[clug] Interesting MyDoom bounce

Matthew Hawkins matt at mh.dropbear.id.au
Fri Jan 30 07:33:46 GMT 2004

Martijn van Oosterhout said:
> The real solution is to just install a real virus scanner and keep it up to
> date. That should keep the problems to a minimum.

The problem is that even real virus scanners like to tell people they may be
virus infected.  So when Novarg comes along and says "hi, I'm Martijn van
Oosterhout" guess who gets all the messages from the virus scanners?  A
message telling me I may be infected with yet another Windows-only virus is
just as useless/problematic as a message actually infected with the virus.  To
me it's all spam.

I think in cases like this it is okay to drop the message on the floor, simply
because the functionality of a virus scanner to email possible infectees is
not really all that useful.  People dumb enough to run Microsoft Windows and
associated virus creation/propagation tools like Microsoft LookOut! aren't in
the position to disinfect themselves anyway, and telling some stranger they
may be virus infected, while perhaps a noble act, really doesn't do anything
for the security of your own site.

Now, that being said, what about the lag time between a virus becoming known
and your particular AV software being updated?  The smallest I've heard of is
about 6 hours with Novarg, that's 6 hours that that site was susceptible to
This is when you also need to implement some kind of site policy such as
automatically excluding all known MS-Windows executable content (this is now a
Microsoft recommendation anyway).  And if you still let in .zip files, you'll
need to do something with them also, such as bounce the message if the zip
file contained executable content (because there'll be at least one user dumb
enough to run the damn thing anyway - look how quickly Novarg spread!)

We can apply techniques like this till the cows come home but the truth is
we're never going to be rid of viruses until we attack the real problem. 
We've tried attacking viruses with anti-virus software and with end-user
education and have failed.  Like fire won't exist without the things that give
it life (fuel, heat, oxygen), viruses won't exist without the things that give
it life (Windows, LookOut!, Microsoft).  As an industry we have to stop
ignoring the facts, and do something constructive about the problem.


More information about the linux mailing list