Update: This letter was written on 10 September 2003 in response to the events surrounding the Sobig.F worm. Also read the updated letter, written when Mydoom.A hit in January 2004.

Why (some) anti-virus companies are to blame for the recent
e-mail flood

As everyone should now know, Sobig.F has generated a tremendous amount of e-mail traffic world-wide. However, part of the blame for this traffic should be placed on some of the anti-virus companies.

What I am referring to is the large number of incorrectly configured mail filters that respond by sending a "virus alert" to the “From:” address. As Sobig.F falsifies the “From:” address, these e-mails just clutter up the mailboxes of innocent, non-infected people. These messages cause unnecessary annoyance and worry, as they typically (and incorrectly) claim that people have sent out a virus.

When you get an e-mail, warning you of a Sobig.F infection, with a subject line similar to these:

it usually means that someone, somewhere has made a bad decision on how to react to infected mail, either by selecting a substandard product or by configuring it incorrectly.

Worse yet, if mail filters send out one message for every copy of Sobig.F received, they are in effect doubling the amount of traffic. This makes them a part of the problem, not a part of the solution.

The problem is that some commercial mail filters have this behaviour set as the default. At least one filter gives only two options: Always send a "virus alert" to the "From" address of every infected e-mail received or "pass the message through to the recipient". Clearly neither of these options are acceptable.

I have only one word for this: Stupid!

Acceptable behaviour would be one of the following:

  1. Have the mail filter properly distinguish between worms that falsify the “From:” address and ones that do not and only send a warning message when the “From:” address is likely to be genuine.


  2. Do not send the alerts at all.

In fact, sending an alert automatically to the From: address for every virus or worm received by e-mail should not even be a selectable option.

With Sobig.F scheduled to die out today, 10 September, the problem might go away for a while - until the next similar worm appears. And this is the scary part. Sobig.F didn't really infect that many machines world-wide, maybe only 200.000 or so. This is only a fraction of the number of machines infected by Msblast (Blaster / Lovsan). Now imagine a worm combining the distribution method of Msblast with the mass-mailing feature of Sobig.F. The flood of traffic might practically render the Internet unusable.

Eventually, some virus author will create a virus like this, maybe this month, maybe in a few years, but it will happen. And when it does we do not need the anti-virus companies making a bad situation worse.

I hope the "guilty" anti-virus producers will be updating their products in the near future, but this is not going to happen unless their customers request it.

Fridrik Skulason        ( frisk@f-prot.com )
Founder of FRISK Software International

Update: This letter was written on 10 September 2003 in response to the events surrounding the Sobig.F worm. Also read the updated letter, written when Mydoom.A hit in January 2004.

2014 © CYREN · Privacy Statement