When there's a weekend in the way, yes.
The _good_ staff programmers won't be interested in working the odd
hours.
> Why can't they route my (and other reporting victims) mail, through
> a filter . There are several possible criteria for such a filter
> (if the ISP can't see then I can provide the filtering parameters)
> which would remove most of the recent disasterous spam/virus which
> fills up our mailboxes in one hour, and blocks most valid posts.
It turns out that the "possible criteria" aren't actually all that
simple, not to do it _right_, anyways.
The much-loved "SpamAssassin" was letting most of them through, and
some fairly smart people have worked on that one. ISP staff that are
lucky if they know how to deal with all the hardware they bought
aren't likely to do as well.
--
If this was helpful, <http://svcs.affero.net/rm.php?r=cbbrowne> rate me
http://www.ntlug.org/~cbbrowne/linuxdistributions.html
Rules of the Evil Overlord #214. "If a malignant being demands a
sacrificial victim have a particular quality, I will check to make
sure said victim has this quality immediately before the sacrifice and
not rely on earlier results. (Especially if the quality is virginity
and the victim is the hero's girlfriend.)"
<http://www.eviloverlord.com/>
My University uses Trend antivirus to scan incoming mail, and I've never
seen a worm slip through.
On my home server I use my own 'renattach' software which can kill incoming
mail with 'banned' attachment filenames; unfortunately testing is still
underway and this hasn't been released yet. It will be available under the
GNU GPL hopefully within a month.
--
Jem Berkes
http://www.sysdesign.ca/
> Am I unreasonable to give my ISP 2 days to fix my spam/virus
> email of > 10Mb/hr ? Why can't they route my (and other
> reporting victims) mail, through a filter .
Decent ISPs have filters available. Mine runs stuff through
Postini first, then provides procmail/SpamAssassin for use as a
second stage. You need to get a decent ISP.
--
Grant Edwards grante Yow! My Aunt MAUREEN was
at a military advisor to IKE &
visi.com TINA TURNER!!
Apart from the fact that all your suggestions are naive nonsense, there are
some issues here you (and most people) do not understand. It has to do with
the connection between virus writers and spammers.
In the early days of spam, spammers would acquire an Internet account and
spam until they were thrown off the site. Some would get a 30-day trial
account under an assumed name (without paying for it), and spam until they
were thrown out.
As spammers became more powerful, they would find ISPs that would tolerate
their presence, but this meant that the entire site would eventually be
blacklisted. As a result, fewer and fewer sites allowed spam. The spammers
had to think of some new way to distribute their crap. Call this "problem
1".
Turning now to virus and worm writers. They started out as amateurs of
limited cleverness and sense of ethics. Some were inexperienced copycats
that just downloaded scripts created by others and ran them, hence the term
"script kiddies."
Also, since I was a commercial programmer in the early 1980s the business of
programming has changed totally. It was once possible for an individual to
become a millionaire by designing and writing software (as I did). Now most
commercial software is written by large, anonymous (underpaid) teams who
work for corporations. Many programming jobs have been exported to places
like India, where there are many very skilled, diligent, hardworking
programmers willing to work for small fees. Call this "problem 2".
Problem 1: desperate spammers. Problem 2: desperate programmers. Are you
getting this? They've formed an alliance and are now creating virii and
worms of unprecedented sophistication. The purpose? To take over as many
*individual* Windows machines as possible, where they silently await a
signal to begin spamming. The present crop of virii and worms are written
very cleverly and are regularly updated to evade the filtering methods used
by the anti-virus companies. This means that existing virus filtering
methods *cannot* *possibly* *succeed*.
That takes care of the origin of the messages -- for all practical purposes
there isn't one that can be identified and controlled. As to the content of
spam messages including reply addressed and place of origin, it is trivial
to vary the language in an e-mail so that existing e-mail filtering methods
*cannot* *possibly* *succeed*.
Here is a list of reasons spam cannot be stopped:
1. The method of distribution is now thousands of Windows computers,
everywhere in the world, that are sending spam without the knowledge or
consent of their owners. Result? You cannot filter by place of origin.
2. The content is constantly varying, to avoid filtering methods. Result?
You cannot filter by content.
Because of the above points, you cannot stop spam, you cannot easily trace
it, and if someone goes to the trouble to locate a particular spamming
computer, it is *by* *design* a single, expendable cell in a worldwide
distributed network of the smallest possible cells -- end-user computers
running Windows.
Now think. What do Al Quaida and spammers have in common? Simple -- Al
Quaida relies on small, distributed cells of undercover loyal operatives,
ready to act when they receive a prearranged signal. In the same way, the
computers taken over by the new crop of viruses and worms are the computer
equivalent of terrorist cells and operatives -- they are hidden but deadly,
and they await a signal to begin spamming. The computers are the
footsoldiers of cyber-terrorists: the virus writers and spammers.
