Yes, (some) antivirus companies are spammers.

A response to Brian Martin.

In an article titled “Anti-Virus Companies: Tenacious Spammers” Brian Martin criticises the antivirus industry. Given that I have been an active member of that industry for 15 years, I consider myself to have a right to respond.

Guess what - Brian Martin is right! (well, for the most part)

The practice of sending out mail alerts, possibly both to the recipient and to the (assumed) sender of the message made sense back in 1998. If a virus was found in a mail message at that time it would typically be an infected Word document, and informing the sender (and possibly the recipient) would help to track down and eliminate the infection.

The appearance of mass-mailing worms like Melissa changed the situation. Instead of a single copy, there could be thousands of copies sent to people all over the globe. Informing the recipients that a virus destined for their mailbox had been stopped was utterly pointless. Still, some antivirus companies continued doing this - probably thinking of this as a way to get some free “Our product protected you!” advertising - a way to get more name recognition I guess.

Later we got worms like Klez that forged the sender's address, and that is now the standard practice - after all, the benefits to the worm are obvious - it makes it harder to track down the source. Forged sender addresses should have made it obvious that sending mail to the (assumed) sender when a worm is found is not a good idea.

Still, some antivirus companies persist in this practice. I have argued before that this practice should be abandoned, see for example my public letter of 10 September last year, at the time of the Sobig.F outbreak, titled “Why (some) antivirus companies are to blame for the recent e-mail flood”

Some of those companies are still to blame. No competent antivirus company should offer a feature in their mail filtering product allowing a notification to be sent to the recipient when a mass-mailing worm is found - or to the assumed sender, at least not when the worm is known to forge the sender's address.

I can only repeat what I said back in September:

Acceptable behaviour would be one of the following:

1. Have the mail filter properly distinguish between worms that falsify the “From:” address and ones that do not and only send a warning message when the “From:” address is likely to be genuine.



2. Do not send the alerts at all.

In fact, sending an alert automatically to the “From:” address for every virus or worm received by e-mail should not even be a selectable option, and for any mass-mailing worm, no mail should ever be sent to the recipient.

The products which do not conform to the “acceptable behaviour” I have described are a part of the problem, not the solution.

However, even though we at FRISK Software are fundamentally against this practice and do not offer this functionality in our mail-filter products, someone could abuse our product in this way, for example by writing his own mail filter using, e.g., our Linux/UNIX “daemon” virus scanner. What this means is that merely getting the antivirus companies to stop offering this functionality is not sufficient.

There are a few other things in the article by Brian Martin that deserve comment.

He mentions the potential confusion when different antivirus companies select different names for the same thing. I couldn't agree more. The antivirus industry has a mechanism in place that is meant to reduce this problem. There is a naming standard, describing what makes an acceptable name. There is also a “sample and description”-sharing process, so antivirus companies can share samples of any new threat appearing “in the wild”, hopefully before they start sending out press releases.

If companies choose to ignore this mechanism and select an unacceptable name, either due to ignorance or incompetence, there is just not much the rest of the antivirus industry can do. The real problem arises when multiple companies discover a new worm at the same time, and rush out detection, web description and a press release about it before checking whether a different name has already been proposed for the same thing.

This is what happened recently - one company named the worm Mydoom.A and another picked Novarg.A. These choices are understandable. But there is no excuse for the other names.

The name Mimail.R was fundamentally wrong as the worm is wholly unrelated to the other members of the Mimail family. The name Worm.SCO is also unacceptable as it violated one of the naming rules, as it included a company name, presumably trademarked.

Some of the companies using Novarg.A initially switched to Mydoom.A, which is right now used by 17 of the 21 products I just checked.

This is not a perfect situation, but it could have been worse.

Fridrik Skulason        ( frisk@f-prot.com )
Founder of FRISK Software International