« A Really Bad Case Of Senioritis | Main | Bonfire Of The Vanities Reminder »

E-Mail Viruses - The Real Culprit

Microsoft bashers and loyalists of other operating systems espouse that the blame for e-mail viruses lies squarely on the doorstep in Bellevue, Washington. I submit to you that the e-mail delivery system of the Internet is broken and there are a lot of other vendors to blame.

First a little background on the e-mail delivery system. The software that has the dominant market position in the e-mail server market is not from Microsoft, Lotus/IBM, or Sun; it's called Sendmail and it was originally written by Eric Allman and the open source version is now lives at The Sendmail Consortium. Eric started Sendmail, Inc. which produces a comercial version of the product. Sendmail from a technology perspective dates back to the pre ARPANET era of the Internet, and it is about as sysadmin friendly as other programs of that era. The following section is paraphrased from Paul Vixie's Sendmail Theory and Practice.

Why is Sendmail still in use?

Inertia, partly. Sendmail comes free with every modern UNIX system, which makes it a fairly attractive way to solve the average computer’s mail transport problem. Also, the cost of switching has yet to be lower than the cost of living with things as they are. In the opinion of many people (including those who choose the mail product strategies for the major UNIX vendors), the alternatives to Sendmail all have worse problems than Sendmail.

And then there’s simple inertia. Sysadmins generally already know how to cope with Sendmail and we expect to see it inside every server we install. Sendmail, once you get it working, works really well. Unless you run a large mail gateway, you don’t have to spend much time watching or reconfiguring Sendmail. This, combined with the fact that Sendmail comes with almost every UNIX system sold, makes it a solid winner with no relevant competition. Here, perhaps, is an instance of ‘‘good enough’’ being the enemy of ‘‘the best,’’ but we can’t argue with the result.

Chances are your ISP has Sendmail running, and based on my experience troubleshooting Sendmail configuration files, they've got configuration issues - but that's another story. The important point to note it that they are running software that enables the transmission of e-mail viruses, and most are not taking action to address this fact.

Here's the kicker - Sendmail had no capability to drop messages that contain viruses. There is simply no excuse for this situation. This is an example of an open source project in massive use that is a major contributor to the recent SoBig virus. Corporate users of Microsoft Exchagne and Lotus Notes have a multitude of options for Anti-Virus technology. Given the cost of a major infection, companies would be seriously derilict in their duties were they to fail to deploy a integrated virus solution.

ISP's and the vendors of commerical and open source mail server products are the chief enablers in the SoBig virus outbreak. The technology to stop viruses before they ever reach you Inbox exists. It's a pity that Unix and Linux vendors do not include a replacement for Sendmail that includes a virus detection and cleaning engine. Sendmail is the teflon culprit behind the proliferation of viruses, protected by the blameless cloak of the open source movement.

Update: Just to be clear - The people who implement unprotected systems are ultimately to blame, whether they implement Sendmail, Exchange, Notes, etc. The idea that Unix systems do not have to worry about virus transmission is an anachronism that persists in some quarters. I'm not a day to day Sendmail admin, but I've worked with enough ISP's to know that many do not implement virus scanning.


Listed below are links to weblogs that reference E-Mail Viruses - The Real Culprit:

» Signifying Nothing linked with Open source FUD

» blogoSFERICS linked with Why Viruses Propagate by E-Mail

» Backcountry Conservative linked with E-mail Viruses

» Practical Penumbra linked with Old issues, rehashed

» Kin's Kouch linked with Burnin' Down The House!

» Creative Slips linked with Carnival of the Vanities #49

» linked with Our Foes Flounder...

» linked with Filthy Lie roundup

» linked with Attention, Evil Minion!

Comments (13)

First, it's Stallman, not A... (Below threshold)
Bubba Sysadmin:

First, it's Stallman, not Allman.
The nature of Unix is not "one app to do it all", but more like "one app to do one thing well".
There ARE many drop-in replacements for sendmail (many people realized long ago..even Stallman has realized that sendmail is old)...the problem is that so many 'sys admins' today are taught/learn the point-and-click method of linux administraton and don't do any research...the default is not always the best method, but they have a "well if it wasn't good, why would redhat/suse/jobob linux include it?".
There are multitudes of programs to fight spam that run along side sendmail and its replacements. A good sysadmin will know that, look for it, and install it.
Much like the windows world..if users educated themselves (update that antivirus, don't open attachemnts unless you know it's coming - scan it before opening it)and stopped being so dependent on MS to take care of everything.

