Ever received e-mail from your company's antivirus filter, telling you that someone you've never heard of has sent...
you a virus? I'm betting you have. If not ... well, consider yourself lucky.
These AV warning messages have become nearly as frequent and as burdensome as run-of-the-mill spam. They're certainly not doing the job they were intended to do. In fact, it's reached a point where AV vendors must do something about it.
Now that we've stopped using the "sneakernet" method of walking floppy disks around the office, the No. 1 way for viruses to spread is our old friend, e-mail. These days, an indecent chunk of unwanted e-mail traffic is viruses, worms, and other malware trying to propagate themselves.
Many AV products or services will warn customers if a virus is detected in an incoming message. Some sort of "virus alert" notification lands in an end-user's inbox. It'll either include the original message with the attachment stripped out, or consist of a simple notification that "so-and-so sent you a virus, and click here to read the message in the quarantine." The intention is that you can notify the sender that there's a virus on their PC.
Here's the problem: these days, most virus-infected e-mail isn't sent by unknowing individuals. It's sent by other viruses. It's effectively spam, except the motivation is to take over your computer, not to sell you herbal enhancements, fake watches, or the latest small cap. In fact, the viruses will often use the same lists of recipients as spammers do. And there's no point in contacting the "sender" of the message -- it's probably forged.
Yes, these virus-alert messages are now just as bad as spam. People quickly learn that these warning messages are just a waste of space, often tuning them out. Savvier mail recipients will set up rules to delete them. Unfortunately, the AV filter will occasionally tell you about a virus in a legitimate message -- one that you actually wanted to know about. Shame you're now ignoring those warnings, isn't it?
Not only that, but it could be your e-mail address being used to forge the message sender. If that happens, you'll probably start getting non-delivery replies from people you've never heard of, telling you that you've sent a virus or that their mailbox no longer exists. Still, only a tiny proportion of these messages are of any use. Let's not mention any names, but some AV solutions should be more selective in which messages they warn about.
The interpretation of these messages could and should be handled by e-mail authentication technologies. Technologies like Sender Policy Framework (SPF), its proprietary Microsoft buddy Sender ID, and DomainKeys Identified Mail (DKIM), created by Yahoo and Cisco Systems Inc. If the supposed sender of the infected message used one of these technologies, the AV filter would have a better idea of whether the e-mail address were forged or not.
Similarly, AV filters could get smarter about looking at the reputation of the message's source. I don't just mean whether the sending IP address is on a blacklist (or "blocklist" if you insist), but also the fuzzier criteria. For instance, does the sending IP belong to a block of consumer DSL connections? You wouldn't expect legitimate e-mail to be sent directly from one of those; it would normally go via a mail server.
So, AV vendors: Is your house in order? Or are you a spammer?