getting rid of outbreaks and spam (junk) [WAS: Re: RFC: virus handling]

From: Gadi Evron (
Date: 02/03/04

  • Next message: James C. Slora Jr.: "Re: RFC: virus handling"
    Date: Tue, 03 Feb 2004 11:11:33 +0200

    There were some good ideas in this thread, so I would do my best not to
    repeat any of them and perhaps to look at a couple of points from a
    different angle. I will try and be very critical, please do not take it
    the wrong way.

    This may look like a rant, but it really isn't. Please bear with me? :)

    1. It is clear that as notifications are today, they are *mostly* plain
    and simple spam. Why do I believe that?

    Since they usually contain information regarding getting a brand new AV,
    but not about the virus or how to get cleaned.

    2. In a broader view, notifications ARE currently the problem rather
    than a solution. I got thousands of Mydoom.A. I also got X10 times that
    in AV notifications. Can we truly afford the extra-slowdown to the
    Internet when a major outbreak is out? A mini-outbreak can turn into a
    massive one due to AV notifications alone.
    Doesn't make any sense beyond the marketing idea, and we all see how
    malware spoofs email addresses. Hence why I call it spam.

    3. I think we look at the whole problem in the wrong way, allow me to

    The AV industry is built on reaction rather than prevention. Adding new
    signatures is still the #1 tool in the fight against malware.

    With spam and mass mailers clogging the tubes, causing us all to waste
    money on bigger tubes, as well as our time dealing with the annoyance
    (more money), shouldn't the problem be solved there (at the main tubes
    themselves) rather than at the end user's desktop?

    If backbones filtered the top-10 current outbreaks, with non-intrusive
    means such as for example running MD5 checksum checks against
    attachments, or whatever other way - wouldn't it be better? True, it may
    cause a cry of "the government spies on us", but with the current
    economic troubles outbreaks cause, can we really use that excuse
    anymore? Don't the police regulate speeding?

    If I were to take the conspiratorial side, perhaps backbones like it
    when people pay for tubes they don't need, which are used to deliver 90%

    There are enough solutions out there for spam and malware, they are
    mostly not being implemented for different political and commercial reasons.

    Nobody wants to deal with "you are reading my mail!" or with "sorry, now
    people will pay for smaller tubes", perhaps even at the ISP level - "why
    should I pay for more filtering when it isn't demanded of me?".

    They are right, it isn't currently demanded of them.

    I would like to refer you to SpamCop (when it comes to spam) or
    MessageLabs (for malware), it works. But you need to pay to get (most
    of) their services.

    4. As far as the IP-ADDRESS@isp goes, it IS a good idea, but not a very
    practical one in my opinion. Allow me to explain why.

    First, the obvious reason against it would be how easy this will make
    spammers' lives.

    Second, we need to remember that most of the DDoS attacks happening
    these days on the Internet are the cause of Drone Armies. Thousands upon
    thousands of machines infected with a Trojan horse that work for
    spamming the Internet or conducting cyber-"battles".

    Many times we see tens of thousands of infected users, and we try and
    clean them remotely (we used to connect directly and remove the
    backdoor, but then we realized the legal problems with this approach).

    Nowadays we "play" the controllers, find the control commands and
    passwords and remove the drone armies from where they echo to, such as
    an IRC channel.

    The problem with this approach, which is a never-ending fight (you know
    how many times a minute you can get scanned on Cable/DSL IP ranges, how
    many other people are not protected?) is that the users, although now
    "clean", will soon show up with yet another Trojan horse, re-infected
    and used as a tool of war against different "groups", for spam or maybe
    to blackmail corporations.

    Although completely not practical, a way to contact users (or ISP's,
    isn't that how it works?) by IP address would help a lot. But that would
    be circumventing the real problem which is ISP's not doing much about

    We all kept talking about anything from spam reporting, to ISP's
    preventing their own users from performing illegal activity; the whole
    issue of asking ISP's to do anything is simply wrong. It is not
    ECONOMICAL for them to do so unless the law dictates it.

    5. Drifting a bit from the original subject at hand, we can go on
    forever discussing the problems with the net, such as spam, malware or
    ISP's not caring. The issue is how do we do one of the following:
    - Make ISP's care (enforcing new laws?).
    - Employ limited solutions on the backbones (spam filtering? malware
    We are reaching a place where 80-90% of the traffic is junk, it may be
    economic but do we really want to stay there?

    There is no magic cure, and every possible solution would have problems;
    nothing is perfect. I don't understand why the biggest problems of the
    Internet should be commercialized and thus become static, rather than

    Obviously again, solving the problems is not easy, and nothing is
    trivial - I just don't see that any solution that may work gets
    implemented or tried.

    My 2K bucks.

            Gadi Evron.
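The message above proposes two things a mail gateway could do: match attachments against checksums of the current outbreaks (point 3), and stop sending AV "notifications" to a From: address that the worm forged in the first place (point 2). The following is an added illustration of both, written for this page and not code from the original post or from any product mentioned in it. It assumes a hypothetical block list feed (here a single constructed sample), a constructed MIME message built with Python's standard `email` package, and made-up attachment bytes; no real malware hashes appear. It also shows the caveat a practitioner would raise against a pure hash filter: a one-byte change to the attachment produces a different digest, so the list only ever catches the exact files it already knows.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed stand-in for a worm executable. A real gateway would take its
# digests from an AV vendor or threat feed; these bytes are made up for the
# example and match nothing real.
WORM_PAYLOAD = b"MZ\x90\x00constructed-mass-mailer-sample\x00"

# A "variant": the same bytes with one byte appended. Any change to the file
# changes its digest, so an exact-hash block list misses it until the feed
# is updated with the new sample.
VARIANT_PAYLOAD = WORM_PAYLOAD + b"\x00"


def digest(data: bytes) -> dict:
    """MD5 (the checksum the thread mentions) and SHA-256 of one attachment."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Hypothetical block list entry, keyed on the constructed sample above.
BLOCKED_SHA256 = {digest(WORM_PAYLOAD)["sha256"]}


def build_sample(payload: bytes, sender: str = "someone@example.net") -> bytes:
    """Assemble a constructed RFC 5322 message carrying `payload` as an
    attachment. Mass mailers put a harvested address in From:, so `sender`
    is not the owner of the infected machine."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "gateway-user@example.com"
    msg["Subject"] = "hello"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(
        payload,
        maintype="application",
        subtype="octet-stream",
        filename="document.scr",
    )
    return msg.as_bytes()


def scan_message(raw: bytes) -> dict:
    """Hash every attachment of one raw message and return a gateway verdict.

    The verdict never requests a bounce or notification to the From: address:
    on a mass-mailer hit that address is almost certainly forged, so a
    notification would only be backscatter to an uninvolved third party."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        body = part.get_payload(decode=True)
        if body is None:
            continue
        d = digest(body)
        if d["sha256"] in BLOCKED_SHA256:
            hits.append({"filename": part.get_filename(), **d})
    if hits:
        return {"action": "quarantine", "notify_from_address": False, "hits": hits}
    return {"action": "deliver", "notify_from_address": False, "hits": []}


if __name__ == "__main__":
    # The known sample is quarantined silently; the one-byte variant passes.
    print(scan_message(build_sample(WORM_PAYLOAD)))
    print(scan_message(build_sample(VARIANT_PAYLOAD)))
```

The design choice worth noting is that `scan_message` has no code path that emails anyone about a hit: quarantine and log, never notify the envelope or header sender. The variant case is why hash lists on a backbone can only ever be a first, cheap filter behind something that looks at behaviour or structure of the attachment.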
