I was inundated with copies of the MyDoom virus after the latest outbreak. Within the first 24 hours of the epidemic, more than 300 copies of the virus were sent to me. A situation like this isn't unusual for me: I have many email addresses, and they reside in a huge number of address books. However, this time I noticed an interesting mix of spoofed email addresses as the reply-to address in the virus-loaded messages. What caught my attention was that a large percentage of the spoofed addresses were those of employees in high-tech companies. That fact makes me think that some of the earliest vectors of infection were people in the industry, which is unusual.
I've been known to launch into diatribes about users who spread email virus infections, but those users aren't my target in this commentary. Regarding MyDoom, I feel obligated to take email antivirus scanner vendors to task. These vendors make the software that sits on your email gateway and detects and blocks infected email. I'm not aggravated with them for their uncharacteristically slow response to MyDoom (the industry is usually very quick to respond to new major infections, yet I received announcements that protection from MyDoom was finally available as long as 72 hours after the first reports of the virus), but rather with the fact that these vendors haven't updated the intelligence in their scanner-product notification systems. The following rant doesn't apply to every antivirus gateway vendor; however, it applies to far too many of them.
After a large percentage of antivirus gateway vendors had pushed MyDoom definition files out to their clients, I started receiving almost as many bounce notification messages as I did copies of the actual virus. My favorites were the messages that not only sent me a bounce notification but thoughtfully expanded the attack parameters of the virus writer by including a copy of the virus.
I don't understand this behavior. The gateway recognizes that an email message has a virus attached. It identifies the virus in question (and in some cases adds that identity information to the bounce notification), then bounces the message back to the address specified in the reply-to field of the message header. That last action is what mystifies me: if you can identify a virus, you know whether that virus inserts a random address from the infected system's email address book into the reply-to field. So the antivirus software sends a message to an address that it knows, at some level, has been spoofed. Doing so, and also attaching a copy of the original message, merely repeats the attack. Not to mention that bounce notification messages suck up network bandwidth and can easily clog your corporate connection to the Internet while they're filling innocent users' inboxes with a series of unintentional virus attacks.
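What the argument above amounts to, written as gateway logic: once the scanner has named the malware, it also knows whether that family forges the reply-to address, so a notification sent there reaches a bystander, and a notification that carries the original message repeats the attack. The code below is an added example, not any vendor's product or anything from the original column. The malware names and the `FORGES_REPLY_TO` table are constructed placeholders, and `ScanResult`, `NotificationPolicy`, `should_notify_sender` and `build_notification` are hypothetical names chosen for the illustration.

```python
"""Notification policy for an antivirus email gateway (illustrative only).

Defaults follow the column's recommendation: do not notify the sender, and
never forward the original message. Even when an administrator enables
notifications, families known to forge the reply-to address get none.
"""
from dataclasses import dataclass
from email.message import EmailMessage
from typing import Optional

# Constructed knowledge base (hypothetical signature names, not vendor data):
# whether a detected family is known to forge the sender / Reply-To address.
FORGES_REPLY_TO = {
    "Example.MassMailer.A": True,   # mass mailer that picks Reply-To from the victim's address book
    "Example.Macro.B": False,       # macro virus that really does come from the listed sender
}


@dataclass(frozen=True)
class ScanResult:
    malware_name: str        # name the scanner assigned to the detection
    reply_address: str       # address the gateway would otherwise bounce to
    original_subject: str    # subject of the blocked message, for the notice text


@dataclass(frozen=True)
class NotificationPolicy:
    notify_sender: bool = False                # off by default; an admin must turn it on
    notify_when_reply_to_forged: bool = False  # stays off even when notifications are on


def should_notify_sender(result: ScanResult, policy: NotificationPolicy) -> bool:
    """Notify only when enabled AND the reply address is believed genuine."""
    if not policy.notify_sender:
        return False
    forged = FORGES_REPLY_TO.get(result.malware_name)
    if forged is None:
        # Unknown family: the address may well be forged, so stay silent.
        return False
    return (not forged) or policy.notify_when_reply_to_forged


def build_notification(result: ScanResult, policy: NotificationPolicy,
                       gateway_address: str) -> Optional[EmailMessage]:
    """Return the notification to send, or None if policy says not to.

    The function is never handed the infected message, so there is no way
    for it to attach a copy: the notice carries the malware name only.
    """
    if not should_notify_sender(result, policy):
        return None
    msg = EmailMessage()
    msg["From"] = gateway_address
    msg["To"] = result.reply_address
    msg["Subject"] = "Message blocked by antivirus gateway"
    msg["Auto-Submitted"] = "auto-replied"   # RFC 3834 marker so recipients can filter it
    msg.set_content(
        f"A message with the subject {result.original_subject!r} was blocked\n"
        f"because it carried {result.malware_name}. The message was not\n"
        "delivered and is not attached to this notification."
    )
    return msg


if __name__ == "__main__":
    hit = ScanResult("Example.MassMailer.A", "bystander@example.org", "hi")
    print(should_notify_sender(hit, NotificationPolicy(notify_sender=True)))   # False
    doc = ScanResult("Example.Macro.B", "sender@example.org", "report.doc")
    print(build_notification(doc, NotificationPolicy(notify_sender=True), "av@example.net"))
```

The design choice worth noting is structural rather than a flag: `build_notification` never receives the blocked message, so a misconfiguration cannot cause the payload to be forwarded. An unknown detection name is treated the same way as a known forger, because silence is the cheaper error.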
I wrote about this problem in the August 7, 2003, Windows Client UPDATE. I solved it by creating a series of spam filters on my systems that deep-six most bounce notification messages. Unfortunately, with MyDoom, so many of the messages (more than 100) slipped past my existing filters that I had to deal with them. Neither I nor any other end user should have to wrestle with this artifact of the days when massive virus outbreaks were rare and you felt you were helping out by letting correspondents know that they'd sent you an infected message. This bounce notification "feature," and I use the term loosely, should always default to disabled in any antivirus gateway and should require multiple obscure steps to enable. If such a configuration were the norm, the email world would be a better place.
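The filters described above, the recipient-side half of the problem, can be written as a small classifier for incoming mail. The block below is an added example, not the column's own filter rules or any product's code. It parses a message with Python's standard `email` package and uses only published conventions as signals: the `multipart/report` type with `report-type=delivery-status` (RFC 3464), the `Auto-Submitted` header (RFC 3834), conventional notifier mailbox names, and typical notification subjects. The four sample messages are constructed for the example, as are the function name `classify` and the verdict strings.

```python
"""Classify incoming mail as a bounce/antivirus notification (illustrative only).

Verdicts: "deliver" for ordinary mail, "discard" for a bare notification,
"quarantine" for a notification that carries a non-text payload, i.e. the
kind that "thoughtfully" includes a copy of the blocked message.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Conventional local parts of automated notifiers.
NOTIFIER_LOCALPARTS = {"mailer-daemon", "postmaster"}
# Subject phrases typical of delivery and virus notifications (constructed list).
NOTIFY_SUBJECT = re.compile(
    r"undeliver|returned mail|delivery (?:status|failure)|mail delivery failed"
    r"|virus (?:detected|found|alert|warning)|message blocked", re.I)
# Part types a notification may legitimately contain without raising concern.
HARMLESS_PARTS = {"text/plain", "text/html", "message/delivery-status"}


def is_notification(msg) -> bool:
    """True if any standard or conventional notification signal is present."""
    dsn = (msg.get_content_type() == "multipart/report"
           and msg.get_param("report-type") == "delivery-status")
    auto = str(msg.get("Auto-Submitted", "no")).lower().startswith("auto-")
    local = parseaddr(str(msg.get("From", "")))[1].lower().split("@")[0]
    subject_hit = bool(NOTIFY_SUBJECT.search(str(msg.get("Subject", ""))))
    return dsn or auto or local in NOTIFIER_LOCALPARTS or subject_hit


def carries_payload(msg) -> bool:
    """True if any leaf part is something other than text or a DSN record."""
    return any(part.get_content_type() not in HARMLESS_PARTS
               for part in msg.walk() if not part.is_multipart())


def classify(raw: bytes) -> str:
    msg = message_from_bytes(raw, policy=policy.default)
    if not is_notification(msg):
        return "deliver"
    # A notification with an attached copy of the blocked message is kept for
    # an analyst to look at rather than silently dropped.
    return "quarantine" if carries_payload(msg) else "discard"


# --- constructed sample messages -------------------------------------------
NORMAL = b"""From: alice@example.org
To: me@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain

Still on for noon?
"""

VIRUS_NOTICE = b"""From: Antivirus Gateway <antivirus@example.net>
To: me@example.com
Subject: Virus detected: Example.MassMailer.A
Auto-Submitted: auto-replied
Content-Type: text/plain

A message you sent was blocked. It has not been delivered.
"""

VIRUS_NOTICE_WITH_COPY = b"""From: postmaster@example.net
To: me@example.com
Subject: Virus detected in a message you sent
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Our gateway found Example.MassMailer.A in your message. A copy is attached.
--b2
Content-Type: application/octet-stream; name="message.zip"
Content-Disposition: attachment; filename="message.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b2--
"""

DSN = b"""From: Mail Delivery System <MAILER-DAEMON@example.net>
To: me@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

This is the mail system at host example.net.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; example.net
--b1--
"""

if __name__ == "__main__":
    for name, raw in [("NORMAL", NORMAL), ("VIRUS_NOTICE", VIRUS_NOTICE),
                      ("WITH_COPY", VIRUS_NOTICE_WITH_COPY), ("DSN", DSN)]:
        print(f"{name:12s} -> {classify(raw)}")
```

Quarantining rather than discarding the notices that carry a payload is deliberate: those messages show which gateways are still repeating the attack, and an analyst may want that evidence; plain notices and standard DSNs for mail you never sent are safe to drop.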