Friday, August 22, 2003

Sobig, Spam, and the Demise of Email ... but there is a fix.

BBC NEWS | Technology | Sobig is biggest virus of all

The debut of Sobig (see my early encounter) may come to be acknowledged as the day the original Internet email model (SMTP) died.

I'm having trouble contacting business partners because of network disruptions from Sobig and other (seemingly) unrelated viruses. It turns out a large percentage of Chinese PCs run without patches or virus protection; many of them are now infected and are pumping out Sobig emails. Many will never get patched. [1]

Supposedly the Sobig distributed SMTP server will start pumping out spam this weekend. If that really happens, based on what we're seeing now, this will be a historic episode. Network effects may bring down both a large part of the North American electrical grid AND the Internet itself.

The sad thing is there's a simple and affordable technical fix for spam. It's a bit subtle in how it works, but I believe over time it would take care of the problem. Essentially it's filtering of variable strength, applied by the receiving mail service (the server behind the user's IMAP or POP mailbox) based on the reputation [2] of the sending service (the SMTP server that handed the message over), with optional user preferences.

I think 3 to 5 levels of filtering would do the trick. Messages from an authenticated sending service with a good reputation (low spam output) would not be filtered at all; no messages would get deleted. Today most legitimate corporations and some ISPs fall into that category.

Messages from an average-reputation sending service (many ISPs, most academic servers, etc) would experience fairly severe filtering; some valid messages would be erroneously deleted. Filtering does that, sorry. If you think filtering is perfect, you don't understand positive predictive value: any filter that deletes spam also deletes some legitimate mail, and the cleaner the stream, the larger the share of what it flags that is legitimate. Little or no spam and no Sobig messages would get through.

Messages from a poor-reputation sending service, or from a sending service with no reputation at all (that includes all the Sobig messages; Sobig is its own sending service) would experience severe filtering. A lot of valid messages would be deleted. No spam and no Sobig messages would get through.

There are several optional variations on this approach. Advanced users could set their own preferences for how different sending services are handled, or implement filters on their own mail clients. Digitally signed email might be handled differently; this is how legitimate marketers could reach people who WANTED marketing material.
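As an added illustration of the scheme (this is not code from the post), here is a small Python policy engine for the tiers and variations described above: a sending service's reputation is modelled as the spam rate the receiver has observed in its recent traffic, authentication gates whether a reputation applies at all, each tier maps to a threshold on a content-filter spam score, user preferences can override those thresholds, and a digital signature from a signer the user trusts bypasses the reputation filter. The tier cut-offs, thresholds, service names, spam scores and messages are all constructed assumptions, not figures from the post.

```python
"""Tiered mail filtering keyed on the reputation of the sending service.
Added illustration, not the post's own code. The content filter that scores
each message is assumed to exist; its verdict is a number in [0, 1]."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Optional, Tuple


class Tier(Enum):
    GOOD = "first class"      # authenticated, low spam output: nothing filtered
    AVERAGE = "second class"  # authenticated, middling output: heavy filtering
    POOR = "third class"      # bad, unknown or unauthenticated sender: severe


@dataclass
class SendingService:
    name: str
    authenticated: bool   # identity verified; the mechanism is out of scope here
    messages_seen: int    # recent volume observed by the receiving service
    spam_seen: int        # how many of those the receiver judged to be spam

    def spam_rate(self) -> float:
        # A service with no observed traffic gets the worst possible rate.
        if self.messages_seen == 0:
            return 1.0
        return self.spam_seen / self.messages_seen


@dataclass
class Message:
    sender_service: Optional[str]    # None when the sender never identified itself
    spam_score: float                # assumed content-filter verdict, 0 = ham, 1 = spam
    signed_by: Optional[str] = None  # identity behind a digital signature, if any


# Per-tier threshold on the content score; None means "do not filter at all".
# The threshold values are assumptions chosen for this illustration.
DEFAULT_THRESHOLDS: Dict[Tier, Optional[float]] = {
    Tier.GOOD: None,
    Tier.AVERAGE: 0.5,
    Tier.POOR: 0.2,
}


def classify(service: Optional[SendingService],
             good_max: float = 0.02, average_max: float = 0.20) -> Tier:
    """Map a sending service to a tier. The cut-offs are assumed values."""
    if service is None or not service.authenticated:
        return Tier.POOR  # no authentication, no reputation
    rate = service.spam_rate()
    if rate <= good_max:
        return Tier.GOOD
    if rate <= average_max:
        return Tier.AVERAGE
    return Tier.POOR


def decide(msg: Message, registry: Dict[str, SendingService],
           user_thresholds: Optional[Dict[Tier, Optional[float]]] = None,
           trusted_signers: Iterable[str] = ()) -> Tuple[str, Tier]:
    """Return ("deliver" | "delete", tier). User preferences override the
    defaults; mail signed by a signer the user trusts skips reputation filtering."""
    if msg.signed_by is not None and msg.signed_by in set(trusted_signers):
        return "deliver", Tier.GOOD
    thresholds = dict(DEFAULT_THRESHOLDS)
    if user_thresholds:
        thresholds.update(user_thresholds)
    service = registry.get(msg.sender_service) if msg.sender_service else None
    tier = classify(service)
    limit = thresholds[tier]
    if limit is None or msg.spam_score < limit:
        return "deliver", tier
    return "delete", tier


# Constructed sample data: two authenticated services with different histories,
# plus traffic from an unidentified sender (a worm acting as its own mail server).
REGISTRY = {
    "corp.example": SendingService("corp.example", True, 10000, 50),   # 0.5 % spam
    "isp.example": SendingService("isp.example", True, 10000, 1000),   # 10 % spam
}
SAMPLE = [
    Message("corp.example", 0.55),                  # borderline content, good sender
    Message("isp.example", 0.55),                   # same content, average sender
    Message(None, 0.90),                            # worm traffic, no identity
    Message(None, 0.10),                            # unidentified but clean-looking
    Message(None, 0.95, signed_by="news.example"),  # signed mail the user opted into
]


def run_sample() -> List[Tuple[str, Tier]]:
    return [decide(m, REGISTRY, trusted_signers=["news.example"]) for m in SAMPLE]


if __name__ == "__main__":
    for m, (verdict, tier) in zip(SAMPLE, run_sample()):
        print(f"{m.sender_service or '<none>':13} score={m.spam_score:.2f} "
              f"-> {verdict:7} ({tier.value})")
```

Note what the sample shows: the same borderline message is delivered from the good-reputation service and deleted from the average one, and the worm's mail is dropped not because of its content but because it arrives with no reputation at all. Passing `user_thresholds={Tier.POOR: 0.0}` to `decide` is the "advanced user" variation; it deletes everything from unidentified senders, including the clean-looking message.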

This is a sneaky approach. It doesn't work all at once, though it helps a lot immediately. Fairly quickly users would understand that their email is basically "first class" or "third class" depending on their ISP or sending service. They would push their ISP/sending service to improve its reputation, or they would switch. They want their email to get through. End-user management becomes the sending service's problem; each can apply whatever approach works best for its own clients.

It's not a super high-tech solution. It's sneakier than it sounds at first. I think it would work.

john


[1] I've long thought that Microsoft benefited from its insecure software in several perverse ways. One of them I described earlier. Another is that once Microsoft stops providing security patches to an OS, it really should no longer be exposed to the Internet in any way. The latter turns out to be a two-edged sword: those insecure machines can then be turned into weapons that attack Microsoft (and the rest of us too). Microsoft may not be able to stop patching its legacy OSs.

[2] This is a variation of reputation management. Reputation management implies authentication: a reputation is only worth anything if a spammer cannot forge the identity of a well-regarded sending service. There are several ways to authenticate sending services; I think that is manageable.
