Wednesday, January 10, 2007

 

But I use an antivirus!

I got a spam yesterday, sent from a compromised MS-Windoze computer on a DSL line. It came from a real domain name, so I left the guy a message and he called me back.

He was pretty angry, but not at me in particular. He's trying to run an email service for three hundred customers on that computer, using some commercial mail-server-in-a-box product. He'd already fielded four trouble calls on it that day, and that was a typical day. It's keeping him from running his web design business. He didn't know it was spamming.

He couldn't believe it was spamming, either. He's spending hundreds of dollars per year on "antivirus" products, and they'd given him a powerful false sense of security. And he was using one of the "professional" antivirus things, not that stuff Symantec and McAfee sell to consumers.

When I want to watch the log from my mail server, I type "tail -f /var/log/mail.log". Usually it's in the shell history, so I just call it up from the last time I typed it. Apparently the "user friendly" mail-server-in-a-box product has no equivalent: he can't watch its activity in real time. Windoze has a task manager, but the spam bot was hiding from it. He's in the dark. The product does let him look in its mailboxes and queues, though, and he found a few hundred of the spams in there.
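Here is what watching the log buys you, as an added example that is not from the original post: a short Python script that reads lines in the style of Postfix entries in /var/log/mail.log, joins each message's connecting client with its envelope sender and recipient count by queue ID, and flags any minute in which one client and one sender addressed more recipients than a threshold. The log lines, hostnames, addresses and queue IDs are constructed for the example, the Postfix log format is an assumption (the post doesn't say which mail server writes that log), and the threshold of 100 recipients per minute is a made-up number to tune to the site.

```python
"""Spot an outbound spam burst in Postfix-style mail log lines."""
import re
from collections import defaultdict

# Constructed sample lines in the style of Postfix entries in /var/log/mail.log.
# Hostnames, addresses, queue IDs and times are made up for this example.
SAMPLE_LOG = """\
Jan 10 09:12:01 mx postfix/smtpd[4011]: 1A2B3C: client=shop.example.net[192.0.2.10]
Jan 10 09:12:01 mx postfix/qmgr[3990]: 1A2B3C: from=<orders@example.net>, size=2048, nrcpt=1 (queue active)
Jan 10 09:12:05 mx postfix/smtpd[4011]: 1A2B3D: client=localhost[127.0.0.1]
Jan 10 09:12:05 mx postfix/qmgr[3990]: 1A2B3D: from=<jane@example.net>, size=812, nrcpt=2 (queue active)
Jan 10 09:13:10 mx postfix/smtpd[4015]: 2F00A1: client=localhost[127.0.0.1]
Jan 10 09:13:10 mx postfix/qmgr[3990]: 2F00A1: from=<jane@example.net>, size=690, nrcpt=40 (queue active)
Jan 10 09:13:11 mx postfix/smtpd[4015]: 2F00A2: client=localhost[127.0.0.1]
Jan 10 09:13:11 mx postfix/qmgr[3990]: 2F00A2: from=<jane@example.net>, size=690, nrcpt=40 (queue active)
Jan 10 09:13:12 mx postfix/smtpd[4015]: 2F00A3: client=localhost[127.0.0.1]
Jan 10 09:13:12 mx postfix/qmgr[3990]: 2F00A3: from=<jane@example.net>, size=690, nrcpt=40 (queue active)
"""

# smtpd line: which host handed us the message (the TCP peer, not a claim).
CLIENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d):\d\d \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=\S+?\[(?P<ip>[0-9.]+)\]")
# qmgr line: envelope sender and how many recipients the message addresses.
FROM_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
    r"size=\d+, nrcpt=(?P<nrcpt>\d+)")


def parse_messages(log_text):
    """Join the smtpd 'client=' line and the qmgr 'from=' line by queue ID.

    Returns a list of (minute, client_ip, sender, nrcpt) tuples."""
    clients = {}
    messages = []
    for line in log_text.splitlines():
        m = CLIENT_RE.match(line)
        if m:
            clients[m["qid"]] = (m["ts"], m["ip"])
            continue
        m = FROM_RE.search(line)
        if m and m["qid"] in clients:
            minute, ip = clients[m["qid"]]
            messages.append((minute, ip, m["sender"], int(m["nrcpt"])))
    return messages


def find_bursts(messages, max_rcpts_per_minute=100):
    """Return {(minute, client_ip, sender): recipients} for every minute in
    which one submitting host and envelope sender addressed more recipients
    than allowed. The threshold is an assumption; tune it to normal traffic."""
    totals = defaultdict(int)
    for minute, ip, sender, nrcpt in messages:
        totals[(minute, ip, sender)] += nrcpt
    return {k: v for k, v in totals.items() if v > max_rcpts_per_minute}


if __name__ == "__main__":
    bursts = find_bursts(parse_messages(SAMPLE_LOG))
    for (minute, ip, sender), rcpts in sorted(bursts.items()):
        print(f"{minute}  {ip}  {sender}  {rcpts} recipients in one minute")
```

In practice you would feed `tail -f /var/log/mail.log` into something like this instead of the embedded sample. A bot pushing a few hundred messages through the local server under one account shows up at once as a run of flagged minutes, which is exactly the view the mail-server-in-a-box product never gave this guy.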

Now, I've been reading email headers and logs for a while. The only thing you can really trust is the IP address of the connecting host, the one your own mail server recorded in the Received header it added when it accepted the message. Practically everything else in an incoming spam (the From address, the Subject, the Message-ID, and every Received header below the one your own server wrote) is trivially easy to fake, and the spammers fake it. I'm not an expert on TCP/IP, but I know faking the source IP address is so hard the spammers don't bother. Here's why: SMTP runs over TCP, and the spammer's software needs to hear back from my server, first to complete the TCP handshake and then for every reply in the SMTP conversation, and my server sends all of that to the fake address. So he has to control the computer at the fake address as well as the real one. There was one spammer doing that for a while. His fake address was a throw-away dial-up account, and the fakery protected his real, expensive Internet connection.
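The rule above, applied in code. This is an added example, not from the original post: it parses a constructed phishing-style message with the Python standard library's email module, walks the Received headers from the top, and takes the connecting IP from the last Received header written by one of my own servers (the set MY_HOSTS, the message, and all host names and addresses in it are made up for the example). Everything below that boundary, the second Received line and the From: address included, arrived inside the message and is whatever the sender chose to type.

```python
"""Find the one trustworthy address in a spam: the IP my own server saw."""
import email
import re

# Hosts I operate. A Received header "by" one of these was written by me.
# This set is an assumption for the example.
MY_HOSTS = {"mx.mydomain.example"}

# Constructed message. The top Received header is the one mx.mydomain.example
# added when it accepted the TCP connection; the one below it, and the From:
# line, were already in the message and say whatever the sender wanted.
RAW_MESSAGE = b"""\
Received: from mail.bigbank.example (unknown [192.0.2.77])
    by mx.mydomain.example (Postfix) with ESMTP id 2F00A1
    for <me@mydomain.example>; Wed, 10 Jan 2007 09:13:10 -0800
Received: from webmail.bigbank.example (webmail.bigbank.example [198.51.100.9])
    by mail.bigbank.example with SMTP; Wed, 10 Jan 2007 09:13:08 -0800
From: "BigBank Security" <security@bigbank.example>
To: me@mydomain.example
Subject: Verify your account now

Please click the link.
"""

# Postfix-style clause: "from HELO (rDNS [IP]) by HOST ...". The "from" name is
# what the client announced; the bracketed IP is the TCP peer the server saw.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\))?"
    r".*?\bby\s+(?P<by>[^\s;()]+)")


def load(raw):
    """Parse raw message bytes into an email.message.Message."""
    return email.message_from_bytes(raw)


def hops(msg):
    """Parse every Received header, most recent (topmost) first."""
    parsed = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", str(value))  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            parsed.append(m.groupdict())
    return parsed


def split_hops(msg, my_hosts):
    """Split the chain into the headers my servers wrote (a prefix at the
    top) and the rest, which were already in the message when it arrived."""
    parsed = hops(msg)
    n = 0
    while n < len(parsed) and parsed[n]["by"] in my_hosts:
        n += 1
    return parsed[:n], parsed[n:]


def connecting_ip(msg, my_hosts):
    """The peer address recorded at the boundary between my servers and the
    outside world, or None if none of the Received headers is mine."""
    trusted, _ = split_hops(msg, my_hosts)
    return trusted[-1]["ip"] if trusted else None


if __name__ == "__main__":
    msg = load(RAW_MESSAGE)
    print("trust:   connected from", connecting_ip(msg, MY_HOSTS))
    print("claimed: From:", msg["From"])
    for hop in split_hops(msg, MY_HOSTS)[1]:
        print("claimed: earlier hop", hop["helo"], hop["ip"], "by", hop["by"])
```

The boundary test matters: if a message passed through two of my own hosts before landing in a mailbox, the top header names my internal relay and the one under it holds the outside address, so the code keeps walking down while the "by" host is mine and stops at the first header it didn't write. That is the line where the sender's claims begin.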

The poor guy couldn't believe his system could be compromised, because he is doing everything right according to the advice computer owners get from commercial sources. I explained the problem known as the zero-day threat. We can't inspect the source code of the Microsoft system, because it's a trade secret, and it's also far more complex than it needs to be. So when a new Microsoft system (or "security patch") comes out, we have to wait for an exploit to appear "in the wild" and then wait some more while the antivirus vendors figure out how to detect and remove the thing. Antivirus that works from signatures can only recognize what has already been seen; it has no way to catch a vulnerability before it is exposed to the hostile Internet environment. Therefore the most dangerous "virus" or intrusion technique is any brand new virus or intrusion technique, the one that exists on day zero, before a patch or a signature does. That's called the zero-day threat. In all the self-training this guy had done to get a mail server going for three hundred people, he'd never come across the term.
