
RE: [Snort-sigs] False Positive for Probable Zafi Virus outbound via SMTP

Subject: RE: [Snort-sigs] False Positive for Probable Zafi Virus outbound via SMTP rul
Date: Tue, 2 Nov 2004 11:32:34 -0800


We don't bounce back viruses, specifically because most of the sources
are forged.  I have received bounced forged messages myself and I agree
that configuring your antivirus software to do this nowadays just
contributes to the garbage traffic problem.  It just so happens that in
this case these messages were from a source that was listed in an open
relay database and are therefore identified as SPAM before the antivirus
software got to it.  I was mistaken in that we no longer bounce back
messages caught in our SPAM filter.  We were doing this at one time
because we wanted to notify senders that their message was rejected just
in case it was erroneously identified as spam.  We now deliver messages
identified as spam to the intended user, in a segregated mail box that
they themselves must check for false positives.  (FALSE POSITIVES: These
are important business e-mail messages that are caught by spam filtering
software for a number of different reasons.  Unless you are sending your
e-mail off to India to be pre-read by an army of human SPAM filters,
SPAM filtering software is inherently prone to false positives.)  Anyway,
after a more careful review, the reason for the Snort alerts on this
rule is bounced messages that were created by a virus using
randomly generated user names.  These user names do not exist on our
mail server so they are bounced back to the sender.  I believe this
would be an RFC compliance issue.


-----Original Message-----
From: Matt Jonkman [mailto:matt@infotex.com] 
Sent: Tuesday, November 02, 2004 11:07 AM
To: Kalbfleisch, Gary
Cc: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] False Positive for Probable Zafi Virus outbound via SMTP rul

<my 2 cents>
Bouncing spam and viruses only compounds the problem. You'll be much
better off discarding them, since the sender of most of them is spoofed;
you'll be filling the inbox of unknowing random users.

Bouncing a virus is just the same. Plus you're wasting more of your own 
bandwidth, as well as that of others.

Don't mean to lecture, that's just a pet peeve of mine. If there's no
possible reason the sender (even if the real sender were identified)
would want the message back, then why waste bandwidth? You mention false
positive sources, I'm curious what you mean there. In the case of
viruses it's pretty clear cut, do you see falses on your AV scanner?
</my 2 cents>

But to the rule, it's intended to catch the virus on the way out of your
net to help identify an infected machine inside. If you want to continue
to bounce viruses I'd recommend putting in a local version of the same
rule but make the source your mail server and make it a pass rather than
alert. That would get rid of the undesired alerts.

But I'd really recommend discarding spam and viruses. Better for 
everyone. :)

We do appreciate you bringing up a discussion on a rule though. Keep 
them coming.

Matt

Kalbfleisch, Gary wrote:

This rule triggers an alert when the anti-spam software on my mail
servers bounces the messages back to the source.  We have chosen to
bounce back spam messages so "false positive" sources will get a message
back rather than thinking that their message was delivered.

alert tcp $HOME_NET any -> any 25 (msg:"BLEEDING-EDGE Probable Zafi Virus Outbound via SMTP"; content:"TVqQAAMAAAAEAAAAUEUAAEwBAgBG"; content:"AAAAAAAADgAA8BCwEAAAAuAAAAOgAAAAAAAPu+"; distance:6; classtype:misc-activity; sid:2000310; rev:1;)

Subject: [SPAM] Check this out kid!!! - Sending mail server found on
relays.ordb.org

-- Gary Kalbfleisch
-- Director of Systems and Information Assurance
-- Technology Support Services
-- Shoreline Community College
-- (206) 546-5813
-- (206) 546-6943 Fax
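Why the rule fires on bounces, and how Matt's local pass rule would quiet it, can be seen by working the rule through in code. The Python below is added here as an illustration; it is not from the thread, from Snort, or from the Bleeding Edge rule set. The two content strings and distance:6 are copied from sid:2000310 as quoted above. Everything else is constructed: the SMTP payloads, the relay address 192.0.2.25 standing in for $SMTP_SERVERS, the placeholder local sid, and the pass_rule_first flag, which stands in for Snort 2.x's rule-order setting (Snort of that era evaluated alert rules before pass rules unless started with -o, so a pass rule only silences an alert when pass rules are ordered first; check the manual for the version in use).

```python
import base64

# Content strings and distance copied from the BLEEDING-EDGE rule (sid:2000310)
# quoted in the thread.
CONTENT_1 = b"TVqQAAMAAAAEAAAAUEUAAEwBAgBG"
CONTENT_2 = b"AAAAAAAADgAA8BCwEAAAAuAAAAOgAAAAAAAPu+"
DISTANCE = 6  # the second search begins this many bytes after the end of the first match

# Constructed: a local pass rule of the shape Matt suggests. $SMTP_SERVERS is the
# standard snort.conf variable for the site's mail relays; the sid is a placeholder
# in the local (>= 1000000) range.
LOCAL_PASS_RULE = (
    'pass tcp $SMTP_SERVERS any -> any 25 (msg:"LOCAL Zafi bounce leaving our mail relay"; '
    'content:"TVqQAAMAAAAEAAAAUEUAAEwBAgBG"; content:"AAAAAAAADgAA8BCwEAAAAuAAAAOgAAAAAAAPu+"; '
    'distance:6; classtype:misc-activity; sid:1000001; rev:1;)'
)

# Constructed: the relay's address, standing in for $SMTP_SERVERS.
SMTP_SERVERS = {"192.0.2.25"}


def decode_content_fragment(fragment: bytes) -> bytes:
    """Base64-decode the complete 4-character groups of a rule content string.

    The strings are cut from the middle of a base64 attachment, so their length
    need not be a multiple of 4; a trailing partial group is dropped.
    """
    usable = len(fragment) - len(fragment) % 4
    return base64.b64decode(fragment[:usable])


def rule_matches(payload: bytes) -> bool:
    """Emulate the rule's two content checks: CONTENT_1 anywhere, then CONTENT_2
    no earlier than DISTANCE bytes after the end of that match. Only the first
    occurrence of CONTENT_1 is tried here; Snort itself may retry later ones."""
    first = payload.find(CONTENT_1)
    if first == -1:
        return False
    search_from = first + len(CONTENT_1) + DISTANCE
    return payload.find(CONTENT_2, search_from) != -1


def verdict(src_ip: str, payload: bytes, pass_rule_first: bool = True) -> str:
    """Return 'none', 'pass' or 'alert' for one outbound SMTP payload.

    pass_rule_first models Snort's rule order: the local pass rule only wins
    when pass rules are evaluated before alert rules.
    """
    if not rule_matches(payload):
        return "none"
    if pass_rule_first and src_ip in SMTP_SERVERS:
        return "pass"  # LOCAL_PASS_RULE applies: a bounce leaving the relay
    return "alert"


# Constructed: a slice of the base64 attachment body of an infected message as a
# workstation sends it. The two fragments sit 8 bytes apart, as they would inside
# one continuous base64 stream of the same executable.
INFECTED_MESSAGE = (
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + CONTENT_1 + b"AAAAAAAA" + CONTENT_2 + b"AAAA\r\n"
)

# Constructed: the non-delivery report the relay sends to the (forged) sender. It
# quotes the rejected message whole, attachment included, so the same bytes leave
# the network a second time, now from the relay's address.
BOUNCE_MESSAGE = (
    b"Subject: Undeliverable: Check this out kid!!!\r\n\r\n"
    b"The following recipient could not be reached: no-such-user@example.edu\r\n"
    b"----- Original message -----\r\n" + INFECTED_MESSAGE
)

BENIGN_MESSAGE = b"Subject: lunch\r\n\r\nSee you at noon.\r\n"


if __name__ == "__main__":
    # The first fragment decodes to an MZ/PE executable header: the rule keys on
    # the worm's attachment, and a bounce that quotes the attachment carries it too.
    print("content 1 decodes to", decode_content_fragment(CONTENT_1))
    for src, msg, label in [("192.0.2.77", INFECTED_MESSAGE, "workstation, infected"),
                            ("192.0.2.25", BOUNCE_MESSAGE, "mail relay, bounce"),
                            ("192.0.2.25", BENIGN_MESSAGE, "mail relay, benign")]:
        print(f"{label:24s} -> {verdict(src, msg)}")
```

The infected message from the workstation still alerts, which is the rule's purpose; the same bytes inside the relay's bounce are passed; and if the relay is not in $SMTP_SERVERS, or pass rules are not ordered first, the bounce alerts exactly as Gary observed. Discarding rather than bouncing, as Matt recommends, removes the second copy altogether and needs no local rule.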





_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
