rcooper at crstexas.com rcooper at crstexas.com
Mon Apr 16 20:55:32 PDT 2001

Quoting Brett Glass <brett at lariat.org>:

> At 08:25 AM 4/16/2001, rcooper wrote:
>> When enabling SECURITY_NOTIFY_RECIPIENT the recipient does indeed get a
>> message notifying them of the filtered email.  Unfortunately this does
>> not include a transcript of the email headers etc of whom or where the
>> message came from.  Thus the recipient is left confused as to who generated
>> the message.  Is there a way to enable this feature to send more
>> information?
> Unfortunately, the recipient may not KNOW the sender. This is
> especially true in the case of the ubiquitous Hybris worm, which scans every
> packet that passes through the Windows Sockets DLL for e-mail addresses and
> mails itself to those addresses. The addresses can come from Web pages, from
> NetNews, from the cc: lists of other e-mails.... Almost anywhere.

Yes of course this is certainly true and in those cases of course the user
has no alternative but to ignore said message.  My problem is more subtle
in that users tend to blame the email system for not delivering their mail.
We do have a rather draconian policy and the majority of the users accept and
appreciate it.

> What's more, Hybris has its own mailer which does not reveal the sender's
> identity. Under most conditions, the only information that's present
> in the message is the sender's IP address and the time the worm was
> sent.... Not enough to track down the infected computer without the
> help of the sender's ISP.
> It's good PR to let the intended recipient know that you've blocked
> malware. But don't expect the recipient to be able to glean much from
> those headers.

This has certainly been my experience; however, in many cases perhaps a customer
or a vendor may send one of my users an email with a poisoned attachment.  In
this case they may follow up with another email a day or so later asking how
they liked the latest stupid screen gizmo or demo etc etc and of course my user
has no idea what they are talking about.  At least having the ability to
redirect the security bulletin I get to the recipient would be a lot more
helpful to me as an administrator who has the task of having to answer why they
did not receive it.  I have almost 2500 users on our email system.  The volume
of mail related issues can be staggering at times.  It is not unusual to see my
inbox filled with 50 or 60 security alerts per day.

Naturally automating things as much as possible would cut down on the signal to
noise ratio I must deal with on a daily basis.  Perhaps this is good job
security, but I'd much rather be poking around in some C or perl code than
attempting to track down these so called missing emails that were filtered to
/dev/null :)  So yeah, it wouldn't be a perfect solution, but then again we do not
live in a perfect world either :)  Thanks for your comments, they are greatly
