Leader: It's worse than a virus and more annoying than spam

That's right, it's the 'Mail Delivery Failure Notification'...

By silicon.com, 28 January 2004 17:45

Whoever came up with the mail delivery failure notification - you are officially persona non grata in thousands of offices worldwide.

Whenever a virus comes along many businesses are ready for it - blocking it, quarantining it or obliterating it as it enters the building. What they aren't ready for - or even able to cope with - are the thousands of email delivery failure notifications that arrive as a side-effect of email address spoofing: the virus forges their addresses as the sender, other people's servers reject those messages, and the rejections come back to the innocent owner of the address.

Every day at the moment, in the wake of the MyDoom outbreak, companies are processing vast quantities of email telling them 'your email could not be delivered because it contained a virus' or similar.

But it didn't. You didn't send a virus but now you're picking up the bill - lost bandwidth, wasted man hours and general 'pain in the arse' factor - for somebody else's woefully unintuitive technology.

Surely this mechanism has had its day. How many do you see that are relevant? Most are the by-product of a virus or similar network problem and in truth the only people to benefit are the virus writers. Even if their malicious creation doesn't get past the first line of defence they can be sure the ensuing delivery failure traffic will be tantamount to a denial of service attack on servers worldwide.

Genuine email gets backed up for days, employees become frustrated and businesses grind to a frustrating go-slow.

Companies won't filter it or block it - because there's no distinguishing between such notifications and genuine notifications of a failed mail. It won't be swept away with the spam and employees who are forced to trawl through these messages lest an important email has genuinely not been delivered will lose hours each day during a time of heavy 'infection'.

In short, the mail delivery failure notification is becoming one of the biggest network-borne menaces of the modern age. Sounds extreme? If you haven't experienced this then that will sound a preposterous claim, but if you have then you'll know exactly what we are talking about.

It's time this functionality was switched off - at least for several days either side of virus outbreaks such as this week's. Go on - do it, for all our sakes.

Comments

There are 43 comments.

  1. Graeme

    Well I can understand your comments but where would we be without these little messages flying around? We'd have no idea that our critical business meeting emails were getting to the recipient on time. This function is relatively easy to take off as well and is often down to the anti-virus product sending these out.

    I think you're right about the amount of time wasted. But still reckon Spam is far worse than this. Better the devil you know.

    I've received every single NDR that our company gets and it is much easier to be able to tell your directors why they have not been able to get in touch rather than just the laziness of a given client. At least then the IT depts are free from blame. We'd end up like the Post office at Xmas.

  2. steve morris

    Couldn't agree more with your article. We have blocked more than 29,000 copies of this virus since Monday evening, but still have to put up with a hugely increased traffic load and deal with a huge number of calls from worried users who have been told they have sent a virus.
    Turn these things off please! They are of no real benefit. What was the last email-borne virus that did NOT spoof the sender address?

  3. Howard Winfield

    For many users all that is required is to ask for a receipt verification on important/critical e-mail and just junk all the undelivered mail notifications automatically.

  4. Nick Galt

    I disagree entirely. Much of the work IT does in keeping systems running smoothly is hidden from users. This is one way they can see the level of effort that goes into protecting the systems and keeping their email clean and virus free.

    (Ed note. This is a bit like saying 'it would be good to see criminals running wild in the streets, because it would remind us what an excellent job the police do'. I think we'd all rather see none of the disruption and take it as read that the IT department is doing some sterling work protecting us behind the scenes.)

  5. anonymous

    Not that it is worse but the spam mailers mailing a solution for spam... I think they are the worst!

  6. anonymous

    (Embarrassed non-techie at the back of the class puts her hand in the air)

    Please bear with me! If most organisations were as ready for a virus attack as you say, how come they would be ‘plagued’ with notifications? I’m an office manager in an SME with no dedicated IT support (but committed to anti-virus protection), and whilst I’m not totally IT-ignorant, this one is beyond me! If my machine has not got a virus, why would the virus writers be able to use my email address (hence the production of non-delivery notifications)?

    If anyone can provide me with a nice, simple answer, I would be most grateful.

  7. Phil

    The recent deluge of NDRs and rejection messages has been very easy to deal with. Anything arriving at the mail gateway using one of the 50 or so spoofed names (Helen, Jimmy etc.) is routed into a "black hole".
    We know they're not addresses that originated here, so end of problem.

  8. anonymous

    I disagree. If I send an email to a person or organisation I NEED to know if it did not reach the intended recipient. I similarly would expect Royal Mail to return post if it did not reach the sender. I can tell the difference between a genuine notification of email failure from a spoof one, maybe you should look harder at the subject line!

  9. Richard Westlake

    I would agree with not automatically notifying the apparent sender of a virus.
    This is now the default with the wonderful (and free) MailScanner packages; hopefully other packages will also do this.

    I wouldn’t want all email delivery failure notifications to be banned, we need a way of discovering that a genuine email could not be delivered. It’s all too easy to make a typo when entering an email address.
    Features such as notification of receipt or reading are not supported by all systems and if widely used could cause just as much trouble. Just imagine the effect of a worm like MyDoom or Sobig requesting notification. These features could also leak information.

    As a side note Thomas Zehetbaue recently posted to the BugTraq list some suggestions for handling this problem, including the idea that if notifications are sent then a standard format should be used so they can be filtered.

    http://securityfocus.com/archive/1/351540/2004-01-26/2004-02-01/0

  10. Ian Savell

    I've had more "you've sent a virus" or "your virus laden email could not be delivered" messages than actual virus-laden emails this week, and earned a goodly sum reassuring worried clients that they are not infected. Certainly stop virus checking companies from replying to the apparent sender of the virus. Suppressing non-delivery messages might be a bit much.

  11. Mike Doyle

    Yes they can be annoying. I have personally waded through over two hundred undelivered messages this morning; for the second time in six months someone has sent emails claiming to be from us. We are a small business ISP and have anti-virus and anti-spam filtering built into our mail servers but these recent messages have had an adverse effect on server performance. Unfortunately requesting an email confirmation doesn't work to confirm delivery of a message as we have found most people refuse to send them back (including us!).

  12. Kev

    Your comments mislead. I have blocked the virus by not allowing .zip files into the company unless released by the IT Dept. I have also found that 2 notebook users have this because of the notice; they were quick to inform me when they had the delivery message.

  13. Doric T. Jemison-Ball

    Get a life! Sort your mail by subject and batch delete the messages. If this takes your employee two hours a day, you should fire them for either stupidity or ineptness.

    (Ed note. The time taken is by those individuals charged with actually reading - not deleting - each delivery failure notification, to ensure genuine emails are all getting through. Some businesses cannot risk not knowing if emails aren't delivered and for those it is a thankless and time-consuming task.)

  14. Steve Casey

    A reply to the embarrassed non-techie

    Dear Lady from Manchester,

    You only need to know two things to understand the situation...

    (1) It is very easy to make it appear that an email from you comes from somebody else

    (2) These viruses read details from the victim's address book

    Let's call the victim Bob and suppose that when the virus reads Bob's address book it finds the details for Alice and Charles. The virus then chooses to send a malicious email to Alice which looks as if it was sent by Charles. If Alice has an up-to-date defensive system then this email will be rejected and a notification will be sent to the (apparent) sender, the totally innocent and completely uninfected Charles.

    So, the net result is that innocent and well-defended Charles may well be inundated with notifications.

  16. TJ

    Don't shoot the messenger - you might need him one day!

    Filtering out obviously false messages (preferably by not sending them in the first place) sounds like a better and more logical plan to me.

    IT is supposed to make life easier, isn't it? It's none the less our responsibility to make it smart enough to do just that. Software is only as good as the thought that's put into making it and using it.

    If someone leaves the water running in your house you don't phone the water company asking them to cut you off to prevent something like that happening in the future, do you? You educate/inform whoever left it running that water is an expensive commodity and should only be used when needed.

    In the same manner those systems sending false notifications need to be "taught" not to.

    Which brings us to the next problem, which is the fact that too many of those systems are not properly administered, if at all. A little bit like leaving the bath running while you go out for a pint (or two) and then find your house flooded on your return... ;-)

  17. Keith Hague

    Just attach a biggish file, or one with a '.exe' file extension and watch it come back. Or just as annoying; delivered with the attachment stripped out.

  18. Dave

    (Re: embarrassed non techie)

    Many recent viruses use a method called spoofing to hide the address of the machine it has spread itself from. Often it uses an email address that it finds on the infected computer, in email address books for instance, and uses that for the 'From:' field when spreading itself via an infected message.

    Hence when the infected message is received then any notifications such as for non delivery, or incorrect username, or a warning from Antivirus software, is sent to the spoofed 'From:' address. This could be an innocent bystander who just happens to be in the address book of the culprit who has the infected Windows PC.

    Hope that helps!

  19. Colin

    Agreed. Don't send unless COD/COR set. (Confirmation of Delivery and/or Confirmation of Receipt flag). If COD/COR IS set send a non-delivery. The recipient's mail router should keep a record of ALL OUTGOING CODs set, and a) Inform sender after X days if NOTHING comes back (and then delete the flag) b) Match all incoming COD/COR & Non Delivery Reports with all outstanding COD/CORs previously requested. If it matches, send to user, if no match discard at Mail Gateway. This is 80's SMTP RFC technology, not rocket science!

  21. anonymous

    "It's time this functionality was switched off - at least for several days either side of virus outbreaks..."

    Well if you can tell when the outbreak is due to occur then I'm sure people will only too gladly switch the feature off before the event happens. In the same way that if you could tell us a few days before terrorism bombings and plane crashes people would do something about them too.

    (Ed note. OK clever clogs! We meant switched off as soon as a virus breaks, during its peak time of activity and then for several days afterwards. We realise your point is a good one - and we doff our caps.)

  22. Linda

    Thanks for your help, Steve and Dave, I found both explanations very helpful!

  23. Richard Ash

    At its peak, I was receiving more mail undelivered messages than viruses by a factor of 2 or more. I have to filter these, with the result that all mail system messages are now blocked. Which kind of defeats the objective of the messages. Why can mail servers not standardly differentiate (in the headers maybe) between virus-related warnings, full mail boxes, and unknown addresses? Then at least we could sort out what we needed and what not.

  24. Phil Richards

    From my reading of the article, the MDFN being referred to were clearly for virus notifications.

    And I agree completely.

    What is even *more* annoying is that I subscribed to mailing lists - and these are also candidates for From-spoofing. A single MDFN turns into thousands - and the format is not sufficiently predictable that it can always be automatically filtered.

  25. VirusBuster

    This is a non issue. A savvy admin can run some rules (or code them in pl) which will kill all of the return mail notifications. End of story.

  26. anonymous

    I disagree with your proposal, but completely agree with the sentiment.
    I have been an innocent victim of a recent attack. Someone with my email address in their address book became infected. The virus chose my address to spoof and I received all of the vitriolic reply messages (usually automated). My ISP is very understanding and has confirmed that my email address has not been black-listed by the majority of servers. End of the embarrassment.

    I however disagree with your proposal because sometimes I have been given an email address to contact. The address sometimes includes an underscore between names instead of a full-stop. In these circumstances, a failure message is a very quick and efficient information message. The correction can be in place within minutes.

  27. Norman Sansom

    Here we go again throwing the Baby out with the Bath Water or afraid to empty the bath because we are too blind to see the baby! The Mail system has detected a virus and in most cases identified it as one that uses a false reply address. It then sends a failed delivery message back to the known FALSE address. My point is empty the bath: stop sending failed messages when you know it's a virus, but keep the baby and send failed delivery notices only for genuine messages.

  28. Angus Doyle

    Didn't I mention that a few days ago in the earlier Virus Report?

    In any event notification should be switched off, not so much the delivery failures but the darn Anti-Virus notifications. Anti-Virus companies of the world take note, it's a pain and a strain on our resources, so sort it out.

  29. Dirk Bruere

    Too f*****g true!
    I have at one time been deluged with more than 7000 such notices per day. At the moment it only runs to about 300 per day.

    The only answer is to use Mailwasher to hide, delete and blacklist anything with keywords associated with such failure notices.

  30. ddoo

    How can you "switch off" the reject mail system altogether? Better just refrain from sending the "contained virus" notice. Some ISPs simply delete the virus attachment and let the mail through.

  32. anonymous

    Virus-infected spoof MDFNs?

    I often get spoof MDFNs which actually contain a virus payload. Because I don't send many emails and remember who I've sent them to, it's fairly easy for me to isolate these.

    Anybody else get them?

    Perhaps we need a good catchy acronym for them!

  33. James

    I think you're missing the point here. It is the AV software that is at fault - if it has cleaned/rejected a message that had been infected by a virus that is known to spoof sender addresses - then it shouldn't be generating DSNs.

  34. anonymous

    At least don't send attachments back if the reason for non-delivery is the large size of the attachments.

  35. Joe

    A) Make sure to send delivery failures no more than 15 minutes after messages were sent.
    B) Keep a 'ring buffer' of the last 15 minutes of mails, and if a notice didn't come from one of the addresses in the list...
    C) Automatically rename any .VBS/.EXE/.COM/.BAT/.SCR/.... to something like *.attachment, and make the person manually rename it (this eliminates almost all automatically infecting scripts).

    PS Has anyone ever come up with a way to make a signature for a file, that makes two similar files match up in 80% of the bits in the hash? Regardless of spacing, or alphalock (capslock)/extended (european) characters?

    If not, then if it's possible, someone could make a _lot_ of money doing it, especially if they provided source code, but made people pay for support of it. (;

  36. Jeremy Chatfield

    You'll get this message or an equivalent in any messaging that offers a robust delivery mechanism, but doesn't offer a secure end to end delivery mechanism. With authentication of sender and relay to the final destination, you can't have message injection and the non-delivery message becomes a crucial item in non-repudiation.

    I think it's short sighted to call for the removal of the message, without replacement by a better mechanism. FWIW, I don't work for a secure mail service, so I'm not plugging my product.

  37. Ross Brown

    NDRs are not the problem, spoofed senders are. If it was possible to verify each email's sender address then you wouldn't get this problem. See the 'you're either with us or against us' article for more info on how Yahoo!, Brightmail, AOL and MS are tackling this.

    Also the AV 'you sent me a virus' messages are no longer useful and should be turned off by everyone.

  38. Lara Vangelis

    What if we pooled our resources, tracked a few of these guys down, and hired some dockworkers to kick their way in, smash the spammers gear and beat the crap out of them. I'd throw in a few dollars.

  39. anonymous

    As another non techie, many thanks for a great explanation

  40. anonymous

    I am sure it can't be this simple, but could someone not simply write a little application for the SMTP server that stored all the sender/recipient domain relationships for 7 days and if an NDR was received that was not listed in the database it is simply deleted?
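Comments 19, 35 and 40 describe essentially the same defence: keep a record of what the gateway actually sent, accept a non-delivery report only if it matches one of those records within a time window, and discard the rest. The block below is an added example of that filter written for this page, not code from any product or commenter; it assumes a constructed outbound log, constructed RFC 3464 bounce messages built by the hypothetical `make_dsn`, and uses the bounce's enhanced status code to sort accepted reports by cause, the distinction comment 23 asks for.

```python
"""Backscatter filter along the lines of comments 19, 35 and 40: the gateway
records what it really sent, and an inbound non-delivery report (DSN) is
accepted only if it refers to one of those messages within a retention
window; anything else was provoked by a spoofed sender and is discarded."""
import email
import email.utils
from email import policy
from typing import List, Tuple

RETENTION = 7 * 24 * 3600  # keep outbound records for 7 days (comment 40)

# Outbound log kept by the gateway: (envelope sender, recipient, unix time sent).
# Constructed sample: Charles genuinely wrote to Alice once.
OUTBOUND: List[Tuple[str, str, int]] = [
    ("charles@example.com", "alice@example.net", 1_075_300_000),
]

def classify(status: str) -> str:
    """Sort an accepted bounce by cause (what comment 23 asks for) using the
    subject field of the RFC 3463 enhanced status code, class.SUBJECT.detail."""
    fields = status.split(".")
    subject = fields[1] if len(fields) == 3 else ""
    return {"1": "unknown address", "2": "mailbox problem (e.g. full)",
            "7": "policy/content rejection (virus or spam filter)",
            }.get(subject, "other")

def parse_dsn(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (address the bounce went to, [(final recipient, status), ...])
    from an RFC 3464 multipart/report; the list is empty for anything else."""
    msg = email.message_from_string(raw, policy=policy.default)
    bounced_to = email.utils.parseaddr(str(msg.get("To", "")))[1].lower()
    recipients: List[Tuple[str, str]] = []
    if msg.get_content_type() == "multipart/report":
        for part in msg.walk():
            if part.get_content_type() != "message/delivery-status":
                continue
            # payload = [per-message header block, per-recipient block, ...]
            for block in part.get_payload()[1:]:
                addr = str(block.get("Final-Recipient", "")).split(";")[-1]
                recipients.append((addr.strip().lower(),
                                   str(block.get("Status", "")).strip()))
    return bounced_to, recipients

def bounce_verdict(raw: str, now: int, log=OUTBOUND) -> str:
    """'accept: <cause>' if the DSN matches mail we sent within RETENTION,
    else 'discard' (we never sent it, so the sender address was forged)."""
    bounced_to, recipients = parse_dsn(raw)
    for rcpt, status in recipients:
        for sender, recipient, sent_at in log:
            if (sender == bounced_to and recipient == rcpt
                    and 0 <= now - sent_at <= RETENTION):
                return "accept: " + classify(status)
    return "discard"

def make_dsn(bounced_to: str, final_rcpt: str, status: str) -> str:
    """Build a minimal constructed RFC 3464 report to try the filter on."""
    return (f"From: MAILER-DAEMON@example.net\nTo: {bounced_to}\n"
            "Subject: Undelivered Mail Returned to Sender\nMIME-Version: 1.0\n"
            "Content-Type: multipart/report; report-type=delivery-status;"
            ' boundary="b1"\n\n--b1\nContent-Type: text/plain\n\n'
            "Delivery failed.\n\n--b1\nContent-Type: message/delivery-status\n\n"
            "Reporting-MTA: dns; mx.example.net\n\n"
            f"Final-Recipient: rfc822; {final_rcpt}\nAction: failed\n"
            f"Status: {status}\n\n--b1--\n")
```

A real deployment would key the log on the envelope sender and recipient recorded at SMTP time, and might relax the match to domain pairs as comment 40 suggests.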

  41. Neil

    James has the answer (see 'I think you're missing the point').

    Virus notification is only useful when it gives correct information. The AV vendors are best placed to tell if a virus spoofs the sender and should amend their software to stop notifications in these cases.

    The long term solution lies with the email authentication that Microsoft, Yahoo and others are working on.

  42. David Molecey

    Agree. We should all campaign for drastic action--with the "Message returned..." *and* with the viruses and their authors. The Net is just too important for all of us...

  43. Ed

    I have built the most secured network at home, it runs on a virtual private network both running on black-ice firewall. "nothing gets through"
