Notification emails cause virus-like chaos

Notification emails cause virus-like chaos

Summary: Security experts are urging administrators to turn off a feature on antivirus applications that causes almost as much chaos as a virus

TOPICS: Security

A common antivirus feature that automatically replies to emails infected with a virus to inform the sender that they are infected is obsolete and should be disabled because it creates almost as much trouble as the virus itself, according to security experts.

When an antivirus application detects malware in an email, such as the recent MyDoom worm, it can automatically reply to the sender of that message to inform them that they have been infected. However, virtually all modern email viruses disguise the original sender's address by spoofing the "from" field with a stolen, but valid, email address. This means users receive emails telling them they are infected when they are not, resulting in significant quantities of unnecessary traffic.

This additional traffic is a further burden on administrators because it occurs when companies are trying to clean their systems from the virus attack. Jack Clark, technology consultant at antivirus firm McAfee estimates that "bounce-back" emails play a significant part in slowing down corporate networks and the feature should be disabled immediately.

"There is no real point in trying to tell somebody that they are infected when 99 percent of the viruses that are being produced today will spoof the address. On Tuesday and today, people have noticed that the Internet is a percentage slower. The bounce-back emails could account for up to 25 percent of this slow-down," Clark told ZDNet UK.

Jay Heiser, chief analyst at IT risk management company TruSecure, agreed. He told ZDNet UK that the automatic notification was a good idea a few years ago but now the function was obsolete.

"This technique was useful back in the days before people spoofed email addresses but it is not something that I would encourage right now. The lines are being clogged up with emails flying around, not only from the virus, but also from end users that are concerned they have got the virus when they don't," Heiser said.

Email systems still produce these notifications because administrators are either too busy or see it as a low priority issue, according to Clark: "It is the last thing on people's minds. Administrators are too busy dealing with viruses that get into their systems and they don't see these bounce-back emails -- it is not a high priority," he said.

Heiser believes that the auto-notification feature may have worked as an incentive for virus writers to use email spoofing to give their viruses more time to infect users: "[Spoofing] is a preventive mechanism that the virus writers put in partly because users were being notified that they had been infected too early. This buys the virus more time to spread," he said.

Both Heiser and Clark urge administrators to disable the feature immediately.

Topic: Security

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I'm getting more of these return notifications than actual virus emails at the moment by a factor of about 2-1, my email address has been spoofed off my (required) website contact address so I know where they got it from.

    I think I might have to add a "nospam" bit to my address to stop the robots harvesting it.
  • When I started to get these from the recent attacks, I started sending my own response:
    "Please update your scanner not to send these responses to addresses on emails sent as a result of viruses which are known to spoof the FROM field - you are merely adding to the problem, congesting the internet, and filling my inbox with even more junk than I have already due to the viruses."

    I consider these to be akin to spam and are a royal pain!
  • How to turn a virus into SPAM! Add one good intention and leave to stand with MYDOOM!

    I have raised this question before. On receipt of e-mail, no longer can these e-mail filters identify the actual point of origin! Viruses like today's are able to spoof the e-mail FROM and TO address but the filters cannot and do not notify who has actually sent it. Instead they become scaremongers that panic users! While this remains everyone should turn this facility off!

    Those that leave this facility on, do so to the virus writers
  • On the one hand side, yes, the vast majority of virus emails have a spoofed sender address, hence, the notification will be send to an innocent third person, which will probably rather consider the email as spam than as a helpful hint.
    On the other hand, by providing email relay and delivery to customers, the service provider is in charge for email handling. Senders must be informed if - for any reason -an email is not delivered to the recipient, which for security resons is usually the case if a virus was detected. In other words, if I send an email to a person with an attachment containing a virus and this particular email is deleted by an automatic virus scanner, I expect to be informed about the non-delivery of my email, don't I?