
Is Dr Solomons spamming Usenet?


Gareth

Apr 4, 2000, 3:00:00 AM
I've seen "Virus Patrol" postings from NAI in quite a few newsgroups. These
posts announce the discovery of viruses within binary postings to the group.
This may be helpful but the posts include *heavy* advertising for Dr
Solomons. They're basically adverts. Here's part of the ad section from one
of the posts:

"You can download a free evaluation (yet fully functional) copy of
the latest released version of Dr Solomon's FindVirus/VirusScan from
the following locations:

WWW: http://www.nai.com/download/downloads
FTP: ftp://ftp.nai.com/pub/antivirus
CompuServe: GO DRSOLOMON or GO MCAFEE
AOL: SAFETYONLINE

IMPORTANT! The virus has been detected by the latest IN-HOUSE version of
Dr Solomon's FindVirus/VirusScan. As new viruses and trojans appear at the rate
of several hundreds a month, the latest RELEASED version of FindVirus/VirusScan
might be unable to detect this particular virus. If you have downloaded the above
file and your copy of FindVirus/VirusScan does not detect the virus in it,
contact Dr Solomon's Technical support and ask for the extra driver to detect
the WScript virus.

--
Dr Solomon's Virus Patrol UK Support: sup...@drsolomon.com
NAI Total Virus Defense US Support: sup...@nai.com
WWW: http://www.nai.com/products/antivirus UK Tel: +44 (0) 1296 318700
CompuServe: GO DRSOLOMON USA Tel: +1 408 988-3832"
=====

Sorry if this is repeating what people already know but I'm just curious
about these posts. Although they may be helping some people it is basically
spam - what if every other AV company (AVP, Norton, Sophos and so on) was to
do the same.

It also isn't a very sensible method of alerting people. Many servers filter
out inappropriately posted binary posts (to non-binary groups) anyway. Many
of these "Virus Patrol" posts have been sent to non-binary groups increasing
marketing coverage for NAI but not really focussing on the extent of the
problem - a quick(ish) Dejanews search shows a large amount of these
postings. If NAI was sensible adding a smallish binary addition to the
"Virus Patrol" warning would make sure that it reached only the relevant
groups.

These NAI posts are just basically spam masquerading as a public service
announcement.

Gareth.

Dmitry Gryaznov

Apr 4, 2000, 3:00:00 AM

So, where do you see an advertisement? It simply provides *minimal* instructions
on how to get rid of the virus if you were unfortunate (and naive) enough to
run/open that attachment.

> Sorry if this is repeating what people already know but I'm just curious
> about these posts. Although they may be helping some people it is basically
> spam - what if every other AV company (AVP, Norton, Sophos and so on) was to
> do the same.

So, you'd prefer the viruses and trojans in Usenet to propagate unhindered?
I believe the Usenet readers have a right to know what they are dealing with.

> It also isn't a very sensible method of alerting people. Many servers filter
> out inappropriately posted binary posts (to non-binary groups) anyway. Many
> of these "Virus Patrol" posts have been sent to non-binary groups increasing
> marketing coverage for NAI but not really focussing on the extent of the
> problem - a quick(ish) Dejanews search shows a large amount of these
> postings. If NAI was sensible adding a smallish binary addition to the
> "Virus Patrol" warning would make sure that it reached only the relevant
> groups.

It is reaching *only* the relevant groups - namely, exactly the group(s) to which
the infected article was posted. Moreover, a Virus Patrol warning is always
posted as a response to the offending article (References: header) and should
show up below that article in the thread.

> These NAI posts are just basically spam masquerading as a public service
> announcement.

They are definitely not spam. As for the "advertising" - it's simply offering
a solution to the problem. It's not enough just to tell a person "If you ran/opened
that attachment - you're infected", it's much better to tell where s/he can
get help.

--
Sincerely,
Dmitry O. Gryaznov

Catherine Hampton

Apr 4, 2000, 3:00:00 AM
Gareth <nospam_so...@gjd398.com> wrote:

: I've seen "Virus Patrol" postings from NAI in quite a few newsgroups. These
: posts announce the discovery of viruses within binary postings to the group.
: This may be helpful but the posts include *heavy* advertising for Dr
: Solomons. They're basically adverts. Here's part of the ad section from one
: of the posts:

<snip>

Actually, while NAI has a history of spamming via email (and
lost my business as a result), this is a borderline case. The
reason is that it is generally considered ok to advertise in
your .signature file, as long as you are participating in a
newsgroup.

While NAI's patrol isn't participating per-se, it is responding
to actual copies of viruses it finds on the Usenet, and responding
(as I understand it) only in the newsgroups where it finds those
viruses. That it includes some advertising beneath its
announcements doesn't change the essential character of these
posts -- they aren't bulk postings, but individual postings
responding to individual appearances of viruses.

I think I'd give them a pass on this one. And (as the material
in my .signature should tell you), I'm not exactly one to make
excuses for spamming when I see it. :)


--
Catherine Hampton <ar...@tempest.boxmail.com>
Home Page * <http://www.hrweb.org/ariel/>
The Spam Bouncer * <http://www.hrweb.org/spambouncer/>

(Please use this address for replies -- the address in my header
is a spam trap.)

Andy Ruddock

Apr 5, 2000, 3:00:00 AM
I'm with Dmitry on this one. NAI and Dmitry in particular have invested
a great deal of effort on Virus Patrol.

Dmitry Gryaznov wrote:


>
> Gareth wrote:
> >
> > I've seen "Virus Patrol" postings from NAI in quite a few newsgroups. These
> > posts announce the discovery of viruses within binary postings to the group.
> > This may be helpful but the posts include *heavy* advertising for Dr
> > Solomons. They're basically adverts. Here's part of the ad section from one
> > of the posts:

[Snip]

> > Sorry if this is repeating what people already know but I'm just curious
> > about these posts. Although they may be helping some people it is basically
> > spam - what if every other AV company (AVP, Norton, Sophos and so on) was to
> > do the same.

Maybe there'd be fewer viruses in the wild? As hard as it tries I don't
believe Virus Patrol is capable of scanning *all* newsgroups.

> So, you'd prefer the viruses and trojans in Usenet to propagate unhindered?
> I believe the Usenet readers have a right to know what they are dealing with.

> > It also isn't a very sensible method of alerting people. Many servers filter
> > out inappropriately posted binary posts (to non-binary groups) anyway. Many
> > of these "Virus Patrol" posts have been sent to non-binary groups increasing
> > marketing coverage for NAI but not really focussing on the extent of the
> > problem - a quick(ish) Dejanews search shows a large amount of these
> > postings. If NAI was sensible adding a smallish binary addition to the
> > "Virus Patrol" warning would make sure that it reached only the relevant
> > groups.
>
> It is reaching *only* the relevant groups - namely, exactly the group(s) to which
> the infected article was posted. Moreover, a Virus Patrol warning is always
> posted as a response to the offending article (References: header) and should
> show up below that article in the thread.

What would the binary contain? It would have to be a fairly small binary
to occupy less space & bandwidth than the virus patrol message.
Suppose the virus was in an html posting to a newsgroup that a
particular ISP filtered binaries from? You'd have the virus but the
binary to remove it would have been filtered out.

> > These NAI posts are just basically spam masquerading as a public service
> > announcement.
>
> They are definitely not spam. As for the "advertising" - it's simply offering
> a solution to the problem. It's not enough just to tell a person "If you ran/opened
> that attachment - you're infected", it's much better to tell where s/he can
> get help.

Sure it's an advert. NAI have detected a virus, they've informed users
of the problem. If you're infected they'd much rather you used their
product. It's a very useful service.
You can always filter out messages from Virus Patrol via your
newsreader.

--
AndyR
-----
Senior Software Developer
Norman Data Defense Systems ASA - http://www.norman.com
PGP Keys : RSA-id=0x87A2EE71 DH/DSS-id=0x47ADFD4D

Gareth

Apr 5, 2000, 3:00:00 AM

"Catherine Hampton" <x...@hrweb.org> wrote in message
news:sekvec...@corp.supernews.com...

> While NAI's patrol isn't participating per-se, it is responding
> to actual copies of viruses it finds on the Usenet, and responding
> (as I understand it) only in the newsgroups where it finds those
> viruses. That it includes some advertising beneath its
> announcements doesn't change the essential character of these
> posts -- they aren't bulk postings, but individual postings
> responding to individual appearances of viruses.

I've done a quick Deja search and this has been discussed in nanau where, it
seems, (knowledgeable) people have said that these posts contravene the BI
for spam. The issue seems to be not that these posts may be helpful but that
a) they're targeted to reach all servers - even ones which filter
inappropriately posted binary posts b) they advertise a single product - if
other AV companies did this (say AVP and NAV) then there would be a pretty
big problem. Why not provide a link to a general virus information site
which in turn provides links to a range of AV products - including products
which don't require the end user to cut and paste a text file driver?

I guess on balance they probably are still very helpful.

Gareth.


Andy Ruddock

Apr 5, 2000, 3:00:00 AM

a) AFAIK it's not possible to 'target' servers. Usenet works by each
server passing postings to another. It would not be possible for Virus
Patrol to avoid the posting going to a server which had already filtered
the binary out.

b) Of course they advertise a single product. Virus Patrol is a program
written by NAI which downloads and 'reads' messages (and binaries) on
newsgroups, if it detects a virus in any of these messages it posts a
reply with the appropriate information. You couldn't expect NAI to have
a product which advertised competitors products.

A search of Deja revealed 2432 unique messages by Virus Patrol, that's
not really an overwhelming number considering how busy usenet is.

Arthur Kopp

Apr 5, 2000, 3:00:00 AM
On Wed, 5 Apr 2000 11:03:25 +0100, "Gareth"
<nospam_so...@gjd398.com> wrote:

> Why not provide a link to a general virus information site
>which in turn provides links to a range of AV products - including products
>which don't require the end user to cut and paste a text file driver?

Excellent idea but I doubt if NAI will do that.

Art


Gareth

Apr 5, 2000, 3:00:00 AM

"Andy Ruddock" <andy.r...@bigfoot.com> wrote in message
news:38EB1C56...@bigfoot.com...

> a) AFAIK it's not possible to 'target' servers. Usenet works by each
> server passing postings to another. It would not be possible for Virus
> Patrol to avoid the posting going to a server which had already filtered
> the binary out.

Yes it is - attach a small binary to the post (maybe even the extra driver
file) so that the message doesn't propagate to irrelevant servers.

Gareth.


sid

Apr 5, 2000, 3:00:00 AM
>
>I guess on balance they probably are still very helpful.
>
They're probably also very helpful for wannabee virus collectors who can
trawl through Deja.

Raid Slam

Apr 5, 2000, 3:00:00 AM
In article <gfJG4.38$1b7....@newreader.ukcore.bt.net>, "sid"
<s...@grot.com> wrote:

>They're probably also very helpful for wannabee virus collectors
>who can trawl through Deja.

And they are classed as SPAM, they are mostly advertising, and at
the same time, they display a good image for mcafee to a lot of
potential customers. The IN HOUSE version detects the viruses,
not the one you can download off their website, so what exactly
is useful in the huge message that it posts? (buy mcafee buy
mcafee) is the extent of the msg.

Regards,
Raid [SLAM]


* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!


sop...@cix.compulink.co.uk

Apr 5, 2000, 3:00:00 AM
In article <085e0442...@usw-ex0106-045.remarq.com>,
soho20N...@hotmail.com.invalid (Raid Slam) wrote:

> In article <gfJG4.38$1b7....@newreader.ukcore.bt.net>, "sid"
> <s...@grot.com> wrote:
>
> >They're probably also very helpful for wannabee virus collectors
> >who can trawl through Deja.
>
> And they are classed as SPAM, they are mostly advertising,

Mostly advertising? Don't think so. Mostly they're informative. I think
it's a good service provided by Dmitry, and if it advertises via the sig
the company he works for - so what?

--
Graham Cluley, Head of Corporate Communications, Sophos Anti-Virus
email: gcl...@sophos.com http://www.sophos.com
US Support: +1 888 SOPHOS 9 UK Support: +44 1235 559933

Raid Slam

Apr 5, 2000, 3:00:00 AM
In article <gfJG4.38$1b7....@newreader.ukcore.bt.net>, "sid"
<s...@grot.com> wrote:

>They're probably also very helpful for wannabee virus collectors
>who can trawl through Deja.

Irc chat (with an antivirus person who works for datafellows in
the uk)

<FSAV> Virus Patrol is a blatant advert......but it is of some use
<FSAV> as far as I know it patrols all groups
<Raid> what for?
<Raid> to protect users? I don't think so.
<FSAV> It's automated, it proves a marketing point that it does detect viruses
<FSAV> whilst giving Dr Sols a nice fluffy helpful image to the public


I'd say the advertising dr solly is doing is spam. But I don't
anyones going to complain too much. :)

Arthur Kopp

Apr 5, 2000, 3:00:00 AM
On Wed, 05 Apr 2000 15:48:28 GMT, "sid" <s...@grot.com> wrote:

>>I guess on balance they probably are still very helpful.
>>

>They're probably also very helpful for wannabee virus collectors who can
>trawl through Deja.

Sure. So are the reports on acv of infected software at some internet
site. Before the site can be reported and shut down, you can betcha
that many collectors went and got a specimen. Some of my "best" ones
were obtained this way :)

Paradoxically, I also participate in getting such sites shut down. I'm
a collector who would prefer that the damn things could not be found
anywhere on the internet.

Art

Raid Slam

Apr 5, 2000, 3:00:00 AM
In article <8cfqfm$12d$1...@plutonium.compulink.co.uk>,
sop...@cix.compulink.co.uk wrote:

>Mostly advertising? Don't think so. Mostly they're
>informative. I think it's a good service provided by Dmitry,
>and if it advertises via the sig the company he works for - so
>what?

You don't? The IN HOUSE version (not the one available for
download) is the one that detects the viruses, and announces this
with a huge advertisement for Dr Solomons (NAI). It does this
regardless if the group is even a binaries group or not. At the
very least, you could say the posts from it are off topic and
against netiquette. It might be different if it was the version
people had access to, but it's the special in house version. And
you have to obtain an extra.dat file from mcafee in order to
detect the "virus" it's alerting you to in the first
place. The post goes to great length to tell you who wrote it and
where you need to go. It is indeed an advertising bot, under the
guise of doing something useful.

kurt wismer

Apr 5, 2000, 3:00:00 AM
On Wed, 5 Apr 2000, Gareth wrote:

[snip]


> I've done a quick Deja search and this has been discussed in nanau where, it
> seems, (knowledgeable) people have said that these posts contravene the BI
> for spam. The issue seems to be not that these posts may be helpful but that
> a) they're targeted to reach all servers - even ones which filter
> inappropriately posted binary posts

given the number of servers there are, and assuming you can add
information that says "don't go to this server" what exactly do you think
the bandwidth overhead of such selectivity would be?

> b) they advertise a single product - if
> other AV companies did this (say AVP and NAV) then there would be a pretty
> big problem.

they aren't advertizing per se... they're telling you which product they
*know* can detect the virus... they can't point people to other products
because it's computationally infeasible to run all the various products
out there on the gigabytes of articles it goes through, nor can they wait
for responses from the other developers as to whether or not those
products detect that instance of that virus/worm/trojan...

> Why not provide a link to a general virus information site
> which in turn provides links to a range of AV products - including products
> which don't require the end user to cut and paste a text file driver?

simple... there's no way to know *other* products can detect the
particular virus that virus patrol is detecting... it would be singularly
unhelpful to point someone in the *wrong* direction like that...

--
". . . and i was looking so good, shamoo took a shining to me. and they're
so smart those things, you know, they got all these human emotions. love,
lust, green hundred year old eyed jealousy. barthalamoo - was *livid*.
unbeknownst to me, i can't hear a god damned thing underwater."


Evelyn

Apr 5, 2000, 3:00:00 AM
Even if it is advertising, it is an extremely welcome service and the advert
(which is actually a very useful one) seems a fair exchange. The alarms may
sometimes be 'false' when the product has been filtered out by the newsgroup
(phew!) but I'd still prefer that to catching a virus. It will also
encourage people to take the sensible precaution of installing an Anti Virus
Program.
--
Love
Evelyn
http://www.woolston.greatxscape.net/
Reply via Newsgroup only

"Gareth" <nospam_so...@gjd398.com> wrote in message


> I've seen "Virus Patrol" postings from NAI in quite a few newsgroups. These
> posts announce the discovery of viruses within binary postings to the group.
> This may be helpful but the posts include *heavy* advertising for Dr
> Solomons. They're basically adverts. Here's part of the ad section from one
> of the posts:
>

> Sorry if this is repeating what people already know but I'm just curious
> about these posts. Although they may be helping some people it is basically
> spam - what if every other AV company (AVP, Norton, Sophos and so on) was to
> do the same.
>

> It also isn't a very sensible method of alerting people. Many servers filter
> out inappropriately posted binary posts (to non-binary groups) anyway. Many
> of these "Virus Patrol" posts have been sent to non-binary groups increasing
> marketing coverage for NAI but not really focussing on the extent of the
> problem - a quick(ish) Dejanews search shows a large amount of these
> postings. If NAI was sensible adding a smallish binary addition to the
> "Virus Patrol" warning would make sure that it reached only the relevant
> groups.
>

> These NAI posts are just basically spam masquerading as a public service
> announcement.
>

> Gareth.
>
>


sop...@cix.compulink.co.uk

Apr 5, 2000, 3:00:00 AM
In article <05ca0215...@usw-ex0106-045.remarq.com>,
soho20N...@hotmail.com.invalid (Raid Slam) wrote:

> In article <8cfqfm$12d$1...@plutonium.compulink.co.uk>,
> sop...@cix.compulink.co.uk wrote:
>
> >Mostly advertising? Don't think so. Mostly they're
> >informative. I think it's a good service provided by Dmitry,
> >and if it advertises via the sig the company he works for - so
> >what?
>
> You don't? The IN HOUSE version (not the one available for
> download) is the one that detects the viruses,

Of course - why would they want to use anything other than the very latest
version available to them? It finds more viruses after all..

> and announces this with a huge advertisement for Dr Solomons
> (NAI). It does this regardless if the group is even a binaries
> group or not. At the very least, you could say the posts from
> it are off topic and against netiquette.

But it's providing a service, warning others that a virus has been posted.

> It might be different if it was the version people had access
> to, but it's the special in house version. And you have to
> obtain an extra.dat file from mcafee in order to detect the
> "virus" it's alerting you to in the first place.

Only if it's a virus the current shipping version of McAfee does not
detect.

> The post goes to great length to tell you who wrote it and
> where you need to go. It is indeed an advertising bot,
> under the guise of doing something useful.

Nah.. it does something useful, and it informs people of what they can do
next to protect themselves - particularly if they were unfortunate enough
to download and execute the virus. Why are you so strongly against it?

Randy Abrams

Apr 5, 2000, 3:00:00 AM

Raid Slam <soho20N...@hotmail.com.invalid> wrote in message
news:05ca0215...@usw-ex0106-045.remarq.com...

> In article <8cfqfm$12d$1...@plutonium.compulink.co.uk>,
> sop...@cix.compulink.co.uk wrote:
>
> >Mostly advertising? Don't think so. Mostly they're
> >informative. I think it's a good service provided by Dmitry,
> >and if it advertises via the sig the company he works for - so
> >what?
>
<snip>
> against netiquette. It might be different if it was the version
> people had access to, but it's the special in house version. And
> you have to obtain an extra.dat file from mcafee in order to
> detect the "virus" it's alerting you to in the first

Actually, I have 2533 pieces of email that prove you don't have a clue as to
what you are talking about. Each of these emails is a report of Happy99 that
was sent between 6/1/99 and today. The released version of McAfee, even with
significantly out of date DATs would detect the virus with no need for an
in-house version or extra.dat from prior to 6/1/99. If you like to be proven
even more wrong I could research all of the other reports of other viruses
that virus patrol has sent for viruses that the released version already had
detection for. You quite clearly have not done your homework and are
spouting erroneous information.


> place. The post goes to great length to tell you who wrote it and
> where you need to go. It is indeed an advertising bot, under the
> guise of doing something useful.
>

No guise at all, it is doing something useful. Clearly it is advertising as
well.

Regards,

Randy
--
--
The opinions expressed in this message are my own personal views
and do not reflect the official views of the Microsoft Corporation.

Raid Slam

Apr 5, 2000, 3:00:00 AM
In article <eZALYvyn$GA.361@cpmsnbbsa04>, "Randy Abrams"
<ran...@microsoft.com> wrote:

>Actually, I have 2533 pieces of email that prove you don't have
>a clue as to what you are talking about.

Randy.... you should know better than to try this shit with me. I
wouldn't have said what I said if I wasn't willing to back it up,
moron.

Dr solomons recently issued alerts on Irok, at the time of Irok's
release (from the point I gave copies to some people) it was not
detected. Dr Solomons did not detect the virus before it went ITW
either. I'm sure we could both cite more examples proving the
other's side of the argument. The question is, do I really need
to? Nah.. I don't.

Anytime you would like a battle of wits concerning viruses and
programming Randy, anytime... :)

Randy Abrams

Apr 5, 2000, 3:00:00 AM
Raid Slam <soho20N...@hotmail.com.invalid> wrote in message
news:19ee5bd4...@usw-ex0106-046.remarq.com...

> In article <eZALYvyn$GA.361@cpmsnbbsa04>, "Randy Abrams"
> <ran...@microsoft.com> wrote:
>
> >Actually, I have 2533 pieces of email that prove you don't have
> >a clue as to what you are talking about.
>
> Randy.... you should know better than to try this shit with me. I
> wouldn't have said what I said if I wasn't willing to back it up,
> moron.

You resort to name calling because you know you can't back up what you say
and once again you have proven it.


>
> Dr solomons recently issued alerts on Irok, at the time of Irok's
> release (from the point I gave copies to some people) it was not
> detected. Dr Solomons did not detect the virus before it went ITW
> either. I'm sure we could both cite more examples proving the
> other's side of the argument. The question is, do I really need
> to? Nah.. I don't.

No, the question deals with the accuracy of your statement. You said, and I
quote

"It might be different if it was the version people had access to, but it's
the special in house version. And you have to obtain an extra.dat file from
mcafee in order to detect the "virus" it's alerting you to in the first
place."

Obviously the vast majority of the time your statement is inaccurate. If you
had said that occasionally an extra.dat is required I would have no
argument, but your statement is wrong over 99% of the time. I have no doubt
you'll stand behind it though.

> Anytime you would like a battle of wits concerning viruses and
> programming Randy, anytime... :)
>

As soon as you demonstrate you can stick with an issue I'll consider it. For
the time being, every time someone proves you wrong you change the subject,
you call them names, and then you proclaim yourself the winner. Everyone
knows what the emperor is wearing Raid :)

Dmitry Gryaznov

Apr 5, 2000, 3:00:00 AM

Say, WScript/Kak, a rather prevalent virus in Usenet today, propagates without a
binary attachment - the virus is in the HTML body of the message. Thus, it does
go even to the binaries-filtering servers.

Dmitry Gryaznov

Apr 5, 2000, 3:00:00 AM
Raid Slam wrote:
>
> In article <gfJG4.38$1b7....@newreader.ukcore.bt.net>, "sid"
> <s...@grot.com> wrote:
>
> >They're probably also very helpful for wannabee virus collectors
> >who can trawl through Deja.
>
> And they are classed as SPAM, they are mostly advertising, and at
> the same time, they display a good image for mcafee to a lot of
> potential customers. The IN HOUSE version detects the viruses,
> not the one you can download off their website, so what exactly
> is useful in the huge message that it posts? (buy mcafee buy
> mcafee) is the extent of the msg.

When "the one you can download off their website" cannot detect the virus,
Virus Patrol gives a clear indication of that, prompting to get an extra
driver for the virus.

kurt wismer

Apr 5, 2000, 3:00:00 AM
On Wed, 5 Apr 2000, Raid Slam wrote:

[snip]


> I'd say the advertising dr solly is doing is spam. But I don't
> anyones going to complain too much. :)

i don't think i can agree... at its most fundamental, spam is a form of
net abuse... i think it's pretty clear that virus patrol is protecting the
public and inhibiting (though not completely) usenet's use as an infection
vector... despite the 'advertisement' i find it hard to classify that as
abuse...

kurt wismer

Apr 5, 2000, 3:00:00 AM
On Wed, 5 Apr 2000, Raid Slam wrote:

> In article <8cfqfm$12d$1...@plutonium.compulink.co.uk>,
> sop...@cix.compulink.co.uk wrote:
>
> >Mostly advertising? Don't think so. Mostly they're
> >informative. I think it's a good service provided by Dmitry,
> >and if it advertises via the sig the company he works for - so
> >what?
>

> You don't? The IN HOUSE version (not the one available for
> download) is the one that detects the viruses, and announces this
> with a huge advertisement for Dr Solomons (NAI). It does this
> regardless if the group is even a binaries group or not. At the
> very least, you could say the posts from it are off topic and
> against netiquette. It might be different if it was the version
> people had access to, but it's the special in house version. And

in a sense people do have access to it... if the in-house version can
detect it then you just get the current version and the extra.dat
file.. both of which are available...

Nick FitzGerald

Apr 6, 2000, 3:00:00 AM
Raid Slam <soho20N...@hotmail.com.invalid> wrote:

> You don't? The IN HOUSE version (not the one available for
> download) is the one that detects the viruses, and announces this
> with a huge advertisement for Dr Solomons (NAI). It does this
> regardless if the group is even a binaries group or not. At the
> very least, you could say the posts from it are off topic and
> against netiquette. It might be different if it was the version
> people had access to, but it's the special in house version. And
> you have to obtain an extra.dat file from mcafee in order to
> detect the "virus" it's alerting you to in the first

Randy has already elegantly shown this claim of yours is
equal to the usual pile of excrement that oozes from your
posts. Your response to Randy's rebuttal once again
illustrates your legendary inability to comprehend the
most basic rules of debating engagement, and your complete
lack of a clue as to the rules of logic and relevance.

Was that attorney you recently claimed to have consulted
one of your cousins?

> place. The post goes to great length to tell you who wrote it and
> where you need to go. It is indeed an advertising bot, under the
> guise of doing something useful.

I will now demolish the 10% of a leg that the rest of
your case stands ("limps"?) on.

You say that Virus Patrol is advertising (perhaps even
spam) in the guise of something useful. You clearly
think this is "bad" or "undesirable" -- why would you
rile so hard against it if you thought it acceptable?

Let's look at the "facts"... In fact, let's *accept* your
clearly distorted beyond recognizable (as shown by Randy)
version of "the facts". You say that Virus Patrol alerts
mostly are for viruses that the shipping version of the
product/DATs does not yet detect.

For the sake of argument, I'll accept that.

Now, what does that tell us?

Let's combine this with our knowledge that NAI's virus
detection and rate of "keeping up" with new viruses is
right up there with the best (whatever you may think that
is doesn't matter at this point -- the fact is that NAI
gives to and receives from other AV developers copious
samples of new viruses and this behaviour is common to all
the "top" AV developers... It is a big part of why they
are at the "top".).

This tells us that if NAI only detect "Virus X" or
"Trojan Y" with the in-house/development DATs, then few
if any other scanners are likely to detect this piece of
malware with their shipping product/updates either.

That means that NAI is providing a very valuable early
warning of new malware. Potentially foolhardy Usenet
readers who decide it is safe to run, say
ScrewMyDrive.exe, because their own up to date scanner
did not alert on it. So, what do we have now?

Raid says that VP is mostly detecting new viruses that
cannot be detected with the current DATs. We know that
is wrong. He also seems to be claiming that warning
people of the presence of new malware that their own
scanners do not yet detect is "mostly advertising" and
has little or no other value.

Maybe he came to that decision because he is pissed that
VP effectively warned the world of his distribution of
Irok. I wonder if Raid was silly enough to have tested
Irok against the shipping DATs before deciding to post
it all over the place and is now turning his deserved
anger at his own stupidity against the company that
"tricked" him?

Seems he's a confused, mixed-up, screwed-up fool
whichever way he tries to have it. All round wrong,
again.

But are we surprised of this is with Raid?


--
Nick FitzGerald

Gareth

Apr 6, 2000, 3:00:00 AM

"Dmitry Gryaznov" <gr...@dial.pipex.com> wrote in message
news:38EBAFDE...@dial.pipex.com...

> Say, WScript/Kak, a rather prevalent virus in Usenet today, propagates without a
> binary attachment - the virus is in the HTML body of the message. Thus, it does
> go even to the binaries-filtering servers.

Servers which filter out binary posts tend to filter out HTML posts - the
UUNET UK server rejects HTML posts as "HTLMised spam" for example.

Gareth.


Gareth

Apr 6, 2000, 3:00:00 AM
Well, the consensus seems to be that it isn't spam but a useful service.

Still, the question remains if other AV companies decided to offer the same
service - replicating Virus Patrol posts - would there then, perhaps, be a
spam problem?

I guess ultimately a common sense view prevails emphasising balance: viruses
damage data (and even hardware) and a friendly 20 line alert post can't do
much damage.

I didn't realise that these posts pre-dated the NAI takeover of Dr Solomons.
I suppose that given NAI's obscene spam policy it's easy to jump to hasty
conclusions about the motives of Dr Solomons in sending these posts.

I imagine that if other companies wanted to send similar messages then NAI
would be happy to incorporate links to other scanners in the Virus Patrol
message - perhaps for a fee but certainly in the interests of a spam free
public service ;-)

Gareth.


kurt wismer

Apr 6, 2000, 3:00:00 AM

wow... what's it like to have perfect knowledge of news servers?

Raid Slam

Apr 6, 2000, 3:00:00 AM
In article <eovwTO0n$GA.90@cpmsnbbsa04>, "Randy Abrams"

<ran...@microsoft.com> wrote:
>You resort to name calling because you know you can't back up
>what you say and once again you have proven it.

Really? Funny, the advertising bot itself tells you that it
detected it with the in house version, and to contact mcshit for
an extra.dat to detect the virus. It stresses that this is an IN
HOUSE VERSION, and practically demands you contact mcshit for the
extra.dat. It doesn't say "your current product might detect it."
it says, grab the extra.dat file, because it's not sure.

>No, the question deals with the accuracy of your statement. You
>said, and I quote

My statement is accurate.

>Obviously the vast majority of the time your statement is
>inaccurate.

Obviously going by what the bot posts each time it "alerts" my
statement is accurate. Have you read the posts it makes Randy?

>As soon as you demonstrate you can stick with an issue I'll
>consider it.

Get off your high horse. You're a real piece of work randy.
Btw, since the DoJ found microshit guilty, how's your job future
looking? Just wondering.

Gareth

Apr 6, 2000, 3:00:00 AM

"kurt wismer" <g9k...@cdf.toronto.edu> wrote in message
news:Pine.SOL.4.21.000406...@eddie.cdf...

> wow... what's it like to have perfect knowledge of news servers?

Kurt, you're about as creative with acidic wisdom as you are with sensible
replies. I suggest that you purchase a clue and, perhaps, develop insight
into issues outside of your narrow world. Hint: get out a little more or,
failing that and as a proxy, just visit nanau once in a while to broaden
your horizons on this specific issue.

How's that for a constructive response?

Gareth.


Gareth

Apr 6, 2000, 3:00:00 AM

"Dmitry Gryaznov" <gr...@dial.pipex.com> wrote in message
news:38ECE4D2...@dial.pipex.com...

> If this is the case then the same servers should also filter out articles
> sent in response to the ones they've filtered out. What's the point in allowing
> the replies to the articles which never showed up for the servers' users?

Injecting relevant discussion via mid thread crossposting from groups which
don't exist on the server? Avoiding the charge of censoring appropriately
formatted articles? I'm sure there are a few more possibilities ;-)

> Not that difficult to achieve by maintaining a database of Message-IDs of the
> filtered out messages and by then comparing References: header against it.

For every message sent to a news server?

Besides who decides what is Spam and what isn't. Still, one of the Virus
Patrol posts (allegedly) had reached a BI>20 (I'm not sure if it was
cancelled).

I think that some adverts labelled as Spam are actually relevant and
helpful - sensibly advertising products relevant to group members. The
problem for Virus Patrol postings is that they are seen as coming from NAI
whose *e-mail* Spam policy was (and maybe still is) not too good at all to
put it mildly.

The question still remains unanswered though: what if Norton, AVP,
DataFellows, Sophos and a few others decided to launch a public service for
the Usenet community?

Microsoft's recent rallying of AV products and companies around an extended
trial AV solution shows that inter-company cooperation must be possible. I
don't want to labour this point - it's not *that* important - but I'm
interested in knowing whether or not NAI would provide a link to an
effective basket of AV products in the Patrol postings instead of being
quite so self-promoting under the guise of public service?

Gareth.

Randy Abrams

Apr 6, 2000, 3:00:00 AM
Raid Slam <soho20N...@hotmail.com.invalid> wrote in message
news:006312f2...@usw-ex0106-045.remarq.com...

> In article <eovwTO0n$GA.90@cpmsnbbsa04>, "Randy Abrams"
> <ran...@microsoft.com> wrote:
<snip>

> Really? Funny, the advertising bot itself tells you that it
> detected it with the in house version, and to contact mcshit for
> an extra.dat to detect the virus. It stresses that this is an IN
> HOUSE VERSION, and practically demands you contact mcshit for the
> extra.dat. It doesn't say "your current product might detect it."
> it says, grab the extra.dat file, because it's not sure.

For new viruses, this may be true, but the majority of reports from Virus
Patrol are not for new viruses.

> >No, the question deals with the accuracy of your statement. You
> >said, and I quote
>
> My statement is accurate.

One out of four times. Wow, what a record. Do you think you're a baseball
player or something?


>
> >Obviously the vast majority of the time your statement is
> >inaccurate.
>
> Obviously going by what the bot posts each time it "alerts" my
> statement is accurate. Have you read the posts it makes Randy?

Of course. Obviously you have read precious few of them. If you'd like a
copy of my archives, I have more than 3,000 of them and you're welcome to
them. I won't charge you a penny or require that you trade any software for
them. They're as free as Internet Explorer without a license agreement.
Mighty magnanimous of me, don't you agree?

Here's the most recent one for Happy 99. Do you see any reference to
EXTRA.DAT???
----------------------------------------------------------------------------
WARNING! A virus has been found in a binary file posted to the following
newsgroup(s): rec.travel.asia
Message header follows:
>Message-Id: <ab%G4.232$7M5....@wagner.videotron.net>
>From: chromia <chr...@videotron.ca>
>Subject: Re: Currency Convertors
>Date: 06 Apr 2000 12:12:54 GMT
Dr Solomon's FindVirus/VirusScan report follows:
Dr Solomon's FindVirus IN-HOUSE version. Copyright (c) 1999 Network Associates Inc.
Virus data file v9999 created Apr 05 2000
Scanning for 50977 viruses, trojans and variants.
Happy99.exe ... Found the W32/Ska.exe virus !!!


You can download a free evaluation (yet fully functional) copy of
the latest released version of Dr Solomon's FindVirus/VirusScan from
the following locations:

----------------------------------------------------------------------------
Here's one for Ethan.A
----------------------------------------------------------------------------
WARNING! A virus has been found in a binary file posted to the following
newsgroup(s):
relcom.commerce.raw-materials, relcom.commerce, relcom.commerce.chemical,
relcom.commerce.construction,
relcom.commerce.other
Message header follows:
>Message-Id: <FsLIH2.3Kt@#news.interline.ivanovo.ru>
>From: "streles" <str...@interline.ivanovo.ru>
>Subject: =?koi8-r?B?6dfBzs/X08vJxSDUy8HOyQ==?=
>Date: 06 Apr 2000 13:00:21 GMT
Dr Solomon's FindVirus/VirusScan report follows:
Dr Solomon's FindVirus IN-HOUSE version. Copyright (c) 1999 Network Associates Inc.
Virus data file v9999 created Apr 05 2000
Scanning for 50977 viruses, trojans and variants.
=?koi8-r?B?7snXwdTFy9Mgz8LdycouZG9j?= ... Found the W97M/Ethan.a virus !!!


You can download a free evaluation (yet fully functional) copy of
the latest released version of Dr Solomon's FindVirus/VirusScan from
the following locations:

----------------------------------------------------------------------------

What, no extra.dat there either. In fact, the majority of these posts make
no mention of an extra.dat and report viruses that do not require the
in-house version for detection and/or cleaning.

In my archives of these reports from 2/19/1999 to today, I find that
74.826254826254826254826254826255% of the time NO extra.dat is even
mentioned. So I exaggerated. You aren't wrong 99% of the time, only ~75% of
the time. You must feel much better about this now.

> >As soon as you demonstrate you can stick with an issue I'll
> >consider it.
>
> Get off your high horse. You're a real piece of work randy.

See, you prove my point. Rather than refute that you can't stick with an
issue long enough to debate it, you prove it by changing the subject again
(see DoJ reference below).
Incidentally, you have to be very small to consider a Shetland Pony a "high
horse" :)

> Btw, since the DoJ found microshit guilty, how's your job future
> looking? Just wondering.

Completely unaffected. Now, if the DoJ were to break up Microsoft I might
have to choose which part to work for, but my job isn't going away anytime
soon. Thanks for asking!

Dmitry Gryaznov

Apr 6, 2000, 3:00:00 AM
Gareth wrote:
>
> "Dmitry Gryaznov" <gr...@dial.pipex.com> wrote in message
> news:38ECE4D2...@dial.pipex.com...
>
> > Not that difficult to achieve by maintaining a database of Message-IDs of the
> > filtered out messages and by then comparing References: header against it.
>
> For every message sent to a news server?

Yep. What's the problem? They are doing a very similar thing routinely anyway:
I mean, searching for the article's Message-ID in the newsserver's database
and rejecting the article if it's already in there. And the ones that do
additional filtering scan all the articles for binary attachments, overquoting,
etc. anyway.

> Besides who decides what is Spam and what isn't. Still, one of the Virus
> Patrol posts (allegedly) had reached a BI>20 (I'm not sure if it was
> cancelled).

Could have happened IF the infected article Virus Patrol was replying to
was cross-posted to too many newsgroups. Then VP would have sent its
warning to exactly the same newsgroups.

> I think that some adverts labelled as Spam are actually relevant and
> helpful - sensibly advertising products relevant to group members. The
> problem for Virus Patrol postings is that they are seen as coming from NAI
> whose *e-mail* Spam policy was (and maybe still is) not too good at all to
> put it mildly.
>
> The question still remains unanswered though: what if Norton, AVP,
> DataFellows, Sophos and a few others decided to launch a public service for
> the Usenet community?

For one thing, it's not that easy to support and maintain. And they'll have
to invest a considerable amount of time and effort to create something similar
to Virus Patrol. I did it on my own out of pure enthusiasm back in 1996 :)

> Microsoft's recent rallying of AV products and companies around an extended
> trial AV solution shows that inter-company cooperation must be possible.

It *is* possible and had been possible long before Microsoft started doing this.
At the researchers level, AV companies have been cooperating and sharing info
since quite a few years ago. That's how CARO was created.

> I
> don't want to labour this point - it's not *that* important - but I'm
> interested in knowing whether or not NAI would provide a link to an
> effective basket of AV products in the Patrol postings instead of being
> quite so self-promoting under the guise of public service?

Well, but it *is* a public service, isn't it? As for including references to
other AV products - I somehow doubt our management would approve. Do any
AV companies have links to their competitors' sites on their Web pages? :)
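
The Message-ID database check Dmitry Gryaznov describes above, sketched as an added example that is not part of any post in this thread and is not Virus Patrol's or any news server's code. The content policy (reject non-plain-text parts and uuencoded bodies), the verdict names and all sample articles are constructed assumptions.

```python
import re
from email import message_from_string

MSGID_RE = re.compile(r"<[^<>\s]+>")
# A uuencoded attachment starts with a line such as "begin 644 name.exe".
UUENCODE_RE = re.compile(r"^begin [0-7]{3,4} \S+", re.MULTILINE)


class FollowupFilter:
    """Server-side filter: duplicate check, content policy, then References check."""

    def __init__(self):
        self.accepted = set()   # Message-IDs stored on this server
        self.filtered = set()   # Message-IDs rejected by the content policy

    @staticmethod
    def violates_policy(msg):
        # Assumed policy: only text/plain parts, and no uuencoded payload.
        for part in msg.walk():
            if part.is_multipart():
                continue
            if part.get_content_type() != "text/plain":
                return True
            if UUENCODE_RE.search(part.get_payload()):
                return True
        return False

    def offer(self, raw_article):
        msg = message_from_string(raw_article)
        msg_id = (msg.get("Message-ID") or "").strip()
        if not msg_id:
            return "malformed"
        # The routine duplicate lookup every server already performs.
        if msg_id in self.accepted or msg_id in self.filtered:
            return "duplicate"
        if self.violates_policy(msg):
            self.filtered.add(msg_id)
            return "filtered"
        # The extra step: compare References: against the filtered database.
        refs = MSGID_RE.findall(msg.get("References", ""))
        if any(ref in self.filtered for ref in refs):
            return "orphaned"
        self.accepted.add(msg_id)
        return "accepted"


def article(msg_id, refs="", ctype="text/plain", body="plain text body"):
    """Build a constructed article with only the headers the filter reads."""
    headers = [f"Message-ID: {msg_id}", f"Content-Type: {ctype}"]
    if refs:
        headers.append(f"References: {refs}")
    return "\n".join(headers) + "\n\n" + body + "\n"


def run_constructed_feed():
    """Feed constructed articles through the filter; return (id, verdict) pairs."""
    feed = [
        # HTML-bodied post, rejected by the assumed policy.
        article("<html1@example.invalid>", ctype="text/html", body="<html></html>"),
        # Plain-text warning that follows up the rejected post.
        article("<warn1@example.invalid>", refs="<html1@example.invalid>"),
        article("<plain1@example.invalid>"),
        article("<reply1@example.invalid>", refs="<plain1@example.invalid>"),
        article("<plain1@example.invalid>"),  # offered a second time
        article("<uu1@example.invalid>", body="begin 644 sample.bin\nM...\nend"),
        # Reply deep in a thread: one ancestor was filtered.
        article("<reply2@example.invalid>",
                refs="<plain1@example.invalid> <uu1@example.invalid>"),
    ]
    server = FollowupFilter()
    results = []
    for raw in feed:
        msg_id = message_from_string(raw)["Message-ID"]
        results.append((msg_id, server.offer(raw)))
    return results


if __name__ == "__main__":
    for msg_id, verdict in run_constructed_feed():
        print(f"{verdict:10} {msg_id}")
```

On a server running this filter, the plain-text warning is dropped together with the article it replies to, so readers there see neither.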

kurt wismer

Apr 6, 2000, 3:00:00 AM
On Thu, 6 Apr 2000, Gareth wrote:

it's too bad you cut what i quoted... serves me right, i should have said
this the first time instead of simply alluding to it...

you stated that servers that filter out binaries "tend" to filter out html
as well... unfortunately that leaves considerable leeway for error if one
were to assume that *all* servers that filter binaries also filter html
and use that assumption to justify the 'targeting' method you've been
suggesting... heaven forbid kak gets through some server that doesn't
follow the trend you've observed and virus patrol doesn't because dmitry
followed your advice and added a small binary to the virus patrol
message...

kurt wismer

Apr 6, 2000, 3:00:00 AM
On Thu, 6 Apr 2000, Gareth wrote:

[snip]


> Microsoft's recent rallying of AV products and companies around an extended
> trial AV solution shows that inter-company cooperation must be possible. I
> don't want to labour this point - it's not *that* important - but I'm
> interested in knowing whether or not NAI would provide a link to an
> effective basket of AV products in the Patrol postings instead of being
> quite so self-promoting under the guise of public service?

what exactly is the point of pointing people towards products if you don't
know the products can detect the virus at hand? virus patrol knows that
virusscan can detect the virus, it doesn't know if sweep or avp, or
f-prot, or any other product can detect the virus...

in fact, giving the impression that product X can handle a particular
threat when it can't is generally frowned upon...

Gareth

Apr 7, 2000, 3:00:00 AM

"Dmitry Gryaznov" <gr...@dial.pipex.com> wrote in message
news:38ED0FE7...@dial.pipex.com...

> For one thing, it's not that easy to support and maintain. And they'll have
> to invest a considerable amount of time and effort to create something similar
> to Virus Patrol. I did it on my own out of pure enthusiasm back in 1996 :)

I didn't realise. Apologies.

Gareth.


Catherine Hampton

Apr 7, 2000, 3:00:00 AM

:> Besides who decides what is Spam and what isn't. Still, one of the Virus
:> Patrol posts (allegedly) had reached a BI>20 (I'm not sure if it was
:> cancelled).

The Breidbart Index (the BI>20 business) is content neutral.
Basically, it is a mathematical formula applied to posts which
labels them spam if a single post is individually posted to more
than 20 newsgroups, or if posts are crossposted beyond a certain
extent, as defined by the formula.

Given this fact, Virus Patrol actually did spam a few times,
because the viruses it was responding to were themselves
spammed, and it responds with an identical message posted to
the same locations as the virus. That means that the response
would also qualify as spam by Breidbart Index standards.

This is one of those cases where a mathematical, content-neutral
definition actually goes astray, in my opinion. :) I do, however,
think that there might be a better way to handle the problem of
virus-infected Usenet posts, one that might make a lot of people
happier....

But it would have to be discussed in news.admin.net-abuse.usenet
first, and a consensus reached that this was an appropriate response
to a threat to the 'Net.

Dmitry -- since you are the original perpetrator of Virus
Patrol ;>, perhaps you should be the one to propose this, if
the idea meets with your approval. If you would like to, I'll
go over to NANAU and support you.

My idea is this: get the approval of the 'Net community to cancel
posts that contain viruses. Then, modify Virus Patrol to do the
following:

1) Cancel posts containing viruses.

2) Post the standard "Virus Patrol" follow-up message.

3) (Now here's the sneaky, brilliant part of this plan)
Cancel your own Virus Patrol follow-up message about
an hour after issuing it, to make sure it propagates
first.

What this should do is get rid of the virus-infected post on
those news systems which allow third-party cancels. For these
systems, your Virus Patrol warnings shouldn't show up (at
least, not for long) because you will have cancelled them.
They will show up for long enough to warn people who might
see a virus-infected post before the cancel nukes it, though.

For those systems that don't accept cancels and that therefore
will continue to have the viruses posted on them, your warnings
will also not be cancelled and will be there to warn people
about the virus-infected posts.

What do people here think about a plan like this? (I'd like
your feedback before anyone proposes it to NANAU.)

--
Catherine Hampton <ar...@tempest.boxmail.com>
Home Page * <http://www.hrweb.org/ariel/>
The Spam Bouncer * <http://www.hrweb.org/spambouncer/>

(Please use this address for replies -- the address in my header
is a spam trap.)

Dmitry Gryaznov

Apr 7, 2000, 3:00:00 AM

Well, I considered cancelling infected posts at the beginning
of Virus Patrol project and then decided against it. I did not
and do not want to be a self-appointed cybercop. You see, there
is a difference between telling someone "Look, the guy who's
just approached you is a known crook. So beware!" and taking
a shotgun and erm... cancelling the crook :) I believe Virus
Patrol provides enough information to newsservers administrators
(the official "cybercops" in the case) for them to cancel the offending
posts and then - to cancel now unnecessary warnings. And actually, this
*is* already happening, AFAICT. In most cases today an article
VP warns about is cancelled pretty soon after the VP warning
goes out. And pretty soon after that the warning itself is also cancelled.
So, at least some newsservers admins are doing this. Hopefully,
in automated way.

OTOH, if the admins indeed officially authorize me to cancel the
infected posts I might consider implementing it... If and when I
have spare time - that's a completely different problem...

Catherine Hampton

Apr 7, 2000, 3:00:00 AM
Dmitry Gryaznov <gr...@dial.pipex.com> wrote:

: Well, I considered cancelling infected posts at the beginning
: of Virus Patrol project and then decided against it. I did not
: and do not want to be a self-appointed cybercop. You see, there
: is a difference between telling someone "Look, the guy who's
: just approached you is a known crook. So beware!" and taking
: a shotgun and erm... cancelling the crook :)

I don't think many of us would equate cancelling a virus-infected
post with cancelling the poster of that post.... (As in, RAID,
you're safe, at least from that.) ;>

What I suggested isn't that you implement this unilaterally,
though, but that we first seek a consensus from the 'Net abuse
community that it is ok to cancel virus-infected posts. That's
exactly what Chris Lewis and most of the people who cancel
Usenet spam did before they started cancelling it -- they sought
a community consensus that this was the right thing to do.
(And got it, after a sometimes uncivil debate that took a long
time.)

THEN, if the net abuse community agreed, you could implement
what I suggested, if (of course) you have the time. So could
other people, of course, but since you've already got working
software, it would probably be easier for you to modify it
than for someone else to write it from scratch.

: Patrol provides enough information to newsservers administrators
: (the official "cybercops" in the case) for them to cancel the offending
: posts and then - to cancel now unnecessary warnings. And actually, this
: *is* already happening, AFAICT.

Exactly. This is what the net abuse community agreed should
be done in this situation, and I'm all for it. What I suggested
could be implemented automatically, though, and would work
much faster, and probably prevent many more users from getting
infected.

: OTOH, if the admins indeed officially authorize me to cancel the
: infected posts I might consider implementing it... If and when I
: have spare time - that's a completely different problem...

Understood. :) If they are willing to authorize this approach,
though, I think most of the 'Net community would be glad to see
something of this type. I certainly would.

ham...@cix.compulink.co.uk

Apr 7, 2000, 3:00:00 AM
gr...@dial.pipex.com (Dmitry Gryaznov) wrote:

> Do any AV companies have links to their competitors' sites on
> their Web pages? :)

Dr Solomon's website used to contain links to competitors' websites in the
Alan Solomon days. I think they were removed when he sold the company. I
seem to recall Alwil included links to competitors - maybe it still does.

We used to get lots of hits from Trend's website as they were linking to
our website for "calm" advice on the Y2K virus issue.

Randy Abrams

Apr 7, 2000, 3:00:00 AM
Catherine Hampton <x...@hrweb.org> wrote in message
news:ses91a9...@corp.supernews.com...

>
> :> Besides who decides what is Spam and what isn't. Still, one of the Virus
> :> Patrol posts (allegedly) had reached a BI>20 (I'm not sure if it was
> :> cancelled).
>
> The Breidbart Index (the BI>20 business) is content neutral.
> Basically, it is a mathematical formula applied to posts which
> labels them spam if a single post is individually posted to more
> than 20 newsgroups, or if posts are crossposted beyond a certain
> extent, as defined by the formula.

They said there wouldn't be any math :)

Saying that the Breidbart is content neutral is identical to saying that the
Breidbart is incapable of reasoning. Fair enough, just take that into
consideration (as I believe you do).

> Given this fact, Virus Patrol actually did spam a few times,
> because the viruses it was responding to were themselves
> spammed,

Huh, whose definition of spam have we adopted here? I think we need to go
back and figure out what we are calling spam.

> and it responds with an identical message posted to
> the same locations as the virus. That means that the response
> would also qualify as spam by Breidbart Index standards.

Obviously Breidbart isn't on the same page as a lot of other people :)

> This is one of those cases where a mathematical, content-neutral
> definition actually goes astray, in my opinion. :)

Cool opinion :)

> I do, however,
> think that there might be a better way to handle the problem of
> virus-infected Usenet posts, one that might make a lot of people
> happier....

I doubt it. I haven't seen that a lot of people are unhappy about the virus
patrol. I guess it depends on what you call "a lot of people".

> But it would have to be discussed in news.admin.net-abuse.usenet
> first, and a consensus reached that this was an appropriate response
> to a threat to the 'Net.

Tee hee hee. Reporting a virus is a threat to the net. I want to be in this
meeting :) You're kidding me aren't you? Will there be a contest to see who
can support the argument that Virus Patrol is a threat to the net for the
longest amount of time without laughing above 90DB? Could you get everyone
on camera, make them take a swig of milk and then listen to the arguments.
The one without milk coming out of their nose wins!

> Dmitry -- since you are the original perpetrator of Virus
> Patrol ;>, perhaps you should be the one to propose this, if
> the idea meets with your approval. If you would like to, I'll
> go over to NANAU and support you.
>
> My idea is this: get the approval of the 'Net community to cancel
> posts that contain viruses. Then, modify Virus Patrol to do the
> following:
>
> 1) Cancel posts containing viruses.

Hmmm.... As much as I'd like to see viruses go away, I see some warning
flags here. Where do you purport that we draw the line? Macro Viruses are
text based. If I put the text of one of these in a message, is that a virus?
Some virus scanners report joke programs as viruses. The makers of Back
Orifice purport that they have a legitimate utility...

I won't say this is insurmountable, but I don't think it's as easy as saying
that Virus patrol says you're a virus so you're not allowed on the net.
Should virus patrol be allowed to cancel an innocent message because of a
false positive. Do you mean to say that I MUST relinquish my ability to read
a message if virus patrol says so? Food for thought...

> 2) Post the standard "Virus Patrol" follow-up message.
>
> 3) (Now here's the sneaky, brilliant part of this plan)
> Cancel your own Virus Patrol follow-up message about
> an hour after issuing it, to make sure it propagates
> first.

And if the first cancel fails, it's better to stop warning people than take
a chance on the initials NAI getting out there?

> What this should do is get rid of the virus-infected post on
> those news systems which allow third-party cancels. For these
> systems, your Virus Patrol warnings shouldn't show up (at
> least, not for long) because you will have cancelled them.
> They will show up for long enough to warn people who might
> see a virus-infected post before the cancel nukes it, though.

They don't show up very long on some systems anyway. I have visibility from
2 to 12 days depending upon which ISP I use...usually about 5.
<snip>

> What do people here think about a plan like this? (I'd like
> your feedback before anyone proposes it to NANAU.)
>

Personally I think that it is the ultimate in irony and fairness that each
and every time Raid or Spanksa's, or anyone else's virus, shows up in virus
patrol they automatically advertise for their heroes at NAI. Serves them
right and shows what hypocrites those who complain about AV are when they
are willing, active, and highly enthusiastic unpaid shills for AV companies!

An eye for an eye, a tooth for a tooth, and an advert for NAI for a virus!
There's biblical justice for you!

Instead of discussing spam with Dmitry, ask the virus writers and who can't
figure out how to keep 10k of code on their own damned computers to quit
spamming the net.

I applaud your efforts Catherine. I mean you no disrespect in the least. I
think there are much more important and prevalent spam issues to deal with
than the question of virus patrol. If warnings that genuinely offer people
protection have to be sponsored with a few lines promoting the company doing
the service, big deal. At least every single virus patrol message is clearly
labeled. You read one, you know the approximate content of all of them.
Virus writers should be so competent.

Arthur Kopp

Apr 7, 2000, 3:00:00 AM
On Fri, 7 Apr 2000 15:20:19 -0700, "Randy Abrams"
<ran...@microsoft.com> wrote:

<snipped to part I want to respond to>

>I won't say this is insurmountable, but I don't think it's as easy as saying
>that Virus patrol says you're a virus so you're not allowed on the net.
>Should virus patrol be allowed to cancel an innocent message because of a
>false positive. Do you mean to say that I MUST relinquish my ability to read
>a message if virus patrol says so? Food for thought...

Therein lies a REAL problem, IMO. I like what Virus Patrol does now
but I don't like giving it the power of cancellation.

Art

Patricia A. Shaffer

Apr 7, 2000, 3:00:00 AM
On Fri, 7 Apr 2000 15:20:19 -0700, "Randy Abrams"
<ran...@microsoft.com> wrote:

>Catherine Hampton <x...@hrweb.org> wrote in message
>news:ses91a9...@corp.supernews.com...
>>
>> :> Besides who decides what is Spam and what isn't. Still, one of the Virus
>> :> Patrol posts (allegedly) had reached a BI>20 (I'm not sure if it was
>> :> cancelled).
>>
>> The Breidbart Index (the BI>20 business) is content neutral.
>> Basically, it is a mathematical formula applied to posts which
>> labels them spam if a single post is individually posted to more
>> than 20 newsgroups, or if posts are crossposted beyond a certain
>> extent, as defined by the formula.
>
>They said there wouldn't be any math :)
>
>Saying that the Breidbart is content neutral is identical to saying that the
>Breidbart is incapable of reasoning. Fair enough, just take that into
>consideration (as I believe you do).
>
>> Given this fact, Virus Patrol actually did spam a few times,
>> because the viruses it was responding to were themselves
>> spammed,
>
>Huh, whose definition of spam have we adopted here? I think we need to go
>back and figure out what we are calling spam.

There is more than one kind of spam ... Catherine is talking about
USENET spam, which is loosely defined as "the same thing, many times",
not about e-mail spam, which is mostly defined as unsolicited
promotional e-mail, but which comes in several flavors. No definition
of spam is content related. The Breidbart index computes points of
similarity in postings and degrees of crossposting and if the equation
comes out to 20 or more, then it declares it "USENET spam". It doesn't
work on e-mail spam because it has no contact with it.

>> and it responds with an identical message posted to
>> the same locations as the virus. That means that the response
>> would also qualify as spam by Breidbart Index standards.
>
>Obviously Breidbart isn't on the same page as a lot of other people :)

Again, the Breidbart Index measures USENET spam. Here's the FAQ entry
from <http://www.cybernothing.org/faqs/net-abuse-faq.html#3.2>

"3.2) What is the Breidbart Index (BI)?

The Breidbart Index (BI) is a measure of the breadth of any
multi-posting, cross-posting, or combination of the two. BI is defined
as the sum of the square roots of how many newsgroups each article was
posted to. If that number approaches 20, then the posts will probably be
cancelled by somebody.

For instance, four identical posts to nine newsgroups each (4 times 3)
has a BI of 12. However, nine identical posts to four newsgroups each (9
times 2) has a BI of 18."

>> This is one of those cases where a mathematical, content-neutral
>> definition actually goes astray, in my opinion. :)
>
>Cool opinion :)
>
>> I do, however,
>> think that there might be a better way to handle the problem of
>> virus-infected Usenet posts, one that might make a lot of people
>> happier....
>
>I doubt it. I haven't seen that a lot of people are unhappy about the virus
>patrol. I guess it depends on what you call "a lot of people".

Well, there was the poster who started this thread, asking why the Virus
Patrol warnings weren't considered spam. That was enough to generate a
fair amount of interest ... and Catherine noted that it was a fair
question (since the determination of spammishness is and must remain
content neutral), and offered a reasonable proposal to insure that the
warnings do not get cancelled in an untimely fashion. Such proposals
are discussed in news.admin.net-abuse.usenet (nanau), where, when a
consensus is obtained, spam-cancel policy is decided. Usenet without
spam-cancels and nocems would be useless for its purpose.

>> But it would have to be discussed in news.admin.net-abuse.usenet
>> first, and a consensus reached that this was an appropriate response
>> to a threat to the 'Net.
>
>Tee hee hee. Reporting a virus is a threat to the net. I want to be in this
>meeting :) You're kidding me aren't you? Will there be a contest to see who
>can support the argument that Virus Patrol is a threat to the net for the
>longest amount of time without laughing above 90DB? Could you get everyone
>on camera, make them take a swig of milk and then listen to the arguments.
>The one without milk coming out of their nose wins!

You missed the point ... spam is content neutral. The Breidbart Index
measures the mathematical sameness and the number of newsgroups that
receive the same postings, and *automatically* kills anything at or over
BI 20. The more viruses that are detected in cross-postings to numerous
newsgroups, the more likely the virus warnings will trigger the
Breidbart Index and be cancelled automatically. If that happens, the
virus-infested postings also have hit BI 20 and would automatically be
cancelled.

I tend to agree with the rest of your points about the cancellation of
the virus-infested posts, and I'll offer another reason for leaving them
alone: I think automatic cancels for "virus" content would make the
average newsgroup readers less cautious, and that they would blame the
Virus Patrol if any viruses were missed (and we all know that new
viruses are not always caught by AV programs).

I suggest that perhaps the virus warnings could be tagged to tell the BI
program to leave them alone, and just let the Virus Patrol go on doing
the great job it does.

--
Patricia

Proud Citizen of the Commonwealth of Virginia
"Anti-spammers are the immune system of the Internet." (CDR M. Dobson)
"The spam wars are about rendering email useless for unsolicited
advertising before unsolicited advertising renders email useless
for communication."(Walter Dnes/Jeff Wynn) Opt-out is cop-out! <http://www.cauce.org>
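
The Breidbart Index calculation discussed in the post above, as an added example that is not part of the original thread. It assumes "identical" means an equal hash of the normalized body and that the cutoff is "at or over BI 20"; the function names, group names and sample articles are constructed for illustration.

```python
import hashlib
import math
from collections import defaultdict
from email import message_from_string


def body_fingerprint(body: str) -> str:
    """Content-neutral identity: hash of the case- and whitespace-normalized body."""
    normalized = " ".join(body.split()).lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def breidbart_index(newsgroup_counts) -> float:
    """BI as quoted in the thread: sum over articles of sqrt(newsgroups posted to)."""
    return sum(math.sqrt(n) for n in newsgroup_counts)


def score_articles(raw_articles, threshold=20.0):
    """Return {fingerprint: (BI, flagged)} for a batch of raw articles."""
    counts = defaultdict(list)
    for raw in raw_articles:
        msg = message_from_string(raw)
        groups = {g.strip() for g in msg.get("Newsgroups", "").split(",") if g.strip()}
        if groups:  # skip malformed articles with no Newsgroups header
            counts[body_fingerprint(msg.get_payload())].append(len(groups))
    result = {}
    for fp, per_article in counts.items():
        bi = breidbart_index(per_article)
        result[fp] = (bi, bi >= threshold)  # assumed cutoff: "at or over BI 20"
    return result


def make_article(groups, body):
    """Build a minimal constructed article (headers are sample values)."""
    return (f"From: poster@example.invalid\nNewsgroups: {','.join(groups)}\n"
            f"Subject: sample\n\n{body}\n")


def sample_batch():
    """Constructed batch: a multi-posted attachment, its warnings, one crosspost."""
    infected = [make_article([f"example.group{i}"], "binary attachment body")
                for i in range(25)]
    warnings = [make_article([f"example.group{i}"], "Warning: the post above is infected")
                for i in range(25)]
    crosspost = [make_article([f"example.topic{i}" for i in range(9)], "a question")]
    return infected + warnings + crosspost


if __name__ == "__main__":
    for fp, (bi, flagged) in score_articles(sample_batch()).items():
        print(fp[:12], f"BI={bi:.1f}", "over threshold" if flagged else "ok")
```

Because the score never inspects what a body says, the 25 constructed warnings reach the same BI as the 25 posts they answer, while the single nine-group crosspost scores 3.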

Anthony Simek

Apr 7, 2000, 3:00:00 AM
Usenet was founded on commercial bucks. What's the problem? This
technology isn't free buddy.

"Gareth" <nospam_so...@gjd398.com> wrote in message
news:8cdo4b$mp2$1...@lure.pipex.net...
> I've seen "Virus Patrol" postings from NAI in quite a few newsgroups. These
> posts announce the discovery of viruses within binary postings to the group.
> This may be helpful but the posts include *heavy* advertising for Dr
> Solomons. They're basically adverts. Here's part of the ad section from one
> of the posts:
>
> "You can download a free evaluation (yet fully functional) copy of
> the latest released version of Dr Solomon's FindVirus/VirusScan from
> the following locations:
>
> WWW: http://www.nai.com/download/downloads
> FTP: ftp://ftp.nai.com/pub/antivirus
> CompuServe: GO DRSOLOMON or GO MCAFEE
> AOL: SAFETYONLINE
>
> IMPORTANT! The virus has been detected by the latest IN-HOUSE version of
> Dr Solomon's FindVirus/VirusScan. As new viruses and trojans appear at the
> rate of several hundreds a month, the latest RELEASED version of
> FindVirus/VirusScan might be unable to detect this particular virus. If you
> have downloaded the above file and your copy of FindVirus/VirusScan does not
> detect the virus in it, contact Dr Solomon's Technical support and ask for
> the extra driver to detect the WScript virus.
>
> --
> Dr Solomon's Virus Patrol UK Support: sup...@drsolomon.com
> NAI Total Virus Defense US Support: sup...@nai.com
> WWW: http://www.nai.com/products/antivirus UK Tel: +44 (0) 1296 318700
> CompuServe: GO DRSOLOMON USA Tel: +1 408 988-3832"
> =====
>
> Sorry if this is repeating what people already know but I'm just curious
> about these posts. Although they may be helping some people it is basically
> spam - what if every other AV company (AVP, Norton, Sophos and so on) was to
> do the same.
>
> It also isn't a very sensible method of alerting people. Many servers filter
> out inappropriately posted binary posts (to non-binary groups) anyway. Many
> of these "Virus Patrol" posts have been sent to non-binary groups increasing
> marketing coverage for NAI but not really focussing on the extent of the
> problem - a quick(ish) Dejanews search shows a large amount of these
> postings. If NAI was sensible adding a smallish binary addition to the
> "Virus Patrol" warning would make sure that it reached only the relevant
> groups.
>
> These NAI posts are just basically spam masquerading as a public service
> announcement.
>
> Gareth.
>
>

Catherine Hampton

Apr 8, 2000, 3:00:00 AM
Randy Abrams <ran...@microsoft.com> wrote:

:> The Breidbart Index (the BI>20 business) is content neutral.
:> Basically, it is a mathematical formula applied to posts which
:> labels them spam if a single post is individually posted to more
:> than 20 newsgroups, or if posts are crossposted beyond a certain
:> extent, as defined by the formula.

: They said there wouldn't be any math :)

Then they lied. :> The Breidbart Index works well in most cases,
in my opinion, because it's a mathematically based and content-
free standard. That means, post too many copies of the same thing
and you're spamming. We don't care if your post tells us all how
to MAKE*MONEY*FAST or that you need to accept Buddha as your
personal savior or whatever. <wry grin>

If you get into arguing about content, the arguments can go on
forever.

However, when you're facing a threat to users and the 'Net
itself, like certain viruses pose, you may also need to bend
the rules a bit. IMHO this is one of those situations.

: Saying that the Breidbart is content neutral is identical to saying that the
: Breidbart is incapable of reasoning. Fair enough, just take that into
: consideration (as I believe you do).

Precisely. And, in most cases, it works -- the necessary
reasoning was done before the standard was developed.

:> Given this fact, Virus Patrol actually did spam a few times,
:> because the viruses it was responding to were themselves
:> spammed,

: Huh, whose definition of spam have we adopted here?

As I said, by BI>20 standards. You may disagree, but if Virus
Patrol does what it was designed to do and responds to 20 or
more identical copies of a spammed virus with 20 or more
identical posts warning about the virus-infected spam, it is
=technically= also spam.

Of course, someone who breaks a window to escape a burning
building may also technically be guilty of vandalism. We
count on human common sense to recognise exceptions to the
rule.

: I doubt it. I haven't seen that a lot of people are unhappy about the virus
: patrol. I guess it depends on what you call "a lot of people".

There have been a lot of people complaining about it over in
news.admin.net-abuse.usenet for some time, but I actually wasn't
thinking of them. I was thinking of people who would prefer
to have the viruses cancelled outright, so they don't risk
getting infected before they see the Virus Patrol warning.

: Tee hee hee. Reporting a virus is a threat to the net. I want to be in this
: meeting :) You're kidding me aren't you?

No, you need to reread my message when you haven't been up since
O-dark-thirty working for Mr. Gates. I was referring to viruses
as a threat to the net, NOT to reporting them. :>

: Hmmm.... As much as I'd like to see viruses go away, I see some warning
: flags here. Where do you purport that we draw the line? Macro Viruses are
: text based. If I put the text of one of these in a message, is that a virus?
: Some virus scanners report joke programs as viruses. The makers of Back
: Orifice purport that they have a legitimate utility...

That's why you need a discussion and agreement from the abuse
community first, to hash out issues like this. IMHO anything
that can infect my computer and modify my hard disk without my
permission or knowledge should be cancellable except in a
newsgroup specifically for posting viruses, assuming such a thing
exists.

If someone wants to post a macro virus, let them modify or comment
out a few characters so that it can't actually infect anyone until
the user modifies it to "activate" it. Then we can let it alone.

:> 3) (Now here's the sneaky, brilliant part of this plan)
:> Cancel your own Virus Patrol follow-up message about
:> an hour after issuing it, to make sure it propagates
:> first.

: And if the first cancel fails, it's better to stop warning people than take
: a chance on the initials NAI getting out there?

Huh? Where'd you get this? If the first cancel fails, that
would normally be because a site doesn't accept cancels. If
that happens, then the second cancel will also fail.

But, as Dmitriy pointed out, the system administrators at the
sites where viruses are posted are already cancelling their
virus-infected posts, and then the Virus Patrol warning.
As that appears to be working, maybe it isn't worth the extra
effort to develop a standard to make it faster and automatic.

But maybe it is....

: Personally I think that it is the ultimate in irony and fairness that each
: and every time Raid or Spanksa's, or anyone else's virus, shows up in virus
: patrol they automatically advertise for their heroes at NAI. Serves them
: right and shows what hypocrites those who complain about AV are when they
: are willing, active, and highly enthusiastic unpaid shills for AV companies!

ROFL! Not a bad way of looking at it.... :>

William Thomas Quick

Apr 8, 2000, 3:00:00 AM
On Fri, 7 Apr 2000 23:04:22 -0700, "Anthony Simek"
<dislik...@uswest.net> wrote:

>Usenet was founded on commercial bucks.

Wrong.

Usenet was created in 1979, with connections among Duke, Duke Medical
School, and the University of North Carolina, using Unix shell scripts
written by, among others, grad students Tom Truscott, Jim Ellis, and
Steve Bellovin.

Bill

William Thomas Quick : Iceberg Productions
ice...@iw3p.com : http://www.iw3p.com
Science Fiction Writers of America : The Authors Guild
Writers Guild of America, West
http://www.iw3p.com/pgp.htm for PGP Public Key

Gareth

Apr 8, 2000, 3:00:00 AM

"Randy Abrams" <ran...@microsoft.com> wrote in message
news:e4$oyEOo$GA.260@cpmsnbbsa04...

> Tee hee hee. Reporting a virus is a threat to the net. I want to be in this
> meeting :) You're kidding me aren't you? Will there be a contest to see who
> can support the argument that Virus Patrol is a threat to the net for the
> longest amount of time without laughing above 90DB? Could you get everyone
> on camera, make them take a swig of milk and then listen to the arguments.
> The one without milk coming out of their nose wins!

The point is that Virus Patrol posts contain advertising. The question then
is this: what if every big AV producer decided to start a system similar to
Virus Patrol? Would replication of alerts then be considered a problem? I
think if NAI continues to claim that their "service" is a public service
(which it is) then they have to be consistent and move towards a less
exclusive advert approach. If Microsoft can rally AV producers around an
extended free trial then it shouldn't be too difficult for a less exclusive
solution web link to be contained within Patrol postings in addition to the
advert.

Gareth.


Frederic Bonroy

Apr 8, 2000, 3:00:00 AM
Catherine Hampton wrote:

> 1) Cancel posts containing viruses.

Take a look at the message that started a thread somewhat earlier. Besides Kak
(which was reported by Virus Patrol), it also contained a request for help.
Some malware attaches itself to outgoing news messages.... how can we help such
people if we cancel their messages?

Or did I miss something?

Nick FitzGerald

Apr 8, 2000, 3:00:00 AM
Nick FitzGerald <ni...@virus-l.demon.co.uk> wrote:

> Raid Slam <soho20N...@hotmail.com.invalid> wrote:
>
> > You don't? The IN HOUSE version (not the one available for
> > download) is the one that detects the viruses, and announces this
> > with a huge advertisement for Dr Solomons (NAI). It does this
> > regardless if the group is even a binaries group or not. At the
> > very least, you could say the posts from it are off topic and
> > against netiquette. It might be different if it was the version
> > people had access to, but it's the special in house version. And
> > you have to obtain an extra.dat file from mcafee in order to
> > detect the "virus" it's alerting you to in the first
>
> Randy has already elegantly shown this claim of yours is
> equal to the usual pile of excrement that oozes from your
> posts. Your response to Randy's rebuttal once again
> illustrates your legendary inability to comprehend the
> most basic rules of debating engagement, and your complete
> lack of a clue as to the rules of logic and relevance.

<<snip>>

Come on Raid -- why haven't you made one of your typically
banal, pointless, thread-missing comebacks to this post?

Too elegant for you to even come up with a single banality?

Maybe it's true what I hear about you losing your grip...


--
Nick FitzGerald

Ian Whalley

Apr 8, 2000, 3:00:00 AM
Dmitry Gryaznov <gr...@dial.pipex.com> wrote:
>Well, I considered cancelling infected posts at the beginning
>of Virus Patrol project and then decided against it. I did not
>and do not want to be a self-appointed cybercop. You see, there
>is a difference between telling someone "Look, the guy who's
>just approached you is a known crook. So beware!" and taking
>a shotgun and erm... cancelling the crook :) I believe Virus
>Patrol provides enough information to newsservers administrators
>(the official "cybercops" in the case) for them to cancel the offending
>posts and then - to cancel now unnecessary warnings. And actually, this
>*is* already happening, AFAICT. In most cases today an article
>VP warns about is cancelled pretty soon after the VP warning
>goes out. And pretty soon after that the warning itself is also cancelled.
>So, at least some newsservers admins are doing this. Hopefully,
>in automated way.

For what it's worth, I have also campaigned in the past *against*
giving Virus Patrol the power of cancellation.

Cancellation is a bad thing -- for one thing, it doesn't work (the
post never disappears from all news servers, and some don't even
implement it). And as Dmitry says (and as I have said in the past),
giving a program the power to cancel posts that it doesn't like the
look of (in Virus Patrol's case, because it thinks there's a virus) is
a serious step.

Quite apart from the fact that Virus Patrol suffers false positives.
Albeit comparatively rarely, it does suffer false positives, and this
would result not only in an erroneous warning message being posted,
but also in an erroneous cancellation message being generated.

Has anyone been sued for erroneous Usenet message cancellation? It's
surely only a matter of time before some legal-type gets to try it.


>OTOH, if the admins indeed officially authorize me to cancel the
>infected posts I might consider implementing it... If and when I
>have spare time - that's a completely different problem...

But there are no 'admins' :-). And (the separate problem) no spare
time...

Best;

inw

--
Ian Whalley
<first name> @ <last name> . org

Randy Abrams

Apr 10, 2000, 3:00:00 AM

Gareth <nospam_so...@gjd398.com> wrote in message
news:8cmnos$akp$1...@lure.pipex.net...
>
<snip>

> exclusive advert approach. If Microsoft can rally AV producers around an
> extended free trial then it shouldn't be too difficult for a less exclusive
> solution web link to be contained within Patrol postings in addition to the
> advert.
>
Apples and oranges here. Microsoft didn't have to do much rallying. You ask
an AV marketroid if they want visibility for their product on Microsoft.com
and it's a no brainer. This is a world apart from dictating, or even
suggesting news post content.
It isn't difficult for a different solution. If Dmitry wants to change his
message, it's his and he can. If Dmitry doesn't want to, I don't have any
problem with it.

Gareth

Apr 11, 2000, 3:00:00 AM

"Randy Abrams" <ran...@microsoft.com> wrote in message
news:u7#ZKowo$GA.90@cpmsnbbsa04...

> Apples and oranges here. Microsoft didn't have to do much rallying. You ask
> an AV marketroid if they want visibility for their product on Microsoft.com
> and it's a no brainer.

Sometimes it's hard to see the apples for the trees ;-) Good point!

Gareth.