The new virus programs have a huge internal list of Internet addresses they
regularly poll for a message. The list is long obviously to make it more
difificult to shut down all the sending sites, and perhaps to disguise the
true trigger addresses. In the same way, an Al Quaida operative will have a
phone book with a long list of phone numbers -- I mean, assuming the
operative doesn't use encrypted e-mails for communication with his
controllers.
Make no mistake. In both cases, for both the concealed Al Quaida operative
and the infected computer, we are talking about terrorist cells.
According to a story I read yesterday, on Friday afternoon a teacher in a
large public school in the southern US received one of the spam/virus
e-mails disguised to seem to be a security alert from Microsoft, and,
impressed by the thoughtfulness of MS, gratefully clicked the attachment.
Fifteen minutes later the school was closed and the staff were gone for the
weekend. It turns out the school's machines have fulltime, fast Internet
access. This combination of factors has made the school a primary
distribution center for the virus, issuing tens of thousands of copies per
hour (using the large address books teachers are famous for compiling). Did
I add that no one seems have a key to the building?
Now, let's return to the first line in your message:
> Am I unreasonable to give my ISP 2 days to fix my spam/virus email
> of > 10Mb/hr ?
Don't you understand this is not a nuisance, it is a war? It will not stop
until the spammers begin to take heavy casualties.
Wake up and smell the capuccino. Once there is a death penalty for spammers
and virus writers, the problem will begin to abate, *BUT* *NOT* *BEFORE*.
Go ahead and laugh. Then start counting the days until such a seemingly
ludicrous, off-the-wall suggestion begins to seem reasonable.
As I write this, over half of the Internet's bandwidth is taken up
distributing either viruses or spam messages. And in the new twist
described here, once they take over some hapless user's machine, the
viruses are designed to emit spam as well as copies of themselves.
--
Paul Lutus
http://www.arachnoid.com
Jim
> Problem 1: desperate spammers. Problem 2: desperate programmers. Are you
> getting this? They've formed an alliance and are now creating virii and
> worms of unprecedented sophistication. The purpose? To take over as many
> *individual* Windows machines as possible, where they silently await a
> signal to begin spamming. The present crop of virii and worms are written
> very cleverly and are regularly updated to evade the filtering methods used
> by the anti-virus companies. This means that existing virus filtering
> methods *cannot* *possibly* *succeed*.
But in the particular case of e-mail-borne viruses, don't the vast
majority of the payloads still consist of attachments whose filename
ends in .EXE, etc.? You can filter on *that*. I do, as of yesterday
(when Swen finally pushed me to figure out fetchmail/procmail). Good
ISPs should, or should offer options along those lines.
> That takes care of the origin of the messages -- for all practical purposes
> there isn't one that can be identified and controlled. As to the content of
> spam messages including reply addressed and place of origin, it is trivial
> to vary the language in an e-mail so that existing e-mail filtering methods
> *cannot* *possibly* *succeed*.
The content needs to include the message that the spammer wants to get
across, in some sort of human-readable form, so that places some limits
on how much it can vary. The actual variance is a lot smaller than it
probably could be, presumably because spammers believe that most people
(especially their target market) are too stupid to filter effectively.
How would this stack up against Bayesian filtering? I can envision a
particularly sharp ISP offering to do it for the user: "Forward your
spam e-mails to sp...@sharpisp.com, and our SmartSystem will automagically
figure out how to identify and suppress future spam, based on the type of
spam that *you* have been receiving! (You can review the suppressed
messages at http://www.sharpisp.com/yourusername/spam/ - if a legitimate
message is mistakenly identified as spam, then just click on it, and it
will appear in your mailbox as normal. Messages stored here are deleted
after X days.)"
Then again, between the people computer-literate enough to do their own
reasonably effective filtering, and the people computer-illiterate enough
to either (a) get by with no filtering at all or (b) accept whatever
filtering their ISP offers without asking questions, how much of a middle
ground is there?
> On Sun, 21 Sep 2003 21:11:33 -0700, Paul Lutus wrote:
>
>> Problem 1: desperate spammers. Problem 2: desperate programmers. Are you
>> getting this? They've formed an alliance and are now creating virii and
>> worms of unprecedented sophistication. The purpose? To take over as many
>> *individual* Windows machines as possible, where they silently await a
>> signal to begin spamming. The present crop of virii and worms are written
>> very cleverly and are regularly updated to evade the filtering methods
>> used by the anti-virus companies. This means that existing virus
>> filtering methods *cannot* *possibly* *succeed*.
>
> But in the particular case of e-mail-borne viruses, don't the vast
> majority of the payloads still consist of attachments whose filename
> ends in .EXE, etc.?
Nope. Not those that rely for dissemination on flaws in Windows (there are
many). For those, no action on the part of the recipient is required, and
the package is not an .exe file.
