Re: getting rid of outbreaks and spam (junk) [WAS: Re: RFC: virus handling]

From: Georg Schwarz (geos_at_epost.de)
Date: 02/04/04

  • Next message: langtuhaohoa caothuvolam: "Re: BUG IN APACHE HTTPD SERVER 2.0.47/48 (to who replied me)"
    To: Gadi Evron <ge@linuxbox.org>
    Date: Wed, 4 Feb 2004 21:04:41 +0100 (CET)
    
    

    > 2. In a broader view, notifications ARE currently the problem rather
    > than a solution.

    agreed, for the following reason: it is absolutely trivial to automatically
    detect any MS Windows/DOS executable or script in an attachment to an
    email (that is what a large number of virii are made of). Simply deleting all
    such mail greatly reduces the number of of unwanted emails in times of
    new virus outbreaks (and we are definitely to see quite a few of them in
    the months ahead... it is apparently so easy to fool many people into
    executing such programs on their PCs). I find it hard to think of a legitimate
    reason to have such attachments anyway, so throwing away such mail will not
    be a loss to many if not most users (your milage my vary of course).

    This however leaves open three types of virus-related emails:

    - bounces of virus-sent emails that used your email address as a fake sender
    address.

    - notifications of email scanners as a result of virii using your email address
    either as a sender or as a recipient address.

    - virus-infected (or rather -generated) email which on some intermediate host
    was scanned and stripped of the viral attachment (so the above-mentioned
    detection no longer catches it). Such mail has become "harmless" but annoying
    spam.

    I do not know whether there is anything in general to do about the first type
    of mails.
    For the second one it is clear that nowadays notifications do much
    more harm that good, so I hope email scanning software authors and users
    will disable that feature (probably most people that employ such software are
    unaware or ignorant about the effects of that feature :-(). You can start
    filtering such messages, but it is hard because there is not a really simple
    criterion to automatically detect them. Any suggestions?
    For the third type of emails more or less the same is true. Such filters that
    remove the virus but let pass the remaining "spam" body parts also do more
    harm than good. Today it is save to assume that virus-infected mail is
    virus-generated mail and thus can and should be killed off altogether.

    Since I am pesimistic regarding a change in email scanners' behavior I
    would welcome any suggestion for better filtering these types of unwanted
    emails.

    >
    > The AV industry is built on reaction rather than prevention. Adding new
    > signatures is still the #1 tool in the fight against malware.

    yes, and it is a loosing battle (for the user, not for that industry that
    is, of course).

    > With spam and mass mailers clogging the tubes, causing us all to waste
    > money on bigger tubes, as well as our time dealing with the annoyance
    > (more money), shouldn't the problem be solved there (at the main tubes
    > themselves) rather than at the end user's desktop?

    since the problem after all is at the end user's desktop desktop, I think
    it is only there where it can be solved. Anything else is just mitigating the
    symptoms (which can of course improve the situation).

    >
    > If backbones filtered the top-10 current outbreaks, with non-intrusive
    > means such as for example running MD5 checksum checks against
    > attachments, or whatever other way - wouldn't it be better? True, it may
    > cause a cry of "the government spies on us, but with the current
    > economic troubles outbreaks cause, can we really use that excuse
    > anymore? Doesn't the police regulate speeding?

    the true problem is that malware authors apparently are able to execute
    arbitary code on (many) other people's systems and can thus use that for
    all kind of criminal business. Filtering, whether done on servers or in
    backbones, will not stop that. Such filters will easily be circumvented.
    I am sure once such scanners are out clever programmers will find a way
    to produce viral code that passes them undetected. Just as with today's
    scanners they can only react to known incidents. So I think it would not
    make a real difference where scanning occurs.

    > - Make ISP's care (enforcing new laws?).

    I would rather say: make users care. I know it is a rather weak analogon,
    but if anyone commits a crime using your car, your weapon, your whatsover
    and it turns out that you have made this possible by grossly neglecting
    secure deposit of that device I am sure that in many coutries you can be
    held liable to some degree. This should put pressure from consumers on
    device (PC) vendors to take security of their products more serious.

    > We are reaching a place where 80-90% of the traffic is junk, it may be
    > economic but do we really want to stay there?

    since it in fact is an economic problem only economic (monetary) meassures
    will lead to a solution, which here means being held liable for damage
    caused by hooking up (or one step further, selling) systems that grossly
    undermine network security.
    Computer virii are no god-given thing (although the mere term might make
    many people think so), they are a result of neglected security in a networked
    world both with respect to device/software design and user behavior.

    -- 
    Georg Schwarz    http://home.pages.de/~schwarz/
     geos@epost.de     +49 177 8811442
    

  • Next message: langtuhaohoa caothuvolam: "Re: BUG IN APACHE HTTPD SERVER 2.0.47/48 (to who replied me)"