
2nd February 2004

SPAM, VIRUSES AND MESSAGE UNDELIVERED

Brian Grainger

brian@grainger1.freeserve.co.uk

Last week saw the most virulent virus ever unleashed on the Internet. Is it just the virus writers that are to blame for reducing the usefulness of the Internet? Should anti-virus software writers also take some responsibility? Every other serious commentator has been taking a pop, so I thought I would have my two-pennyworth!

Sometime around the 26th/27th January 2004 the MyDoom virus (a.k.a. Novarg) was unleashed. Message Labs, who monitor the Internet for the number of messages with viruses attached, soon reported that it was spreading rapidly. By the 27th I could also report it was spreading rapidly! I mentioned in my Christmas Waffle that my e-mail address had been hijacked last year to send spam and that the resulting 'mail undelivered' messages caused my mailbox to overflow. However, that was nothing compared to what happened on the 27th January. First, I was being sent numerous messages with the virus attached. Secondly, the virus spoofs the 'From' e-mail address and clearly mine had been used, because I was also getting 'mail undelivered' messages with the virus attached. This was on top of the usual spam I get, which has been steadily increasing over the last year. Fortunately, the virus splurge did not last long, but an analysis of my e-mail messages over the last week is very revealing.

Date       Mails with viral   Mails undelivered,      Mails undelivered,        Junk   Valid
           attachments        returned with viral     returned with the         mail   mail
                              attachment!             attachment deleted
--------   ----------------   ---------------------   -----------------------   ----   -----
27/01/04   68                 32                      8                         21     8
28/01/04   68                 17                      2                         20     4
29/01/04   1                  7                       5                         17     5
30/01/04   1                  9                       4                         16     6
31/01/04   0                  3                       2                         16     2
01/02/04   0                  2                       2                         18     3

It should be noted that the virus attachment was about 250KB long. As I am on a dialup 56K modem it took 10 minutes, just to download my e-mail, on the 27th and 28th. What had I done to deserve this? Simply created this web site with my e-mail address on it so readers can contact me. It is times like these when I wonder whether it is worth it. (Before anyone writes back - I know I could hide my e-mail address in a graphic, or use some other ruse. This makes it slightly more difficult for my readers to e-mail me and, so far, I have avoided making their life more difficult.)

Anyway, back to the analysis. Here are some points from the figures above.

1. It took 2 days before the number of viral messages sent was reduced. Is this the time lag before anti-virus signatures are updated? I have always had misgivings about the value of anti-virus (AV) software.

2. Clearly, if I was getting so many virus messages, there are a lot of people out there who read these pages and have them archived in their Temporary Internet Files folder. (This is one place on an infected computer where the virus picks up e-mail addresses to proliferate itself.) That is good to know!

3. Despite all the warnings there are still many people who open attachments on e-mail from people they do not know. Unfortunately, some of these people read this web site. Whether that says something about the readership is an interesting question!

4. On day 1, 37% of viral e-mail was being sent by AV software or mailer daemons returning mail to people who hadn't sent it!

5. By day 5, virus e-mail had stopped. However, there was still residual noise from AV software and mailer daemons.

As you can imagine, I am seriously irritated by the figures for useless mail that I pay to download. We know spam is a source and a way needs to be found to get rid of it. However, at least spam messages are not usually 250KB long. They are a minor irritant in comparison. The trouble with spam is the time taken to remove it and the potential to destroy valid mail, thinking it is spam.

Viral messages are a real pain. Their length causes serious cost and time penalties. Most importantly, they clog up the Internet and reduce the available bandwidth. There are many people to blame for the spread of viruses, including the stupid user who will not heed the warnings about opening attachments. The MyDoom virus did not use any social engineering. It did not promise compromising pictures of a celebrity. It did not open automatically - the user had to open it. It was obviously potentially dangerous. For goodness sake, stop opening them!

(OK - I will relent a little! If you are a special case, like me, who has reasons for opening some of them, use Wordpad. You can then read the mail without the virus being executed. As an aside, you may like to know why I have to open some of them. Some readers will sometimes send me e-mails with the subject simply as 'Hi'. Unfortunately, some viral messages and a lot of spam have the subject 'Hi'! Consequently I open these, with Wordpad, just in case. Future senders of e-mail to me may like to ease my life by using a more relevant subject line.)

Despite these problems, which are difficult to solve, there is one glaring problem that is easy to solve. That is the problem of returned mail. Points 4 and 5 are damning. Stop returning undelivered viral mail. From my figures above, 37% of viral e-mail traffic could have been avoided.

Now, I CAN see some value in letting the sender know when an e-mail is undelivered, when it is a valid e-mail. However, when some software tells me it has detected a virus and then sends it back again, I think the world has gone mad! There is, now, not much point in letting a user know they have a virus. More likely than not, the supposed sender of the mail did not send it. In the past I did this as a help, which was usually appreciated, but it is not relevant today.

I would say that all mailer daemon software and AV software should comply with two rules.

  • If such software detects a virus, do NOT send any 'mail undelivered' message.
  • If a virus is not detected then do NOT send any attachments back. A simple message saying it could not be delivered, or that .exe attachments will not be accepted (if that is the problem), will suffice. Keep the bandwidth free for useful stuff.
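To show what those two rules look like inside a mail gateway, here is an added example in Python (my own illustration, not code from the article or from any particular mailer daemon or AV product). It assumes the scanner's verdict is handed in by the caller, that the gateway's own address is mailer-daemon@example.invalid, and uses constructed sample messages whose "executable" is just 250KB of zero bytes. A flagged message gets no bounce at all; an unflagged undeliverable message gets a short text/plain notice with nothing from the original re-attached.

```python
"""Bounce policy for a mail gateway that avoids virus backscatter.

Added example, not code from the article. It implements the two rules the
article proposes for mailer daemons and AV software:
  1. if the scanner flags a virus, send no 'mail undelivered' message at all
     (the From: address is very likely spoofed, so a bounce would only hit
     an innocent third party);
  2. otherwise send a short plain-text notice, never the original attachments.
The scanner verdict is assumed to come from the caller (any AV engine); the
addresses and sample messages are constructed for the example.
"""
from email.message import EmailMessage
from typing import List, Optional

GATEWAY_FROM = "mailer-daemon@example.invalid"   # assumed gateway address


def attachment_names(msg: EmailMessage) -> List[str]:
    """File names of the parts the email library treats as attachments."""
    return [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]


def decide_bounce(original: EmailMessage, scanner_flagged: bool,
                  delivery_error: Optional[str] = None) -> Optional[EmailMessage]:
    """Return the NDR to send for an undeliverable message, or None for silence.

    scanner_flagged: verdict from the AV scanner (rule 1 applies when True).
    delivery_error:  reason supplied by the gateway when the scanner is clean
                     and the message failed for some other cause.
    """
    if scanner_flagged:
        return None                         # rule 1: no backscatter at all

    names = attachment_names(original)
    exes = [n for n in names if n.lower().endswith(".exe")]
    if exes:
        # the article's own example reason: .exe attachments are not accepted
        reason = "executable attachments are not accepted: " + ", ".join(exes)
    else:
        reason = delivery_error or "message could not be delivered"

    # rule 2: a single text/plain part, nothing from the original re-attached
    ndr = EmailMessage()
    ndr["From"] = GATEWAY_FROM
    ndr["To"] = str(original["From"])
    ndr["Subject"] = "Mail undelivered: " + (str(original["Subject"]) or "(no subject)")
    ndr.set_content(
        f"Your message to {original['To']} could not be delivered.\n"
        f"Reason: {reason}\n"
        "The original attachments have not been returned.\n"
    )
    return ndr


def make_sample(subject: str, attach_exe: bool) -> EmailMessage:
    """Constructed test message; the 'executable' is 250KB of zero bytes."""
    msg = EmailMessage()
    msg["From"] = "reader@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Hi")
    if attach_exe:
        msg.add_attachment(b"\x00" * 250 * 1024, maintype="application",
                           subtype="octet-stream", filename="document.exe")
    return msg


if __name__ == "__main__":
    infected = make_sample("Hi", attach_exe=True)
    print("virus flagged ->", decide_bounce(infected, scanner_flagged=True))
    clean = make_sample("Hi", attach_exe=True)
    ndr = decide_bounce(clean, scanner_flagged=False)
    print(f"original {len(bytes(clean))} bytes, NDR {len(bytes(ndr))} bytes")
    print(ndr.get_content())
```

Run stand-alone, the script shows the flagged message producing no bounce at all, and the clean-but-rejected message producing a notice of a few hundred bytes against an original of over 250KB, which is the bandwidth saving the article is asking for.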
