Mail server filters. (Discuss.)

Thread starter: Adam A. Wanderer

Now and then, I get an e-mail with the notice that the original e-mail being
sent to me was blocked by a server filter, of some sort, because it
contained a virus and/or worm attachment. How expensive is such
software/hardware? Can it be effective enough to put a stop to these
constant virus/spam attacks? Second, how much monetary damage has this
latest virus/worm/Trojan done? Is it enough to justify the cost of
additional hardware/software effective enough to slow or stop
virus/worm/Trojan attacks? In short, as it's obvious that the perpetrators
of these attacks aren't going to be caught, is enough technology "cost
effective" in combating these problems? Is there anyone out there who has
the figures and knows the "ins and outs" of this issue to explain? Finally,
how many ISPs currently use hardware/software to block virus/worm
attachments, or could it be "hard wired" into the next generation of PCs?
 
Now and then, I get an e-mail with the notice that the original e-mail being
sent to me was blocked by a server filter, of some sort, because it
contained a virus and/or worm attachment.

Who added this notice?

What usually happens is that an ISP will install this software. I
have gotten over 118 copies of the Swen virus. Most (but not all, not
sure why) were caught and deleted by Road Runner before they delivered
it to me.
How expensive is such
software/hardware? Can it be effective enough to put a stop to these
constant virus/spam attacks?

The only figure I have seen is this: There's a non-profit group in
Houston that offers Internet access. You can spend an extra $2 per
month to have your mailbox. I thought it was Postini (maybe it used
to be) but they now call it the "Mailbox Assistant".
Second, how much monetary damage has this
latest virus/worm/Trojan done? Is it enough to justify the cost of
additional hardware/software effective enough to slow or stop
virus/worm/Trojan attacks?

It depends on who you're talking about.

In my case, I'm a residential user. Not a business or admin. Road
Runner handles my email, and mostly does a good job. They have made
some investments in software, hardware, and settings, that stops most
viruses and spam as well. It's good enough that I don't have to buy
or install anything else (but I keep my virus software up to date!)
In short, as it's obvious that the perpetrators
of these attacks aren't going to be caught, is enough technology "cost
effective" in combating these problems? Is there anyone out there who has
the figures and knows the "ins and outs" of this issue to explain? Finally,
how many ISPs currently use hardware/software to block virus/worm
attachments, or could it be "hard wired" into the next generation of PCs?

No idea, but for a lot of casual users the only important question is:
Is MY ISP using it? If I ran a mail server, you betcha, I would be
investing in this stuff.

However, spam is not just a technical problem, it's a social problem.

Almost as important as the technical means to prevent virus attacks,
is user education. I'm talking about the ways that experienced users
protect themselves, which should be as common as "common sense":

munging addresses on Usenet,
keeping virus software updated,
applying security patches to your OS,
not clicking on strange attachments,
using secure settings on email and browser software,
etc., etc.
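The reply above describes the ISP-side filter that drops a message carrying a virus attachment and sends the recipient a notice instead. The following is an added example of how such a filter makes its decision; it is not code from the thread, from Road Runner, or from any named product. The blocked-extension list, the PE magic check, the constructed sample message, and the wording of the notice are all assumptions of this example.

```python
"""Mail-relay attachment filter (added example, not from the thread).

Assumptions: the extension blocklist, the PE magic check, the sample
message and the notice wording are all the example author's choices,
modelled on the kind of ISP-side filter the reply describes.
"""
import email
from email import policy
from email.message import EmailMessage

# File types Windows runs on double-click; Swen-era mass mailers shipped
# under most of these. Assumed list, not taken from any real product.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "lnk", "reg",
}

# First two bytes of a DOS/PE executable, so a binary renamed to .jpg
# is still caught even though its extension looks harmless.
PE_MAGIC = b"MZ"


def risky_extension(filename):
    """Return the first blocked extension found anywhere after the base
    name, so 'invoice.txt.exe' and 'readme.exe   .txt' are both flagged;
    None if the name is absent or clean."""
    if not filename:
        return None
    for ext in filename.lower().split(".")[1:]:
        ext = ext.strip()
        if ext in BLOCKED_EXTENSIONS:
            return ext
    return None


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and list (filename, reason) for every
    part the filter would refuse. An empty list means deliver as-is."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():          # containers carry no payload
            continue
        name = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        ext = risky_extension(name)
        if ext:
            findings.append((name, f"blocked extension .{ext}"))
        elif payload.startswith(PE_MAGIC):
            findings.append((name or "(unnamed part)", "executable content"))
    return findings


def notice_for(raw_bytes, findings):
    """Text of the notice delivered in place of the blocked message; the
    wording is assumed, the thread quotes no real notice verbatim."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    lines = [
        f'Message from {msg["From"]} with subject "{msg["Subject"]}" was '
        "blocked by the server filter because it contained:",
    ]
    lines += [f"  - {name}: {reason}" for name, reason in findings]
    return "\n".join(lines)


def build_sample(filename, payload):
    """Constructed test message: a one-line body plus one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "reader@example.org"
    msg["Subject"] = "Re: your document"
    msg.set_content("See attached.\n")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        ("invoice.txt.exe", b"MZ\x90\x00 fake exe"),   # double extension
        ("photo.jpg", b"MZ\x90\x00 renamed exe"),      # lying extension
        ("notes.txt", b"plain text, nothing to see"),  # clean
    ]
    for name, body in samples:
        raw = build_sample(name, body)
        hits = scan_message(raw)
        print(name, "->", "DELIVER" if not hits else notice_for(raw, hits))
```

The two checks are deliberately independent: the extension test catches the common case cheaply, and the magic-byte test catches the worm that arrives under a harmless-looking name. A real relay would add a signature scanner behind these, but the extension and content checks alone already stop the bulk of the mass-mailer traffic the reply describes.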
 
I've been running this on my machine for about a year. It's kinda
cool.

http://folding.stanford.edu

Seeing it here today has reminded me of the following ideas, which
have been bubbling on the back burner for a long time.

Spammers and viruses use other versions of distributed computing, for
a very different purpose.

Why don't anti-spammers do something similar?

Folding@stanford has about 100,000 active users. 50 million people
signed up for the national Do-Not-Call list. What would happen if a
million users downloaded a spammer harassment tool?

Couldn't somebody write a program that would run in the background on
the user's computer, and about once a minute go "tickle" or ping or do
*something* to the networks where spammers hang out?

For those who say don't fight abuse with abuse: bite me. Non-violent
protests only work against an opponent with a conscience.

An executable, pinging a spammer's site every 30 seconds, should not
significantly affect my computer, my ISP, or its other customers.

But what effect would a million hits per minute have on a spammer and
their host? Coming from 1000 different ISP's?

The targets would rotate. Periodically, the little executable could
contact another known user, learn the target du jour and the start
time of the attack.

A centralized update center like Folding@ would not work, it would be
subject to DDOS like the ones that shut down Monkeys and Osirusoft.

This has a lot in common with Pandora, but I understand that Pandora
would only complain to a single sender. Lots of addresses at that
sender, and every day, until a proper "REMOVE" request is sent. Also,
the Pandora developer is waiting until laws are passed that
"legitimize" what Pandora would do.

My approach is different. I want to emulate the enemy's tactics and
hit them from everywhere. And I want to hit them now. As long as
the targets are objectively chosen, I don't care if I never got a spam
from them, myself. When one person is spammed, we have all been
spammed.

I sure hope somebody's working on this.
 
Nice idea but since spammers change email addresses hourly, I'm not
sure how it would work. You could possibly completely shut down the
internet with this tactic which might get someone's attention and
start serious work on the problem.
 
The message was originated by the sending or relay server. Large ISP's will use
this technique to prevent their own customers from distributing a virus.
 
Nice idea but since spammers change email addresses hourly, I'm not
sure how it would work. You could possibly completely shut down the
internet with this tactic which might get someone's attention and
start serious work on the problem.

My target would be web pages that appear in spam. The places that
send spam are disposable. But a web page needs to stay up for at
least a few days for the spammer to make any money.
 
On that special day, Steve M (remove wax for reply) said...
Couldn't somebody write a program that would run in the background on
the user's computer, and about once a minute go "tickle" or ping or do
*something* to the networks where spammers hang out?

Others have had similar ideas. But you never know the real place where
the spammers are hiding. They abuse trojanized computers for sending out
spam, and create paper chases by setting up referrer chains, frames in
frames (all from a different domain), and JavaScripts that have to
decode themselves a dozen times before the next URL can be identified,
and so on.

In the German anti spam newsgroup de.admin.net-abuse.mail, some guys
developed tactics to track the URLs down to the place where a certain
expensive dialer was meant to be sent to and installed on the computer
of a clueless Internet Explorer user (the start URLs in the spams and
the names of the dialer programs were changing nearly every other day).

After identifying such a site, they would go there and massively
download the dialer, or a picture on the same site, copying it to
/dev/null, and create an overload on traffic. (wget) If you do have some
command of German, let Google groups search for the verb "heisen" or
"geheist" which was created in the progress of these events.

As a reaction, the spammers let the downloaders fetch only three times,
then the respective IP number which did the query, was blocked. The
anti-spammers in turn resorted to the use of anonymizing services who
would allow for the change of IP numbers at will.

You see, it isn't easy to force them to give up. The only thing that
*did* work was the investigation of a task force on dialer frauds. They
initiated a raid the day before yesterday, which was done against half a
dozen companies, all working in the same business, and exchanging their
programs.

I hope this has finally put an end to the dialer mafia. But who knows...


Gabriele Neukam

 
Nice idea but since spammers change email addresses hourly, I'm not
sure how it would work.

Targeting the mailers of the spam would not work for other reasons,
mainly the addresses they use are either bogus or forged.

I'm not in favor of DoS attacks or other forms of net-abuse, but the
idea intrigues me on the level of a "thought-experiment." So, just
this once, I'm going to play devil's advocate. <g>

The idea would not be to attempt to attack the point where the spam
enters the net. As stated above, the address is usually bogus. Even
if the source is traced via "Return-Path:" or other header data, it is
constantly shifting and there are too many possible targets. Most
spammers hire multiple "distributors" and "affiliates" and hijack
unsuspecting proxies to do the dirty work. Some have *extensive*
"affiliate" networks doing the mass posting for them.

It would be far better to launch the attack upon the *actual* source
of the spammers profits - the websites advertised by the spam. These
sites are frequently hosted by "spam-friendly" hosting services that
specialize in adult sites and snake-oil sales outfits, hosting few, if
any legitimate enterprises. A DoS attack targeting a site on a single
spammer whose wares are hosted by that system would have the advantage
of "busying-out" the profit source of *multiple* spammers sites.
You could possibly completely shut down the
internet with this tactic which might get someone's attention and
start serious work on the problem.

Actually, I think my idea would have less effect on the net as a
whole, though it would certainly draw attention.

Then, it's just a weird idea going through a bored mind on a Saturday.
 