Fog Creek Software
Discussion Board




Stopping the virus idea

From what I read about this mydoom virus thing, it seems it

(a) Has its own SMTP engine
(b) Sends out lots of copies of itself via attachments using the engine
(c) The attachments are always the same size

It seems to me that it would be easy for big ISPs to radically slow down the virus spread, even without virus scanning every incoming email [and ISPs don't seem to want to do that]

- Make a log of incoming email by IP and attachment size (i.e. they aren't compromising the sender's or recipient's privacy, unless you consider logging mere attachment size to be such)

- If you get 2 or more emails from the same IP with the suspect-sized attachment, add that IP to a special block list.

- The block list means: block any incoming email from that IP if it contains an attachment of the suspect size.

- As the virus really blasts out email attachments, you only need to keep a log for the last 24 hours or so, as chances are any infected user will send multiple emails to your users within 24 hours.

If the major ISPs (AOL, Earthlink etc.) and email sites (Hotmail etc.) did this, it would seem to me that it would greatly reduce the virus spreading speed.  So, it doesn't wipe out the virus -- but it does mitigate the damage it will cause.

Of course, it's not an absolute solution, but (a) it's simple, (b) doesn't require virus scanning or logging every email, (c) it's fast / low CPU per email.

S. Tanna
Wednesday, January 28, 2004

And in about one day virus writers will start randomly varying the attachment size...

sgf
Wednesday, January 28, 2004

It's not perfect for all future scenarios, therefore do nothing now.

S. Tanna
Thursday, January 29, 2004

> doesn't require virus scanning or logging every email

Don't you think the virus scanners take into account the file size?

www.MarkTAW.com
Thursday, January 29, 2004

Presumably virus scanners do.

But presumably the ISPs don't do virus scanning on every email for some reason(s).

The only reasons I can think are cost or CPU type things. Perhaps it is too expensive in terms of resources to do a full virus scan on every email?

Just looking at the file size, as opposed to a full anti-virus scan, might reduce the cost to check each email???

S. Tanna
Thursday, January 29, 2004

So you're proposing a heuristic, or perhaps even Bayesian, antivirus solution:

1. Discover suspicious behaviour.
2. Create an Anti-Virus script that identifies that behaviour rather than comparing files to a list of known viruses.
3. Apply that behaviour to a real-world environment (i.e. e-mail servers).

A SpamBayes for viruses.

This is more complicated than SpamBayes because what's being looked for is a behaviour over time rather than on an incident-by-incident basis. On a high-traffic site you're talking about comparing each incoming e-mail to several thousand emails.

Though, I think it could be done. I don't know that it would be less processor intensive than an antivirus, but it could run on a secondary computer that just monitors the main mail server and doesn't actually process any mail.

The upside would be it could (potentially) recognize a threat before the antivirus companies could update their definitions.

The downside would be that if you get a false-positive, you could be keeping important and real mail in a holding area (which is why spam filtering happens on the client rather than the server).

A possible alternative:

A plugin to your mail client that compares your e-mail to all e-mail in your company / in the public and looks for patterns. It also blocks traffic on traditional SMTP lines, preventing your computer from launching a server and e-mailing others.

It quarantines possible viruses the same way spambayes does junk mail, and puts a letter in your inbox alerting you to the fact that it's done so.

www.MarkTAW.com
Thursday, January 29, 2004

Like I really want some halfwit at my ISP blocking my mail. There's enough of that shit going on already.


Thursday, January 29, 2004

Looking at the content of an email is much more expensive in CPU than just looking at the information on the 'envelope' and passing it on to another mailserver.  The amount of overhead for an MTA could be huge, especially if you want to keep a large cache of this kind of information.

I would not like my ISP to decide for me whether I'm allowed to send the same email three different times to three different people in a short time.  The main problem is that there are no fixed clear-cut criteria for deciding if an email contains a virus or worm.

Jeroen
Thursday, January 29, 2004

> I would not like my ISP to decide for me whether I'm allowed to send the same email three different times to three different people in a short time. 

I'm making a suggestion narrower than that

The same size attachment, not the same email

I'm also not even suggesting it as a blanket approach on all future emails, just the ones suspected of having Mydoom. -i.e. right length attachment to be that

Does it prevent all future viruses? No.  Does it reduce the amount of damage that this particular virus does (which presumably is going to run into billions)? I think it would

You could make it slightly wider than mydoom

If 1% (or whatever) of ALL incoming emails have an attachment of size exactly X bytes (e.g. 22,134 bytes), then X-byte attachments are in the "suspicious category" for potential blocking, according to the rule I suggested in my first post.

S. Tanna
Thursday, January 29, 2004
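The scheme S. Tanna lays out in the first post (log sender IP and attachment size for 24 hours, block repeat senders at the suspect size) and the "1% of all attachments" generalisation in the post above, as an added worked example. This is illustration code written for this page, not anything from the thread or from any ISP's mail system. The 22,134-byte figure is taken from the post as a stand-in for the worm's size; the 14,000-byte second size, the IP addresses, the traffic mix and the `min_sample` guard (which stops the 1% rule firing on a handful of mails) are all constructed assumptions.

```python
"""Envelope-only worm throttle: log (time, sender IP, attachment size),
flag sizes that are over-represented, and refuse repeat senders at those
sizes.  Added illustration for the thread, not code from any real MTA."""
from collections import Counter, deque
from datetime import datetime, timedelta


class AttachmentMonitor:
    """Rolling window of envelope facts; answers 'accept' or 'block'.

    known_suspect: sizes an operator already knows to be bad (the current
    worm's attachment size).  share: fraction of logged attachments at one
    exact size that makes that size suspect (the thread's "1%" rule).
    repeats: mails from one IP at a suspect size before that IP is blocked
    for that size.  min_sample is an assumed safeguard, not in the post.
    """

    def __init__(self, known_suspect=(), share=0.01, repeats=2,
                 window=timedelta(hours=24), min_sample=100):
        self.known_suspect = set(known_suspect)
        self.share, self.repeats = share, repeats
        self.window, self.min_sample = window, min_sample
        self.log = deque()               # (timestamp, ip, size), oldest first
        self.size_counts = Counter()     # size -> mails in window
        self.ip_size_counts = Counter()  # (ip, size) -> mails in window

    def _expire(self, now):
        """Drop entries older than the window; blocks lapse with them."""
        while self.log and now - self.log[0][0] > self.window:
            _, ip, size = self.log.popleft()
            self.size_counts[size] -= 1
            self.ip_size_counts[(ip, size)] -= 1
            if self.size_counts[size] == 0:
                del self.size_counts[size]
            if self.ip_size_counts[(ip, size)] == 0:
                del self.ip_size_counts[(ip, size)]

    def suspect_sizes(self):
        """Known-bad sizes plus any size making up >= share of the window."""
        sizes = set(self.known_suspect)
        total = len(self.log)
        if total >= self.min_sample:
            sizes.update(s for s, n in self.size_counts.items()
                         if n / total >= self.share)
        return sizes

    def observe(self, ts, ip, size):
        """Record one mail; only sender IP and size are consulted, never
        the body, which is the whole point of the cheap check."""
        self._expire(ts)
        self.log.append((ts, ip, size))
        self.size_counts[size] += 1
        self.ip_size_counts[(ip, size)] += 1
        if (size in self.suspect_sizes()
                and self.ip_size_counts[(ip, size)] >= self.repeats):
            return "block"
        return "accept"


def run_demo():
    """Replay a constructed envelope log (not real traffic) and return the
    decision at each labelled step."""
    t0 = datetime(2004, 1, 28, 9, 0)
    m = AttachmentMonitor(known_suspect={22134})
    out = {}
    # A legitimate sender whose file happens to be exactly the worm size.
    out["legit_once"] = m.observe(t0, "203.0.113.5", 22134)
    # An infected host blasting copies: the first slips through, every
    # further copy from that IP at that size within the window is refused.
    out["worm_1"] = m.observe(t0 + timedelta(minutes=1), "198.51.100.7", 22134)
    out["worm_2"] = m.observe(t0 + timedelta(minutes=2), "198.51.100.7", 22134)
    out["worm_3"] = m.observe(t0 + timedelta(minutes=3), "198.51.100.7", 22134)
    # Same host, different size: the rule keys on (IP, size), not IP alone.
    out["worm_other_size"] = m.observe(t0 + timedelta(minutes=4),
                                       "198.51.100.7", 8192)
    # Background traffic of varied sizes, then an unknown worm at 14000
    # bytes from four hosts: 4 of ~209 mails (>1%) make 14000 suspect.
    for i in range(200):
        m.observe(t0 + timedelta(minutes=5 + i), f"192.0.2.{i % 50}", 1000 + 37 * i)
    for i in range(4):
        m.observe(t0 + timedelta(hours=5, minutes=i), f"198.51.100.{10 + i}", 14000)
    out["size_14000_suspect"] = 14000 in m.suspect_sizes()
    out["new_worm_repeat"] = m.observe(t0 + timedelta(hours=5, minutes=10),
                                       "198.51.100.10", 14000)
    # Once the window has lapsed the counts are gone, so the block expires.
    out["worm_after_window"] = m.observe(t0 + timedelta(hours=30),
                                         "198.51.100.7", 22134)
    return out


if __name__ == "__main__":
    for step, decision in run_demo().items():
        print(f"{step:20} {decision}")
```

Two design choices worth noting. Blocks are not stored separately; they fall out of the rolling counts, so an IP is unblocked automatically once its entries age out of the 24-hour window, exactly as the original post suggests. And the share rule makes a size suspect purely by frequency, so a large legitimate mailing of one attachment to many users from one server (the case MarkTAW raises below) would also trip it once that size crosses the threshold and the sender repeats.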

And when the president of the corporation sends PPT slides of his latest presentation to all of his employees only to find it's been blocked?

www.MarkTAW.com
Thursday, January 29, 2004

He's fairly unlikely to be doing that to AOL users

And it's rather unlikely the presentation will be *exactly* the same size as mydoom (the specific case I started on),

or exactly the same size as 1% of all email attachments received by all AOL users (the more general case) in the last week or whatever

S. Tanna
Thursday, January 29, 2004

> Does it prevent all future viruses? No.  Does it reduce the amount of damage that this particular virus does (which presumably is going to run into billions)? I think it would

My personal opinion is that there is much more to virus control than technological measures like these. I mean, running an SMTP server on the usual port requires root access under Unix, something that will prevent a normal user from spreading all this. My personal opinion is that Microsoft should take more precautions in its OS and applications to make this impossible, not just harder.

I know this is just wishful thinking, but the Internet is moaning and groaning under the amount of traffic this little critter generates.

I think your idea is not a good one, since it will set arbitrary limits on what people can do with email. If the current Windows virus of the day sends out attachments of 8 KB, you want to prohibit the sending of emails with attachments of 8 KB? What about the next virus that will have a payload of 14 KB?

Don't forget that even today Blaster is still sending out its packets, Sobig rears its head now and then, and even Melissa is not totally gone from the net. Blocking every virus attachment size so far will probably only allow attachments > 100 KB.

Jeroen
Friday, January 30, 2004
