<<< Date Index >>>     <<< Thread Index >>>

getting rid of outbreaks and spam (junk) [WAS: Re: RFC: virus handling]



There were some good ideas in this thread, so I would do my best not to repeat any of them and perhaps to look at a couple of points from a different angle. I will try and be very critical, please do not take it the wrong way.

This may look like a rant, but it really isn't. Please bare with me? :)


1.It is clear that as notifications are today, they are *mostly* plain and simple spam. Why do I believe that?

Since they usually contain information regarding getting a brand new AV, but not about the virus or how to get cleaned.


2. In a broader view, notifications ARE currently the problem rather than a solution. I got thousands of Mydoom.A. I also got X10 times that in AV notifications. Can we truly afford the extra-slowdown to the Internet when a major outbreak is out? A mini-outbreak can turn into a massive one due to AV notifications alone. Doesn't make any sense beyond the marketing idea, and we all see how malware spoofs email addresses. Hence why I call it spam.


3. I think we look at the whole problem in the wrong way, allow me to elaborate:

The AV industry is built on reaction rather than prevention. Adding new signatures is still the #1 tool in the fight against malware.

With spam and mass mailers clogging the tubes, causing us all to waste money on bigger tubes, as well as our time dealing with the annoyance (more money), shouldn't the problem be solved there (at the main tubes themselves) rather than at the end user's desktop?

If backbones filtered the top-10 current outbreaks, with non-intrusive means such as for example running MD5 checksum checks against attachments, or whatever other way - wouldn't it be better? True, it may cause a cry of "the government spies on us, but with the current economic troubles outbreaks cause, can we really use that excuse anymore? Doesn't the police regulate speeding?

If I were to take the conspiratorial side, perhaps backbones like it when people pay for tubes they don't need, which are used to deliver 90% junk.

There are enough solutions out there for spam and malware, they are mostly not being implemented for different political and commercial reasons.

Nobody wants to deal with "you are reading my mail!" or with "sorry, now people will pay for smaller tubes", perhaps even at the ISP level - "why should I pay for more filtering when it isn't demanded of me?".

They are right, it isn't currently demanded of them.

I would like to refer you to SpamCop (when it comes to spam) or MessageLabs (for malware), it works. But you need to pay to get (most of) their services.


4. As far as the IP-ADDRESS@isp goes, it IS a good idea, but not a very practical one in my opinion. Allow me to explain why.

First, the obvious reason against it would be how easy this will make spammers' lives.

Second, we need to remember that most of the DDoS attacks happening these days on the Internet are the cause of Drone Armies. Thousands upon thousands of machines infected with a Trojan horse that work for spamming the Internet or conducting cyber-"battles".

Many times we see tens of thousands of infected users, and we try and clean them remotely (we used to connect directly and remove the backdoor, but then we realized the legal problems with this approach).

Nowadays we "play" the controllers, find the control commands and passwords and remove the drone armies from where they echo to, such as an IRC channel.

The problem with this approach, which is a never-ending fight (you know how many times a minute you can get scanned on Cable/DSL IP ranges, how many other people are not protected?) is that the users, although now "clean", will soon show up with yet another Trojan horse, re-infected and used as a tool of war against different "groups", for spam or maybe to blackmail corporations.

Although completely not practical, a way to contact users (or ISP's, isn't that how it works?) by IP address would help a lot. But that would be circumventing the real problem which is ISP's not doing much about ABUSE REPORTS or USER SECURITY.

We all kept talking about anything from spam reporting, to ISP's preventing their own users from performing illegal activity, the whole issue of asking ISP's to do anything is simply wrong. It is not ECONOMICAL for them to do so unless the law dictates it.


5. Drifting a bit from the original subject at hand, we can go on forever discussing the problems with the net, such as spam, malware or ISP's not caring. The issue is how do we do one of the following:
- Make ISP's care (enforcing new laws?).
- Employ limited solutions on the backbones (spam filtering? malware
  filtering?).
We are reaching a place where 80-90% of the traffic is junk, it may be economic but do we really want to stay there?

There is no magic cure, and Every possible solution would have problems, Nothing is perfect. I don't understand why the biggest problems of the Internet should be commercialized and thus become static, rather than solved.

Obviously again, solving the problems is not easy, and nothing is trivial - I just don't see that any solution that may work gets implemented or tried.

My 2K bucks.

        Gadi Evron.