ISP virus filtering

Tim Downie

Nearly every day, my wife receives a message purporting to be from Paypal
with the subject "IMPORTANT" and within the email there is the message:

"A message filter removed the following attachment(s) from this message:
www.paypal.com.pif"

Now if Onetel can provide virus filtering, why can't more ISPs? What are
the arguments against ISPs filtering viruses?

Tim
 
Tim Downie said:
Nearly every day, my wife receives a message purporting to be from Paypal
with the subject "IMPORTANT" and within the email there is the message:

"A message filter removed the following attachment(s) from this message:
www.paypal.com.pif"

Now if Onetel can provide virus filtering, why can't more ISPs? What are
the arguments against ISPs filtering viruses?

I have Cox Cable Internet here in San Diego, and they started to provide
virus filtering a few months ago. It works great! I get an e-mail report
from Cox Communications stating what they found, who it was from, and that
it was deleted and the sender and their ISP notified. I know the
notification to the sender is happening, as I got a call from my cousin 3
days ago saying they received a notice that his e-mail to me had been
rejected stating that it contained the MyDoom virus. Sure enough, he did.

Cox just recently added Spam blocking, with a choice of either deleting it
from the server, or specified as such when downloaded. I have it downloaded
and it is marked --Spam--, and I have it sent to a Junk folder via my OE6
Rules for me to double check before deleting. I get a spam now and then in
my Inbox that the Cox blocker did not catch. But, it is usually only the
once. They add new ones all the time. And, they also provide a popup
blocker called CheckIt.

They all work really great! It truly helps when your ISP is on your team
too.

Jan :)
 
Nearly every day, my wife receives a message purporting to be from Paypal
with the subject "IMPORTANT" and within the email there is the message:

"A message filter removed the following attachment(s) from this message:
www.paypal.com.pif"

Now if Onetel can provide virus filtering, why can't more ISPs? What are
the arguments against ISPs filtering viruses?

Well, those of us who were concerned that ISPs and antivirus vendors
would bungle the job were right. However, I never anticipated the
various creative ways they would come up with to botch it.

We now often hear the sad tales of users having their internet service
dropped by their providers because their PCs are allegedly infested
with some worm ... when they're not! That's due to the way worms often
fake the actual sender. To add insult to injury, users are being sent
proud announcements by stupid antivirus companies who have the policy
of notifying alleged senders of malware infested emails ... whether
they are the actual sender or not ... thus further cluttering up email
with useless junk emails ... which are nothing but spam by the av
companies.

Another problem I've noticed ever since antivirus companies got
"cutesy" and decided to zap zipped attachments containing files with
certain file extensions, including password protected zips, is that
you often can't submit suspect files to av vendors for analysis
without taking draconian measures. One way I found that works for the
time being with my submissions to KAV in Russia is to password protect
a zip and then RAR that. How ridiculous! And I wasn't even notified by
whatever bot along the way zapped my submissions ... I would hear about
it from a KAV virus analyst. In some cases, it was a competing av
product that was doing the zapping but in one case it was a KAV
scanner :) It's becoming insane.

Now, ever since my email server limit of 10 meg was once threatened by
floods of large Sircam infested attachments, I became a proponent of
ISPs doing a simple zap of such very obvious and current malwares. But
_only_ that! Nothing more! That's the responsible thing for ISPs to
do. There's no way users can prevent their ISP's servers from being
flooded with the latest and current malwares. Only the ISPs can do
that. But IMO, that's _all_ they should do.

ISP virus filtering is now fairly prevalent. My ISP offers such a
service as an option. I had tried their combo spam/virus filtering
service and found that it was goofing up more than I liked, so I
dropped it. I much prefer doing my own filtering of both malware and
spam.


Art
http://www.epix.net/~artnpeg
 
Well, those of us who were concerned that ISPs and antivirus vendors
would bungle the job were right. However, I never anticipated the
various creative ways they would come up with to botch it.

Well, given that they do forward the body of the message, how is this botching
it? (Or are you talking generally rather than referring to this specific
instance?)

We now often hear the sad tales of users having their internet service
dropped by their providers because their PCs are allegedly infested
with some worm ... when they're not! That's due to the way worms often
fake the actual sender.

Well that clearly is stupid.

To add insult to injury, users are being sent
proud announcements by stupid antivirus companies who have the policy
of notifying alleged senders of malware infested emails ... whether
they are the actual sender or not ... thus further cluttering up email
with useless junk emails ... which are nothing but spam by the av
companies.

Another problem I've noticed ever since antivirus companies got
"cutesy" and decided to zap zipped attachments containing files with
certain file extensions, including password protected zips, is that
you often can't submit suspect files to av vendors for analysis
without taking draconian measures.

It seems hard to believe that they haven't made provisions for folk to
forward suspect files. I would guess that one would simply have to ask them
first.

Tim
 
If your wife is receiving _valid_ notifications that she's sending
malware infested files, then ok. Too often, the notifications are
invalid, as I pointed out.

You misunderstand. We're not being accused of anything. It's just that she
keeps *receiving* bogus e-mails infected with a virus. Onetel strip off the
infected attachment and add a note to tell you that they've done it.

Here's a typical example:

Return-Path: <[email protected]>
Received: from msgdirector2.onetel.net.uk (msgdirector2.onetel.net.uk
[212.67.96.149])
by mail06.onetel.net.uk (MOS 3.4.5-GR)
with ESMTP id CLR22295;
Fri, 23 Apr 2004 11:20:03 +0100 (BST)
Received: from localhost (spc1-brmb1-5-0-cust30.manc.broadband.ntl.com
[213.106.161.30])
by msgdirector2.onetel.net.uk (Mirapoint Messaging Server MOS 3.3.6-GR)
with SMTP id BFW52428;
Fri, 23 Apr 2004 11:19:14 +0100 (BST)
Date: Fri, 23 Apr 2004 11:19:07 +0100 (BST)
Message-Id: <[email protected]>
From: "PayPal.com" <[email protected]>
To: Mywife <[email protected]>
Reply-To: (e-mail address removed)
X-Priority: 1 (High)
Subject: IMPORTANT zeapabot
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------AF53D74F00496F6"

------------AF53D74F00496F6
Content-Type: text/plain;charset="us-ascii"

A message filter removed the following attachment(s) from this message:
www.paypal.com.pif

------------AF53D74F00496F6
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit


Dear PayPal member,

We regret to inform you that your account is about to be expired in next
five business days. To avoid suspension of your account you have to
reactivate it by providing us with your personal information.

To update your personal profile and continue using PayPal services you have
to run the attached application to this email. Just run it and follow the
instructions.

IMPORTANT! If you ignore this alert, your account will be suspended in next
five business days and you will not be able to use PayPal anymore.

Thank you for using PayPal.


zeazaboa

------------AF53D74F00496F6--

Tim
 
You misunderstand. We're not being accused of anything. It's just that she
keeps *receiving* bogus e-mails infected with a virus. Onetel strip off the
infected attachment and add a note to tell you that they've done it.

Here's a typical example:

<snip>

In my book, bogus emails = invalid notification = botching :) It's
implied that she's sending the malware isn't it? That's an accusation
isn't it? Simply because you know it's bogus doesn't nullify the
implied accusation.

The point is, that this sort of garbage has gotten out of hand now.


Art
http://www.epix.net/~artnpeg
 
In my book, bogus emails = invalid notification = botching :) It's
implied that she's sending the malware isn't it?

<FX bangs head on desk /FX>

Where on earth are you getting that from????

She's *RECEIVING* bogus emails from a bogus sender. At no point is there
any suggestion that *we're* the senders of these messages. Onetel is kindly
stripping out the infected attachments and letting us know that they're
doing that. PLEASE read before you post.

Tim
 
Tim said:
Nearly every day, my wife receives a message purporting to be from Paypal
with the subject "IMPORTANT" and within the email there is the message:

"A message filter removed the following attachment(s) from this message:
www.paypal.com.pif"

Now if Onetel can provide virus filtering, why can't more ISPs? What are
the arguments against ISPs filtering viruses?

false positives, legitimate virus trading for research, etc...
 
<FX bangs head on desk /FX>

Where on earth are you getting that from????

She's *RECEIVING* bogus emails from a bogus sender. At no point is there
any suggestion that *we're* the senders of these messages. Onetel is kindly
stripping out the infected attachments and letting us know that they're
doing that.

Ok. I can see why some customers might like that aspect of ISP
blocking. However, I can also see where some customers might get
confused, what with all the confusion of actual senders that's going
on nowadays.

Anyway, I wasn't addressing your particular issue when I first
responded. You asked for arguments against ISP blocking and I gave you
several against the insane stuff that's going on.


Art
http://www.epix.net/~artnpeg
 
Nearly every day, my wife receives a message purporting to be from Paypal
with the subject "IMPORTANT" and within the email there is the message:

"A message filter removed the following attachment(s) from this message:
www.paypal.com.pif"

Now if Onetel can provide virus filtering, why can't more ISPs? What are
the arguments against ISPs filtering viruses?

Tim
***************** REPLY SEPARATOR *****************
Any good ISP will provide Spam/Virus filtering without asking for a premium.
And simply flagging an email as Spam or Virus doesn't do anyone any good, as it
simply chews up time, bandwidth, and disk space. A good ISP will quarantine
these messages in a separate location for you to look at if you so choose. We
have been providing that for the past several years.

The problem with the large volume ISPs is that filtering is expensive in terms
of manpower. It is cheaper for them to simply add equipment and bandwidth to
handle the extra volume of Spam and Virus, and let you worry about the
consequences.

J.A. Coutts
 
from the said:
Nearly every day, my wife receives a message purporting to be from Paypal
with the subject "IMPORTANT" and within the email there is the message:

"A message filter removed the following attachment(s) from this message:
www.paypal.com.pif"

Now if Onetel can provide virus filtering, why can't more ISPs?

They can. Many of them do. I use two in the UK, both kill all known
viruses (and a lot of spam too). The only viruses that get here are 'brand
spanking new' ones which the filters have not been updated for yet.
What are
the arguments against ISPs filtering viruses?

False positives.
False sense of security for the end user (there are still 'new' viruses
and various other bits of malware that can/will get through).

On the plus side, if they are set up right they can actually bounce
virus notifications back to the SMTP server they came through, instead
of screwing up by relying on the 'from' or 'reply to' addresses in the
headers.

I think, overall, it's a good thing. During the height of SWEN, 99.8% of
my inbox, by byte-count, was virus cr&p. I think that's the point at
which many ISPs decided virus filtering was cheaper than extra POP3
mailbox storage (to say nothing of the transmission bandwidth).
 
false positives, legitimate virus trading for research, etc...

Arguments against in this "classical" type of objection, (before ISPs
actually started blocking) also often included the concern that most
users would be lulled into complacency. There will always be some
"known" malware missed by the particular av used, and new or "unknown"
malware is very likely to be missed.


Art
http://www.epix.net/~artnpeg
 
false positives, legitimate virus trading for research, etc...

Yup.

FWIW (laughs?), I tried a very simple email test...

I emailed myself a simple text file with the following text:
"this_is_not_a_virus_or_malware_-_just_a_test_harmless_file"

I named the simple text file:
this_is_not_a_virus_or_malware_-_just_a_test_harmless_file.txt.exe.scr.pif.bat.txt

Result: no email delivery, bounce message or anything
(somewhere along the way - blackhole?)

Wonderful. :(
 
Tim said:
Nearly every day, my wife receives a message purporting to be from Paypal
with the subject "IMPORTANT" and within the email there is the message:

"A message filter removed the following attachment(s) from this message:
www.paypal.com.pif"

Now if Onetel can provide virus filtering, why can't more ISPs? What are
the arguments against ISPs filtering viruses?

I have read the replies to this thread so far, and I agree that AV
notifications have become nothing more than spam.

I also agree that ISPs should make sure their tubes and users are safe
to a level, but the problem is deeper than painted.

Such services cost money, and as the ISPs are not bound by law to
provide such services, most of them don't.

Those who do would usually ask you for an additional fee for each service.

The problem with ISPs not doing anything about user security goes
beyond just viruses and spam. Most ISPs won't give abuse email the time
of day. So viruses? Spam?

Gadi Evron.
 
Arguments against in this "classical" type of objection, (before ISPs
actually started blocking) also often included the concern that most
users would be lulled into complacency. There will always be some
"known" malware missed by the particular av used, and new or "unknown"
malware is very likely to be missed.

Art
http://www.epix.net/~artnpeg

Yup, example from my ISP's support group, last week:
user: Are you using (bigName AV) to scan for viruses?
support: Yes, we are
user: "now I know I have nothing to worry about."

J
 
Tim Downie said:
Nearly every day, my wife receives a message purporting to be from Paypal
with the subject "IMPORTANT" and within the email there is the message:

"A message filter removed the following attachment(s) from this message:
www.paypal.com.pif"

Now if Onetel can provide virus filtering, why can't more ISPs? What are
the arguments against ISPs filtering viruses?

The above filter may have just taken exception to the attachment's
filename. While I don't see any real legitimate need to have a file
with a name like that, I don't like the idea of such a simple filter
being used to censor e-mail.

Obviously, the filename was an attempt to trick users into clicking
on what might appear to be a "PayPal" URL (with hidden .pif).
This in and of itself may be considered a trojan horse program.

Personally, I would rather have suspect e-mails flagged by en-route
AV or other filters, that way no censorship problems arise. I could
then take measures to deal with any worms that are causing volume
problems.
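To make the two points above concrete (a filter that strips on the attachment name alone, and Onetel's "A message filter removed..." notice part quoted earlier in the thread), here is an added example; it is not code from the thread, Onetel or any AV vendor. The extension list, the two name-checking policies (every dotted segment versus final extension only) and the sample message are my assumptions, constructed to mirror the PayPal message and the `.txt.exe.scr.pif.bat.txt` test file discussed above.

```python
import email
from email import policy
from email.message import EmailMessage

EXEC_EXTENSIONS = {"exe", "scr", "pif", "bat", "com", "cmd", "vbs"}  # assumed list
NOTICE = "A message filter removed the following attachment(s) from this message:\n"


def is_blocked_name(filename, strict=True):
    """strict=True blocks a name if ANY dotted segment after the first is executable
    ('www.paypal.com.pif', 'x.txt.exe.scr.pif.bat.txt' - the policy that ate the
    thread's test file); strict=False checks the final extension only."""
    segments = filename.lower().split(".")[1:]
    if strict:
        return any(seg in EXEC_EXTENSIONS for seg in segments)
    return bool(segments) and segments[-1] in EXEC_EXTENSIONS


def filter_message(raw, strict=True):
    """Return (filtered message, removed names); mail with nothing to strip is untouched."""
    msg = email.message_from_string(raw, policy=policy.default)
    removed, kept = [], []
    for part in msg.iter_parts():  # yields nothing for single-part mail
        name = part.get_filename()
        if name and is_blocked_name(name, strict):
            removed.append(name)
        else:
            kept.append(part)
    if not removed:
        return msg, removed
    notice = EmailMessage()
    notice.set_content(NOTICE + "\n".join(removed) + "\n")
    msg.clear_content()  # drop Content-* headers and the old part list
    msg.make_mixed()     # fresh multipart/mixed; From and other headers are kept
    msg.attach(notice)   # notice part first, as in the Onetel example
    for part in kept:
        msg.attach(part)
    return msg, removed


# Constructed sample modelled on the thread's message, with the .pif still attached.
SAMPLE = """\
From: "PayPal.com" <service@example.com>
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset=us-ascii

Dear PayPal member, you have to run the attached application.
--BOUNDARY
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="www.paypal.com.pif"

not a real program
--BOUNDARY--
"""
```

Calling `filter_message(SAMPLE)` returns the rewritten message with the notice as its first part and `["www.paypal.com.pif"]`; with `strict=False` the long `...bat.txt` test name is delivered untouched, which is the trade-off between the two policies.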
 
Well, I'm with Onetel and they ain't blocking the umpteen netsky_p emails I'm
getting daily from someone at btopenworld, despite complaining to them AND
btopenworld... Just wish everybody would have AV installed, 'cause it would
save a lot of ****ing about and hassle!!
rob
 
Tim Downie said:
Nearly every day, my wife receives a message purporting to be from Paypal
with the subject "IMPORTANT" and within the email there is the message:

"A message filter removed the following attachment(s) from this message:
www.paypal.com.pif"

Now if Onetel can provide virus filtering, why can't more ISPs? What are
the arguments against ISPs filtering viruses?

After reading all the other messages, with the pros and cons of wanting
control and such....I must tell you Cox Communications does not offer this
as a matter of choice. They simply do it. If you don't like it, then you
can change your ISP. For the San Diego area, there's not too many others to
choose from. But, there is of course, dialup...and the MS Broadband now.
That is most likely why Cox does not charge for it, because it is /not/ an
option. The Spam blocker, which offers a choice of how you want to handle
it, and the Popup blocker are, although, they don't charge for them either.
Cox knows that if they were to make it an option, and charge for it, most
people would not take it. But, then, they may not even have an AV on their
machine, or keep it updated and run it regularly to keep their machine virus
free either.

Cox tells you straight out that you should also have a personal firewall and
active AV on your system as well, and use it regularly, as it is possible
that some viruses can get onto your machine from sources other than e-mails
as well. And, that their anti-virus prevention programming does not address
parasites or mal/spyware.

While there are a handful of computer gurus in the world of users who know
how to do all sorts of tweaks and such to avoid having to use anything at
all to avoid viruses and/or spy/malware, the majority of users do not, and
this is the group that is spreading the garbage around the world. So, while
those gurus prefer to do their own thing, they too may not have a choice,
or any control over what their ISP does. Of course....they can always just
not use the Internet. <g>

Jan :)
 