> You can filter on *that*. I do, as of yesterday
> (when Swen finally pushed me to figure out fetchmail/procmail). Good
> ISPs should, or should offer options along those lines.
I agree, but this won't stop the virus/worm writers. It will provoke a
change in tactics. Imagine a list of all the executable file types that can
infect a Windows machine (including, just for starters, all Microsoft
Office file types). Imagine trying to filter on all of them, without
affecting the user's legitimate e-mail attachments.
>> That takes care of the origin of the messages -- for all practical
>> purposes there isn't one that can be identified and controlled.
>> As to the
>> content of spam messages including reply addressed and place of origin,
>> it is trivial to vary the language in an e-mail so that existing e-mail
>> filtering methods *cannot* *possibly* *succeed*.
>
> The content needs to include the message that the spammer wants to get
> across, in some sort of human-readable form, so that places some limits
> on how much it can vary.
Nope. Ultimately the wide array of spam message content is indistinguishable
from the wide array of legitimate content, which is why filters are so
politically controversial. When the phrase "sexually transmitted diseases"
triggers rejection of a notice about AIDS prevention, the filtering system
fails the computer's user, and society at large.
> The actual variance is a lot smaller than it
> probably could be, presumably because spammers believe that most people
> (especially their target market) are too stupid to filter effectively.
They are almost as stupid as the spammers believe. And if the spammers are
wrong, they will adjust their behavior to remain in the user's mailbox (the
entire point).
> How would this stack up against Bayesian filtering? I can envision a
> particularly sharp ISP offering to do it for the user: "Forward your
> spam e-mails to sp...@sharpisp.com, and our SmartSystem will automagically
> figure out how to identify and suppress future spam, based on the type of
> spam that *you* have been receiving! (You can review the suppressed
> messages at http://www.sharpisp.com/yourusername/spam/ - if a legitimate
> message is mistakenly identified as spam, then just click on it, and it
> will appear in your mailbox as normal. Messages stored here are deleted
> after X days.)"
Way too optimistic. Spammers obey the laws of evolution. Those that survive
do so by figuring out how not to be filtered. Once spammers realize that a
filter rejects the word "sex" but accepts such a message if it also refers
to "Planned Parenthood" (true now), how long do you think it wil be before
this becomes standard practice?
Imagine a million fruit flies in a chamber bathed in hard radiation. Let two
weeks go by. What do you get? Radiation-hardened drosophila melanogaster
great-great-great-grandchildren. Same idea.
>
> Then again, between the people computer-literate enough to do their own
> reasonably effective filtering, and the people computer-illiterate enough
> to either (a) get by with no filtering at all or (b) accept whatever
> filtering their ISP offers without asking questions, how much of a middle
> ground is there?
The entire world?
> In article <3f6e63e3$0$64...@hades.is.co.za>, easy...@absamail.co.za
> wrote:
>
>> Am I unreasonable to give my ISP 2 days to fix my spam/virus
>> email of > 10Mb/hr ? Why can't they route my (and other
>> reporting victims) mail, through a filter .
>
> Decent ISPs have filters available. Mine runs stuff through
> Postini first, then provides procmail/SpamAssassin for use as a
> second stage.
Interesting you should mention that. Today my neighbor, an end user, decided
to call the neighborhood computer guru (me) before installing the most
recent Microsoft security update he had just received (which turned out to
be a copy of Swen). The header showed it had waltzed throught Postini, the
filtering service on which our local ISP relies.
> You need to get a decent ISP.
Won't matter. There are no effective filtering methods. There are too many
messages, each with content that is too plausible for any kind of
ecffective filtering. And if a method is created that works for a while,
the spammers will think of a way around it. They have to -- they must try
to survive, like fruit flies. Some will die, the rest will thrive in the
vacuum that remains.
It's evolution at work. Survival of the most annoyingly persistent.
You are one of the few people on the Usenet that is willing to face that
simple and inescapable fact.
Content-based filtering doesn't and will never work. An entirely different
strategy is required.
>
> --
> Paul Lutus
> http://www.arachnoid.com
>
--
Later, Alan C
take control of your mailbox ----- elrav1 ----- http://tinyurl.com/l55a
spammers hate this program because they can't beat it
> The much-loved "SpamAssassin" was letting most of them through, and
> some fairly smart people have worked on that one. ISP staff that are
> lucky if they know how to deal with all the hardware they bought
> aren't likely to do as well.
After changing some standard filter values our SpamAssasin got most of
them (The Subject: header was mostly sent all capitals; no real mail
client does; but blocking all MS Executable-Attachments was the real
killer).
/Sven
--
Sven Semmler http://www.semmlerconsulting.com/
key fingerprint: 72CA E26D C2A3 1FEB 7AFC 10EA F769 A9A4 937F 5E67
Have you paid them for virus/spam filtering service? Does your agreement
guarantee response times?
