To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://www.silicon.com/research/specialreports/protectingid/0,3800002220,39122971,00.htm


Security Q&A: Your questions answered (Part 3)
Stopping spam, antivirus mail failings, hijacking email addresses, spyware liability, spoofing...

By Will Sturgeon

Published: Friday 06 August 2004

Last week we asked you to email us questions to put to our panel of security experts.

Following the publication of the first and second instalments of this three-part Q&A, here is the final batch of your questions answered. Click on a question to be directed to the answer or read all the questions and answers simply by scrolling down:

The Questions:

Q. Why are the sites that use spam to get new customers not taken down? Take away the money to fund spam and you stop it.

Q. If employees are allowed to conduct online banking using work computers, does any responsibility fall on the employer if an employee's bank account is compromised because it hasn't implemented anti-spyware software?

Q. There are still lots of antivirus software packages and systems out there that persist in informing the sender of the email that they have sent a virus. Of course they have not because viruses don't let on who sent them anymore. Why can't the industry get to grips with this and change the default behaviour of software to not inform the sender?

Q. How do spammers manage to hijack my email address as the sending address for their rubbish? What can I do to stop them?

Q. You often hear Hotmail, AOL etc proudly boasting that they block spam at the source, so my question is how come I still get so much of it?

Q. How easy is it to spoof an IP address?

Q. Could spam be easily stopped with a simple reverse look-up algorithm? If the return address is undeliverable then delete the email. It may slow delivery and it may not catch all spam but, surely, it would prevent most of it.

Q. If the antivirus software I have in place fails then in effect I've bought goods that aren't fit for the purpose for which they are designed. Shouldn't I therefore be entitled to take my software back and demand a full refund?

Q. Why is it so difficult to stop spammers who must be sending out millions of emails at a time? Someone, somewhere knows who they are and what they are doing.

Terry Carlin asks: "Why are the sites that use spam to get new customers not taken down? Take away the money to fund spam and you stop it."

Enrique Salem, CEO of Brightmail (now senior VP Symantec, post acquisition), answers: "One of the most challenging aspects of fighting spam is that everyone's definition of spam is different, as such closing down a site which you believe is in the wrong might not be an action everybody agrees is needed. Your colleague may welcome an advertisement for a new website while you may consider it spam. Not only does it require technology to reduce the amount of spam in our inboxes, but it also requires education for end users as well as best practices for direct marketers." Back to questions

Roger Harrison asks: "If employees are allowed to conduct online banking using work computers, does any responsibility fall on the employer if an employee's bank account is compromised because it hasn't implemented anti-spyware software for example?"

Simon Janes, international operations director, ibas, answers: "This is an excellent point and one which encompasses the whole grey area of the personal use of company IT. The short answer is maybe. There are many factors to consider such as: what is the company IT policy for both IT and email usage? What is the staff expectation of privacy and security that is enshrined within that policy? Within the Data Protection Act there is an onus on the company to operate sufficient security to protect data. However, would this apply to an employee using the IT system to conduct their banking?

"This is a very real problem for system administrators and security managers alike. The only practical way forward is to conduct a thorough risk assessment, and to detail and mitigate those risks in any subsequent policy. This policy will then set out what is acceptable use and what can be expected in terms of privacy and security if personal business is conducted."

David Naylor, partner at law firm Morrison and Foerster, adds: "The short answer is that, in the UK at least, if the employer takes a few common sense precautions, it is unlikely to incur liability in these circumstances.

"These precautions include having in place a 'technology use policy' that forms part of the employment contract. The technology use policy should set out how the employer's technology resources may be used by employees, ensure that employees understand that the company's resources are primarily for business use and that they should not assume that any personal use is private. All this information should be in plain English and clearly drawn to the employee's attention."

Mark Morris, head of forensics at Logica CMG, adds: "Leaving aside what the contract of employment may say as to personal use of the internet, I do not believe that it would be realistic to suggest that the employer may be found liable in such a situation for running an 'insecure' network. I think the common sense view would be that an organisation protects its network for corporate use, not for personal use. The whole idea behind internet banking is one of accessibility and many people conduct their banking on PCs attached to a network over which they have no control." Back to questions

Jonathan Hare writes: "There are still lots of antivirus software packages and systems out there that persist in informing the sender of the email that they have sent a virus. Of course they have not because viruses don't let on who sent them anymore. Why can't the industry get to grips with this and change the default behaviour of software to not inform the sender?"

Graham Cluley, senior technology consultant at Sophos, answers: "This is a real nuisance, often creating as much of an email tornado as the viruses themselves. All antivirus vendors should look at their gateway antivirus software and ensure that this option is removed, or at least disabled for viruses which forge the sender's information. I think it was one of those things that antivirus programmers knew was easy to implement and so included, but never realised how much of a problem it would become.

