Sobig.f proves why focusing on commercial spam is a mistake

One of the biggest mistakes being made on the anti-spam front by vendors, service providers, lawmakers, and lawyers is the focus they are placing on technological and legal solutions that attempt to define, in one-size-fits-all fashion, what spam is.

Many of these solutions start with the notion that spam is unsolicited commercial e-mail. They leave alone other types of unwanted e-mail --- worms, viruses, surveys, political messages, chain letters, etc ---- that are equally empowered to destroy the Internet's e-mail system.

Perhaps now, with the latest variant of the Sobig worm wreaking havoc on the Internet, these misguided anti-spam fighters will realize that defining spam is a waste of time. Tracing Sobig's footsteps and side effects, as I am about to do, shall reveal that focusing on any one type of unwanted e-mail leaves the Internet's e-mail system vulnerable to an irretrievable breakdown. The same industry-wide standards that could help in the battle against spam can also relieve the Internet's e-mail system of the life-threatening congestion caused by worms like Sobig.

We all have our own idea of what unwanted e-mail is and, more often than not, it starts with determining who originated the e-mail. Unfortunately, there is no way to reliably do this today because the part of an inbound e-mail that contains the originator's credentials is simple to forge.

To cover their tracks, senders of unwanted e-mail prey on this weakness --- the ability to "spoof" an e-mail header --- in the Internet's SMTP standards. Even worse, this weakness is often exploited to make an e-mail look to the recipient as though it's coming from someone they already know. This technique increases the likelihood that the unwanted e-mail will get opened by the recipient. .

To a recipient, the Sobig worm and a spammer look very much the same. They're both the source of a tremendous amount of unwanted e-mail. They both forge the originator's credential information to cover their tracks. They both flood the Net with unnecessary traffic. They're both a drain on the recipient's (or receiving organization's) time, money, and productivity. But where they differ is in their distribution. Whereas a spammer will often send transmissions from a single or small number of addresses, Sobig works like a Distributed Denial of Service (DDoS) attack. First, it finds vulnerable systems on the Internet and then, via its payload, it deputizes them into originating more worm-laden e-mail.

The result is very spam-like. An enormous amount of e-mail traversing the Internet, all bearing forged credentials that not only aren't traceable to the originators of the worm itself, but aren't even traceable to the deputized system. But it gets worse.

Another similarity between Sobig and a spammer is the way in which they impersonate an e-mail's source. Spammers cross-tabulate their databases to find the e-mail addresses of your co-workers, and then use that information to make the spam they send to you look as though its coming from those co-workers. Sobig is equally tenacious. According to ZDNet virus expert Robert Vamosi, "Sobig searches browser caches and stored files on an infected machine looking for e-mail addresses. Anyone who's read something by me in the last few days and that is infected by Sobig is now broadcasting copies of the worm in my name."

It's bad enough that Sobig, in DDoS fashion, is deputizing thousands of systems across the Internet to send Net-artery clogging traffic. But, since Sobig is a worm that most centralized e-mail scanners are capable of detecting, there's a double whammy on the congestion front. That's because when a centralized antivirus solution (like those run by many businesses) that's watching all inbound and outbound e-mail for worms and viruses detects a problem, it usually quarantines the e-mail (or the e-mail's payload) and notifies the originators, as a courtesy, that they've been identified as the source of a worm or virus.

Thanks to this "courtesy," my inbox has received over a thousand messages in the last few days informing me that I've been identified as a source of a worm or virus. These notifications have sent my personal productivity into a tailspin. The company-set storage limit on my inbox has been overrun, which has forced me to wade through and delete all of these messages. Despite being a fastidious practitioner of safe computing (I almost never open attachments) and having anti-virus technologies running on both my workstation and CNET's corporate e-mail servers, I worry that I've somehow become infected.

According to Vamosi, one way to confirm whether a system has been victimized by Sobig.f is to check the system's registry. But a check of the registry on my system indicates that I'm virus-free, which leaves only one option: Sobig.f is finding my e-mail address in the systems it has infected and is originating e-mail that impersonates me as the source. As a result, antivirus systems across the world are seeing my credentials on worm-laden e-mail and are responding by sending a warning to me.