> Why can't they route my (and other reporting victims)
> mail, through a filter .
Have you signed an agreement allowing them to do so? In many countries it
would be illegal for an ISP to filter, block or examine the content of
emails without your explicit consent.
--
Markku Kolkka
markku...@iki.fi
> Am I unreasonable to give my ISP 2 days to fix my spam/virus email
> of > 10Mb/hr ? Why can't they route my (and other reporting victims)
> mail, through a filter .
A lot of ISP's throw the mail through filters (and need big machines for
that) and still send you >10Mb/hr because they only disinfect the
message and send it on to the recipient. I received messages >100k lines
with the original infected messages where only on part was removed to
render the virus harmless (but my mailbox overflowing).
--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/civ
> But in the particular case of e-mail-borne viruses, don't the vast
> majority of the payloads still consist of attachments whose filename
> ends in .EXE, etc.? You can filter on *that*. I do, as of yesterday
> (when Swen finally pushed me to figure out fetchmail/procmail). Good
> ISPs should, or should offer options along those lines.
You've never acutally looked at the list of executable extensions that MS
uses, have you?
I tried to institute virs scanning on all possible downloads that could be
executed under windows. That lasted all of a day. Turns out that IE and
windows is so intricately tied in to downloaded executables that trying to
download them to a cache, scan them, and then forward them (we're talking
http here, not smtp) breaks many, many web pages.
Back to smtp - I have to let legitimate attachments/downloads through; we
regularly send/receive files of all sorts sorts of extensions, including
.exe, and sometimes exceeding 10MB.
-Dondo
--
o__
,>/'_ o__
(_)\(_) ,>/'_ o__
What am I on? (_)\(_) ,>/'_ o__
I'm on my bike, (_)\(_) ,>/'_ o__
6 hours a day, busting my ass. (_)\(_) ,>/'_
What are you on? --Lance Armstrong (_)\(_)
>> But in the particular case of e-mail-borne viruses, don't the vast
>> majority of the payloads still consist of attachments whose filename
>> ends in .EXE, etc.? You can filter on *that*. I do, as of yesterday
>> (when Swen finally pushed me to figure out fetchmail/procmail). Good
>> ISPs should, or should offer options along those lines.
> You've never acutally looked at the list of executable extensions that MS
> uses, have you?
Here's my current list of Stuff I Never Ever Want:
com|exe|bat|pif|scr|vbs|hta|msi|dll|bas|wsh|vbe|wsf|shs
Am I missing anything? (I agree that the existence of Word macro
viruses is a big fat pain in the ass wrt this issue.)
> I tried to institute virs scanning on all possible downloads that could be
> executed under windows. That lasted all of a day. Turns out that IE and
> windows is so intricately tied in to downloaded executables that trying to
> download them to a cache, scan them, and then forward them (we're talking
> http here, not smtp) breaks many, many web pages.
Are you speaking from the perspective of an end user or an ISP?
> Back to smtp - I have to let legitimate attachments/downloads through; we
> regularly send/receive files of all sorts sorts of extensions, including
> .exe, and sometimes exceeding 10MB.
I would highly suggest zipping them, and/or coming up with a method of
transfer other than e-mail (e.g. FTP).
> On Mon, 22 Sep 2003 04:30:38 -0400, Captain Dondo wrote:
>
>>> But in the particular case of e-mail-borne viruses, don't the vast
>>> majority of the payloads still consist of attachments whose filename
>>> ends in .EXE, etc.? You can filter on *that*. I do, as of yesterday
>>> (when Swen finally pushed me to figure out fetchmail/procmail). Good
>>> ISPs should, or should offer options along those lines.
>
>> You've never acutally looked at the list of executable extensions that MS
>> uses, have you?
>
> Here's my current list of Stuff I Never Ever Want:
>
> com|exe|bat|pif|scr|vbs|hta|msi|dll|bas|wsh|vbe|wsf|shs
>
> Am I missing anything?
Yes. To start with, all the Microsoft Office document types, any of which
can contain auto-executing (on document opening) macros. Then the various
executable Windows script types, a list that grows longer with each passing
year. Both largely missing from your list above.
< snip >
>> Back to smtp - I have to let legitimate attachments/downloads through; we
>> regularly send/receive files of all sorts sorts of extensions, including
>> .exe, and sometimes exceeding 10MB.
>
> I would highly suggest zipping them, and/or coming up with a method of
> transfer other than e-mail (e.g. FTP).
Doesn't address the original issue. Ultimately someone unzips the file and
has to decide how to proceed. Just like now.
> > Why can't they route my (and other reporting victims) mail, through
> > a filter . There are several possible criteria for such a filter
> > (if the ISP can't see then I can provide the filtering parameters)
> > which would remove most of the recent disasterous spam/virus which
> > fills up our mailboxes in one hour, and blocks most valid posts.
