Anti-Virus Outfits as Dastardly Spammers
Some recent viruses I’ve written about here are smart enough to create their own artificial sender e-mail addresses—by harvesting name pieces and domain name pieces separately, then combining them at random. Some spoof the sender’s address completely, by harvesting sender addresses as well as recipient addresses from address books, Web pages, and other likely files on infected machines. These include the MyDoom and Mimail variants that have been so active recently.
But spoofed sender addresses create another insidious problem, one that arises when anti-virus or content screening software detects an infected message. In an effort to demonstrate its benefits and capabilities, such software routinely sends a message to both the sender and recipient informing them that an infected message has been blocked, and providing pointers to more information about the software that performed this presumably wonderful service.
Why is this a problem? There are at least two reasons why this is not an unmixed blessing. For one thing, when an active virus, like the mass-mailing worms mentioned in the first paragraph of this story, breaks loose, it generates huge message volumes all by itself. When screening software adds to this volume by reporting on its activity, it takes an already bad problem of bandwidth lost to illegitimate or unwanted traffic and makes it worse by inflating those volumes with virus reports. Best case, when both sender and recipient are copied on the same message, it doubles message traffic. When messages have multiple recipients, message volume increases to match.
For another thing, the viruses mentioned synthesize sender addresses, so many people who receive screening service notifications that amount to “Hey! You sent an infected message…” didn’t actually do so, nor are they necessarily infected. But receiving such messages certainly does add some excitement (or stress, alas) to one’s inbox.
Anti-virus and content screening vendors need to consider the impact of traffic they generate automatically, especially when the volumes of traffic involved are already high. Hopefully, these vendors will police themselves and build automatic throttles or controls into their software, so that when viruses proliferate, especially using harvested addresses, no ‘doubling up’ from screening servers occurs.
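One way a screening gateway could apply the throttles and controls called for above, as an added sketch that is not taken from any vendor's product: it skips the sender notice for families known to forge sender addresses and caps total notices per time window. The class name, the family list and the sample addresses are all hypothetical.

```python
import time
from collections import deque

# Families this article names as forging sender addresses. A real gateway
# would take this flag from its scanner's signature metadata (assumption).
SPOOFING_FAMILIES = {"mydoom", "mimail"}


class NotificationPolicy:
    """Decide which notices to send after an infected message is blocked."""

    def __init__(self, max_notices, window_seconds, clock=time.monotonic):
        self.max_notices = max_notices
        self.window = window_seconds
        self.clock = clock
        self.sent = deque()  # timestamps of notices sent inside the window

    def _budget_left(self):
        # Drop timestamps that have aged out of the sliding window.
        now = self.clock()
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        return max(self.max_notices - len(self.sent), 0)

    def decide(self, family, envelope_sender, recipients):
        """Return the addresses to notify, possibly an empty list."""
        targets = []
        # A forged sender never sent the message, so a notice to that
        # address is unsolicited mail to a bystander. An empty envelope
        # sender marks a bounce and must not be answered either.
        if envelope_sender and family.lower() not in SPOOFING_FAMILIES:
            targets.append(envelope_sender)
        targets.extend(recipients)
        # During an outbreak the window budget runs out and further
        # notices are dropped instead of adding to the mail flood.
        allowed = targets[: self._budget_left()]
        now = self.clock()
        self.sent.extend([now] * len(allowed))
        return allowed
```

Notices dropped by the throttle can still be counted in the gateway's own log, so administrators see the outbreak without any extra mail being generated.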
For more interesting byplay on this topic, see: