More Reflections on Recent Worms
In the wake of the extreme traffic generated from mass mailing worms like Beagle.A (reported in the last newsletter) and Novarg.A, aka Mydoom.A, lots of recommendations and rueful observations have been forthcoming from security experts of all stripes.
It seems that by spoofing the From: address in its sending, these worms have succeeded in doubling up on the number of e-mails that get generated. That’s because many SMTP servers send e-mails to putative senders when undeliverable or infected e-mail shows up in their incoming mail queues. Personally, I’ve probably received over 100 e-mails a day of that kind (they usually include subject lines that read something like: “Returned mail: delivery problems encountered” or “Mail transaction failed” or “Virus found in e-mail”) in addition to the plethora of infected e-mails that keep showing up at my spam service inbox.
It’s also been the case that I’ve found anywhere from 2 to 10 infected e-mail messages in my inbox daily, because sender addresses match those on my white list (the list of addresses from which I’ve already indicated an interest in reading incoming e-mail). Thank goodness that my local anti-virus solution (Norton Internet Security 2003, with automatic updates enabled) is able to catch and delete infected attachments automatically. Since this is true for most end-users, the danger of infection is not as vexing as the wasted time and bandwidth involved in handling messages that have no real reason to be in anybody’s inbox.
This helps me to understand why I agree with most security experts that e-mail should be subjected to content and anti-virus screening before making it into anybody’s inboxes. That way, infected e-mails can be stopped en route, and need not take up bandwidth and energy for very long. Lately, experts also recommend that automatic rejection notification be turned off at SMTP servers when worms like Beagle.A or Mydoom.A are active, to avoid sending lots of e-mail to warn putative rather than actual senders that a message has been rejected.
This latest round of aggravation will probably help content filtering solution providers convince customers that their solutions have merit. I’m also starting to find some value in the idea of small but measurable “e-postage” charges for sending e-mail to keep those who’d otherwise spam the rest of us into oblivion at bay. But that raises the very interesting question of who’s liable if a virus causes a computer to generate lots of e-mail that the real user/owner had no desire to send (or pay for). This helps me understand why the combination of content and anti-virus filtering or screening is more potent than either ingredient by itself.