Proof of percieved protection - Denieability

hi,
I run TDS3,NOD32,Adaware,addwatch,spywareguard,wormguard,filechecker,spybot-search and destroy,processguard(trial),thunderbird(with spam filtering),Myie2(with popup,ad killers). are there any of these that are redundant and also are there any that cover what these don't...


Scanning of out going mail.. and a note attached to the end of the email stating that it was scanned by nod32 ..

in the past and most recent rtimes i've been accused of spreading viruses and trojans and worms through my emails.. and in the process being blacklisted on several mailservers..

At least if I have a msg attached at the end of my msgs then any that appear to have infected files without the extra clearence from nod32 can then be said as not comming from my system.. ie: someone else is sending them those msgs not me...

As many ppl havn't heard of Nod32 they don't believe me that my system is clean..

My system is heavily protected and I know that its not comming from my system.. I even send myself test msgs to test my system every so often so that I can see that my system is clean..

I just need a way to convince ppl that their msgs arn't comming from my system.. at the moment i'm talking till i'm blue in the face and not getting anywhere..

these mailservers that are catching emails supposidly by me are emailing me back and stating that my email's are being blocked as they are infected... and I didn't even send them... whats worse is that they also seem to be adding me to their blacklists so that I can't send any mail telling them that they weren't from me.. and stopping me from contacting ppl on their servers that I need to talk to

please help if you can.. I'm doing everything io can to keep my reputation cleran..

The recent outcome of this is that i've even changed my email addy.. and the said systems are still stating that i'm still sending infected emails through my old account..

I need a way to state that they arn't from me .. and with an automated outgoing scan signature I think it'll make things easier to deny when they reciece the bogus msgs

 

There're many worms that "spoof" the sender.

 

In last at least two years I did not see a single worm using real sender addy. All of them spoofed it in some way....

 

Well, if the infected emails did come from you they should have your actual IP in the headers. Inspection of the headers by someone who know what their doing should be able to determine whether the email was actually sent from your IP or not. Just because one sees an email address doesn't mean that was the source, as most often is now the case with both spam and infected emails...the addresses are spoofed. For example, here's some info on that from Symantec's web site: http://service1.symantec.com/SUPPOR...88256c5c0080549f?OpenDocument&src=bar_sch_nam

NOD currently doesn't scan outgoing mail and therefore there isn't a blurb about scanned email in outgoing mail. ESET at one time said it might include outgoing mail scanning since people seem to think they should have it since some other AV's do. Frankly, I've always regarded outgoing announcements of AV scans in an email as not worth much (although some people seem to find some comfort in them) since 1. one can simply create such an announcement as a sig and most people wouldn't know the difference; 2. I've seen cases in the past where people have received infected emails directly (not spoofed) from some one with an infected PC that still included the "this email scanned by Brand X AV and is virus free" statement.

The best you could do I suppose is ensure that your PC is clean and point them to online sources that might educate them to know how the most current viruses/worms spoof email addresses so that they can't/don't simply assume the sender address is the actual source of the email. Perhaps the Symantec write up I linked to might assist with that.

 

Suggested email signature:

"This email was composed on a virus-free PC protected by NOD32 Antivirus System, all latest OS patches, ____ firewall, and ____ anti-trojan software. Any email that does not feature this notice did not originate from my PC, regardless of the return address."

This idea just occured to me, and at the moment I like it because:

(1) It's not a lie.
(2) It sets the reader's mind at ease.
(3) It educates others on ways to protect their PC.
(4) Suggests to the lay person the concept of spoofing.
(5) Implies how silly it is to scan an outgoing email (or, for that matter, how silly those messages are).

 

Interesting thought, I can't see a downside at this stage...

Cheers

 

Make that "Any email that does not feature..."

Not to mention - this is free advertising.

Blue

 

Corrected - thanks Blue. Yeah, it's free advertising too (I'm convinced that's the main reason the other AV's added email-out scans anyway).

 

Uh, Cameron, you say that you use MyIE 2? If that's what I think it is (an IE shell), than it's probably not that secure...

 

Now I see a downside.

Words of wisdom Paul, and I agree.

Cheers

 

I too agree that giving out information about my defenses is a bad idea. I have never wanted NOD32 to add this tag to outgoing email. When I did the public beta of NAV 2003, the first thing I did was turn off that message. I think most AV vendors added that partly as a means of advertising and partly, as they add so many things, because ignorant users clamored for it.

NOD32 has a high percentage of educated users so I don't think Eset will be adding something like this because I don't think the users are clamoring for it.

 

Hi, Paul Wilders

That is a very bright brain you have Paul.

Take Care,
TheQuest

 

I can completely understand Paul's position here, but I'm not sure I agree.
Assuming I automatically place a signature on every message stating that I am using NOD32,

1. I do not believe the chances are that great that someone who receives an e-mail from me is likely to attempt to attack my PC. I trust my friends/family.
2. Even if a friend happened to forward an email to someone else, again I feel the chances are small the receiver would be the type with the inclination to attack my PC (not to mention smart enough to know how or want to try to get around NOD32 defences, the best AV around).
3. The chances are, however, great that I will send an email message to a friend/family member that contains an attachement. I would surely like to put that person at ease that my message to them is virus-free.

That's my personal opinion.

 

I agree completely. Anyone that I send an email that is not business related (support, etc)knows that it is clean.


I have converted well over half of my friends(not met online)that use a pc to switch to NOD32 BTW. All of them constantly thank me when IMON saves them

 

Well I'm glad to hear about that.

Paul's position ("the less said, the better") is generally wise, but I agree with D&C in this case, in that I can't see a significant danger. Mind you, I did call tagging emails silly in my first post, but for some reason a lot of people appreciate it and a few very popular AV's are more than happy to oblige with advertising & spam. If tagging is someone's preference, it seems to make more sense to tag the emails yourself rather than have your AV scan your outgoing email & tag. Here too, this is just a personal opinion.

 

Tagging vs. not tagging....

I can see it on incoming email - if you want immediate and direct feedback that email has passed through you AV. I appreciated it when I had NOD32 scanning my e-mail. There were a couple of times when the scanning was disabled, and this was immediate and visible feedback that had happened.

On outgoing - why would one believe it any more than a possibly spoofed e-mail address? It's not really needed, and shouldn't necessarily be trusted since the recipient doesn't have complete knowledge where an e-mail may have originated. In many cases these days, by the time a recipient could even see a tag, all the damage is already done. I'd skip this if it was offered and could be disabled.

On letting information out - I draw a distinction between myself - a largely anonymous sort, and Paul who has a somewhat public persona. A public persona can attract unfortunate elements and there's no sense letting any part of your guard down. I'm neutral on whether it really matters that much to an anonymous sort like myself. I view it as analogous to rating firewalls on whether or not they provide stealth to all ports on a machine. To me, having a closed port is fine. If I had a static IP and a website with content, it could possibly be a stationary target for any number of reasons. I might be a little more strident on the issue of stealthing in that situation - but I don't think so. Just my opinion.

On deniability - it's generally in the headers...

Blue