Sorry Bubba, it's <a href="... (Below threshold)

Sorry Bubba, it's Allman.

You are wrong on the name. ... (Below threshold)

You are wrong on the name. I've added a link.

Linux and Unix vendors included it because it works and it's free.

Why the 'Nix world gets a pass on viruses is beyond me. Just because they don't affect 'nix systems now, doesn't mean the won't later. If Unix systems are handling the bulk of the Intenet e-mail any good admin knows that you attack the problem and the server level first then the desktop.

Well, there are things abou... (Below threshold)

Well, there are things about the standard Unix security model that makes viruses exceedingly difficult to write.

Having said that, clearly, you make a good point, Kevin. Sendmail is a good case of "good enough" being the enemy of "better," only this time biting the *nix world instead of Microsoft.

The pity here is that you a... (Below threshold)

The pity here is that you and I basically agree that much of the problem is due to mail admins (whether corporate or ISP-based) who don't provide virus protection for their users despite its widespread (and, in the case of Linux, completely free) availability. Put a decent virus scanner behind the freemail services and I suspect not a single PC at my university would have been infected with SoBig (since we already have a commercial email scanner on the main campus server).

The culprit for the "don't protect at the server" attitude may be desktop antivirus software. Before the Internet, the assumption was that infections would be carried by disk--because they were. Hence desktop antivirus software was born in the Windows 3.1 era, and it never went away.

Even with server-side protection, though, desktop protection has to remain for all the morons who blindly click on external links in emails and transmit malware through other channels (like P2P, disks and CD-RWs). Both types of protection are needed.

And as for sendmail, it's an outdated piece of garbage. Hence why Debian ships with Exim as the default.

Interesting although a geek... (Below threshold)

Interesting although a geek/0™ like me still has no clue. I suppose I will just continue to depend on my user-side virus protection and my propensity to delete emails from people I do not know while they are still on the server. That is one of the things I like about ICQ. Configured to do email checks, it actually examines the mail residing on the server without downloading it, and allows me to delete it directly on the server.

I draw my mail from my host... (Below threshold)

I draw my mail from my host, which is a Debian Linux operation; they've long since dumped sendmail in favor of Postfix, and they've got the hooks working properly - they've trapped 168 (as of last night) copies of Sobig that were addressed to me, and none have been delivered.

I don't know why sendmail i... (Below threshold)

I don't know why sendmail is getting the blame, when an incompetent admin is dangerous using *any* OS.

Having said that though, my hosting guy (who uses exim on RH) brought up a good point in an explanatory "why I'm filtering your messages at the server" email. He noted that since he's filtering messages, to include an attachment, end users have to zip their attachments. Now for people like us, that is trivial, but to teach an end user to not only "attach" email but to zip it beforehand is a hassle.

That's one of my main point... (Below threshold)

That's one of my main points, anyone who got the virus should be pissed that their e-mail host happily stored it for them. I got exactly 0 copies of the virus delivered to me because my hosts took the time to have a virus scanner. I also got 0 copies at work for the same reason. Anyone receiveing copies of SoBig should be looking at their e-mail host and saying "What The Hell?".

Chris: You're right we do agree on most counts. The whole point of the excercise for me was; who is flying under the radar on this one? I say that any host that allows the transmission of a known virus is derilict in its duties to its customers.

Dean you are correct, but I would note that Sendmail itself is/was on of the biggest security threats for a long time due to buffer overflows and other exploits. Virus writters are opportunistic and popularity driven. This explains why Outlook is a major traget and the GroupWise mail client is not.

Of course desktop AV is important. The problem is for a long time that has been the first and last line of defense. Maintenace-wise we would all be better off it this was attacked at the server level. Exchange and Notes will never had built in AV because the AV vendors are too powerful (plus Microsoft got burned in the Desktop AV market in DOS 6), but Sendmail is wideopen.