"Of course, some auto-replies do not come from vendor antivirus software but from scripts written by the company receiving a virus. These automated reply scripts seem even harder to excise." Back to questions

Stewart Buller asks: "How do spammers manage to hijack my email address as the sending address for their rubbish? What can I do to stop them?"

Alyn Hockey, director of research at Clearswift, answers: "There really is little you can do, they have your name and they will use it as a new source address for the message. Companies frequently set up lists of email addresses to block mail from. It will be very unlikely that your address will be on it, so using that address gets past at least one hurdle at the recipient's mail gateway."

Mike Small, director of security strategy at CA, adds: "The simple mail transport protocol (SMTP) includes fields whose content is not guaranteed by the sender. Even worse, many ISPs offer unauthenticated access via SMTP. This means someone else can use your email account to send mail." Back to questions

Mark Owen asks: "You often hear Hotmail, AOL etc. proudly boasting that they block spam at the source, so my question is how come I still get so much of it? I mean, the vast majority of spam seems to have been written from a template, and you can recognise it almost always by the subject line, yet still vast quantities get through."

Enrique Salem answers: "Spam has grown incredibly over the past three years and it now comprises more than 65 per cent of all internet email. Over that same time period, anti-spam technology has also improved incredibly - becoming more dynamic and proactive. However, since there is an economic incentive for spammers to continue, they do - and send out more and more email to get the same response rate. What you see in ten different spam messages may appear to be the same. However, if you look behind the message, you'll find that those ten messages are in fact very different. Blocking those ten messages based on the content of what you see may seem like a simple task. However, to block based only on content is very dangerous - you run the risk of filtering out legitimate email as well, which is a bigger problem than the spam." Back to questions

David Levin asks: "How easy is it to spoof an IP address? Since many services and applications are tied to allowing specified IP addresses to connect, this would seem to be quite a large security risk, especially for remote management of devices by IT administrative staff."

Mike Small answers: "When a message is sent over TCP/IP it contains the sender's IP address. Spoofing is sending a message with a false IP address. There are numerous tools available that can achieve this effect. However, it is possible to detect spoofed addresses in various ways - for example the routing of spoofed addresses will be inconsistent. Firewall software can be configured to only allow traffic with consistent routing addresses." Back to questions

Tim Maguire asks: "Could spam be easily stopped with a simple reverse look-up algorithm? If the return address is undeliverable then delete the email. It may slow delivery and it may not catch all spam but, surely, it would prevent most of it."

Paul Wood, chief information analyst at MessageLabs, answers: "Spammers often use spoofed return addresses. They'll often just pick a legitimate email address at random, and use that. However, there is a new system called Sender ID (as mentioned earlier), which takes your suggestion to the next level, checking not only the return email address, but also the originating server's address. If the originating server isn't authorised to send email on behalf of the domain found in the return address, then it's probably spam. Sender ID will be introduced over the next few years. The spammers may move on to creating new fly-by-night disposable-but-still-legitimate return addresses, with matching servers, but it may stem the tide a little.

"As the spoofing of email addresses remains a widespread and growing problem, efforts to strengthen the existing protocols will continue unabated. For example, we may begin to see a greater take-up of domain policy systems such as Sender ID or Yahoo!'s DomainKeys. This might mean that as they vie for market domination and closer integration, other approaches such as 'challenge-response' systems, 'electronic payment' and 'cryptographic puzzles' don't generate the broader adoption that their advocates would have perhaps hoped for. These mechanisms, although beneficent, are also equally vulnerable to spoofing and scalability becomes more of an issue, as global adoption seems more unlikely. For example, you may already be replying to 'challenges' that you didn't even initiate, just to make sure you're not missing any important mails!" Back to questions

Robert Gregorczyk asks: "If the antivirus software I have in place fails then in effect I've bought goods that aren't fit for the purpose for which they are designed. Shouldn't I therefore be entitled to take my software back and demand a full refund?"

Graham Cluley answers: "Aha! A legal question. If you read the small print of your antivirus software's license agreement you will almost certainly find that you do not own the software itself, only the media on which the software is contained. Furthermore, if you read the disclaimers (even tinier print) you'll almost certainly see that the vendor does not warrant that the product will detect or disinfect any viruses at all.

"Of course, you can still try and request a refund from your local friendly computer store, who may ignore the legalese to retain you as a happy customer and try and direct you towards another product." Back to questions

Stewart Buller asks: "Why is it so difficult to stop spammers who must be sending out millions of emails at a time? Someone, somewhere knows who they are and what they are doing."

Enrique Salem answer: "Spammers have continued to evolve their techniques to evade spam filters. Three years ago we saw primarily ASCII text spam asking consumers to call a phone number and now we see very dangerous phishing emails that ask consumers to provide personal and financial details. Phishing is more harmful than spam and email users need to know that they shouldn't respond to requests from supposed trusted vendors. Another important innovation that aims to change the economics of spam is traffic-shaping technology. This changes the game of spam by slowing down messages from known spammers, reducing their output tremendously." Back to questions


Quick Sitemap Links: