*** From the Archives ***

This article is from February 5, 2004, and is no longer current.

Under the Desktop: When Good E-Mail Meets Bad


The arrival of the MyDoom worm last week disrupted the regular working of the worldwide Internet. At the same time, it must have knocked more than a few professional content creators off the map for a good while.

This isn't mere conjecture: I was working with one of them, a freelance designer I'll call Mr. Smith (I've changed his name to protect the guilty). MyDoom's side effects have disrupted our usual e-mail-based workflow for more than a week now.

Before the worm hit, I was in regular communication with this freelance designer about a planned series of images. Afterwards, it was as if Smith fell off the digital face of the earth.

Now, I admit that my own e-mail service was problematic for much of a day, but his e-mail was knocked out for days (more than a week now, and it's still out). Compounding the problem, the worm hit while Mr. Smith was working away from his office, so our phone contact also suffered from the vagaries of mobile communication.

So what happened?

Talking about MyDoom
Most people call any replicating computer threat a "virus"; however, that description is inaccurate. A virus is a small program that infects existing files or applications on your system as part of its lifecycle; it needs a host file to ride along in. A worm also replicates itself, but it is a stand-alone program that travels under its own power, usually across the network.

Some worms take advantage of automation features (or outright security holes) in the operating system or an application to replicate and distribute copies of themselves with no help from the user. Others, MyDoom among them, rely on so-called "social engineering": psychological tricks that persuade us to launch the program ourselves and so help it spread.

MyDoom arrives as an attachment to an e-mail message, often disguised as some kind of graphic file. Almost all such worms are aimed at Windows, that being the dominant platform, and MyDoom was a Windows worm. Sometimes my Macintosh sees through the disguise, because it shows me the difference between the file's name and its actual type: a seemingly harmless GIF extension turns out to be the sheep's clothing on a program file, an EXE. The name is the only thing the worm's author controls; the first bytes of the file give away what it really is.

When launched, the worm quickly e-mails hundreds of copies of itself using its own small built-in mailing engine, so it needs no help from your regular mail program. It harvests addresses from your address book and other files it finds on the disk, forges the sender address so the copies appear to come from someone else, and even mixes up bits and pieces of addresses on the off chance that it will get lucky and find a new home.

The text and subject line of a MyDoom message mimic a bounce report from a mail server. Experts said this improved its social-engineering odds, since many computer users have learned to be wary of ordinary e-mails whose subject lines sport the usual sexy come-ons. Security folks also said the worm initially targeted big-business users, who considered themselves more savvy and better protected against such a psychological approach.

In the event, MyDoom became one of the most active worm attacks ever (see Figure 1).

Perhaps you, like me, received hundreds if not many thousands of its messages. I did. According to the folks who track such things, about a week ago 1 in 12 messages sent over the Internet carried the worm. And when those worm messages hit a number of antivirus filtering services, the filters responded by sending a warning e-mail back to the sender. Because the worm forges its sender address, those warnings went not to the infected machine but to whoever's address happened to be in the From line, piling a second flood of useless mail on top of the first.

The volume of messages carrying the worm, or warning about it, grew so large that the Internet as a whole slowed down. That's a lot of traffic.

Figure 1: This graph from antivirus vendor MessageLabs Ltd. shows the varying infection rates for virus and worm attacks over the past year. The big jump in January comes from a couple of big infections that month: MyDoom and Bagle. Ouch.

Of course, beyond this initial flood of messages (a continuing one, if the infection wasn't cleaned up), MyDoom performed several other operations on an infected machine, including blocking Web contact with antivirus sites, so that the victim couldn't fetch a fix, and planting a time-delayed routine that would launch an attack on several Web sites, such as www.microsoft.com.

This type of delayed attack is called a distributed denial of service: "distributed" because the flood is released from many computers across the Internet at once, and "denial of service" because the resulting requests overwhelm the Web server, so legitimate visitors can't get through.
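Here is an added example (my own, not code from the article or from any antivirus vendor) of the check a practitioner would run after an infection like the one described above: scan the hosts file for vendor names that have been sinkholed or redirected. A later MyDoom variant blocked antivirus sites exactly this way, by adding bogus entries to the Windows hosts file. The vendor list and the sample hosts file below are constructed for the demo.

```python
"""Scan a hosts file for entries that would cut a machine off from
antivirus and update sites, the kind of entry a worm adds so the victim
cannot fetch new signatures.  Added example, not code from the article;
the vendor list and the sample file are constructed for the demo."""
import ipaddress

# Assumed list of domain suffixes a worm would want to black-hole.
# Extend it with whichever vendors you actually rely on.
WATCHED_SUFFIXES = (
    "symantec.com", "norton.com", "mcafee.com", "sophos.com",
    "trendmicro.com", "kaspersky.com", "f-secure.com",
    "windowsupdate.com", "microsoft.com", "messagelabs.com",
)

# Addresses that silently black-hole a name rather than redirect it.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}


def watched(hostname):
    """True if hostname is, or is a subdomain of, a watched suffix."""
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file.

    Handles '#' comments, tabs/spaces and several names per line.  Lines
    whose first field is not a valid IP are skipped rather than trusted,
    since a hand-edited file may contain junk."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            yield line_no, ip, name.lower()


def find_tampering(text):
    """Return entries that hijack or sinkhole a watched vendor name.

    A vendor name in the hosts file is suspicious whatever it points at:
    a sinkhole address blocks updates outright, and any other address
    quietly sends the client somewhere the attacker controls."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if not watched(name):
            continue
        kind = "sinkhole" if ip in SINKHOLE_ADDRS else "redirect"
        findings.append({"line": line_no, "ip": ip, "host": name, "kind": kind})
    return findings


# Constructed sample: an ordinary Windows hosts file plus three injected lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver   fileserver.lan
0.0.0.0         liveupdate.symantec.com   # injected
127.0.0.1\tdownload.mcafee.com update.sophos.com
10.9.8.7        windowsupdate.microsoft.com
"""

if __name__ == "__main__":
    for f in find_tampering(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

On a real machine, feed `find_tampering` the contents of `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`); any vendor name it reports should not be there at all, since those names are meant to be resolved by DNS.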

MyDoom did all this and more. You can find more about the hubbub in an eWEEK.com special report on the worm, including its follow-up actions and how to get rid of it.

But all this background doesn’t really explain what happened to Mr. Smith’s e-mail capability. Neither of us had this MyDoom worm.

Easy Come, Easy Gone
Now, you might think that this communication problem was between Mr. Smith and me alone. But it takes more than two to have a true Internet miscommunication. In this case there were four (or more) parties: Mr. Smith and his ISP, and me and my ISP, or in this case my system administrator.

I have a number of e-mail accounts hosted by different ISPs and services. For some of these accounts, I am the administrator, but others are handled by IT professionals. One is a corporate account and that’s the one that Mr. Smith was sending mail to.

When the worm hit, the administrator of my mail server put a number of emergency policies into effect. To remove any chance that some other user on the local network might be tempted by a MyDoom attachment, he cut off both sending and receiving of all e-mail attachments, regardless of size or format.

That certainly stopped any further copies of the worm; however, it also put a crimp in my graphics workflow. Until the spigot was turned back on, I wouldn't be able to receive the file as an e-mail attachment. A narrower rule, refusing only executable files and the archives that carry them, would have stopped the worm just as well without stopping the GIFs. But that was the smallest part of the matter.
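As an added example (mine, not anything from the article or from any mail product), here is what a narrower attachment policy looks like: it inspects each attachment rather than counting them. It checks the first bytes of the file against the claimed extension, the same trick the Macintosh did for me above, refuses anything that is a Windows executable by name or by content, and looks inside zip archives for the same. The extension lists, the rules and the sample message are assumptions built for the demo.

```python
"""Attachment policy aimed at what MyDoom actually sent, rather than the
blanket 'no attachments at all' rule.  Added example, not code from the
article or any mail product; the extension lists, rules and the sample
message are assumptions made for the demo."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click (assumed list; extend as needed).
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Image extensions and the format each one should sniff as.
IMAGE_EXTS = {"gif": "gif", "jpg": "jpeg", "jpeg": "jpeg", "png": "png"}
# Leading bytes of the formats we care about.
MAGIC = {
    b"GIF87a": "gif", b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
}


def sniff(data):
    """Format implied by the first bytes, regardless of the file name."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def extensions(filename):
    """Lowercased extension chain: 'pic.gif   .exe' -> ['gif', 'exe'].
    Spaces are removed first, so a padded double extension cannot hide."""
    parts = (filename or "").replace(" ", "").lower().split(".")
    return parts[1:]


def judge(filename, data):
    """Return ('block' | 'allow', reason) for one attachment."""
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    kind = sniff(data)
    if kind == "exe" or last in EXEC_EXTS:
        return "block", f"Windows executable (name .{last or '?'}, magic {kind})"
    if last in IMAGE_EXTS and kind != IMAGE_EXTS[last]:
        return "block", f"claims to be {last.upper()} but contents sniff as {kind}"
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    mexts = extensions(member)
                    if mexts and mexts[-1] in EXEC_EXTS:
                        return "block", f"zip contains executable {member}"
        except zipfile.BadZipFile:
            return "block", "unreadable zip"
    return "allow", f".{last or 'no extension'} matches contents ({kind})"


def scan_message(raw):
    """Run judge() over every attachment of an RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        verdict, reason = judge(name, part.get_payload(decode=True) or b"")
        report.append({"name": name, "verdict": verdict, "reason": reason})
    return report


def build_sample():
    """Constructed message mixing benign parts with MyDoom-style ones."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("details.exe", b"MZ" + b"\x90" * 16)
    msg = EmailMessage()
    msg["From"] = "mailer-daemon@example.com"   # forged, as the worm does
    msg["To"] = "designer@example.net"
    msg["Subject"] = "Mail Transaction Failed"
    msg.set_content("The message could not be delivered; see attachment.")
    msg.add_attachment(b"GIF89a" + b"\x00" * 16, maintype="image", subtype="gif", filename="logo.gif")
    msg.add_attachment(b"MZ" + b"\x90" * 16, maintype="image", subtype="gif", filename="photo.gif")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip", filename="details.zip")
    msg.add_attachment(b"notes", maintype="application", subtype="octet-stream", filename="notes.txt")
    msg.add_attachment(b"\x00" * 8, maintype="application", subtype="octet-stream", filename="invoice.pdf.pif")
    return msg.as_bytes()


if __name__ == "__main__":
    for r in scan_message(build_sample()):
        print(f"{r['verdict']:5} {r['name']}: {r['reason']}")
```

The point of sniffing is that `photo.gif` is blocked even though its name, its MIME type and its sender all say "picture"; only the `MZ` at the start of the file tells the truth. Real deployments hang this logic off the mail server's content filter, so the verdict is taken before the message reaches a desktop.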

The bigger problem appeared to be with Smith's ISP or mail server. It was overwhelmed by the massive number of messages the worm generated and must have stopped working. This happened all around the Web, as mail servers were swamped when the wave of infected e-mail rolled across the Internet.

But his mail service should have recovered shortly afterwards. Since I didn't speak to Smith's ISP, I don't know for sure what caused his long-term outage. But I have some ideas.

First, ISPs set limits on the various parameters of an account, mostly around bandwidth and storage (see Figure 2). A customer can store only so many megabytes of data, counting both e-mail messages and Web site, and can serve only so much data across the Internet each month. This latter figure usually includes all traffic, from the images served from the Web site to the e-mail messages.

Figure 2: This is the Java-based Web hosting management software that I use to control bandwidth and other factors for an account. It’s a primitive interface but straightforward, providing fields for bandwidth, storage, subdomains, the number of e-mail accounts allowed and more. Here, this account can use 100 MB of bandwidth per month. That wouldn’t be much for a graphics professional sending images and comps, but it should suffice for an ordinary user.

Worse, MyDoom struck at the end of the month, when many hosting customers may already have been close to their limits. A fast-spreading worm can quickly eat through a quota, both in storage for unread messages and, especially, in bandwidth. When the limit is reached, mail service for the account can simply stop.

I'm sure many account holders tried to get in touch with their hosting administrator or ISP. That may have been tough to do on such a day, or even during that week. Today's Web servers can hold many hundreds of accounts, each needing individual attention. And no doubt your admin was having some of the same troubles with e-mail reliability that you were.

Worse, some professionals may have taken advantage of the Internet Message Access Protocol (IMAP) capability of their Web mail account and stored all their mail remotely. This is a good thing, as long as it's working correctly. Or at all.

As I described in a column in the fall, there are two primary protocols for retrieving mail: Post Office Protocol (POP) and IMAP. POP downloads messages to your own machine; IMAP leaves them on the server, which is what lets you get at new messages and stored mail from different computers, at your office or at a client's site. And if you use a notebook and a desktop workstation, you don't have to worry about syncing up folders.

But after a worm attack, IMAP users could be cut off not only from incoming and outgoing e-mail but also from every old message, whether sent or still sitting in the inbox and folders, because the only copy lived on the server.

Many people, such as Mr. Smith, mix their business workflow into their e-mail inbox, using it as a job and invoice tracker, contact database and file system. That practice runs into trouble the moment something cuts off access to the remotely stored data.

For example, as a creative kinda guy, Mr. Smith doesn’t really maintain a current job list or even a contact file of his clients. If he needs some information he searches through his mail until he finds what he needs in an old message or two. In this case, it was my phone number! Or so he said. Still, it was an excellent excuse for not getting in touch with me sooner.

Skirting the E-Mail Doom
What is certain is that MyDoom is only the latest example of a growing trend. We will see more worms entering the Internet ecology over the months ahead.

So what can content professionals do to plan for the attacks of e-mail worms? Here are a few ideas:

  • Have a spare e-mail, FTP, and Web account ready to go. I have several mail accounts on different ISPs just in case one goes out of business or has some serious troubles. This should cost under $10 a month. Consider it a form of insurance.
  • Reconsider your reliance on IMAP accounts. I like to keep my important data where it's always accessible, even if my connection to the Internet is disrupted. At the same time, I recognize the convenience of Web access, especially when I'm working outside the office. Some folks may find remote file access an alternative to IMAP or Web mail services. Mac users can take advantage of the integration with Apple Computer's .Mac services, and several companies offer similar remote storage for Windows users. The problem is synchronization of files and seamless access. In addition, I'm looking into some sneakernet solutions based on flash memory devices.
  • Keeping in close communication with your clients is key. We're used to the ebb and flow of regular e-mail, assuming that our clients have received the messages we've sent. It can take a while to figure out that there's a problem, and even longer to work out a solution or a revised workflow. For example, do we really worry if we don't hear from someone via mail? Nope. No message is good news, meaning that everything is okay with the job. We're so used to successful, reliable e-mail that we assume the positive, not the negative. By the time a problem with transmission is uncovered, your deadlines may be critical.
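For the IMAP problem described earlier and the "keep your data where it's always accessible" advice above, the practical middle path is to keep using IMAP but mirror the mailbox into a local mbox file on a schedule. The script below is an added example, mine rather than the column's or any ISP's. The X-Mirror-UID header it stamps on each saved copy is an assumption, used so that repeated runs fetch only what is new, and FakeIMAP is a constructed stand-in for imaplib so the demo runs offline.

```python
"""Mirror an IMAP folder into a local mbox so the mail stays readable
when the server is down or the account is suspended.  Added example, not
the article's code.  mirror_folder() accepts any object with imaplib's
select()/uid() methods; FakeIMAP is a constructed stand-in for the demo."""
import email
import imaplib
import mailbox
import os
import tempfile

UID_HEADER = "X-Mirror-UID"   # assumed header that makes re-runs idempotent


def _uids_already_saved(box):
    """Set of server UIDs already present in the local mbox."""
    return {m[UID_HEADER] for m in box if m[UID_HEADER]}


def _extract_raw(fetch_data):
    """Pull the RFC 822 bytes out of an imaplib FETCH response.

    imaplib returns [(b'1 (UID 7 RFC822 {n}', b'<raw>'), b')']; the
    literal sits in the second element of the tuple."""
    for item in fetch_data:
        if isinstance(item, tuple) and len(item) >= 2:
            return item[1]
    return None


def mirror_folder(client, mbox_path, folder="INBOX"):
    """Append every message not yet mirrored to mbox_path.
    Returns the list of UIDs fetched on this run."""
    typ, _ = client.select(folder, readonly=True)   # never mark anything read
    if typ != "OK":
        raise RuntimeError(f"cannot select {folder}")
    typ, data = client.uid("SEARCH", None, "ALL")
    if typ != "OK":
        raise RuntimeError("SEARCH failed")
    server_uids = data[0].decode().split() if data and data[0] else []

    box = mailbox.mbox(mbox_path)
    try:
        have = _uids_already_saved(box)
        fetched = []
        for uid in server_uids:
            if uid in have:
                continue
            typ, fdata = client.uid("FETCH", uid, "(RFC822)")
            raw = _extract_raw(fdata) if typ == "OK" else None
            if raw is None:
                continue            # leave it for the next run
            msg = mailbox.mboxMessage(raw)
            msg[UID_HEADER] = uid   # tag the copy with its server UID
            box.add(msg)
            fetched.append(uid)
        box.flush()
    finally:
        box.close()
    return fetched


class FakeIMAP:
    """Constructed stand-in that mimics imaplib's return shapes."""
    def __init__(self, messages):
        self.messages = messages            # {uid: raw bytes}

    def select(self, folder, readonly=False):
        return "OK", [str(len(self.messages)).encode()]

    def uid(self, cmd, *args):
        if cmd == "SEARCH":
            return "OK", [" ".join(self.messages).encode()]
        if cmd == "FETCH":
            uid, raw = args[0], self.messages[args[0]]
            return "OK", [(f"1 (UID {uid} RFC822 {{{len(raw)}}}".encode(), raw), b")"]
        raise ValueError(cmd)


# Constructed sample mailbox: two short client messages.
SAMPLE = {
    "101": b"From: client@example.com\r\nSubject: Comps for Tuesday\r\n\r\nCall me at 555-0100.\r\n",
    "102": b"From: client@example.com\r\nSubject: Invoice 42\r\n\r\nPaid.\r\n",
}


def demo():
    """Sync twice against the fake server; the second run must be a no-op."""
    path = os.path.join(tempfile.mkdtemp(), "mirror.mbox")
    client = FakeIMAP(SAMPLE)
    first = mirror_folder(client, path)
    second = mirror_folder(client, path)
    box = mailbox.mbox(path)
    subjects = [m["Subject"] for m in box]
    box.close()
    return first, second, subjects


if __name__ == "__main__":
    import getpass
    import sys
    if len(sys.argv) == 3:      # python mirror.py imap.example.net you@example.net
        with imaplib.IMAP4_SSL(sys.argv[1]) as client:
            client.login(sys.argv[2], getpass.getpass())
            print("fetched", mirror_folder(client, "inbox-mirror.mbox"))
    else:
        print(demo())
```

Against a real server the script connects over IMAPS with the host and user given on the command line (both placeholders here) and appends to `inbox-mirror.mbox`; because it opens the folder read-only and only adds to the local file, it can run from cron without disturbing what the IMAP client sees. The local mbox is what you search for the phone number when the server has gone away.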

To work around this potential problem, I suggest that content creators have several instant messaging clients preinstalled on their systems and give their handles to their clients ahead of time.

There are three major networks here: AOL Instant Messenger, Yahoo! Messenger, and MSN Messenger. Content creators can't afford to take sides in a technological fight, so use whichever networks your clients use.

And don't bother with a multi-protocol client; they are often flaky. The real-deal clients are the most reliable (as is a licensed, supported client such as Apple's iChat AV, which connects to the AIM network).

MyDoom is only the first of a coming wave of security issues in the year ahead. As the Talmud says: "The words 'and it came to pass' usually introduce a tale of sadness." Preparing for worm attacks and having e-mail alternatives ready can lessen the sorrow of content creators and their customers.

  • anonymous says:

    …the one thing users MUST do to protect themselves. If you're a Windows user, like me, you need to make sure you keep your system up to date. This doesn't necessarily mean download and install patches the day they come out, but check Windows Update once a week and make sure you have Automatic Update set to, at the very least, download the updates and notify you when they are ready to install. It would be best for most users to simply download and automatically install the updates. When checking Windows Update, make sure you have ALL the critical updates applied. The rest you should read and apply if necessary.

    If you use MS Office, especially Outlook, like me, then you need to keep this application suite up to date as well. Microsoft’s OfficeUpdate site (https://office.microsoft.com/officeupdate/) will automatically check to see which version of Office you are using and list any updates that you may need to apply. With the security updates applied Outlook no longer allows the receipt of “raw” .exe files. If you must receive .exe files, Flash and Director projectors for instance, have them sent as .zip files.

    The third step that you must take is to learn about security. You don’t have to become an IT Admin or sign up for a pocket protector; you just need to make yourself aware of security issues as they relate to your platform. A good place to start for Windows users is https://www.microsoft.com/security/. They have easy to read and understand articles and links to updates and warnings concerning current security issues. The other thing you should do is download the Microsoft Baseline Security Analyzer (https://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/mbsahome.asp). This will not only catch any updates that might not be available on Windows Update just yet but it will also identify any security issues that may exist on your system that you are not aware of. This ranges from open ports and application security settings to updates not installed or passwords that are easy to crack. It’s simple to use, the reports it generates are easy to read and understand and it provides useful instructions to fix problems you may encounter.

    Fourth step, and just as important, is to run a virus scanner. I run Norton Anti-Virus 2000 from Symantec and I have no problems with it. I know you will hear problems with Norton Anti-Virus but I’ve found that most of these problems are with Norton System Utilities and not specifically with Norton Anti-Virus itself. When you install Norton, make sure you set up a schedule for Norton to update the virus signatures. This is helpful if you have a broadband connection and can leave your system on these nights but if you have a dial-up connection do not ignore the update warning. A virus scanner is only useful if it knows to scan for the most current security issues so keep the virus definitions list up to date.

    Windows is a secure system but it is up to the user to make it so. These four things will make your system far less susceptible to these worm and virus attacks. Since being networked 24/7 I have never gotten a computer virus, nor been bothered by a worm, and this during a time when networked computers are supposed to be far more susceptible to these security issues. Safe computing starts with the user and educating yourself about security will go a long way to making sure these worms and viruses do not interrupt your workflow.

  • anonymous says:

    …using a firewall is a key component for users especially those with 24/7 access to the internet via broadband. There are a number of good firewalls available on the market that are easy to setup and use. I have a Microsoft MN-700 (https://www.microsoft.com/hardware/broadbandnetworking/productdetails.aspx?pid=002) which provides firewall and internet sharing (router) for both wired and wireless (802.11g) networking. Linksys and Netgear also make great firewall/routers that allow multiple computers to share a single broadband connection as well as keep viruses, worms and spyware from making your life miserable. This is about a $100 investment depending on what you need but is well worth the security it provides.

  • anonymous says:

    I am the art/tech director for a mid-sized printer in the Midwest, and this article repeats some information we should all be familiar with by now: keeping a firewall, updating your MS software, using anti-virus and, most especially, NOT opening attachments you didn't ask for. In fact I have this exact warning on all of our Windows machines. So far, all of our employees have been following that last instruction, and we have not had a virus. Plus I keep everyone informed of what's going on in the virus world. I will personally go to every person on a workstation and tell them there is a virus attack and to be suspicious of all emails they didn't ask for. I still think that a pro-active approach is the best for these types of attacks.
