* Anti-virus programs’ responses only add to worm chatter

As everyone probably knows firsthand by now, we’ve all been suffering through a particularly bad period of worm infestation on the ‘Net lately. Variants of the Sobig and Blaster (a.k.a. LovSan) worms (often called “viruses” in press reports) caused major hang-ups worldwide.

I want to focus today on the Sobig worm and other electronic thugs that use a victim’s e-mail address book to send out lots of e-mail messages. Many of the worms use their own SMTP interface, bypassing the victim’s e-mail client program and thus leaving no obvious trace (e.g., “sent” messages) that the user can spot early on in the infection.

Worse still, modern worms often use the victim’s address book not only for targets (destination addresses) but also to forge SMTP headers using spoofed origination addresses. That is, the worms are written to make it appear that their infected traffic comes from someone whose address has been picked up from another victim’s address book.

Some anti-virus programs respond to infected e-mail messages by sending a notice to the originator of the infected message. For example, you may have received messages like this one:

> From: <postmster@somwhere.com>
> Sent: Thursday, September 04, 2003 22:30
> To: <mkabay@norwich.edu>
> Subject: Virus Detected by Network Associates, Inc. Webshield SMTP V4.5 MR1a
>
> Network Associates WebShield SMTP V4.5 MR1a on mimesweeper detected virus W32/Sobig.f@MM in attachment document_all.pif from <mkabay@norwich.edu> and it was Cleaned and Quarantined.

At one time, such messages were helpful to the victims of worm and virus infections because:

(a) many victims lacked anti-virus products
(b) the infected e-mail actually came from the indicated sender

Unfortunately, although (a) may be true, (b) is almost certainly false.
The chances that an infected message is coming from the indicated FROM address are small – they are 1/N where N is the total number of addresses in the e-mail address book of the actual victim (assuming that the victim’s own e-mail address is included in their list). So the chance that the automatic notification will go to a wrong address in a single infection is (N-1)/N.

If a victim has 1,000 addresses in his or her address book then the probability that replying to an infected message will reach the wrong person is 99.9% for a single incident. What was once a courteous and helpful practice has now become an annoying contribution to the wasteful traffic generated by the worm, potentially doubling the number of spurious messages (for every one from the worm there’s one from the anti-virus software).

I recommend that system administrators now disable the automatic notification to the supposed origin of infected messages. It’s just not working anymore.

It’s time to cut the worm chatter.
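The (N-1)/N argument and the traffic-doubling estimate above can be checked with a short simulation that also shows the effect of switching sender notification off. This is an added example, not part of the original column; the function names, the `example.test` addresses and the assumption that every worm message is caught by a gateway applying the same policy are constructed for the illustration.

```python
import random


def simulate_outbreak(book_size, worm_messages, notify_sender=True, seed=2003):
    """Model one infected host whose worm forges From out of its address book.

    Assumptions (constructed for this example): book[0] is the victim's own
    address, the forged From is drawn uniformly from the book, and every worm
    message is caught by a gateway that applies the same notification policy.
    """
    rng = random.Random(seed)
    book = [f"user{i}@example.test" for i in range(book_size)]
    victim = book[0]
    notifications = misdirected = 0
    for _ in range(worm_messages):
        forged_from = rng.choice(book)      # spoofed origination address
        if not notify_sender:
            continue                        # policy: quarantine silently
        notifications += 1                  # gateway mails the header From
        if forged_from != victim:
            misdirected += 1                # an uninvolved party gets the alert
    return {
        "worm_messages": worm_messages,
        "notifications": notifications,
        "misdirected": misdirected,
        "total_messages": worm_messages + notifications,
        "misdirected_rate": misdirected / notifications if notifications else 0.0,
    }


def expected_misdirected_rate(book_size):
    """The column's closed form: (N-1)/N."""
    return (book_size - 1) / book_size


if __name__ == "__main__":
    for policy in (True, False):
        r = simulate_outbreak(1000, 20000, notify_sender=policy)
        print(f"notify_sender={policy}: total={r['total_messages']} "
              f"misdirected={r['misdirected']} rate={r['misdirected_rate']:.4f} "
              f"(expected {expected_misdirected_rate(1000):.4f})")
```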