Under the Desktop: When Good E-Mail Meets Bad

The arrival of the MyDoom worm last week disrupted the regular workings of the Internet worldwide. At the same time, it must have knocked more than a few professional content creators off the map for a good while.
This assertion isn't mere conjecture: I was working with one of them, whom I'll call Mr. Smith (I've changed his name to protect the guilty). MyDoom's many side effects disrupted our usual e-mail-based workflow, and have now done so for more than a week.
Before the worm hit, I was in regular communication with this freelance designer about a planned series of images. Afterwards, it was as if Smith fell off the digital face of the earth.
Now I admit that my own e-mail service was problematic for much of a day, but his e-mail has been knocked out for days (more than a week now, and it's still out). Compounding the problem, the worm attack occurred while Mr. Smith was working away from his office, so our phone contact also suffered from the vagaries of mobile communication.
So what happened?
Talking about MyDoom
Most people call any replicating computer threat a "virus"; however, that description is inaccurate. A virus is a small program that infects existing files or applications on your system as part of its life cycle. A worm also replicates itself, but it's a stand-alone program that needs no host file.
Some worms take advantage of automation features in the operating system or an application to replicate and distribute copies of themselves without any help from the user. Other worms, MyDoom among them, rely on so-called "social engineering," or psychological tricks, to persuade us to launch the program ourselves and so help it spread.
MyDoom arrives as an attachment to an e-mail message, often disguised as some kind of graphic file. Almost all worms of this kind are aimed at Windows, that being the dominant platform, and MyDoom was a Windows worm. Sometimes my Macintosh can see through the cloaking on these attachments, showing me the difference between the name and the type, so that a seeming graphic extension such as GIF turns out to be the sheep's clothing for a program file, an EXE. (Windows, by default, hides the extension of known file types, which is exactly what makes this disguise work on the platform the worm targets.)
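The name-versus-type check described above, written out as an added example (this is not code from the column, and it is not how any particular mail filter works): it compares the extension an attachment advertises with the leading bytes of its content and with any extension hidden behind a second one. The magic-byte signatures and executable-extension list are well-known values; the sample attachments are constructed here for illustration.

```python
"""Added example: flag e-mail attachments whose displayed name claims one
file type while the bytes, or a trailing extension, say another."""

# Leading bytes of a few common formats (real signatures, not assumptions).
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"MZ": "windows-executable",   # DOS/PE header: .exe, .pif, .scr, ...
}

# Extensions Windows will run as a program when double-clicked.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "bat", "cmd", "com"}
IMAGE_EXTS = {"gif", "jpg", "jpeg", "png"}
DOCUMENT_EXTS = IMAGE_EXTS | {"txt", "doc", "pdf"}


def sniff(data: bytes) -> str:
    """Identify the real type from the leading bytes, or 'unknown'."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def analyze_attachment(filename: str, data: bytes) -> dict:
    """Return what the name claims, what the bytes are, and whether to block."""
    exts = filename.lower().split(".")[1:]      # every extension after the base name
    last = exts[-1] if exts else ""
    actual = sniff(data)
    reasons = []
    if last in EXECUTABLE_EXTS:
        reasons.append("executable extension %r" % last)
    # "photo.gif.exe" shows as "photo.gif" when Windows hides known extensions.
    if len(exts) > 1 and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        reasons.append("double extension %r hides the real type" % filename)
    if last in IMAGE_EXTS and actual not in IMAGE_EXTS and actual != "unknown":
        reasons.append("claims an image but content is %s" % actual)
    if actual == "windows-executable" and last not in EXECUTABLE_EXTS:
        reasons.append("PE header under a non-executable name")
    return {"name": filename, "claimed": last, "actual": actual,
            "block": bool(reasons), "reasons": reasons}


# Constructed sample attachments (not real MyDoom payloads).
SAMPLES = {
    "photo.gif": b"GIF89a" + bytes(20),              # genuine image
    "readme.gif": b"MZ\x90\x00" + bytes(20),         # program renamed to .gif
    "document.txt.pif": b"MZ\x90\x00" + bytes(20),   # double extension
    "report.zip": b"PK\x03\x04" + bytes(20),         # archive, passes this check
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        result = analyze_attachment(name, content)
        print("%-18s claimed=%-4s actual=%-18s block=%s %s"
              % (name, result["claimed"], result["actual"],
                 result["block"], "; ".join(result["reasons"])))
```

Archives pass this check as written; a filter that wants to catch a program inside a zip would have to open the archive and run the same test on each member's name and content.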
When launched, the worm quickly e-mails hundreds of copies of itself using a small built-in mailing engine. It draws targets from your own address book and also stitches together fragments of the addresses it finds, on the chance that it will get lucky and reach a new host.
The text and subject line of a MyDoom message look like a report of a bounced message. Experts said this improved its social-engineering odds, since many computer users are leery of ordinary e-mails with images that sport the usual sexy come-ons. Security folks said the worm initially targeted big business users, who considered themselves more savvy and better protected against such a psychological approach.
Whatever the intent, MyDoom became one of the most active worm outbreaks ever (see Figure 1).
Perhaps you, like me, received hundreds if not many thousands of its messages. I did. According to the folks who track such things, about a week ago 1 in 12 messages sent over the Internet carried the worm. And when those worm messages hit any of a number of antivirus filtering services, the server responded by sending a warning e-mail back to the sender address. Since the worm forges that address, most of those warnings landed on people who had never sent anything.
The volume of messages carrying the worm, or warning about it, grew so large that the Internet slowed down. That's a lot of traffic.

Of course, aside from this initial flood of messages (or continuing one, if it wasn't taken care of), MyDoom performed several other operations on an infected machine, including blocking Web contact with antivirus sites and planting a time-delayed routine that would launch an attack on several Web sites such as www.microsoft.com.
This type of delayed attack is called a distributed denial of service: "distributed" because it is released from many computers across the Internet at once, and "denial of service" because the resulting flood of requests overwhelms the Web server so that legitimate visitors can't get through.
MyDoom did all this and more. You can find more about the hubbub at an eWEEK.com special report on the worm, including its follow-up actions and how to get rid of it.
But all this background doesn’t really explain what happened to Mr. Smith’s e-mail capability. Neither of us had this MyDoom worm.
Easy Come, Easy Gone
Now, you might think that this communication problem was between Mr. Smith and me alone. But it takes more than two to have a true Internet miscommunication. In this case there are four (or more) parties: Mr. Smith and his ISP, and me and my ISP, or in this case, my system administrator.
I have a number of e-mail accounts hosted by different ISPs and services. For some of these accounts, I am the administrator, but others are handled by IT professionals. One is a corporate account and that’s the one that Mr. Smith was sending mail to.
When the worm hit, the system administrator of my mail server put a number of emergency policies into effect. To prevent the chance that some other user on the local network might be tempted by the MyDoom worm, he cut off both the sending and receipt of all e-mail attachments, regardless of their size or format.
That certainly put a stop to further instances of the worm; however, it also put a crimp in my graphics workflow. Until the spigot was turned back on, I wouldn't be able to receive the files as e-mail attachments. But that was the smallest part of the matter.
The bigger problem appeared to be with Smith's ISP or mail server. It was overwhelmed by the massive number of messages sent by the worm and must have stopped working. This happened all around the Web, as mail servers were swamped by the wave of infected e-mail rolling across the Internet.
But his mail services should have recovered shortly. Since I didn’t speak to Smith’s ISP, I don’t know for sure what caused his long-term outage. But I have some ideas.
First, ISPs set limits on the various parameters of an account, mostly around bandwidth and capacity (see Figure 2). A customer can store only so many megabytes of data, comprising e-mail messages and Web site; and can serve only so much data across the Internet. This latter figure usually includes all traffic, from the images served from the Web site to the e-mail messages.

Worse, MyDoom's attack came at the end of the month, when many hosting customers may already have been close to their limits. A fast-acting worm can quickly eat up gigabytes of storage for unread messages, and especially of bandwidth. When the limit is reached, mail service for the account can stop without warning.
I’m sure many account holders tried getting in touch with their hosting administrator or ISP. That may have been tough to do on such a day or even during the week. Today’s Web servers can hold many hundreds of accounts, each one needing individual attention. And no doubt, your admin could have some of the same troubles with e-mail reliability that you’re having.
Worse still, some professionals must have taken advantage of the Internet Message Access Protocol (IMAP) capabilities of their Web mail account and stored their mail remotely. This is a good thing, if it's working correctly. Or at all.
As I described in a column in the fall, there are two primary protocols for receiving mail: Post Office Protocol (POP) and IMAP. POP downloads messages to one machine; IMAP leaves them on the server, and the nice thing about that is that you can access your new messages and stored mail from different computers, at your office or at a client's site. And if you use a notebook and a desktop workstation, you don't have to worry about syncing up folders.
But following a worm attack, IMAP users could be cut off not only from incoming and outgoing e-mail but also from all the old messages they had sent or still kept in the inbox and folders, since those live on the server too.
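The obvious hedge against that is to keep a local copy of what lives on the server. The following is an added example (not code from the column, nor any product's own backup routine): it walks an IMAP folder with the standard imaplib interface and appends every message to a local mbox file, so an outage at the provider leaves the archive readable offline. The host, user and password in backup_live are placeholders you would replace; the offline demo uses a constructed stand-in for the connection with two made-up messages.

```python
"""Added example: pull an IMAP folder into a local mbox so losing the server
does not lose the mail archive."""

import email
import imaplib
import mailbox
import os
import tempfile


def backup_folder(conn, folder: str, mbox_path: str) -> int:
    """Append every message in `folder` to `mbox_path`; return the count copied.
    `conn` is anything exposing imaplib's select/search/fetch methods."""
    typ, _ = conn.select(folder, readonly=True)      # read-only: never flag or expunge
    if typ != "OK":
        raise RuntimeError("cannot select folder %r" % folder)
    typ, data = conn.search(None, "ALL")
    if typ != "OK":
        raise RuntimeError("search failed in %r" % folder)
    box = mailbox.mbox(mbox_path)                    # created if it does not exist
    copied = 0
    try:
        for num in data[0].split():
            typ, parts = conn.fetch(num, "(RFC822)")
            if typ != "OK":
                continue
            raw = parts[0][1]                        # imaplib returns (envelope, bytes)
            box.add(mailbox.mboxMessage(email.message_from_bytes(raw)))
            copied += 1
        box.flush()
    finally:
        box.close()
    return copied


def backup_live(host, user, password, folder="INBOX", mbox_path="inbox-backup.mbox"):
    """Real run over IMAP-with-TLS. host/user/password are assumed placeholders."""
    conn = imaplib.IMAP4_SSL(host)
    try:
        conn.login(user, password)
        return backup_folder(conn, folder, mbox_path)
    finally:
        conn.logout()


class FakeIMAP:
    """Offline stand-in that answers with imaplib-shaped tuples (constructed for the demo)."""

    def __init__(self, messages):
        self.messages = messages

    def select(self, folder, readonly=False):
        return ("OK", [b"%d" % len(self.messages)])

    def search(self, charset, *criteria):
        ids = [b"%d" % (i + 1) for i in range(len(self.messages))]
        return ("OK", [b" ".join(ids)])

    def fetch(self, num, parts):
        raw = self.messages[int(num) - 1]
        return ("OK", [(b"%s (RFC822 {%d})" % (num, len(raw)), raw), b")"])


# Constructed sample messages, not real mail.
SAMPLE_MESSAGES = [
    b"From: client@example.com\r\nTo: smith@example.net\r\n"
    b"Subject: phone\r\n\r\nCall me at 555-0100\r\n",
    b"From: smith@example.net\r\nTo: client@example.com\r\n"
    b"Subject: Invoice 17\r\n\r\nDue on receipt\r\n",
]


def demo(mbox_path=None):
    """Back up the fake server into a fresh mbox; return (copied, subjects stored)."""
    if mbox_path is None:
        mbox_path = os.path.join(tempfile.mkdtemp(), "demo-backup.mbox")
    copied = backup_folder(FakeIMAP(SAMPLE_MESSAGES), "INBOX", mbox_path)
    subjects = [msg["subject"] for msg in mailbox.mbox(mbox_path)]
    return copied, subjects


if __name__ == "__main__":
    count, subjects = demo()
    print("copied %d messages: %s" % (count, ", ".join(subjects)))
```

Run on a schedule (nightly is plenty for a one-person shop), the mbox file can be opened by most desktop mail clients with no server at all, which is the point: the phone number buried in an old message is still searchable when the provider is down.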
Many people, such as Mr. Smith, mix their business workflows with their e-mail inbox, using it as a job and invoice tracker, contact database and file system. However, this practice ran into trouble when something cut off access to the remotely-stored data.
For example, as a creative kinda guy, Mr. Smith doesn’t really maintain a current job list or even a contact file of his clients. If he needs some information he searches through his mail until he finds what he needs in an old message or two. In this case, it was my phone number! Or so he said. Still, it was an excellent excuse for not getting in touch with me sooner.
Skirting the E-Mail Doom
What is certain is that MyDoom is only the latest example of a growing trend. We will see further worms entering the Internet ecology over the months ahead.
So what can content professionals do to plan for the attacks of e-mail worms? Here are a few ideas:
- Have a spare e-mail, FTP, and Web account ready to go. I have several mail accounts on different ISPs just in case one goes out of business or has some serious troubles. This should cost under $10 a month. Consider it a form of insurance.
- Reconsider your reliance on IMAP accounts. I like to keep my important data where it's always accessible, even if my connection to the Internet becomes disrupted. At the same time, I recognize the convenience of Web access, especially when I'm working outside the office. Some folks may find remote file access an alternative to IMAP or Web mail services. Mac users can take advantage of the integration with Apple Computer's .Mac services, and there are several companies that offer similar remote storage for Windows users. The problem is synchronization of files and seamless access. In addition, I'm looking into some sneakernet solutions based on flash memory devices.
- Keeping in close communication with your clients is key. We're used to the ebb and flow of regular e-mail, assuming that our clients have received the messages we've sent. It can take a while to figure out that there's a problem and then an even longer time to work out the solution or a revised workflow. For example, do we really worry if we don't hear from someone via mail? Nope. No message is good news, meaning that everything is okay with the job. We're so used to successful, reliable e-mail that we assume the positive, not the negative. By the time a problem with transmission is uncovered, your deadlines may be critical.
To work around this potential problem, I suggest that content creators have several instant messaging clients preinstalled on their systems and their handles communicated to your clients.
There are three major standards here: AOL Instant Messenger, Yahoo! Messenger, and MSN Messenger. Content creators can’t afford to take sides in a technological fight so use the standards that your clients use.
And don't bother with multiple-protocol clients, which are often flaky. The real-deal clients are the most reliable (as is a licensed, supported client such as Apple's iChat AV).
MyDoom is only the latest in a coming wave of security issues in the year ahead. As the Talmud said: "The words 'and it came to pass' usually introduce a tale of sadness." Preparation for worm attacks, and e-mail alternatives, can lessen the sorrow of content creators and their customers.
This article was last modified on January 3, 2023
This article was first published on February 5, 2004