On 21 Sep 2003 at 6:48, David H. Bailey wrote:

> At the risk of tempting fate, this morning was the first time in a
> couple of weeks that I was able to download my email and not have any
> infected with a virus.

I only received two such infected email messages, and my email address is all over the Web and Usenet (in a munged form), and I get tons of spam and got plenty of SoBig emails. I can only conclude that one of two things is happening:

1. this one was heavily driven by addresses harvested from Usenet (the exploit includes a Usenet portion), and my munged address is protecting me from receiving the emails (though my ISP is having to bounce them).

2. my ISP is filtering all such emails in their mail server.

I suspect the latter rather than the former, as spam has been at a low point for the past two or three weeks (only 10 a day instead of 20 or 30) and I think it's likely my ISP has put new protections in place. (I just discovered my ISP provides Spam Assassin as a free option; you just have to request that it be turned on. This could be the point at which I switch to IMAP from POP for my email client.)

> I think that one wave or another will be with us for some time to
> come, simply because there aren't virus-catching programs running at
> most email servers. . . .

There may not be AV programs running, but almost every major email server I know of has hooks by which they can be loaded. And, indeed, most ISPs are already processing email based on black hole lists (which, granted, takes somewhat less processing power as you reject based on the header rather than scanning the whole message content), so adding processing of content for SPAM identification is not that big a deal. AV protection is probably easier, as in many cases, rejecting worms like the current one (and SoBig) does not require scanning the message itself -- all that is needed is an examination of the header and a determination that the message purports to include executable content. If the ISP subscribes to a service provided by one of the major AV vendors, they'd also have virus definition files that could be used.

> . . . I can't imagine the bottleneck that would be
> created if current antivirus programs inspected each and every
> incoming e-mail message at a server. . . .

On the contrary, such a "bottleneck" would decrease the bandwidth, storage and processing power needed. Consider:

1. if an ISP lets through one worm-infected email message and that one recipient executes it and is infected, that could generate literally thousands of outgoing infected email messages. If this happens to 100s of subscribers, you're talking 100s of thousands of unnecessary outgoing messages for the ISP's servers to handle.

2. if instead the ISP strips the executable content from the email message, none of its subscribers get infected, and the amount of outgoing bandwidth used by infected subscribers is ZERO.

If *all* ISPs did this, these worms could not spread at all. The only thing that is required is that all messages with executable content be either stripped of the executable content or quarantined with a mechanism for the recipient to retrieve or delete it after the fact.

> . . . But if somebody could write a
> program which would innoculate infected messages at a high speed, then
> virus writers would be out of business in short order (until somebody
> figured out how to circumvent the anti-virus mail-servers).

These really do exist already. They've existed since before the ILOVEYOU worm from May 2000. At this point in the game, there is really no excuse for any mail server not to be doing two things:

1. scanning outgoing mail for suspicious executable content and prohibiting it from being sent.

2. scanning incoming mail for executable content and prohibiting its delivery to the recipient.

If all ISPs did these two things, THERE WOULD BE NO MORE WORMS!

> Just be sure you have antivirus software running and keep the
> signature files up to date.

I don't use AV software and I've never once been infected by anything other than a boot sector virus (the vector being a floppy disk rather than email). I regularly download the scanning/cleanup tools for these to check that I've been infected. I *do* receive many copies of infected messages, but I never get infected myself. Why?

1. I don't use an email program that will make it easy for me to unintentionally run executable content.

2. I don't open any attachment I am not expecting, or any attachment in a format that I don't already know is perfectly safe.

Most of the exploits of the past 2-3 years have depended on the idea that a human would execute them in order to infect the local machine. This is one of the reasons why I trash all HTML email messages (this is the best single spam filter there is), because I don't want to run the risk of an HTML email message managing to execute something inappropriate. I also think HTML email is an abomination that should not exist in the first place, but that's a position that is simply not shared by many people.

I have concluded that the people who are getting infected these days are mostly people who are to blame for it themselves, like the person who doesn't lock his car. Or a closer analogy would be a person who parks his car in a strange neighborhood and then hands the keys over to the first stranger he sees. Originally I would have said that this was caused by ignorance, but at this point in the game anyone who is *that* ignorant deserves to be shunned and ostracized. If you can't resist doubleclicking on any old strange attachment, then you are really far too dumb to live.

--
David W. Fenton                        http://www.bway.net/~dfenton
David Fenton Associates                http://www.bway.net/~dfassoc

_______________________________________________
Finale mailing list
[EMAIL PROTECTED]
http://lists.shsu.edu/mailman/listinfo/finale
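The header-only check the post argues an ISP mail server should perform, written out as an added example (this is not code from the original message or from the Finale list). It parses a constructed message whose attachments are dummy bytes, not real programs, decides from each MIME part's Content-Type and attachment filename whether the part purports to be executable content, and replaces such parts with a notice, which is the "strip" option the post describes. The extension and MIME-type lists are assumptions a gateway operator would tune to local policy; the quarantine option would keep the removed part aside instead of discarding it.

```python
"""Header-only check for executable e-mail attachments.

Added example, not code from the original message or the Finale list. It shows
the gateway-side check the post argues for: look at each MIME part's headers
(Content-Type and the attachment filename) rather than scanning payload bytes,
and strip any part that purports to be executable content.
"""
from __future__ import annotations

import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed lists; a real gateway would tune these to local policy.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
}
EXECUTABLE_MIME_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/x-executable",
    "application/hta",
}


def is_executable_part(part: EmailMessage) -> bool:
    """Decide from headers alone whether a leaf MIME part claims to be executable."""
    if part.is_multipart():
        return False
    if part.get_content_type() in EXECUTABLE_MIME_TYPES:
        return True
    filename = (part.get_filename() or "").lower()
    # Only the final extension matters, so "invoice.pdf.exe" is still caught.
    return os.path.splitext(filename)[1] in EXECUTABLE_EXTENSIONS


def strip_executable_parts(msg: EmailMessage) -> list[str]:
    """Replace each executable part with a plain-text notice; return the names removed."""
    removed = []
    for part in msg.walk():
        if is_executable_part(part):
            name = part.get_filename() or part.get_content_type()
            removed.append(name)
            part.clear_content()  # drops the payload and every Content-* header
            part.set_content(
                f"[gateway notice] attachment {name!r} removed as executable content\n"
            )
    return removed


def filter_raw_message(raw: bytes) -> tuple[bytes, list[str]]:
    """Parse a raw message, strip executable parts, return (sanitized bytes, removed names)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    removed = strip_executable_parts(msg)
    return msg.as_bytes(), removed


def find_executable_parts(raw: bytes) -> list[str]:
    """Report-only variant: names of the parts that would be stripped."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [p.get_filename() or p.get_content_type()
            for p in msg.walk() if is_executable_part(p)]


def attachment_names(raw: bytes) -> list[str]:
    """Filenames of the attachments a recipient's client would still see."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def build_sample_message() -> bytes:
    """Constructed test message: a text body, a fake .pif, and a harmless .txt."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Re: Your details"
    msg.set_content("See the attached file.\n")
    # Dummy bytes standing in for a worm body; not a real program.
    msg.add_attachment(b"MZ-placeholder-not-a-real-program",
                       maintype="application", subtype="octet-stream",
                       filename="details.pif")
    msg.add_attachment("just some notes\n", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    sanitized, removed = filter_raw_message(raw)
    print("removed:", removed)
    print("remaining attachments:", attachment_names(sanitized))
```

Because the decision rests on declared headers, the check costs a MIME parse per message and no payload inspection, which is the point the post makes about bandwidth. The same property is its limit: an archive or a renamed file that carries executable code without declaring it passes, so this complements rather than replaces a signature-based scan where one is available.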