Bugtraq mailing list archives

getting rid of outbreaks and spam (junk) [WAS: Re: RFC: virus handling]


From: Gadi Evron <ge () linuxbox org>
Date: Tue, 03 Feb 2004 11:11:33 +0200

There were some good ideas in this thread, so I would do my best not to repeat any of them and perhaps to look at a couple of points from a different angle. I will try and be very critical, please do not take it the wrong way.

This may look like a rant, but it really isn't. Please bear with me? :)


1. It is clear that as notifications are today, they are *mostly* plain and simple spam. Why do I believe that?

Since they usually contain information regarding getting a brand new AV, but not about the virus or how to get cleaned.


2. In a broader view, notifications ARE currently the problem rather than a solution. I got thousands of Mydoom.A. I also got X10 times that in AV notifications. Can we truly afford the extra-slowdown to the Internet when a major outbreak is out? A mini-outbreak can turn into a massive one due to AV notifications alone. Doesn't make any sense beyond the marketing idea, and we all see how malware spoofs email addresses. Hence why I call it spam.


3. I think we look at the whole problem in the wrong way, allow me to elaborate:

The AV industry is built on reaction rather than prevention. Adding new signatures is still the #1 tool in the fight against malware.

With spam and mass mailers clogging the tubes, causing us all to waste money on bigger tubes, as well as our time dealing with the annoyance (more money), shouldn't the problem be solved there (at the main tubes themselves) rather than at the end user's desktop?

If backbones filtered the top-10 current outbreaks, with non-intrusive means such as for example running MD5 checksum checks against attachments, or whatever other way - wouldn't it be better? True, it may cause a cry of "the government spies on us", but with the current economic troubles outbreaks cause, can we really use that excuse anymore? Don't the police regulate speeding?

If I were to take the conspiratorial side, perhaps backbones like it when people pay for tubes they don't need, which are used to deliver 90% junk.

There are enough solutions out there for spam and malware, they are mostly not being implemented for different political and commercial reasons.

Nobody wants to deal with "you are reading my mail!" or with "sorry, now people will pay for smaller tubes", perhaps even at the ISP level - "why should I pay for more filtering when it isn't demanded of me?".

They are right, it isn't currently demanded of them.

I would like to refer you to SpamCop (when it comes to spam) or MessageLabs (for malware), it works. But you need to pay to get (most of) their services.


4. As far as the IP-ADDRESS@isp goes, it IS a good idea, but not a very practical one in my opinion. Allow me to explain why.

First, the obvious reason against it would be how easy this will make spammers' lives.

Second, we need to remember that most of the DDoS attacks happening these days on the Internet are the cause of Drone Armies. Thousands upon thousands of machines infected with a Trojan horse that work for spamming the Internet or conducting cyber-"battles".

Many times we see tens of thousands of infected users, and we try and clean them remotely (we used to connect directly and remove the backdoor, but then we realized the legal problems with this approach).

Nowadays we "play" the controllers, find the control commands and passwords and remove the drone armies from where they echo to, such as an IRC channel.

The problem with this approach, which is a never-ending fight (you know how many times a minute you can get scanned on Cable/DSL IP ranges, how many other people are not protected?) is that the users, although now "clean", will soon show up with yet another Trojan horse, re-infected and used as a tool of war against different "groups", for spam or maybe to blackmail corporations.

Although completely not practical, a way to contact users (or ISP's, isn't that how it works?) by IP address would help a lot. But that would be circumventing the real problem which is ISP's not doing much about ABUSE REPORTS or USER SECURITY.

We all kept talking about anything from spam reporting, to ISP's preventing their own users from performing illegal activity, the whole issue of asking ISP's to do anything is simply wrong. It is not ECONOMICAL for them to do so unless the law dictates it.


5. Drifting a bit from the original subject at hand, we can go on forever discussing the problems with the net, such as spam, malware or ISP's not caring. The issue is how do we do one of the following:
- Make ISP's care (enforcing new laws?).
- Employ limited solutions on the backbones (spam filtering? malware filtering?).
We are reaching a place where 80-90% of the traffic is junk, it may be economic but do we really want to stay there?

There is no magic cure, and every possible solution would have problems, nothing is perfect. I don't understand why the biggest problems of the Internet should be commercialized and thus become static, rather than solved.

Obviously again, solving the problems is not easy, and nothing is trivial - I just don't see that any solution that may work gets implemented or tried.

My 2K bucks.

        Gadi Evron.
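The "MD5 checksum checks against attachments" idea from point 3 of the post, as an added example that is not part of the original message: a small mail filter that hashes every attachment in a MIME message and blocks it when the digest appears in a list of known-outbreak digests. The blocklist entry and the sample attachment bytes are constructed here for the demonstration; they are not hashes of any real worm. The last function also shows the main caveat a practitioner would want to know: an exact-hash filter misses a variant that differs by a single byte, which is why such a list needs constant updating and is only a first, cheap layer.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed sample "worm" body and its digest. Both are placeholders made up
# for this example; the real list would hold digests of the current outbreaks.
SAMPLE_WORM_BODY = b"MZ\x90\x00constructed-sample-worm-body"
OUTBREAK_MD5 = {
    hashlib.md5(SAMPLE_WORM_BODY).hexdigest(): "Sample.Worm.A",  # constructed entry
}


def hash_attachments(raw_message: bytes):
    """Yield (filename, md5_hex) for every attachment part of a raw RFC 2822 message.

    Transfer encoding (base64, quoted-printable) is undone before hashing, so the
    digest is over the attachment bytes the recipient would actually save.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        yield part.get_filename() or "<unnamed>", hashlib.md5(payload).hexdigest()


def classify(raw_message: bytes, blocklist=OUTBREAK_MD5):
    """Return ("block", reason) if any attachment digest is on the blocklist,
    otherwise ("pass", reason). The message body is never inspected, which is
    the "non-intrusive" property the post argues for."""
    for name, digest in hash_attachments(raw_message):
        if digest in blocklist:
            return "block", f"attachment {name!r} matches {blocklist[digest]} ({digest})"
    return "pass", "no attachment matches a known outbreak digest"


def build_sample(attachment: bytes, filename: str) -> bytes:
    """Construct a minimal message with one binary attachment (test input only)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(
        attachment, maintype="application", subtype="octet-stream", filename=filename
    )
    return msg.as_bytes()


def variant_is_caught(blocklist=OUTBREAK_MD5) -> bool:
    """Caveat check: a copy of the sample with one extra byte has a different MD5,
    so an exact-digest filter lets it through. Returns True only if it were caught."""
    verdict, _ = classify(build_sample(SAMPLE_WORM_BODY + b"\x00", "doc.pif"), blocklist)
    return verdict == "block"


if __name__ == "__main__":
    print(classify(build_sample(SAMPLE_WORM_BODY, "doc.pif")))
    print(classify(build_sample(b"quarterly figures", "notes.txt")))
    print("one-byte variant caught:", variant_is_caught())
```

Hashing after decoding the transfer encoding matters: the same attachment sent base64-encoded by one mailer and quoted-printable by another must produce one digest, or the list would need an entry per encoding. The post names MD5 because that is what was common in 2004; the same structure works unchanged with a stronger digest.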