>
> It turns out that the "possible criteria" aren't actually all that
> simple, not to do it _right_, anyways.
>
Apparently you're no aware of this (IMO starting on the 18 Sept)
worm/virus/spam wave ? My latsest 10 loads of average 100 mails
each (fills my 10Mb quota) would be effectively filtered by the following:
90% > 80Mb size
60% has no 'Subject' or 'sender' in the header (which my dir shows)
30% has "icrosoft" in the 'subject'
10% I can supply a header attribute to the filter.
IMO this give a very good 'kill-rate'. Much better than most treatments
in the medical profession.
> The much-loved "SpamAssassin" was letting most of them through, and
> some fairly smart people have worked on that one. ISP staff that are
> lucky if they know how to deal with all the hardware they bought
> aren't likely to do as well.
> --
I don't doubt that a small load of well designed spam can pass through.
This latest wave doesn't fit that description.
Jem Berkes <j...@users.pc9.EXTRA_org>
> My University uses Trend antivirus to scan incoming mail, and I've
> never seen a worm slip through.
Correct. Obviously attachments are easilyidentifyable
> On my home server I use my own 'renattach' software which can kill
> incoming mail with 'banned' attachment filenames; unfortunately testing
> is still underway and this hasn't been released yet. It will be available
> under the GNU GPL hopefully within a month.
Not a moment too soon.
But the viri/worm/spam must be killed before it gets to (and fills up)
the recepient's mail box.
In fact traps could be set out on the 'route' for:
specified destination with trap criteria given by recipient.
Grant Edwards wrote:
> Decent ISPs have filters available. Mine runs stuff through
> Postini first, then provides procmail/SpamAssassin for use as a
> second stage. You need to get a decent ISP.
>
Yes, I just wanted to confirm before I fire my present ISP.
I could tolerate the standard spam, but this is a war, and need
more advanced weapons. My hit rate is about 100/hr, but
some newsgroups talk about receiving 3000/hr !!
Paul Lutus (perhps justifiable) ranted:
> Apart from the fact that all your suggestions are naive nonsense, there are
> some issues here you (and most people) do not understand. It has to do with
> the connection between virus writers and spammers.
>
Do you relise that you are a top-poster, in that you answer my
question(s), before they are asked ?
> In the early days of spam, spammers would --[snip historical
description; usefull/esential reading for those who don't know]--
> Here is a list of reasons spam cannot be stopped:
>
> 1. The method of distribution is now thousands of Windows computers,
> everywhere in the world, that are sending spam without the knowledge or
> consent of their owners. Result? You cannot filter by place of origin.
>
Yes. That's why I suggest that 'traps on the route' -- with AI methods
of 'moving' them closer to the origin will evolve.
> 2. The content is constantly varying, to avoid filtering methods. Result?
> You cannot filter by content.
>
IMHO virii/worms have easily identifiable contents ?
For recepients who reject attatchment from unauthorised senders ....
> Because of the above points, you cannot stop spam, you cannot easily trace
> it, and if someone goes to the trouble to locate a particular spamming
> computer, it is *by* *design* a single, expendable cell in a worldwide
> distributed network of the smallest possible cells -- end-user computers
> running Windows.
>
Yes. But I'm talking about virii/worms, not old fashion spam.
> > Am I unreasonable to give my ISP 2 days to fix my spam/virus email
> > of 10Mb/hr ?
>
> Don't you understand this is not a nuisance, it is a war? It will not stop
> until the spammers begin to take heavy casualties.
>
> Wake up and smell the capuccino. Once there is a death penalty for spammers
> and virus writers, the problem will begin to abate, *BUT* *NOT* *BEFORE*.
>
> Go ahead and laugh. Then start counting the days until such a seemingly
> ludicrous, off-the-wall suggestion begins to seem reasonable.
>
> As I write this, over half of the Internet's bandwidth is taken up
> distributing either viruses or spam messages. And in the new twist
> described here, once they take over some hapless user's machine, the
> viruses are designed to emit spam as well as copies of themselves.
>
OK; do you remember the days of the common air-craft-hi-jacks ?
BTW the dynamics is identical to that of eg. foot-and-mouth
disease in live stock. And if those affected act like they did with
SARS (rather than those affected act like for HIV) is can be
managed/controlled.
--------
Paul Lutus wrote:
> > Problem 1: desperate spammers. Problem 2: desperate programmers. Are you
> > getting this? They've formed an alliance and are now creating virii and
> > worms of unprecedented sophistication. The purpose? To take over as many
> > *individual* Windows machines as possible, where they silently await a
> > signal to begin spamming. The present crop of virii and worms are written
> > very cleverly and are regularly updated to evade the filtering methods used
> > by the anti-virus companies. This means that existing virus filtering
> > methods *cannot* *possibly* *succeed*.