In the bigger scheme of defining spam, not only was the original e-mail carrying the Sobig.f worm unwanted, but, for me, so too were the thousand-plus (and still counting) unjustified warnings that appeared in my inbox. If you extrapolate my situation to the millions of Internet users, the effects of all this unnecessary, unwanted e-mail on the Internet's arteries is obviously significant.

A lot of this congestion can be prevented. The same standards, if developed and widely embraced, that can help in the battle against spam could have stopped most if not all of the unjustified warnings that flooded the Internet, corporate e-mail systems, and many inboxes as a result of Sobig.f. For example, if anyone of those anti-virus systems was able to validate the originator's credentials on a Sobig.f-laden e-mail, most if not all of the unjustified warnings would never have been sent.

Likewise, two answers to the spam problem are to design systems that can optionally reject e-mails with invalid credentials (once a standard for such credentials is in place) and to pass laws that either prevent the sending of e-mails without credentials, or make it unlawful to tamper or falsify the credentials.

The ability to forge an e-mail originator's credentials and the lack of any ability on the receiving end to validate those credentials is one of the Internet email system's most lethal vulnerabilities. That's because it opens the Net up to life-threatening congestion, the ultimate source of which could be unsolicited commercial email or worms like Sobig. If you ask me, both are equally unwanted. This is why, instead of defining spam, the anti-spam bodies should focus on something much simpler: unwanted e-mail. Leave it up to the recipient to define what is and what isn't unwanted e-mail, and use a more fortified credential-standard as the starting point for giving those recipients the tools they need to separate the wheat from the chaff.

Creating standards for tamper-proof e-mail credentials and providing ways for systems to validate the originator's authenticity isn't nearly has hard as some would lead us to believe. For example, as DNS inventor Paul Mockapetris says, an existing specification called DNSSEC, if widely deployed, could provide the means for validating the source of an e-mail. Although the system isn't foolproof, it likely would have foiled a lot of the traffic that resulted from Sobig. Using the method he describes, most anti-virus systems could easily detect that the e-mails carrying the Sobig.f payload were not from who they said they were from.

So, what's standing in the way? Lack of cooperation. In order for a credential standard to work, it has to be widely adopted by many of the communities that have a vested interest in the ongoing health of the Internet's e-mail system. These communities are the Internet inbox providers, the Internet Service Providers, the e-mail client and server makers, anti-virus system vendors, anti-spam system vendors and so forth. But so far, that cooperation has been slow in coming. To date, the only framework that exists for this sort of industry-wide cooperation is one that I spearheaded earlier this year called JamSpam.

This is inexcusable, since the industry has shown that it's capable of working together. For example, as the Web services ecosystem continues to evolve, it needs dozens of new interoperable standards to prop it up. Vendors with a commercial interest in its success (many of whom are the same vendors with a stake in the spam problem) are working together at unprecedented levels to set Web services standards at a record-setting pace. Meanwhile, in the world of spam, the silence is deafening. Instead of working together, most companies are working unilaterally or, rarely, in small alliances.

Who do I blame for not doing enough? America OnLine, Microsoft, Yahoo!, Earthlink, Verisign, Sun, and IBM all attended the JamSpam meetings. If those seven companies banded together and put just one-fourth the effort into spam that has so far been poured into Web services, the rest of the industry would follow and we'd be well on the way to a major curtailment of unwanted e-mail.

While I can continue to write about this travesty, it's beholden upon you, as customers of these companies, to influence their policies with your dollars. Hold your solution providers accountable. If they're not committed to solving this problem in conjunction with the rest of the industry, let them know you're not prepared to commit to them until they do. After all, not a day passes where some solution provider doesn't tell me "the reason we did xyz is because our customers asked for it."

If enough of you ask for it, and use your checkbooks as leverage, some big guy at the top will get the message. Then, and only then, will mountains start to move.

Were your e-mail servers slammed by faulty warnings from Sobig? Are you sick and tired of unwanted e-mail and the inability of the industry to get something done? Voice your frustrations with your fellow readers using ZDNet's TalkBack. Or write to me at david.berlind@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.