Internet Pestilence

I’ve written about my tribulations with “Paris Hilton” related referrer spam before. Since my weblog lists “inbound links” on the right side, spammers send requests with forged Referer headers pointing at their own sites; my tracker then dutifully lists those sites as if they had linked to me, which gives them greater visibility and, they hope, a higher Google PageRank. My solution has been to ban anything containing the words “paris,” “hilton,” and a host of other porn-related terms from the list.

As of today, I’m getting a new breed of referrer spam: Janet Jackson Super Bowl video referrers. Maybe it’s a bad idea to track inbound links at all. Or maybe the solution is to have my referrer tracker actually fetch the supposed referring page and confirm that it does, in fact, link to my site. In any case, I’ve now added a bunch of Janet Jackson related terms to my banned list.
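
One way to implement that check, as an added example that is not the weblog’s own tracker code: keep the term blocklist as a cheap first filter, then fetch the page named in the Referer header and list it only if it really contains a link to this host. The hostname `example.org`, the term list, the helper names and the two sample pages in `FAKE_WEB` are all constructed for the demonstration, and fetching is stubbed so the script runs offline.

```python
"""Verify a claimed referrer before listing it as an inbound link.
Added example, not the weblog's code; hostname and sample pages are invented."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_HOST = "example.org"  # assumption: this weblog's hostname
# Cheap first filter: a few of the terms the post mentions banning.
BANNED_TERMS = ("paris", "hilton", "janet", "jackson", "superbowl")
MAX_PAGE_CHARS = 256 * 1024  # never let a spammer make us parse a huge page


class LinkExtractor(HTMLParser):
    """Collect every href from <a> tags on the referring page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def banned_by_terms(referrer_url):
    url = referrer_url.lower()
    return any(term in url for term in BANNED_TERMS)


def is_safe_target(referrer_url):
    """The URL is attacker-supplied, so refuse anything that would turn our
    fetch into a request against our own host or network (an SSRF)."""
    parsed = urlparse(referrer_url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return False
    if host == "localhost" or host == OUR_HOST or host.endswith("." + OUR_HOST):
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a name, not an IP literal; a full fix also checks what it resolves to
    return addr.is_global


def links_back_to_us(page_html, our_host=OUR_HOST):
    """True if any anchor on the page points at our host or a subdomain of it."""
    parser = LinkExtractor()
    parser.feed(page_html[:MAX_PAGE_CHARS])
    for href in parser.hrefs:
        host = (urlparse(href).hostname or "").lower()
        if host == our_host or host.endswith("." + our_host):
            return True
    return False


def should_list(referrer_url, fetch):
    """fetch(url) returns the page's HTML or None. Only a referrer that passes
    the blocklist, is safe to fetch, and actually links to us gets listed."""
    if banned_by_terms(referrer_url) or not is_safe_target(referrer_url):
        return False
    html = fetch(referrer_url)
    return html is not None and links_back_to_us(html)


# Constructed sample pages standing in for real fetches (offline demo).
FAKE_WEB = {
    "http://realblog.example.net/post": '<p>Read <a href="http://example.org/2004/01/">this</a>.</p>',
    "http://spamsite.example.com/cheap-pills": '<a href="http://spamsite.example.com/buy">buy</a>',
}


def fake_fetch(url):
    return FAKE_WEB.get(url)


if __name__ == "__main__":
    probes = list(FAKE_WEB) + ["http://paris-hilton-video.example.com/", "http://127.0.0.1/admin"]
    for url in probes:
        print(url, "->", "list" if should_list(url, fake_fetch) else "drop")
```

Two caveats for a live deployment: a real `fetch` needs a timeout and a size limit, because the spammer chooses the URL and can point it at something slow or enormous, and the check only raises the bar rather than ending the arms race, since a spammer willing to put a genuine link to your site on a throwaway page will still get listed.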

How will this arms race end?

While I’m talking about scourges of the Internet, what’s the deal with autoreply virus/worm detectors? A huge number of corporate and educational mail servers scan incoming email for worms and viruses, and if they detect one they send a message to the apparent sender saying that the message was blocked and that the sender is infected. Usually, the autoreply also includes a plug for the email scanner software itself.

So how is it that the developers of this software are smart enough to include the distinctive signatures of all these email worms, but not smart enough to realize that those same worms routinely forge the From: header? That means that if the apparent sender actually is infected, it’s at best a coincidence. With most worms there is no connection between the “sender” of an email and the person whose machine is actually infected, other than that some infected third party may have the apparent sender in their address book. Presumably these software developers are smart people who spend some time trying to understand email worms and viruses, since they send out frequent updates of the distinctive signatures.
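
What a scanner could do instead, as an added example that is neither the weblog’s code nor any vendor’s: if the signature that fired belongs to a family known to forge From:, the only actions that make sense are a 5xx rejection to the still-connected MTA at SMTP time (no new message is created, and the real injecting host gets the error) or a silent discard after acceptance; notifying the From: address is never right for such a family. The signature table with its `forges_sender` flag, the `X-Demo-…` marker headers, the sample message and its Received chain are all constructed for the demonstration.

```python
"""Decide what to do with a worm-bearing message without mailing an innocent
"sender". Added example; the signatures and the sample message are invented."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: a signature table that records whether the family forges From:.
# Real scanners carry this knowledge per family; these two entries are made up.
SIGNATURES = [
    (re.compile(rb"X-Demo-Worm-Marker: constructed-sample"), "Demo.Worm", True),
    (re.compile(rb"X-Demo-Macro-Marker: constructed-sample"), "Demo.Macro", False),
]


def scan(raw):
    """Return (family, forges_sender) for the first matching signature, or None."""
    for pattern, family, forges_sender in SIGNATURES:
        if pattern.search(raw):
            return family, forges_sender
    return None


def _domain(address):
    return parseaddr(address)[1].rpartition("@")[2].lower()


def sender_evidence(raw, envelope_from):
    """Show how little the From: header has to do with where the mail came from."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received", [])
    # Received headers are prepended at each hop, so the last one is the earliest
    # hop: the host that actually injected the message.
    first_hop = received[-1] if received else ""
    m = re.search(r"from\s+(\S+)", first_hop)
    return {
        "header_from": _domain(msg.get("From", "")),
        "envelope_from": _domain(envelope_from),
        "injecting_host": m.group(1) if m else "",
    }


def decide(raw, envelope_from, at_smtp_time):
    """'reject' answers the connected MTA with a 5xx and generates no mail;
    'discard' quarantines silently; 'notify-sender' is allowed only when the
    family is not a forger and header and envelope agree (a conservative
    policy chosen for this example)."""
    hit = scan(raw)
    if hit is None:
        return "deliver"
    family, forges_sender = hit
    if at_smtp_time:
        return "reject"
    if forges_sender:
        return "discard"  # From: names an uninvolved third party
    evidence = sender_evidence(raw, envelope_from)
    if evidence["header_from"] != evidence["envelope_from"]:
        return "discard"  # the headers disagree about who sent it; trust neither
    return "notify-sender"


# Constructed sample: a worm injected from a dial-up host, From: forged to a bystander.
SAMPLE = b"""Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbound.example.edu with ESMTP; Wed, 28 Jan 2004 10:00:00 -0500
Received: from dsl-203-0-113-5.example.net (unknown [203.0.113.5])
\tby mx.example.org with SMTP; Wed, 28 Jan 2004 09:59:58 -0500
From: innocent@bystander.example
To: victim@example.edu
Subject: hi
X-Demo-Worm-Marker: constructed-sample

see attachment
"""

if __name__ == "__main__":
    print(sender_evidence(SAMPLE, "innocent@bystander.example"))
    for phase in (True, False):
        print("at_smtp_time =", phase, "->", decide(SAMPLE, "innocent@bystander.example", phase))
```

Run on the sample, the evidence shows the message entering from `dsl-203-0-113-5.example.net` while From: names `bystander.example`; an autoreply would go to the bystander, which is exactly the complaint above.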

Does anyone have a rational explanation? Even better, can someone educate these software developers and the people who purchase their software to end this scourge of false “virus detected” emails?

4 comments

  1. Scott James Remnant Jan 28

    What about mail servers that simply reject mails containing viruses or those that are identified as SPAM with a standard bounce message? Should those simply bit-bucket the incoming mail, or should they at least make a valiant attempt to notify the (apparent) sender that their mail couldn’t be delivered?

    What about those mail servers that reject such mails at SMTP-time? Should the communicating mail server generate the appropriate bounce message to let the (apparent) sender know their message couldn’t be delivered?

    What about those spam/virus runs that invent an e-mail address of the form $common_name@$random_domain and attempt to send to that? Should a mail server, on receiving this and discovering that it has no $common_name mailbox, generate a bounce message to notify the (apparent) sender that their mail could not be delivered?

    What you are advocating is a change to the “correct operation” of mail servers so that any failure to deliver an e-mail simply results in the e-mail being thrown away. All forms of failure notice would have to be eradicated to ensure these poor unwitting non-senders don’t get mails in reply to ones they never sent.

    Systems like SPF try to solve this by being able to answer the question “can this host really speak for this address?” But this has several major flaws as well.

    These are all trying to fix the symptoms of the problem. I would much rather people advocated fixing the cause of the problem, and making it legal to blow spammers’ balls off with a 12-bore shotgun. That would solve the problem nicely without breaking the Internet.
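
The question in the comment above, “can this host really speak for this address?”, is the one SPF is designed to answer: the domain in the envelope sender publishes a DNS TXT record listing the hosts allowed to send for it, and the receiving MTA checks the connecting IP against it. As an added example (not anything from the commenter or from the weblog), here is a minimal evaluator for the `ip4`, `ip6`, `include` and `all` mechanisms of a `v=spf1` record; the DNS table, domains and addresses are constructed for the demonstration, and a real check would query DNS instead.

```python
"""Minimal SPF (RFC 7208) evaluator: ip4, ip6, include and all only.
Added example; the DNS records below are invented."""
import ipaddress

# Constructed DNS TXT records standing in for real lookups (assumption).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying mechanisms per evaluation


def check_spf(client_ip, sender_domain, _lookups=None):
    """Return pass/fail/softfail/neutral/none/permerror for the MAIL FROM
    domain, given the IP that is actually delivering the message."""
    if _lookups is None:
        _lookups = [0]  # shared counter across include recursion
    record = DNS_TXT.get(sender_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == network.version and addr in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many lookups, or a record that includes itself
            inner = check_spf(client_ip, argument, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # a/mx/exists/redirect are not implemented here
    return "neutral"  # no mechanism matched and no explicit all


if __name__ == "__main__":
    for ip, domain in [("192.0.2.77", "example.com"), ("198.51.100.10", "example.com"),
                       ("203.0.113.5", "example.com"), ("2001:db8::1", "example.com"),
                       ("192.0.2.1", "nospf.example"), ("192.0.2.1", "loop.example")]:
        print(ip, domain, "->", check_spf(ip, domain))
```

A result of `fail` for a forged envelope sender lets the receiving MTA reject at SMTP time rather than accept and then bounce; a full implementation also handles the `a`, `mx` and `exists` mechanisms and the `redirect=` modifier, and mail that passes through a forwarder arrives from the forwarder’s IP and fails the original domain’s record unless the forwarder rewrites the envelope sender.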

  3. Adam Kessel Jan 28

    Thanks for the comment; however, my complaint was really focused on the issue of virus scanners and their “counterspam” virus detection systems. I do understand that there would be serious consequences to dropping emails silently (which Hotmail apparently does now); what I’m advocating is that if the virus scanner detects a virus that it knows uses forged headers, it doesn’t do any good to reply to the alleged sender saying “you have a virus.”

    Certainly spammers forge headers as well, but I think that’s a totally different issue. Here we’re dealing with a system that detects a unique virus signature, and it should know enough to realize that bouncing back an error (basically advertising its own service) is useless.

  4. Jamie Forrest Jan 28

    Yeah, that pisses me off. My wife Rachel is always asking me whether we have a virus on our computer because she gets messages that say that our computer is infected (due to forged headers causing viruses to appear to come from our address). I know how these things work so I assure her that we do not have a virus; why can’t these big systems be just as smart?

    In any case, I use Macs, and since they don’t have the PC marketshare, viruses just don’t get written for them. :)
