I just read through the "Inventory of problems" document, and I have a few
comments. Some of those comments reflect my anti-virus background, and the
increasing connection I am seeing between viruses and spam.
I have three separate comments on the document.
First I would like to add one problem - the issue of "unintentional" spam
generated by incorrectly configured mail filters.
I have brought this subject up elsewhere - see for example my open letter
at http://www.f-prot.com/news/gen_news/open_letter_10sept2003.html
Basically the problem is the following:
Many mass-mailing worms do not only select the recipient at random, but
also forge the "From" address and possibly the envelope sender too. A
mail filter receives the worm, and responds by sending out two mails,
one going to the (assumed) sender, informing him that he sent a virus,
and the other going to the recipient, informing him that so-and-so just
sent him a virus.
Quite apart from the legal issues here (incorrectly claiming that someone
sent a virus may damage the reputation of that party), this is just
wrong behaviour, and while it is hard to define what would be "correct",
my position is the following:
A mail filter intercepting a virus/worm should respond to the sender
only if the sender is known with certainty to be the "real" sender,
not just a forgery. Determining this with absolute certainty is next
to impossible with the current mail transfer protocols, however, a virus
mail filter should in theory be able to keep a list of common
viruses/worms known to forge the sender's address, and not respond if
one of those viruses/worms is intercepted. Without such a list, the
filter should not respond to the (assumed) sender at all, for the
reason that the majority of mass-mailing worms in circulation forge the
sender this way.
As for mailing the recipient, there is simply no good reason for doing
so in the case of mass-mailing, self-contained worms. The recipient
does not in any way benefit from knowing that someone, somewhere
attempted to send him a virus. There is only one set of circumstances
where it might make sense to notify the recipient, and that is when
the mail contains a parasitic virus, which does not mail itself. A
reasonable approach is not to notify the recipient if the name of the
intercepted virus/worm contains "@m" or "@mm", as that implies
self-mailing capability.
My second point involves the point about spam as DoS attack. I would suggest
that this problem should be considered two separate problems, as there are
some fundamental differences.
On one hand we have direct DoS attacks, or more typically distributed
attacks (DDoS) where a large number of "zombie" machines under the control
of a single party participate in a concerted attack against a single
address or domain.
On the other hand we have indirect DoS attacks, which happen as a result
of an address being used as the "From" address of a spam campaign.
Various spam filters will respond with a "Message rejected" to the (assumed)
sender, who may in extreme cases receive tens of thousands of such notices.
My third point involves the "Fraud & Crime" section, where I suggest adding
two more types of spam scams.
First, stock manipulation. There are spammers that attempt to push
various penny stocks (most recently TRHL, PFDE and AZAA). I have done
some analysis on activity of the stocks in question and it is very
interesting to observe the increased trading volume in the weeks prior
to the spamming (presumably when the spammer is accumulating shares).
The second common category is the lottery scam - typically mails with
subjects like "YOU ARE A WINNER OF US$2.5MILLION LOTTO"
--
Fridrik Skulason                     Frisk Software International
Author of F-PROT                     phone: +354-540-7400
E-mail: frisk(_at_)f-prot(_dot_)com  fax:   +354-540-7401
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
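The notification policy argued for in the post above (notify the assumed sender only when the detected worm is not on a list of known sender-forgers, or not at all when no such list exists; notify the recipient only when the detection name does not carry the "@m"/"@mm" self-mailing suffix), as an added example that is not part of the post and not F-PROT's code. The detection names and the forger list are constructed for illustration; the one rule taken from outside the post is that a message with an empty envelope sender ("<>") never gets a notice, which is the standard SMTP rule against bouncing to the null sender.

```python
"""Decide which notices a virus-scanning mail filter may send.

Added example following the position stated in the post: do not send a
"you sent a virus" notice to an address that is probably forged, and do
not tell the recipient about self-mailing worms at all.  Names below are
constructed placeholders, not real detection names.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample list: detection names of worms known to forge the
# sender address.  A real filter would maintain this from scanner data.
KNOWN_SENDER_FORGERS = {
    "w32/exampleworm.a@mm",
    "w32/exampleworm.b@mm",
    "w32/othermailer.c@m",
}


def is_self_mailing(name: str) -> bool:
    """'@m' (mailing) or '@mm' (mass-mailing) suffix on the detection name
    means the sample mails itself, so the recipient gains nothing from a
    notice; anything else is treated as a parasitic (non-mailing) virus."""
    _base, sep, suffix = name.rpartition("@")
    return sep == "@" and suffix.lower() in {"m", "mm"}


@dataclass(frozen=True)
class Decision:
    detection: str
    notify_sender: bool
    notify_recipient: bool
    reason: str


def decide(detection: str,
           envelope_sender: str,
           forgers: Optional[Iterable[str]] = None) -> Decision:
    """Apply the policy to one intercepted message.

    forgers=None models a filter with no list of sender-forging worms: it
    must then assume forgery and never notify the sender.
    """
    name = detection.strip().lower()
    self_mailing = is_self_mailing(name)

    # Recipient: only a parasitic virus (not self-mailing) is worth a notice.
    notify_recipient = not self_mailing

    # Sender: null envelope sender never gets a notice (SMTP rule, added here).
    if not envelope_sender or envelope_sender.strip() in ("", "<>"):
        return Decision(detection, False, notify_recipient,
                        "null envelope sender; nothing to notify")
    if forgers is None:
        return Decision(detection, False, notify_recipient,
                        "no forger list; most worms forge, so assume forged")
    forger_set = {f.strip().lower() for f in forgers}
    if name in forger_set:
        return Decision(detection, False, notify_recipient,
                        "known sender-forging worm; From: is not trusted")
    return Decision(detection, True, notify_recipient,
                    "not a known forger; sender notice permitted")


def plan_notifications(interceptions, forgers=None):
    """Run the policy over a batch of (detection, envelope_sender) pairs."""
    return [decide(det, env, forgers) for det, env in interceptions]


if __name__ == "__main__":
    # Constructed interceptions: (detection name, envelope sender).
    sample = [
        ("W32/ExampleWorm.A@mm", "alice@example.invalid"),  # known forger
        ("W32/NewMailer.D@mm", "bob@example.invalid"),      # unknown mailer
        ("W32/Parasite.E", "carol@example.invalid"),        # parasitic virus
        ("W32/Parasite.E", "<>"),                           # null sender
    ]
    for d in plan_notifications(sample, KNOWN_SENDER_FORGERS):
        print(f"{d.detection:22} sender={d.notify_sender!s:5} "
              f"recipient={d.notify_recipient!s:5} ({d.reason})")
```

The recipient decision depends only on the name suffix, so it is the same whether or not a forger list exists; the sender decision is the one that collapses to "never" when the filter has no way to tell a forged From: from a real one.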