>
> Please check your system for viruses, or ask your system administrator
> to do so.
>
> For your reference, here are the headers from your email:
>
> ------------------------- BEGIN HEADERS -----------------------------
> Received: from Mcagx ([200.54.204.187]) by mta1.bs.dion.ne.jp
> (InterMail v4.01.01 201-232-113-102) with SMTP
> id <20020425140133.JAKD1477.mta1@Mcagx>
> for <e9227474@xxxxxxxxxxxxxxxxxxxx>;
> Thu, 25 Apr 2002 23:01:33 +0900
> From: gimp-developer <gimp-developer@xxxxxxxxxxxxxxxxxxxxx>
> To: e9227474@xxxxxxxxxxxxxxxxxxxx
> Subject: In future releases.
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary=Xk5BtvSPri16M7b5oJx
> Message-Id: <20020425140133.JAKD1477.mta1@Mcagx>
> Date: Thu, 25 Apr 2002 23:02:20 +0900
> -------------------------- END HEADERS ------------------------------
>
>
> --===========================_ _= 3907775(1477)1019743365--
>
It is really annoying to have some virus checkers that are not doing their
job properly. The W32/Klez worm is well known for faking the address of
the sender. In fact, it collects a list of addresses from various files
and address books on the victim's machine and then sends copies of itself
to the addresses that is has found, using also some of these addresses as
the alledged sender of the message. This is documented on the virus/worm
description page of all major anti-virus companies.
Knowing this, it makes no sense for a virus/worm checker to reply to the
(innocent) "sender" of the message, because this only wastes some
bandwidth and maybe scare someone who was not involved at all (unless the
goal of the misguided warning message is to promote the virus checker
itself, but that would be a questionable practice, comparable to spamming).
Even worse, replying to a mailing list that has many subscribers will waste
even more bandwidth.
This can be easily confirmed by looking at the headers that were included
in the warning message: the virus checker received the message from someone
who is in japan, so it is obviously not coming from the GIMP developers'
mailing list, hosted in Berkeley.
So this is a request for postmaster@xxxxxxxxxxxx: PLEASE change the
configuration of your virus checker so that it does not send a warning
message to the alledged sender of the message if the address of the sender
(or an address that is similar enough) does not appear in any of the
"Received" fields. Alternatively, you may want to avoid sending any reply
if the worm that was detected is W32/Klez, because it always fakes the
sender's address.
If your current virus checker does not allow you to do that, please put
some pressure on your vendor until this feature is added to their software.
Sending unsollicited warning messages to innocent third-parties is a waste
of bandwidth comparable to spamming or having an open mail relay. As such,
it should be punishable.
-Raphaël
P.S. to the gimp developers who also get a CC of this message: sorry for
the additional waste of bandwidth, but I encourage you to send similar
messages when you receive a misguided virus warning, because some
vendors of virus/worm checkers are acting in an irresponsible way and
may soon generate as much trouble as the virus/worms that they are
trying to stop.
