
VIRUS IN YOUR MAIL

This discussion is connected to the gimp-developer-list.gnome.org mailing list which is provided by the GIMP developers and not related to gimpusers.com.

Raphaël
2002-04-25 16:28:54 UTC (about 22 years ago)

VIRUS IN YOUR MAIL

On Thu, 25 Apr 2002 16:04:35 +0200 (MEST), postmaster@tuwien.ac.at wrote:

V I R U S A L E R T

Our viruschecker found the

W32/Klez.h@MM

virus(es) in your email to the following recipient(s):

->

Delivery of the email was stopped!

Please check your system for viruses, or ask your system administrator to do so.

For your reference, here are the headers from your email:

------------------------- BEGIN HEADERS -----------------------------
Received: from Mcagx ([200.54.204.187]) by mta1.bs.dion.ne.jp (InterMail v4.01.01 201-232-113-102) with SMTP id
for ;
Thu, 25 Apr 2002 23:01:33 +0900
From: gimp-developer
To: e9227474@student.tuwien.ac.at
Subject: In future releases.
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=Xk5BtvSPri16M7b5oJx
Message-Id:
Date: Thu, 25 Apr 2002 23:02:20 +0900
-------------------------- END HEADERS ------------------------------


It is really annoying to have some virus checkers that are not doing their job properly. The W32/Klez worm is well known for faking the address of the sender. In fact, it collects a list of addresses from various files and address books on the victim's machine and then sends copies of itself to the addresses that it has found, using also some of these addresses as the alleged sender of the message. This is documented on the virus/worm description page of all major anti-virus companies.

Knowing this, it makes no sense for a virus/worm checker to reply to the (innocent) "sender" of the message, because this only wastes some bandwidth and may scare someone who was not involved at all (unless the goal of the misguided warning message is to promote the virus checker itself, but that would be a questionable practice, comparable to spamming). Even worse, replying to a mailing list that has many subscribers will waste even more bandwidth.

This can be easily confirmed by looking at the headers that were included in the warning message: the virus checker received the message from someone who is in Japan, so it is obviously not coming from the GIMP developers' mailing list, hosted in Berkeley.

So this is a request for postmaster@tuwien.ac.at: PLEASE change the configuration of your virus checker so that it does not send a warning message to the alleged sender of the message if the address of the sender (or an address that is similar enough) does not appear in any of the "Received" fields. Alternatively, you may want to avoid sending any reply if the worm that was detected is W32/Klez, because it always fakes the sender's address.

If your current virus checker does not allow you to do that, please put some pressure on your vendor until this feature is added to their software. Sending unsolicited warning messages to innocent third parties is a waste of bandwidth comparable to spamming or having an open mail relay. As such, it should be punishable.

-Raphaël

P.S. to the gimp developers who also get a CC of this message: sorry for the additional waste of bandwidth, but I encourage you to send similar messages when you receive a misguided virus warning, because some vendors of virus/worm checkers are acting in an irresponsible way and may soon generate as much trouble as the virus/worms that they are trying to stop.
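The two rules requested in the message above (no warning when the detection is a sender-forging worm such as W32/Klez, and no warning when the From domain appears in no "Received" field), as an added Python example that is not part of the original thread or of any virus checker's code. The function names, the family list, the two-label "similar enough" match and the sample headers are assumptions constructed for illustration.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Families known to forge the From address (the thread names W32/Klez).
FORGING_FAMILIES = ("w32/klez",)
# Host names that follow "from" / "by" in a Received field.
HOST_RE = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)", re.I)

def base_domain(host):
    """Crude 'similar enough' match: keep the last two DNS labels.
    A production filter would consult a public-suffix list instead."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def should_notify_sender(raw_headers, detection):
    """Return True only if a warning to the From address is justified."""
    if detection.lower().startswith(FORGING_FAMILIES):
        return False  # sender is always faked; a reply hits a bystander
    msg = HeaderParser().parsestr(raw_headers)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return False
    sender = base_domain(addr.rsplit("@", 1)[1])
    # Received fields not added by your own MTA are sender-controlled,
    # so a match is only a weak hint, while a miss is a strong one.
    for received in msg.get_all("Received", []):
        if any(base_domain(h) == sender for h in HOST_RE.findall(received)):
            return True
    return False

# Constructed samples, shaped like the headers quoted in the alert.
FORGED = """\
Received: from Mcagx ([192.0.2.187]) by mta1.isp.example.jp
\twith SMTP; Thu, 25 Apr 2002 23:01:33 +0900
From: gimp-developer <gimp-developer@lists.example.org>
Subject: In future releases.
"""
GENUINE = """\
Received: from mail.corp.example.net ([198.51.100.7]) by mx.example.ac.at
\twith SMTP; Thu, 25 Apr 2002 23:01:33 +0900
From: Alice <alice@corp.example.net>
"""

if __name__ == "__main__":
    print(should_notify_sender(FORGED, "W32/Klez.h@MM"))        # rule 1
    print(should_notify_sender(FORGED, "Constructed/Macro.a"))  # rule 2
    print(should_notify_sender(GENUINE, "Constructed/Macro.a"))
```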

Branko Collin
2002-04-25 16:41:22 UTC (about 22 years ago)

VIRUS IN YOUR MAIL

On 25 Apr 2002, at 16:04, postmaster@tuwien.ac.at wrote:

V I R U S A L E R T

Our viruschecker found the

W32/Klez.h@MM

virus(es) in your email to the following recipient(s):

->

As you can see in the header, the virusmail did not originate from but (probably) from a Japanese address.

Klez is one of the many Win32 that are so popular because the average user uses a virus enhancement and propagation tool called MS Outlook.

Klez inserts a random name from the victim's addressbook into the from field of the virus mails it sends out.

In other words, maybe one subscriber of this list has been infected by the Klez virus, but AFAIK no virus has actually been sent over the list.

Regards,