getting rid of outbreaks and spam (junk) [WAS: Re: RFC: virus handling]
From: Gadi Evron (ge_at_linuxbox.org)
Date: Tue, 03 Feb 2004 11:11:33 +0200 To: firstname.lastname@example.org
There were some good ideas in this thread, so I would do my best not to
repeat any of them and perhaps to look at a couple of points from a
different angle. I will try and be very critical, please do not take it
the wrong way.
This may look like a rant, but it really isn't. Please bare with me? :)
1.It is clear that as notifications are today, they are *mostly* plain
and simple spam. Why do I believe that?
Since they usually contain information regarding getting a brand new AV,
but not about the virus or how to get cleaned.
2. In a broader view, notifications ARE currently the problem rather
than a solution. I got thousands of Mydoom.A. I also got X10 times that
in AV notifications. Can we truly afford the extra-slowdown to the
Internet when a major outbreak is out? A mini-outbreak can turn into a
massive one due to AV notifications alone.
Doesn't make any sense beyond the marketing idea, and we all see how
malware spoofs email addresses. Hence why I call it spam.
3. I think we look at the whole problem in the wrong way, allow me to
The AV industry is built on reaction rather than prevention. Adding new
signatures is still the #1 tool in the fight against malware.
With spam and mass mailers clogging the tubes, causing us all to waste
money on bigger tubes, as well as our time dealing with the annoyance
(more money), shouldn't the problem be solved there (at the main tubes
themselves) rather than at the end user's desktop?
If backbones filtered the top-10 current outbreaks, with non-intrusive
means such as for example running MD5 checksum checks against
attachments, or whatever other way - wouldn't it be better? True, it may
cause a cry of "the government spies on us, but with the current
economic troubles outbreaks cause, can we really use that excuse
anymore? Doesn't the police regulate speeding?
If I were to take the conspiratorial side, perhaps backbones like it
when people pay for tubes they don't need, which are used to deliver 90%
There are enough solutions out there for spam and malware, they are
mostly not being implemented for different political and commercial reasons.
Nobody wants to deal with "you are reading my mail!" or with "sorry, now
people will pay for smaller tubes", perhaps even at the ISP level - "why
should I pay for more filtering when it isn't demanded of me?".
They are right, it isn't currently demanded of them.
I would like to refer you to SpamCop (when it comes to spam) or
MessageLabs (for malware), it works. But you need to pay to get (most
of) their services.
4. As far as the IP-ADDRESS@isp goes, it IS a good idea, but not a very
practical one in my opinion. Allow me to explain why.
First, the obvious reason against it would be how easy this will make
Second, we need to remember that most of the DDoS attacks happening
these days on the Internet are the cause of Drone Armies. Thousands upon
thousands of machines infected with a Trojan horse that work for
spamming the Internet or conducting cyber-"battles".
Many times we see tens of thousands of infected users, and we try and
clean them remotely (we used to connect directly and remove the
backdoor, but then we realized the legal problems with this approach).
Nowadays we "play" the controllers, find the control commands and
passwords and remove the drone armies from where they echo to, such as
an IRC channel.
The problem with this approach, which is a never-ending fight (you know
how many times a minute you can get scanned on Cable/DSL IP ranges, how
many other people are not protected?) is that the users, although now
"clean", will soon show up with yet another Trojan horse, re-infected
and used as a tool of war against different "groups", for spam or maybe
to blackmail corporations.
Although completely not practical, a way to contact users (or ISP's,
isn't that how it works?) by IP address would help a lot. But that would
be circumventing the real problem which is ISP's not doing much about
ABUSE REPORTS or USER SECURITY.
We all kept talking about anything from spam reporting, to ISP's
preventing their own users from performing illegal activity, the whole
issue of asking ISP's to do anything is simply wrong. It is not
ECONOMICAL for them to do so unless the law dictates it.
5. Drifting a bit from the original subject at hand, we can go on
forever discussing the problems with the net, such as spam, malware or
ISP's not caring. The issue is how do we do one of the following:
- Make ISP's care (enforcing new laws?).
- Employ limited solutions on the backbones (spam filtering? malware
We are reaching a place where 80-90% of the traffic is junk, it may be
economic but do we really want to stay there?
There is no magic cure, and Every possible solution would have problems,
Nothing is perfect. I don't understand why the biggest problems of the
Internet should be commercialized and thus become static, rather than
Obviously again, solving the problems is not easy, and nothing is
trivial - I just don't see that any solution that may work gets
implemented or tried.
My 2K bucks.