Ed Murphy wrote:
> But in the particular case of e-mail-borne viruses, don't the vast
> majority of the payloads still consist of attachments whose filename
> ends in .EXE, etc.? You can filter on *that*. I do, as of yesterday
> (when Swen finally pushed me to figure out fetchmail/procmail). Good
> ISPs should, or should offer options along those lines.
>
> > That takes care of the origin of the messages -- for all practical purposes
> > there isn't one that can be identified and controlled. As to the content of
> > spam messages including reply addressed and place of origin, it is trivial
> > to vary the language in an e-mail so that existing e-mail filtering methods
> > *cannot* *possibly* *succeed*.
>
> The content needs to include the message that the spammer wants to get
> across, in some sort of human-readable form, so that places some limits
> on how much it can vary. The actual variance is a lot smaller than it
> probably could be, presumably because spammers believe that most people
> (especially their target market) are too stupid to filter effectively.
>
That's right, and like for medical, you don't need a 100% kill rate to be
effective.
> How would this stack up against Bayesian filtering? I can envision a
> particularly sharp ISP offering to do it for the user: "Forward your
> spam e-mails to sp...@sharpisp.com, and our SmartSystem will automagically
> figure out how to identify and suppress future spam, based on the type of
> spam that *you* have been receiving! (You can review the suppressed
> messages at http://www.sharpisp.com/yourusername/spam/ - if a legitimate
> message is mistakenly identified as spam, then just click on it, and it
> will appear in your mailbox as normal. Messages stored here are deleted
> after X days.)"
>
This sounds good, expect it is a 'network problem' (not just individual ISPs)
and will need to be handled at the network-level.
> Then again, between the people computer-literate enough to do their own
> reasonably effective filtering, and the people computer-illiterate enough
> to either (a) get by with no filtering at all or (b) accept whatever
> filtering their ISP offers without asking questions, how much of a middle
> ground is there?
>
It's not good enough to be able to filter once it's in your mailbox.
In my and many other victims, the mail-box is disable by overflow !!
== Chris Glur.
>>> You've never acutally looked at the list of executable extensions that MS
>>> uses, have you?
>> Here's my current list of Stuff I Never Ever Want:
>>
>> com|exe|bat|pif|scr|vbs|hta|msi|dll|bas|wsh|vbe|wsf|shs
>>
>> Am I missing anything?
> Yes. To start with, all the Microsoft Office document types, any of which
> can contain auto-executing (on document opening) macros.
I don't have Microsoft Office, so it's not a problem for me
personally. Granted it's a sticky wicket for Windows users.
> Then the various
> executable Windows script types, a list that grows longer with each passing
> year. Both largely missing from your list above.
Mind sharing with the class? Hell, I don't even know what
some of those are; I grabbed the list from a web page that
was posted here the other day, and added MSI myself. (I
edu-guess that WSH and WSF refer to Windows Scripting, which
in turn I edu-guess is a fancification of the old DOS .BAT
files. I have no idea what SHS is, but I've never wanted
any files with that extension, so I left it in the filter.)
Another possible approach is to allow certain known-harmless
extensions (e.g. txt|html|pdf|gif|jpg|png), trash known-risky
extensions, and put anything else in a "check me" folder. If
something shows up there, then its extension can be considered
for addition to one of the other lists.
>>> Back to smtp - I have to let legitimate attachments/downloads through; we
>>> regularly send/receive files of all sorts sorts of extensions, including
>>> .exe, and sometimes exceeding 10MB.
>>
>> I would highly suggest zipping them, and/or coming up with a method of
>> transfer other than e-mail (e.g. FTP).
>
> Doesn't address the original issue. Ultimately someone unzips the file and
> has to decide how to proceed. Just like now.
But you can allow zips while disallowing executables, which is a lot
easier to automate than allowing legitimate executables while
disallowing virus executables.
> It's not good enough to be able to filter once it's in your mailbox.
> In my and many other victims, the mail-box is disable by overflow !!
Which is why I have fetchmail emptying the ISP's mailbox every 15 minutes
and moving its contents to my local box. (Where procmail sends most of
the flood to /dev/null, sight unseen.)
Quickly implementing a simple filter is relatively easy for a small site
that doesn't handle mission-critical data or is willing to take risks. It
may not be advisable for a large ISP to try do this, though. Suppose for
the sake of argument that an ISP currently has no spam or virus filters
but serves thousands of users. Just about any "quick and dirty" solution
would probably eliminate most of the Swen worms that are flying around,
but it would also be almost certain to have negative consequences that
would affect many of its clients. For instance, the solution might
discard legitimate mail because of a poorly conceived filter criterion;
or a filter might consume enough CPU time that the server would become
overloaded (if the current worm load isn't already doing so), causing
mail to be lost or delayed; or a new filter inserted in a working mail
system might cause permissions problems, file locking problems, or the
like, again causing lost or delayed mail. You don't take those sorts of
chances on a mission-critical server unless it's absolutely necessary to
do so.
