Re: Why can't ISPs stop spam/virus ?!
Date: 09/22/03

Date: 22 Sep 2003 09:26:43 GMT

> Oops! was seen spray-painting on a wall:
> > Am I unreasonable to give my ISP 2 days to fix my spam/virus email
> > of > 10Mb/hr ?
Christopher Browne <> wrote:
> When there's a weekend in the way, yes.
> The _good_ staff programmers won't be interested in working the odd
> hours.
Perhaps, but some rightly describe this as a WAR!
Do they wait for the holidays to finish before they call in the _good_
firemen?

> > Why can't they route my (and other reporting victims) mail, through
> > a filter . There are several possible criteria for such a filter
> > (if the ISP can't see then I can provide the filtering parameters)
> > which would remove most of the recent disastrous spam/virus which
> > fills up our mailboxes in one hour, and blocks most valid posts.
> It turns out that the "possible criteria" aren't actually all that
> simple, not to do it _right_, anyways.
Apparently you're not aware of this (IMO starting on 18 Sept)
worm/virus/spam wave? My latest 10 loads of on average 100 mails
each (fills my 10Mb quota) would be effectively filtered by the following:
   90% > 80Mb size
   60% has no 'Subject' or 'sender' in the header (which my dir shows)
   30% has "icrosoft" in the 'subject'
   10% I can supply a header attribute to the filter.
IMO this gives a very good 'kill-rate'. Much better than most treatments
in the medical profession.
> The much-loved "SpamAssassin" was letting most of them through, and
> some fairly smart people have worked on that one. ISP staff that are
> lucky if they know how to deal with all the hardware they bought
> aren't likely to do as well.

I don't doubt that a small load of well designed spam can pass through.
This latest wave doesn't fit that description.

Jem Berkes <jem@users.pc9.EXTRA_org>
> My University uses Trend antivirus to scan incoming mail, and I've
> never seen a worm slip through.

Correct. Obviously attachments are easily identifiable.

> On my home server I use my own 'renattach' software which can kill
> incoming mail with 'banned' attachment filenames; unfortunately testing
> is still underway and this hasn't been released yet. It will be available
> under the GNU GPL hopefully within a month.

Not a moment too soon.
But the viri/worm/spam must be killed before it gets to (and fills up)
the recipient's mailbox.
In fact traps could be set out on the 'route' for:
    specified destination with trap criteria given by recipient.
Grant Edwards wrote:
> Decent ISPs have filters available. Mine runs stuff through
> Postini first, then provides procmail/SpamAssassin for use as a
> second stage. You need to get a decent ISP.
Yes, I just wanted to confirm before I fire my present ISP.
I could tolerate the standard spam, but this is a war, and I need
more advanced weapons. My hit rate is about 100/hr, but
some newsgroups talk about receiving 3000/hr!!

Paul Lutus (perhaps justifiably) ranted:
> Apart from the fact that all your suggestions are naive nonsense, there are
> some issues here you (and most people) do not understand. It has to do with
> the connection between virus writers and spammers.
Do you realise that you are a top-poster, in that you answer my
question(s) before they are asked?

> In the early days of spam, spammers would --[snip historical
description; useful/essential reading for those who don't know]--

> Here is a list of reasons spam cannot be stopped:
> 1. The method of distribution is now thousands of Windows computers,
> everywhere in the world, that are sending spam without the knowledge or
> consent of their owners. Result? You cannot filter by place of origin.
Yes. That's why I suggest that 'traps on the route' -- with AI methods
of 'moving' them closer to the origin will evolve.

> 2. The content is constantly varying, to avoid filtering methods. Result?
> You cannot filter by content.
IMHO virii/worms have easily identifiable contents?
For recipients who reject attachments from unauthorised senders ....

> Because of the above points, you cannot stop spam, you cannot easily trace
> it, and if someone goes to the trouble to locate a particular spamming
> computer, it is *by* *design* a single, expendable cell in a worldwide
> distributed network of the smallest possible cells -- end-user computers
> running Windows.
Yes. But I'm talking about virii/worms, not old-fashioned spam.

> Now think. What do Al Quaida and spammers have in common? Simple -- Al
> Quaida relies on small, distributed cells of undercover loyal operatives,
> ready to act when they receive a prearranged signal. In the same way, the
> computers taken over by the new crop of viruses and worms are the computer
> equivalent of terrorist cells and operatives -- they are hidden but deadly,
> and they await a signal to begin spamming. The computers are the
> footsoldiers of cyber-terrorists: the virus writers and spammers.
> The new virus programs have a huge internal list of Internet addresses they
> regularly poll for a message. The list is long obviously to make it more
> difficult to shut down all the sending sites, and perhaps to disguise the
> true trigger addresses. In the same way, an Al Quaida operative will have a
> phone book with a long list of phone numbers -- I mean, assuming the
> operative doesn't use encrypted e-mails for communication with his
> controllers.
> Make no mistake. In both cases, for both the concealed Al Quaida operative
> and the infected computer, we are talking about terrorist cells.
> According to a story I read yesterday, on Friday afternoon a teacher in a
> large public school in the southern US received one of the spam/virus
> e-mails disguised to seem to be a security alert from Microsoft, and,
> impressed by the thoughtfulness of MS, gratefully clicked the attachment.
> Fifteen minutes later the school was closed and the staff were gone for the
> weekend. It turns out the school's machines have fulltime, fast Internet
> access. This combination of factors has made the school a primary
> distribution center for the virus, issuing tens of thousands of copies per
> hour (using the large address books teachers are famous for compiling). Did
> I add that no one seems to have a key to the building?
> Now, let's return to the first line in your message:

> > Am I unreasonable to give my ISP 2 days to fix my spam/virus email
> > of 10Mb/hr ?
> Don't you understand this is not a nuisance, it is a war? It will not stop
> until the spammers begin to take heavy casualties.
> Wake up and smell the cappuccino. Once there is a death penalty for spammers
> and virus writers, the problem will begin to abate, *BUT* *NOT* *BEFORE*.
> Go ahead and laugh. Then start counting the days until such a seemingly
> ludicrous, off-the-wall suggestion begins to seem reasonable.
> As I write this, over half of the Internet's bandwidth is taken up
> distributing either viruses or spam messages. And in the new twist
> described here, once they take over some hapless user's machine, the
> viruses are designed to emit spam as well as copies of themselves.
OK; do you remember the days of the common aircraft hijacks?
BTW the dynamics are identical to those of e.g. foot-and-mouth
disease in livestock. And if those affected act like they did with
SARS (rather than like those affected act for HIV) it can be
Paul Lutus wrote:
> > Problem 1: desperate spammers. Problem 2: desperate programmers. Are you
> > getting this? They've formed an alliance and are now creating virii and
> > worms of unprecedented sophistication. The purpose? To take over as many
> > *individual* Windows machines as possible, where they silently await a
> > signal to begin spamming. The present crop of virii and worms are written
> > very cleverly and are regularly updated to evade the filtering methods used
> > by the anti-virus companies. This means that existing virus filtering
> > methods *cannot* *possibly* *succeed*.

Ed Murphy wrote:
> But in the particular case of e-mail-borne viruses, don't the vast
> majority of the payloads still consist of attachments whose filename
> ends in .EXE, etc.? You can filter on *that*. I do, as of yesterday
> (when Swen finally pushed me to figure out fetchmail/procmail). Good
> ISPs should, or should offer options along those lines.
> > That takes care of the origin of the messages -- for all practical purposes
> > there isn't one that can be identified and controlled. As to the content of
> > spam messages including reply addressed and place of origin, it is trivial
> > to vary the language in an e-mail so that existing e-mail filtering methods
> > *cannot* *possibly* *succeed*.
> The content needs to include the message that the spammer wants to get
> across, in some sort of human-readable form, so that places some limits
> on how much it can vary. The actual variance is a lot smaller than it
> probably could be, presumably because spammers believe that most people
> (especially their target market) are too stupid to filter effectively.
That's right, and like for medical, you don't need a 100% kill rate to be

> How would this stack up against Bayesian filtering? I can envision a
> particularly sharp ISP offering to do it for the user: "Forward your
> spam e-mails to, and our SmartSystem will automagically
> figure out how to identify and suppress future spam, based on the type of
> spam that *you* have been receiving! (You can review the suppressed
> messages at - if a legitimate
> message is mistakenly identified as spam, then just click on it, and it
> will appear in your mailbox as normal. Messages stored here are deleted
> after X days.)"
This sounds good, except it is a 'network problem' (not just individual ISPs)
and will need to be handled at the network level.

> Then again, between the people computer-literate enough to do their own
> reasonably effective filtering, and the people computer-illiterate enough
> to either (a) get by with no filtering at all or (b) accept whatever
> filtering their ISP offers without asking questions, how much of a middle
> ground is there?
It's not good enough to be able to filter once it's in your mailbox.
In my case, and for many other victims, the mailbox is disabled by overflow!!

== Chris Glur.
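The thread argues over whether the simple criteria the poster lists (message size, missing 'Subject' or sender header, "icrosoft" in the subject) plus the attachment-filename rule Ed Murphy and Jem Berkes describe would catch a mass-mailing worm wave before it fills a mailbox. The script below is an added example, not code from the post or from the 'renattach' tool; it implements that rule set as a small header-and-attachment trap over constructed sample messages. The size threshold, banned-extension list, the choice of `From` as the "sender" header and every sample message are assumptions made for the example.

```python
"""Rule-based mail trap modelled on the criteria discussed in the thread.

Hypothetical example: the thresholds, banned-extension list and sample
messages are constructed for illustration; only the "icrosoft" token and the
idea of filtering on header presence and attachment filename come from the post.
"""
import os
from email import message_from_string
from email.message import Message

MAX_SIZE_BYTES = 80 * 1024            # assumed oversize threshold (80 KiB)
SUBJECT_TOKEN = "icrosoft"            # substring named in the post's third criterion
BANNED_EXTENSIONS = {".exe", ".pif", ".scr", ".bat", ".com"}  # assumed list


def attachment_names(msg: Message):
    """Yield the filename of every part that carries one (multipart-aware)."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def classify(raw: str) -> list[str]:
    """Return the names of the rules that fire for one raw RFC 822 message.

    Rules are evaluated in a fixed order; an empty list means the message
    passes the trap and should be delivered.
    """
    msg = message_from_string(raw)
    hits = []
    if len(raw.encode("utf-8")) > MAX_SIZE_BYTES:
        hits.append("oversize")
    # "no 'Subject' or 'sender' in the header": From stands in for sender here
    if not msg.get("Subject") or not msg.get("From"):
        hits.append("missing-header")
    if SUBJECT_TOKEN in (msg.get("Subject") or ""):
        hits.append("subject-token")
    # Attachment filename rule (the .EXE criterion from the thread)
    for name in attachment_names(msg):
        if os.path.splitext(name)[1].lower() in BANNED_EXTENSIONS:
            hits.append("banned-attachment")
            break
    return hits


def triage(messages: dict[str, str]) -> dict[str, list[str]]:
    """Classify a batch of messages; the caller decides whether to drop or quarantine."""
    return {name: classify(raw) for name, raw in messages.items()}


# Constructed sample messages (not real mail).
LEGIT = """From: alice@example.invalid
To: bob@example.invalid
Subject: Meeting on Thursday

See you at 10."""

FAKE_UPDATE = """From: Security Center <update@example.invalid>
To: bob@example.invalid
Subject: Latest Microsoft Security Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Install the attached patch.
--XYZ
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"
Content-Transfer-Encoding: base64

QUJD
--XYZ--"""

NO_HEADERS = """To: bob@example.invalid

(body with neither Subject nor From)"""

OVERSIZE = "From: x@example.invalid\nSubject: big\n\n" + ("A" * 100 * 1024)

SAMPLES = {"legit": LEGIT, "fake-update": FAKE_UPDATE,
           "no-headers": NO_HEADERS, "oversize": OVERSIZE}

if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        print(f"{name:12s} -> {'deliver' if not hits else ', '.join(hits)}")
```

Each rule is cheap enough to run on a mail relay before the message reaches a quota-limited mailbox, which is the poster's point; the trade-off is that the "missing-header" and size rules will also catch some legitimate mail, so a quarantine (as Ed Murphy's hypothetical ISP offers) is safer than deleting outright.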