Ironically, it may well be that a single company can stem the tide of
spam alone and, remarkably enough, it's Mr Gates' company.
OK, Barry, after sitting back on this one for a while, I'm going to pick up your
bait.
Certainly there is a LOT they could do, but in practice probably little of that
is at the OS level.
Apparently much of the spam is forwarded via computers which have been
infected by viruses turning them into unwitting mail slaves for
spammers.
There's LITTLE excuse for allowing that to happen.
Reviewing the most common of these viruses, such as Jeem, sobig.a and
Proxy-guzu, indicates that they all target Microsoft's Windows
operating system. Versions up to and including their latest XP and ME.
Of course. If you were writing a virus, you'd also write it to propagate on the
most likely systems you expected the code to land in. OF COURSE virus authors
target Outlook, Windows, Word, etc.
There have been plenty of worms on other systems, but those are a minority of
attackable systems so virus authors OF COURSE go for the more fertile ground.
There's a reason for this: Microsoft's operating systems are
vulnerable to viruses.
ALL operating systems are vulnerable to viruses, as long as the systems are
user-programmable (or program-extensible). OK, your digital watch, your
microwave oven (probably), and your laser printer probably aren't vulnerable to
viruses. But that's because nobody else can much change their code, either.
Other operating systems, or at least late-releases (e.g., Mac OSX),
are not susceptible to viruses.
And just what is the "magic bullet" that you think magically makes those systems
"not susceptible"? I don't believe that there IS such a magic bullet.
Any computer on which software can be installed could theoretically have BAD
software installed. I don't believe it's possible by any kind of automated
means to determine absolutely that an arbitrary subject program is bug-free, or
even that it will terminate.
And in particular, a WORD macro virus (for instance) which works on a
Windows-based OS will probably work on a Mac-based OS too... since the level of
abstraction provided by the macro facility SPECIFICALLY shields the executing
macro from vagaries based on the underlying OS.
The technology for immunizing OS's against viruses has been known for
about 40 years (before viruses even existed!) It's been commonly used
in other OS's for about 20 years.
What "immunizing technology" are you referring to?
The US military has spent many billions of dollars over the years in research
trying to find "absolutely secure" operating systems, and although they have
made some fairly impressive strides, I don't think that any of them has gotten
anywhere near 100%.
And it's been available on consumer/desktop PC-class machines for at least 10
years.
What "it" do you think "immunizes" OSes? And even if "it" did, what makes you
think that other vulnerabilities can't be opened by buggy or ill-conceived
applications?
So why does Microsoft continue to provide opportunity for spammers
unnecessarily?
While I would never claim that Microsoft has done everything possible to prevent
abuse (far from it, at times) a LOT of the problem is at the application level,
and not at the OS level proper.
Buffer overflow exploits, in particular, (along with similar array subscript
range or string boundary violations) are readily possible with processors which
permit unconstrained address calculations, and (also in particular) C is pretty
much totally undisciplined about such things (and that's just as much true of C
on Mac or Unix systems as it is for C on Windows-based systems).
The better solution is really to put restrictions in place on incoming material
(and E-mail is our focus here) such that potentially dangerous executable stuff
(and in practice, this means ActiveX-type stuff, scripting, and potentially
malicious attachments) simply aren't allowed to be delivered unless they come
from pre-arranged (or post-permitted, maybe), _trusted_ people who we EXPECT
such type of stuff to come from.
Just as nobody should ever be stupid enough to run an executable that arrives in
an E-mail from someone they don't know, they similarly shouldn't run executables
that arrive from someone they DO know unless they know what it's about, and have
verified (separately) with the sender why it was sent and that it's legitimate.
There is no reason why such windows of vulnerability should be left open for no
reason at all.
I got a spam just a day or two ago shilling for a porn site and crowing about
how "no credit card required". The link said, in essence, "to connect to this
site directly using your modem, CLICK HERE." Under the concealment of the HTML,
the link pointed to a URL of .exe type. Most lusers wouldn't realize (of
course) the implication of the (truthful) prompt... that the executable was
planning to hang up the person's Internet connection through their local ISP,
then redial on the user's modem to a 900-type international telephone number at
staggering per-minute charges, which will of course bill to the luser's phone
bill to arrive a month later. (And of course, if it's a business line at the
person's employer, they'll probably never even notice...! What employee ever
sees and studies the monthly phone bill for your desk's/computer's phone line?)
Such scams, by the way, also tend to (besides the porn site itself) embody proxy
servers so that even after the visitor tires of whatever porn is on offer, they
tend to stay connected to the Net and continue their other net surfing through the
new, international premium pay-by-the-minute dialup connection, totally unaware
that they're no longer connected through their own local ISP.
Anyhow, here's just another example of a case where the original deception that
sets this whole mess up comes from the fact that the original message is
HTML-burdened, permitting the spammer to hide the downloading of an executable
inside an "invisible" link that just looks like any other "click here"
hyperlink. Of course, it would be nearly as easy to include an executable
attachment (which is the way that most such stuff has been pulled in the past).
Notably, my permission-list idea would most likely squash BOTH of these
deceptions... no unauthorized attachments, and forcing the user to
copy-and-paste a more-likely-visibly-dubious URL into their browser before going
to get it.
Of course, on my machine this particular scam wouldn't work, since I don't use a
dialup internet connection to begin with.
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support the Anti-SPAM Amendment! Join at http://www.cauce.org/
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
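
A sketch of the permission-list filtering proposed in the message above, added here as an example and not part of the original post: it flags executable attachments, active-content tags, and HTML links whose visible text hides an executable URL, and holds the mail unless the sender is on the permission list. The extension list, tag list, addresses and sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for illustration: extension list, tag list and permitted sender.
RISKY_EXT = (".exe", ".scr", ".pif", ".bat", ".vbs")
ACTIVE_TAGS = ("script", "object", "embed", "applet")
PERMITTED = {"colleague@example.org"}
# Constructed sample modelled on the dialer spam described in the message.
SAMPLE = ('From: Promo <promo@bulk.example>\nSubject: no credit card required\n'
          'Content-Type: text/html\n\n<html><body>To connect using your modem, '
          '<a href="http://site.example/connect.exe">CLICK HERE</a></body></html>')

class LinkAudit(HTMLParser):
    """Collect [href, visible text] pairs and any active-content tags."""
    def __init__(self):
        super().__init__()
        self.links, self.active, self.in_a = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.in_a = True
            self.links.append([dict(attrs).get("href") or "", ""])
        elif tag in ACTIVE_TAGS:
            self.active.append(tag)
    def handle_data(self, data):
        if self.in_a:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self.in_a = False

def review(raw, permitted=PERMITTED):
    """Return (verdict, findings) for one raw RFC 822 message string."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    findings = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"executable attachment: {name}")
        if part.get_content_type() == "text/html":
            audit = LinkAudit()
            audit.feed(part.get_payload(decode=True).decode("latin-1"))
            findings += [f"active content: <{t}>" for t in audit.active]
            for href, text in audit.links:
                if urlparse(href).path.lower().endswith(RISKY_EXT):
                    findings.append(f"link {text.strip()!r} hides {href}")
    held = bool(findings) and sender not in permitted
    return ("quarantine" if held else "deliver"), findings
```

The From header is forgeable, so a permission list keyed on it only holds up when paired with some form of sender authentication.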