Now, if the ISP already has spam/virus filters in place, updating them
would probably be a less difficult task, but it really depends on the
details. Is there a reliable way for the existing filters to detect Swen?
What sort of collateral damage would this detection cause? For instance,
if the ISP relies exclusively on the RBL or something similar, chances
are there'd be no ready solution that fits with that technology; but if
they do pattern matching on message bodies, chances are they could find
something unique in the Swen payload.
There's also the question of what sort of ISP this is. If you're paying
them thousands of dollars a month for business connectivity, including
e-mail services, you might be in a better position to make demands like
this than if you're paying $15/month for residential dial-up access.
One other point to consider: I've seen several accounts suggesting that
Swen is targeting Usenet users. Thus, those of us posting here are
probably the very worst affected by it, and the impression we get by
reading newsgroups will be extremely lopsided. Most Internet users don't
use Usenet, so if this method of spread is correct, chances are most
people aren't greatly affected by Swen. This means that an ISP's
motivation to do something about it is probably relatively small, and the
risks of negative consequences apply to far more than the affected users.
All that said, of course, it should be clear by now that e-mail malware
is such a huge problem that any ISP that offers mail services and that's
without at least plans to deal with it in some way is at least bordering
on negligent. IMHO, a 2-day deadline for a solution may be unreasonable
if your ISP currently offers little in the way of spam/malware filtering,
but if your ISP has no plans to offer such services in the next few
months, switching because of that may not be unreasonable.
As a practical matter, there are ways to deal with it yourself. If you're
collecting your mail from your ISP using POP, check out mailfilter
(http://mailfilter.sourceforge.net). This package enables you to delete
spam or malware before you retrieve the bulk of the message, based on the
header contents alone. This will cut back on your Swen-load quite
substantially. (Some are still likely to leak through, though, simply for
timing reasons -- some infected messages will arrive after mailfilter
checks the headers but before your regular mail program downloads the
messages.)
--
Rod Smith, rods...@rodsbooks.com
http://www.rodsbooks.com
Author of books on Linux, FreeBSD, and networking
I didn't see the original posting,
but "score MICROSOFT_EXECUTABLE 6.0"
in ~/.spamassassin/user_prefs
will stop almost all if not all of these,
in my experience.
Of course the stuff is still downloaded,
which is usually the main problem.
--
Timothy Murphy
e-mail: t...@birdsnest.maths.tcd.ie
tel: +353-86-233 6090
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland
> On Mon, 22 Sep 2003 04:30:38 -0400, Captain Dondo wrote:
>
> Here's my current list of Stuff I Never Ever Want:
>
> com|exe|bat|pif|scr|vbs|hta|msi|dll|bas|wsh|vbe|wsf|shs
>
> Am I missing anything? (I agree that the existence of Word macro
> viruses is a big fat pain in the ass wrt this issue.)
IIRC, my list ran to several lines.
>> I tried to institute virs scanning on all possible downloads that could
>> be executed under windows. That lasted all of a day. Turns out that
>> IE and windows is so intricately tied in to downloaded executables that
>> trying to download them to a cache, scan them, and then forward them
>> (we're talking http here, not smtp) breaks many, many web pages.
>
> Are you speaking from the perspective of an end user or an ISP?
Somewhere in between - I have my own mail server, and run squid, and I charge
people for access via the building's LAN, so I guess I'm sort of a private
ISP.
> I would highly suggest zipping them, and/or coming up with a method of
> transfer other than e-mail (e.g. FTP).
Alas, I can't control what people send in. I have an email-to-ftp gateway
set up, so stuff going out is zipped and posted, but others send stuff in
any odd way.
> The content needs to include the message that the spammer wants to
> get across, in some sort of human-readable form, so that places some
> limits on how much it can vary. The actual variance is a lot smaller
> than it probably could be, presumably because spammers believe that
> most people (especially their target market) are too stupid to filter
> effectively.
In the past, spam filtering looked at the (full) headers exclusively.
Now that no longer works very well. So filters like Spam Assassin must
look at the body of the e-mail. This is *much more costly* of processor
time.
>
> How would this stack up against Bayesian filtering? I can envision a
> particularly sharp ISP offering to do it for the user: "Forward
> your spam e-mails to sp...@sharpisp.com, and our SmartSystem will
> automagically figure out how to identify and suppress future spam,
> based on the type of spam that *you* have been receiving! (You can
> review the suppressed messages at
> http://www.sharpisp.com/yourusername/spam/ - if a legitimate message
> is mistakenly identified as spam, then just click on it, and it will
> appear in your mailbox as normal. Messages stored here are deleted
> after X days.)"
My ISP offers just such a service with SpamAssassin. There are two
problems I see with this.
1.) About 2/3 of the latest crap gets through Spam Assassin.
