dacs.doc electric


Spam, Email, Sobig.f, Worms and
Creatures That Go Bump in the Night

by John Heckman


The recent massive infestation of the Sobig.f worm, with the promise of many more to come, renews the question of how to deal with spam, viruses, worms and the like. Since I have a public web site and contribute to various listservs, I was getting over 200 Sobig messages a day. I'm sure a few genuine messages were lost to my increasingly automatic use of the delete key.

What is the best way to deal with something that is at best an annoyance and at worst can destroy your PC? First, it is important to understand how this particular worm worked (and, because it was so massively successful, future ones will no doubt do the same).

It had two characteristics that set it apart from previous worms. First, it not only mailed itself to everyone in your address book; it also scoured your hard drive for other email addresses (for example, in cached Web pages and temporary Internet files). Second, it spoofed the "From" address, frequently using the address of someone else in your address book. Thus, if someone received a copy of the virus ostensibly from me, heckman@heckmanco.com, it could actually have come from anyone who had me in their address book, or even in some temporary Internet file that had never been cleaned out. The "From" line is just text written by the sending machine; nothing in ordinary email checks it against where the message really came from.

While this magnified the spread of the worm, the bottom line is still that it spread because people have not yet learned never to open attachments they are not expecting. Fortunately Sobig.f had a built-in expiration date (Sept. 10, 2003), after which it stopped spreading.

So how do you deal with spam and various viruses/worms?

It is often said that you should never try to have yourself removed from a list, because a removal request only confirms to the spammer that your address is valid and read. However, this advice needs some modification. Roughly speaking, spam can be broken down into three categories: actual porn; "sex pills" that offer to enlarge various body parts that you may or may not have; and commercial spam (mortgages, car loans, merchandise, etc.) from more or less legitimate merchandisers. For the first two categories the old advice still holds: don't reply and don't click "remove."

Since legitimate merchandisers don't want to alienate potential customers, the chances are they will remove you from their lists. When I did this systematically, I found that my spam dropped by close to 50%. It does take a week or so of effort, and you have to keep at it because retailers routinely sell their lists to new spammers (Amazon.com does this all the time, for example). I also kept my "ask whether to accept cookies" setting turned on: why would anyone who is deleting me from their list need to set a cookie? But unsubscribing from the legitimate senders does have an effect.

There is also a variety of anti-spam software on the market, which typically combines some or all of four elements: white lists (accept any email from Jones); black lists (reject any email from Jones); rules (reject anything with "Viagra" in the subject line); and Bayesian filters.

White lists are necessary, although, because Sobig.f forged the "From" address, a white list will happily pass worm mailings that appear to come from the people on it: the list trusts a header the sender controls. Black lists and rules are a losing battle because spammers keep changing their addresses and subject lines and vary spellings so that fixed rules never match (how many variations on "Viagra" have you seen?). Therefore the key to an effective anti-spam program is a Bayesian filter.

A Bayesian filter does a statistical analysis of the mail you have accepted and the mail you have rejected, learns which words show up in each, and assigns every new message a probability of being junk (for example, "60% likely junk"); anything above a threshold you choose is treated as spam. It keeps learning as you classify more email. This is by far the most effective and elegant way to combat spam. The best program I have found for Outlook is "junk-out" (see www.junk-out.com or www.wopr.com), although there are a number of others on the market. It moves suspected spam to a folder called "Junk" where you can inspect and delete it. This usually takes me only a few seconds every morning.
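To make the four elements concrete, here is a small added example (my own illustration, not code from this article and not the junk-out product): a white list, a black list, a fixed subject rule, and a teaching-grade Bayesian filter of the kind Paul Graham described, trained on a handful of constructed spam and wanted messages. The addresses, messages and the 0.9 junk threshold are all assumptions made for the example. It shows the two failure modes discussed above: the "hey" rule throws away a wanted message while the Bayesian score keeps it, the rule misses "v1agra" while the filter catches it, and a white-listed "From" address bypasses the filter entirely.

```python
"""Added example, not code from the article: the four anti-spam elements with a
Graham-style naive Bayes filter doing the real work. All messages and addresses
below are constructed for the example."""
import math
import re
from collections import Counter

# Constructed training corpus: spam and ham (wanted mail) samples.
SPAM_TRAINING = [
    "cheap viagra pills online order now",
    "v1agra v-i-a-g-r-a buy cheap pills today",
    "low mortgage rates refinance now apply online",
    "hey check out these pills cheap",
]
HAM_TRAINING = [
    "hi john, see you at the dacs meeting thursday",
    "hey, hurricane isabel update: meeting moved to friday",
    "the software integration for the law firm is on schedule",
    "thanks for the article on worms, see you thursday",
]

WHITELIST = {"brother@example.com"}      # hypothetical: always accept
BLACKLIST = {"deals@spam.example"}       # hypothetical: always reject
SUBJECT_RULES = ("viagra", "hey")        # the fixed-string rules the article warns about


def tokenize(text):
    """Lower-case word tokens; digits and hyphens are kept so 'v1agra' is its own token."""
    return set(re.findall(r"[a-z0-9$'-]+", text.lower()))


def rule_reject(subject):
    """Static rule: reject if any rule string appears anywhere in the subject."""
    s = subject.lower()
    return any(rule in s for rule in SUBJECT_RULES)


class BayesianFilter:
    """Per-token spam probabilities learned from examples, combined by Bayes' rule."""

    def __init__(self):
        self.spam_docs = Counter()   # token -> number of spam messages containing it
        self.ham_docs = Counter()    # token -> number of ham messages containing it
        self.nspam = 0
        self.nham = 0

    def train(self, text, is_spam):
        (self.spam_docs if is_spam else self.ham_docs).update(tokenize(text))
        if is_spam:
            self.nspam += 1
        else:
            self.nham += 1

    def token_probability(self, token):
        """P(spam | token). Ham counts are doubled (Graham's bias against false
        positives); unseen tokens are neutral (0.4); result clamped to [0.01, 0.99]."""
        if self.nspam == 0 or self.nham == 0:
            return 0.4
        b = min(1.0, self.spam_docs[token] / self.nspam)
        g = min(1.0, 2 * self.ham_docs[token] / self.nham)
        if b + g == 0:
            return 0.4
        return min(0.99, max(0.01, b / (b + g)))

    def score(self, text, top_n=15):
        """Combine the top_n most decisive token probabilities in log-odds form.
        Same result as prod(p) / (prod(p) + prod(1-p)), without floating underflow."""
        probs = sorted((self.token_probability(t) for t in tokenize(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)[:top_n]
        log_odds = sum(math.log(p) - math.log(1 - p) for p in probs)
        return 1 / (1 + math.exp(-log_odds))


def build_filter():
    f = BayesianFilter()
    for msg in SPAM_TRAINING:
        f.train(msg, is_spam=True)
    for msg in HAM_TRAINING:
        f.train(msg, is_spam=False)
    return f


def classify(sender, subject, body, spam_filter, threshold=0.9):
    """White list, then black list, then Bayesian score. Returns 'inbox' or 'junk'.
    The white list is checked first, so a worm that forges a white-listed From
    address (as Sobig.f did) is never scored at all."""
    if sender in WHITELIST:
        return "inbox"
    if sender in BLACKLIST:
        return "junk"
    return "junk" if spam_filter.score(subject + " " + body) >= threshold else "inbox"


if __name__ == "__main__":
    f = build_filter()
    print("rule rejects brother's mail:", rule_reject("Hey, hurricane update"))
    print("bayes score of brother's mail:", round(f.score("hey, hurricane update for thursday"), 4))
    print("rule rejects misspelling:", rule_reject("v1agra cheap pills"))
    print("bayes score of misspelling:", round(f.score("v1agra cheap pills"), 4))
    print("spoofed white-listed sender:", classify("brother@example.com", "hey cheap pills online", "", f))
```

The filter keys on how often a token appears in spam versus wanted mail, so a new spelling the spammer invents is simply neutral until you mark a few such messages as junk; after that it counts against them, which is what makes the approach keep working where fixed rules do not. The last line of the demonstration is the white-list caveat from the text in code form: the forged sender short-circuits everything.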

Other approaches, such as challenge-response (the first time you get an email from someone, a reply is sent asking them to confirm; only when the confirmation arrives does your system let the email through), tend to have serious drawbacks. Challenge-response systems, for example, wreak havoc with listservs and with automated mail you may actually want, since nothing on the other end will answer the challenge, and because worms like Sobig.f forge the sender, many of the challenges go to people who never wrote to you.

The general problem with all approaches is false positives, i.e., mail you actually want that is rejected as spam (spam that slips through is the less painful false negative). For example, a lot of spam has "Hi" or "Hey" in the subject line. If you have a rule rejecting such email, then mail from actual friends that starts "Hi" will also be rejected. This is a problem with many corporate email filters: they are locked down so tight that wanted email does not get through. For example, a client of mine recently made an on-line airline reservation, but the corporate spam filter blocked the confirmation since it was from an "unknown" source.

You have to decide where your tolerance level for spam falls. Briefly reviewing the subject lines in the junk folder catches false positives (for example, I almost routinely deleted a message from my brother about "Isabelle", the hurricane, because it seemed like it might be porn), but it does take more of your time.

Finally, the success of recent viruses and worms only reinforces the basic anti-virus rules:

  1. Have anti-virus software and keep it up to date.
  2. Keep file extensions visible (Windows hides "known" extensions by default, so a worm named something like invoice.txt.exe is shown as invoice.txt) and never open anything with a program-type extension such as *.exe, *.com, *.vbs, etc.
  3. Never open an attachment you are not expecting, even if it "seems" to come from someone you know; as Sobig.f showed, the sender's name proves nothing.
  4. Turn the preview pane OFF in Outlook (with it on, selecting a message automatically "opens" it in the preview pane, which violates rule 3).
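Rule 2 is easier to follow once you see what the hidden-extension setting actually does to a file name. The following is an added example of my own, not code from the article: it models how Explorer and Outlook display a name when "Hide extensions for known file types" is on, and flags attachments whose real extension is executable. The extension lists are assumptions made for the example; Windows' own list of known types is much longer.

```python
"""Added example, not code from the article: why keeping extensions visible
matters. With known extensions hidden, the last extension is dropped from the
displayed name, so photo.jpg.exe is shown as photo.jpg. Extension sets below are
assumed for the example, not taken from Windows."""
import os

# Extensions Windows runs as a program or script on double-click (assumed list).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse",
    ".wsf", ".wsh", ".hta", ".cpl", ".msi", ".reg", ".lnk",
}
# A few harmless document types, also "known" and therefore also hidden (assumed list).
DOCUMENT_EXTENSIONS = {".jpg", ".gif", ".txt", ".doc", ".pdf", ".zip"}
KNOWN_EXTENSIONS = EXECUTABLE_EXTENSIONS | DOCUMENT_EXTENSIONS


def real_extension(filename):
    """The extension Windows actually acts on. Trailing spaces and dots are
    ignored by the file system, so strip them before looking."""
    name = filename.rstrip(" .")
    return os.path.splitext(name)[1].lower()


def displayed_name(filename, hide_known=True):
    """The name as shown with 'Hide extensions for known file types' on (default)
    or off (hide_known=False)."""
    name = filename.rstrip(" .")
    base, ext = os.path.splitext(name)
    if hide_known and ext.lower() in KNOWN_EXTENSIONS:
        return base
    return name


def is_dangerous_attachment(filename):
    """True when the real (last) extension is one Windows will execute."""
    return real_extension(filename) in EXECUTABLE_EXTENSIONS


def looks_like_document(filename):
    """The classic disguise: the displayed name ends in a document extension
    while the real extension is executable."""
    shown_ext = os.path.splitext(displayed_name(filename))[1].lower()
    return is_dangerous_attachment(filename) and shown_ext in DOCUMENT_EXTENSIONS


if __name__ == "__main__":
    for name in ("photo.jpg.exe", "minutes.doc", "your_details.PIF", "notes.txt.exe "):
        print(f"{name!r:22} shown as {displayed_name(name)!r:14} "
              f"dangerous={is_dangerous_attachment(name)} disguised={looks_like_document(name)}")
```

The check is deliberately on the last extension only: a mail client or gateway that looks at what the name "ends with" after hiding extensions, or that matches case-sensitively, will wave through exactly the files rule 2 is about.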

John Heckman is the principal of Heckman Consulting in Old Saybrook, which does software consulting and integration for law firms.


© Copyright Danbury Area Computer Society, Inc. 1998-2003 All Rights Reserved