Yes, (some) antivirus companies are spammers.
A response to Brian Martin.
In an article titled “Anti-Virus Companies: Tenacious Spammers”, Brian Martin criticises the antivirus industry.
Given that I have been an active member of that industry for 15 years, I consider
myself to have a right to respond.
Guess what - Brian Martin is right! (Well, for the most part.)
The practice of sending out mail alerts, possibly both to the recipient and
to the (assumed) sender of the message, made sense back in 1998. If a virus was
found in a mail message at that time it would typically be an infected Word document,
and informing the sender (and possibly the recipient) would help to track down and
eliminate the infection.
The appearance of mass-mailing worms like Melissa changed the situation.
Instead of a single copy, there could be thousands of copies sent to people all
over the globe. Informing the recipients that a virus destined for their mailbox
had been stopped was utterly pointless. Still, some antivirus companies continued
doing this - probably thinking of this as a way to get some free “Our product
protected you!” advertising - a way to get more name recognition I guess.
Later we got worms like Klez that forged the sender's address, and forging the
sender is now standard practice - after all, the benefit to the worm is obvious:
it makes the source harder to track down.
Forged sender addresses should have made it obvious that sending mail to the
(assumed) sender when a worm is found is not a good idea.
Still, some antivirus companies persist in this practice. I have argued before
that this practice should be abandoned; see for example my public letter of 10
September last year, at the time of the Sobig.F outbreak, titled “Why (some)
antivirus companies are to blame for the recent e-mail flood”.
Some of those companies are still to blame. No competent antivirus company
should offer a feature in their mail filtering product allowing a notification
to be sent to the recipient when a mass-mailing worm is found - or to the assumed
sender, at least not when the worm is known to forge the sender's address.
I can only repeat what I said back in September:
Acceptable behaviour would be one of the following:
- Have the mail filter properly distinguish between worms that
falsify the “From:” address and ones that do not and only send
a warning message when the “From:” address is likely to be
genuine.
- Do not send the alerts at all.
In fact, sending an alert automatically to the “From:” address for every virus
or worm received by e-mail should not even be a selectable option, and for any
mass-mailing worm, no mail should ever be sent to the recipient.
The products which do not conform to the “acceptable behaviour” I have described
are a part of the problem, not the solution.
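The “acceptable behaviour” rules above can be written down as a small decision routine that a mail filter would consult before sending any alert. The following Python is an added example, not FRISK's code or any product's: the `CATALOGUE` of worm properties is constructed from the worms named in this post, and `sender_plausible` is an assumed, deliberately cheap header-consistency heuristic standing in for whatever a real filter would use to judge whether the “From:” address is likely genuine.

```python
"""Alert policy for a mail filter wrapping a virus scanner (added example).

Rules implemented, following the post:
  - a mass-mailing worm never triggers a notification to the recipient;
  - the assumed sender is notified only when the family is not known to
    forge the From: address AND the headers of this message look consistent;
  - an unknown family is treated as mass-mailing with a forged sender.
"""
from dataclasses import dataclass
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, Optional


@dataclass(frozen=True)
class Signature:
    """What the scanner knows about a detected family."""
    mass_mailing: bool   # sends itself to many addresses (Melissa and later)
    forges_sender: bool  # puts a forged address in From: (Klez and later)


# Constructed catalogue: the flags follow the post's description of each worm.
CATALOGUE: Dict[str, Signature] = {
    "Melissa": Signature(mass_mailing=True, forges_sender=False),
    "Klez": Signature(mass_mailing=True, forges_sender=True),
    "Mydoom.A": Signature(mass_mailing=True, forges_sender=True),
    # Hypothetical single-copy infected document of the 1998 kind.
    "Macro-document": Signature(mass_mailing=False, forges_sender=False),
}


def sender_plausible(msg: EmailMessage) -> bool:
    """Assumed heuristic, not authentication: From: must parse to an address,
    and if Return-Path is present its domain must match From:'s domain."""
    _, from_addr = parseaddr(str(msg.get("From", "")))
    if "@" not in from_addr:
        return False
    from_domain = from_addr.rsplit("@", 1)[1].lower()
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    if return_path:
        if "@" not in return_path:
            return False
        if return_path.rsplit("@", 1)[1].lower() != from_domain:
            return False  # envelope and header sender disagree: likely forged
    return True


def notification_targets(detection: str, msg: EmailMessage) -> Dict[str, bool]:
    """Decide who (if anyone) should receive an alert for `detection` in `msg`."""
    targets = {"recipient": False, "sender": False}
    sig = CATALOGUE.get(detection)
    if sig is None:
        # Unknown family: assume the worst and send nothing at all.
        return targets
    if not sig.mass_mailing:
        targets["recipient"] = True
    if not sig.forges_sender and sender_plausible(msg):
        targets["sender"] = True
    return targets


def build_message(from_addr: str, return_path: Optional[str] = None) -> EmailMessage:
    """Constructed test message carrying only the headers the policy inspects."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "user@example.net"
    if return_path is not None:
        msg["Return-Path"] = return_path
    msg.set_content("constructed body")
    return msg


if __name__ == "__main__":
    sample = build_message("alice@example.org", "<alice@example.org>")
    for family in ("Mydoom.A", "Melissa", "Macro-document", "Not-in-catalogue"):
        print(family, notification_targets(family, sample))
```

The point of the unknown-family branch is the caveat from the post: if the filter cannot say whether a family forges the sender, the safe default is silence, since a wrongly sent alert to a forged address is itself another piece of the e-mail flood.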
However, even though we at
FRISK Software are fundamentally against this
practice and do not offer this functionality in our mail-filter products, someone
could abuse our product in this way, for example by writing his own mail filter
using, e.g., our Linux/UNIX “daemon” virus scanner. What this means is that merely
getting the antivirus companies to stop offering this functionality is not
sufficient.
There are a few other things in the article by Brian Martin that
deserve comment.
He mentions the potential confusion when different antivirus companies select
different names for the same thing. I couldn't agree more. The antivirus
industry has a mechanism in place that is meant to reduce this problem. There is a
naming standard, describing what makes an acceptable name. There is also a
“sample and description”-sharing process, so antivirus companies can share samples
of any new threat appearing “in the wild”, hopefully before they start sending out
press releases.
If companies choose to ignore this mechanism and select an unacceptable name,
either due to ignorance or incompetence, there is just not much the rest of the
antivirus industry can do. The real problem arises when multiple companies
discover a new worm at the same time, and rush out detection, web description
and a press release about it before checking whether a different name has already
been proposed for the same thing.
This is what happened recently - one company named the worm Mydoom.A and another
picked Novarg.A. These choices are understandable. But there is no excuse for the
other names.
The name Mimail.R was fundamentally wrong, as the worm is wholly unrelated to the
other members of the Mimail family. The name Worm.SCO is also unacceptable, as it
violates one of the naming rules by including a company name, presumably
trademarked.
Some of the companies using Novarg.A initially switched to Mydoom.A, which is right
now used by 17 of the 21 products I just checked.
This is not a perfect situation, but it could have been worse.
Fridrik Skulason (frisk@f-prot.com)
Founder of FRISK Software International