Comment: No escape from tide of spam

19 May 2004

Virus alerts are the new spam. Think about it – chances are, sometime this week you received a message telling you that a mail bearing your address with a suspect attachment was sent to some third party. A fair portion of the rubbish I delete daily is in the form of emails telling me that I’m sending malicious emails to people I don’t even know, trying to infect their systems. Not guilty, your honour.

The messages themselves are legitimate — the senders believe that I’ve been doing something I shouldn’t and are contacting me in good faith. But they’re also plain wrong. Spoofing the headers in email is not big and it’s not clever, but it’s easy to do and these days it’s commonplace among virus and worm writers. Its effect is to divert attention away from the real culprits, plus it bungs up our networks in the process.

(As a separate but related point, have you noticed how the trend among malware is less about messing up an individual system, fun and all though that might be if you’re that way inclined. Instead, the purpose has become less noticeable but much more insidious, creating back doors into computers, to be exploited at a later date. It almost makes the recent Sasser outbreak something of a nostalgia trip, a throwback to the time when viruses mucked around with your computer and gave it a good kicking.)

As part of their propagation process, worms will often forge your email address, a process known as ‘spoofing’. It’s another piece of social engineering, aimed at making recipients more likely to open the mail. At this point, the cavalry rides in. Enter, stage left, the dutiful antivirus providers. Their role in this fiasco reminds me of the FBI in the movie Die Hard: theoretically there to do good, they totally misread the situation and their actions play into the hands of the bad guys.

Here’s how it goes: the security firms can generally be relied on to start sending a raft of sternly worded emails to the effect that “you sent my client a virus”. What purpose does this serve, really? It completely ignores the fact that your address was most likely spoofed and you were not the real sender. It’s a waste of everybody’s time.

Such attacks are hassle for internet service providers (ISPs) as they have to carry all this extra traffic — and if they are responsible they will generally monitor and screen it too. It’s a huge headache and shows that the antivirus industry and the ISPs aren’t always singing from the same hymn sheet.

What it all leads to is that the volume of email on the internet goes up exponentially. With a sufficiently widespread and concerted attack — and we’ve already seen a couple of good attempts this year alone — the internet’s infrastructure could well buckle under the strain. Some security experts reckon this is the real point of the exercise.

All of which relates back to a quote in these pages last month, when Bill Gates said that caller ID for email is critical to security. He’s right: tackle that and the problem of spoofed email goes away. Part of the reason why faked addresses are part and parcel of worm outbreaks is because it’s too easy not to do. Industry watcher Gartner recently echoed Gates’ sentiments; authentication is the way to go if we want to reclaim our email inboxes.

They used to say, “On the internet, no one knows you’re a dog”. Those days could soon be over, Rover.

By Gordon Smith