The other interesting point is that the commercial version of Sendmail has McAfee AV technology in it.

BTW - Chris you may be on t... (Below threshold)

BTW - Chris you may be on to something on the desktop AV hypothesis. I recall an exec uttering words to those effect when I recommended a server based AV gateway for his company a few years ago. Fortunatly he was in the minority then, and more so now.

Ironically, my big client l... (Below threshold)

Ironically, my big client let me get them setup with Sybari Antigen for the e-mail gateway, even though they dragged their feet a little at the $1700 cost, but has ignored me about desktop protection on top of it, which would run about $1200 each two years. We've been lucky nobody has brought in an infected floppy or done a direct download of something.

Interesting discussion here. Makes sense to me.

In my battles with Sobig fa... (Below threshold)

In my battles with Sobig fallout, I've concluded that more domains do filtering than don't, but a lot of them have done it badly.

AOL didn't catch the virus at first, but after the first 10 (!) it stopped passing them on to that box. However I've been inundated since with bouncebacks from clueless autoresponders telling me, as if they're being helpful, that they intercepted the virus I supposedly sent. Since at least a year ago worms have been forging their sender addresses, but really anyone could have seen that coming. I've raised the question: What idiot first programmed the notification feature into their e-mail filter (did they know nothing about the fudgability of the medium?), how many other brainless programmers thought it was a good idea, and how many came to the same idea independently?

I've been on a mission to tell admins running these clueless filters to turn off the notification "feature", and others (because regular autoresponders and undeliverable notices still come up) to install filters where they're not using any. So far I've had a success rate running maybe 70%, with some I can't reach and some just too clueless to ever get it. (Amusingly, the makers of Opera are a big offender on not filtering their e-mail.)

After learning DOS command-... (Below threshold)

After learning DOS command-line (after CPM), I struggled with the brain-dead 286 and the overwhelmed 386, and found the utility of the 486...

And along the way, I realized that with the abolishing of 'priesthoods' in this day, it was the responsibility of end-users everywhere to learn what's happening behind the curtain.

Windows/Linux moves the gears-and-levers one step up, or away, or deeper... whatever, but using one's tools is, IMO, ALWAYS indicative of character: Do you think you can 'drive' a car, without qualifying to yourself that you mean you can drive it IF its dry, level blacktop OR rainy less-than-1/2inch?

Or do you mean you can 'drive' a car, up to 80mph on glare-ice at night in a blizzard?

Same with computers. Can you only deal with first-level, up-and-running concepts OR can you bring in batch-programming concepts and operators and IT-professional use-of-tool requirements such as malware prevention policies, password-protection, intelligent backup and more?

No one behind the curtain except us gnomes, Pal.






Follow Wizbang

Follow Wizbang on FacebookFollow Wizbang on TwitterSubscribe to Wizbang feedWizbang Mobile


Send e-mail tips to us:

[email protected]

Fresh Links


Section Editor: Maggie Whitton

Editors: Jay Tea, Lorie Byrd, Kim Priestap, DJ Drummond, Michael Laprarie, Baron Von Ottomatic, Shawn Mallow, Rick, Dan Karipides, Michael Avitablile, Charlie Quidnunc, Steve Schippert

Emeritus: Paul, Mary Katherine Ham, Jim Addison, Alexander K. McClure, Cassy Fiano, Bill Jempty, John Stansbury, Rob Port

In Memorium: HughS

All original content copyright © 2003-2010 by Wizbang®, LLC. All rights reserved. Wizbang® is a registered service mark.

Powered by Movable Type Pro 4.361

Hosting by ServInt

Ratings on this site are powered by the Ajax Ratings Pro plugin for Movable Type.

Search on this site is powered by the FastSearch plugin for Movable Type.

Blogrolls on this site are powered by the MT-Blogroll.

Temporary site design is based on Cutline and Cutline for MT. Graphics by Apothegm Designs.

Author Login

Terms Of Service

DCMA Compliance Notice

Privacy Policy