📄 29a-7.011
(sandra@redoakdesigns.com)
(reason: 550 5.1.1 (sandra@redoakdesigns.com)... User unknown)

Symantec is short and to the point, leaving out when I sent the message, and to
what e-mail address. Thanks for the details!

From: AVAdmin@ecs.com
Subject: Symantec AVF detected an unrepairable virus in a message you sent
Subject of the message: test
Recipient of the message: Jon Baratta

In some cases, Symantec doesn't even want to tell you who you supposedly mailed.
Great.

From: Administrator@polyformus.com
To: jericho@attrition.org
Date: Tue, 27 Jan 2004 20:16:40 -0800
Subject: Symantec AVF detected an unrepairable virus in a message you sent
Subject of the message: Error
Recipient of the message: Unknown Recipient(s)

GroupShield for Exchange wins the award for the largest spam. I've also removed
some extra space to make this mail bearable. They also let me know the easy to
remember trouble ticket number, just in case I need to reference it in the
future when dealing with their company. On top of all this, they warn me that
this mail is confidential. If that were the case, spammers would be in heaven as
they sent out millions of spam protected by a CONFIDENTIALITY NOTICE that
prevented people from sharing the contents with anti-spam organizations or law
enforcement. Nice try GroupShield!

From: "GroupShield for Exchange (FBOWEXC001)" (NAICENTRALFBOWEXC001@bowne.com)
To: "'jericho@attrition.org'" (jericho@attrition.org)
Date: Tue, 27 Jan 2004 09:20:32 -0500
Subject: ALERT - GroupShield ticket number OA14_1075213232_FBOWEXC001_1 w as generated
Action Taken:
The attachment was quarantined from the message and replaced with a text
file informing the recipient of the action taken.
To: gary.willis@bowne.com (gary.willis@bowne.com)
From: jericho@attrition.org (jericho@attrition.org)
Sent: 1329686912,29615328
Subject: test
Attachment Details:-
Attachment Name: text.zip
File: text.zip
Infected? Yes
Repaired? No
Blocked? No
Deleted? No
Virus Name: W32/Mydoom@MM
CONFIDENTIALITY NOTICE:
The information in this Internet email is confidential and may be legally
privileged. It is intended solely for the addressee. Access to this email
by anyone else is unauthorized.

MailMarshal gives me the option of contacting them and asking them to let the
mail through. If I was feeling a little saucy I might mail them asking just
that. Wonder if I could infect them via a polite request.

MailMarshal (an automated content monitoring gateway) has
not delivered the following message:
Message: B000035b6e.00000000.mml
From: bmartin@attrition.org
To: SMcCullough@ORMILA.com
Subject: TEST
This is due to automatic rules that have determined that the
intended recipient is not authorized to receive messages with
Executable file(s) attached.
If you believe the message was business related please send a
message to exchad@ORMILA.com and request that the message be
released to its intended recipient. If no contact is
made within 5 days the message will automatically be deleted.
MailMarshal Rule: Inbound : Block EXECUTABLE Files
Email security by MailMarshal from Marshal Software.

BorderWare MXtreme Mail Firewall has a really clever name using "MXtreme" (tech
geeks are rolling, I bet), and provides me with valuable information such as the
Queue ID number. Very helpful.

This is an automated message from baxter.com
A mail from you (bmartin@attrition.org) to (adalberto_maldonado@baxter.com)
was stopped and Rejected because it contains one or more viruses.
Summary of email contents:
Queue ID: E0A7E6CF67
Attachment: file.zip
Found virus I-Worm.Novarg /file.txt

InterScan's nice summary makes it easy for me to figure out what I did. On
Tuesday I used "Mail" to send a virus to Peter and InterScan deleted it. That's
how it went down, yep.

Sender, InterScan has detected virus(es) in your e-mail attachment.
Date: Tue, 27 Jan 2004 22:45:20 +0100
Method: Mail
From: (jericho@attrition.org)
To: peter.metrowich@au.bosch.com
File: message.zip
Action: deleted
Virus: WORM_MIMAIL.R

Antigen gets the award for the most convoluted warning.

Antigen for Exchange found readme.zip->readme.txt
.exe infected with VIRUS= MyDoom.A@m (Norman) worm.
The message is currently Purged. The message, "Server Report", was
sent from jericho@attrition.org and was discovered in IMC Queues\Inbound
located at DoubleClick/Thornton/THN-EX10.

McAfee, aka Captain Obvious, warns me that a HARMFUL virus was sent, not one of
those nice huggly viruses. They are also sincere in their warning to me as they
advertise their product and web site.

McAfee Security has detected that the e-mail message you have sent below
contains a harmful virus. The message has been quarantined.
The infected message's properties are:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sender: jericho@forced.attrition.org
Receiver: sfromm@energy.state.ca.us
Virus Name: W32/Mydoom@MM (ED)
Original Attachment Name: test.zip
Transmission Date Time: 01/27/2004 17:27:47
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The intended recipient's System Administrator(s) has been notified. They may
choose to delete this message or request receipt at their own risk.
Sincerely,
McAfee Security Customer Care
-----------------------------------------------
McAfee Security
http://www.McAfeeASaP.com
-----------------------------------------------

No clue who to blame for this one! Some anti-virus product out there sends this
type of gem. Due to the way they send their warning, it appears in my inbox as
such, appearing as if I BCC'd myself on the e-mail or something. Mail should not
arrive in my inbox addressed from me. Spoofing mail headers like this is the
same thing the worms are doing!

From: jericho@attrition.org
To: ldainc@coqui.net
Date: Tue, 27 Jan 2004 11:23:25 -0600
Subject: Returned due to virus; was:
Mail transaction failed. Partial message is available.

Network Associates, Inc. Webshield SMTP "Cleans and Quarantines" (is that some
trademark? Why the caps?) the mail I supposedly sent.

Varian Inc. virus shield detected virus W32/Mydoom@MM (ED) in an e-mail sent from
to with the subject test. This e-mail
was Cleaned and Quarantined. If you have any questions please call 650-424-5151.

The Real Solution

Since I have little hope for the Anti-Virus industry and really doubt they will
take the logical course of action and reconfigure their inferior products, it's
probably best if I recommend another course of action. Every time you receive a
piece of mail from an Anti-Virus company product, treat it like any other spam.
Forward it to the appropriate abuse/postmaster contacts of the remote system.
Make sure you also send a copy to their upstream provider and any law
enforcement that is appropriate. Be sure to send a copy to the offending
spammer/Anti-Virus company so they are aware you don't like their practice.
Finally, since this spam doesn't give you a method for opting out of future
mail, this violates the "CAN-SPAM Act of 2003" and should be reported
accordingly. If our government is serious about spam, they will be aggressive in
their pursuit of these million dollar companies that send out millions of spam a
year.
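
Picking these notices out of the inbox is the first step in handling them as spam. The filter below is an added Python example, not part of the original article: it matches phrases from the notices quoted on this page and extracts the reported virus name. The function name, record fields and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# (product, field, phrase) taken from the notices quoted in this article.
SIGNATURES = [
    ("Symantec AVF", "subject", r"Symantec AVF detected an unrepairable virus"),
    ("GroupShield", "subject", r"ALERT - GroupShield ticket number"),
    ("MailMarshal", "body", r"MailMarshal \(an automated content monitoring gateway\)"),
    ("InterScan", "body", r"InterScan has detected virus\(es\)"),
    ("Antigen", "body", r"Antigen for Exchange found"),
    ("McAfee", "body", r"McAfee Security has detected that the e-mail message"),
]
# "Virus Name: X" or "Virus: X" lines, as several of the samples report it.
VIRUS_LINE = re.compile(r"^[ \t]*Virus(?: Name)?[ \t]*:[ \t]*(\S.*?)[ \t]*$",
                        re.IGNORECASE | re.MULTILINE)

def classify_notice(raw, my_addresses):
    """Return a triage record for an AV gateway notice, or None if no match."""
    msg = message_from_string(raw)
    texts = [(p.get_payload(decode=True) or b"").decode("utf-8", "replace")
             for p in msg.walk() if p.get_content_maintype() == "text"]
    body = "\n".join(texts)
    fields = {"subject": msg.get("Subject", ""), "body": body}
    for product, where, phrase in SIGNATURES:
        if re.search(phrase, fields[where], re.IGNORECASE):
            virus = VIRUS_LINE.search(body)
            return {
                "product": product,
                "notifier": parseaddr(msg.get("From", ""))[1].lower(),
                "virus": virus.group(1) if virus else None,
                # Does the notice name one of our addresses as the "sender"?
                "names_us": any(a.lower() in body.lower() for a in my_addresses),
            }
    return None

# Constructed sample, modelled on the McAfee notice quoted above.
SAMPLE_NOTICE = """\
From: Gateway <avadmin@mail.example.net>
Subject: Virus alert

McAfee Security has detected that the e-mail message you have sent below contains a harmful virus.
Sender: user@example.org
Virus Name: W32/Mydoom@MM (ED)
"""
# Constructed sample of ordinary mail that must not be flagged.
SAMPLE_NORMAL = "From: a@example.com\nSubject: lunch\n\nVirus scan at noon?\n"

if __name__ == "__main__":
    print(classify_notice(SAMPLE_NOTICE, ["user@example.org"]))
```

The record gives the notifying host's address for the abuse/postmaster report; phrase lists like this need updating as products change their wording.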

Update 1/29/04 - It has been brought to my attention that MailScanner is a)
freeware, b) receives its virus naming from other software and c) defaults to
not sending such warnings. Kudos to the MailScanner devs for recognizing the
problem and reconfiguring long before this article appeared.

Update 1/30/04 - Reader feedback has alerted me that MIMEDefang, ClamAV,
Exiscan and Amavis default to not sending such warnings in general, or for a
specific list of worms known to spoof. Admins, ditch the high priced junkware
and learn to love these products that put quality and common sense before bottom
line. I have also received several links to others that wrote about this topic,
but the best one has to be this Open Letter from Fridrik Skulason of FRISK
Software (F-Prot AV).

I have received almost 100 replies to this article and I appreciate the
feedback. A few comments related to the feedback.

* I realize that admins can configure the products in many cases, but the AV
  products ship with this feature on by default. I personally don't think we
  can hold every beleaguered admin responsible for knowing hundreds of products
  any more than we expect users to quit double clicking every .exe that crosses
  their inbox.
* Tim Jackson has sent in an excellent SpamAssassin filter to handle these bogus
  virus warnings. Many people suggested I write one, but Tim is way ahead of us!
* If anyone has SpamAssassin or other mail filters that can help reduce the load
  of the "infected warning" mail, send it over and I'll add it to this page.

Update 1/30/04 - The ultimate in irony. I received blatant spam from McAfee
advertising their product as a solution to this worm. This is not the first mail
I have received from McAfee during a worm outbreak. Full spam with headers.

Update 1/30/04 - Anecdote from a reader: "I just had a nice little chat session
with someone from McAfee. I received an email with the virus attached that
claimed to be returned by Webshield e500. I was trying to figure out whether the
virus was doing this or Webshield e500. The guy from McAfee said that none of
their products send autoresponders. So I sent a link to your article, at which
time the guy experienced technical difficulties and was disconnected."

Another reader sent in the auto-bounce from Declude (not the default) which gets
a little snippy with you as they spam you with virus warnings: "If your mail
server had better virus protection, it would have caused less work for our
server and could have prevented one of your users from getting a virus."

Copyright 2004 by Brian Martin. Permission is granted to quote, reprint or
redistribute provided the text is not altered, and appropriate credit is given.

--- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x --- x ---
Yes, (some) antivirus companies are spammers.
A response to Brian Martin.
In an article titled “Anti-Virus Companies: Tenacious
Spammers