MyDoom Is Smart, The Internet Is Dumb
The MyDoom virus appears to be bigger than SoBig.
But for me the problem has not been MyDoom, but the dumb traffic it has created. MyDoom spoofs the From field in the emails it creates to spread, so that anyone receiving a virus-laden email will not know, in most cases, who it comes from. This is not in itself new, but MyDoom (also called Mimail.R, or Novarg) does it better. As far as I can see it uses two tricks for this:
- real email addresses, which it gets from address books on infected computers, and
- made-up email addresses, apparently made up from real email addresses. So, for example, if MyMail has an email address firstname.lastname@example.org, it will not only spoof that email address so that emails appear to come from Brian, but also make up dozens of other email addresses with the same last bit. For example: email@example.com, firstname.lastname@example.org, email@example.com or firstname.lastname@example.org. You get the picture.
Smart, in some twisted sort of way. What is dumb is the way some webmasters handle this kind of problem.
Email spoofing — or at least the first one, using real email addresses to send fake emails — has been around long enough for it to no longer make much sense for servers receiving viruses to send a message to the apparent sender of the virus-ridden with some stern email notice ‘YOU HAVE BEEN SENDING A VIRUS! NAUGHTY PERSON! PLEASE INSTALL A VIRUS SCANNER! DOLT!’ Why? Because chances are the person had nothing to do with the email. Their email address has been used, but that could have come from anyone with it in their address book. Telling them they’ve send a virus is pointless: It just generates more web traffic.
The second bit of this — the made-up email addresses — is the new element (as far as I know). What’s interesting about this is that it appears to be a deliberate ruse on the part of the virus writer to disseminate more virueses, and generate more traffic. If a virus creates a copy of itself with an email address that has a real domain (the billybraindead.com bit) behind it, it increases its chances of spreading. Either the recipient opens it or, if the recipient email address is not valid, it will bounce back to the sender. Now the sender’s address may be fake, but because the domain is real, it may well end up in someone’s inbox somewhere, especially if the domain is a personal one. That’s because email servers on most such domains route all incoming mail, whatever the bit before the @ sign, to one mailbox. So anything for Bob, Tessa, Susie or Tim will end up in a mailbox somewhere.
In both cases, with either notifications of virus-infected accounts, or bounced emails, servers are just helping the virus to spread and to create more traffic. Webmasters have GOT to switch off their automatic ‘YOU’VE GOT A VIRUS’ responses because that stuff is old, real old. But we have also got to figure out a way to deal with these spoof, but real domain, email addresses. I have received more than a dozen of the latter from one o my domains, all of them with the virus still attached. I’m sure I’m going go receive a lot more before this whole thing is over.
In other words, I’ve received more copies of MyDoom from webmasters than I have from real, or even fake, people. Who’s being dumb here?