2.) When SpamAssassin has about 1000 candidates in the list of possible
spams, it is no longer possible to examine the list as the system just
locks up. So I must look about once an hour (500 or so), or it is too late.
>
> Then again, between the people computer-literate enough to do their
> own reasonably effective filtering, and the people
> computer-illiterate enough to either (a) get by with no filtering at
> all or (b) accept whatever filtering their ISP offers without asking
> questions, how much of a middle ground is there?
>
Since I have a dial-up link to the Internet, it is imperitive for me not
to try downloading these things since they come in faster than I can
download them. I have resorted to logging into my ISP's mail server
every hour or so and running mutt there and deleting 1500 or so at a
time. I can only see the ones that SpamAssassin did not catch. I guess
ISPs will just have to cancel users infected with the virus. Anyone
e-mailing a .exe file, for example, will have to be disconnected from
the internet until this is over. Can you imagine the help desk at an ISP
that does this?
--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ Registered Machine 73926.
/( )\ Shrewsbury, New Jersey http://counter.li.org
^^-^^ 8:35am up 2 days, 14:37, 2 users, load average: 2.12, 2.15, 2.10
ASCII-only e-mail.
No attachments.
No e-mail over 50,000 bytes.
Becha spammers would even find a way around that.
--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ Registered Machine 73926.
/( )\ Shrewsbury, New Jersey http://counter.li.org
^^-^^ 8:45am up 2 days, 14:47, 2 users, load average: 2.03, 2.11, 2.09
When you get this much spam it's usually because you have been very
careless with your email address over a fairly long period of time. You've
given your address away to spammers, either directly, or indirectly
through confirming a dictionary attack spam.
Get a new email address, find a sevice that provides some kind of
disposable addresses e.g. sub-domain addresses, and make sure you can
filter obsolete addresses servers-side. Services like spamgourmet.com are
useful too. Then back-out of your current address, and be more
careful in future.
- Don't give a real and valuable address in newsgroups, web forums, or on
your website.
- dont confirm spam by clicking links (including unsubscrible links), or
by allowing web-bugs to load.
- use disposable addresses for signing-up on websites.
Depends on your definition of "right". I'd consider deleting all mail
containing Microsoft executables the right thing to do.
--
John Hasler
jo...@dhh.gt.org (John Hasler)
Dancing Horse Hill
Elmwood, WI
> The much-loved "SpamAssassin" was letting most of them through, and
> some fairly smart people have worked on that one.
SpamAssassin is a spam filter, not a virus detection program.
--
Tim C
ti...@accesswave.ca
>Why can't they route my (and other reporting victims)
> mail, through a filter
Some ISPs/mail providers filter. ProHosting, not a small player in the
market, removes infected attachments from mails and filters known spam
completely.
M.
>>> Am I unreasonable to give my ISP 2 days to fix my spam/virus
>>> email of > 10Mb/hr ? Why can't they route my (and other
>>> reporting victims) mail, through a filter .
>>
>> Decent ISPs have filters available. Mine runs stuff through
>> Postini first, then provides procmail/SpamAssassin for use as a
>> second stage.
>> You need to get a decent ISP.
>
> Won't matter. There are no effective filtering methods.
That's simply not true. As of yesterday I'm getting over 100
virus-laden e-mails an hour. Only 1-2 per _day_ get through
postini, and they're usually caught by SA.
If you don't call that effective, then we're not speaking the
same language.
> There are too many messages, each with content that is too
> plausible for any kind of ecffective filtering.
Nonsense. Postini filters out 99.9% of the crap sent to me. I
call that effective.
--
Grant Edwards grante Yow! Was my SOY LOAF left
at out in th'RAIN? It tastes
visi.com REAL GOOD!!
>> Nope. Ultimately the wide array of spam message content is indistinguishable
>> from the wide array of legitimate content, which is why filters are so
>> politically controversial. When the phrase "sexually transmitted diseases"
>> triggers rejection of a notice about AIDS prevention, the filtering system
>> fails the computer's user, and society at large.
>
> You are one of the few people on the Usenet that is willing to face that
> simple and inescapable fact.
>
> Content-based filtering doesn't and will never work.
That's quite simply nonsense. Postini and SA work beautifully
for me -- reducing a stream of 100+ bogus emails an hour down to
a couple per day.
--
Grant Edwards grante Yow! Yow! Am I in
at Milwaukee?
visi.com
Cheers,
--
========================================================================
Martin Schöön <Martin...@ericsson.com>
"Problems worthy of attack
prove their worth by hitting back"
Piet Hein
========================================================================
After deleting mails I obviously don't want on the server (that don't have
my address in the first position of the To: line and aren't from a mailing
list I am subscribed to, and are over 20k and from a stranger) I accept mail
from those on my passlist and send all others, truncated to 100 lines, to
a quarantine directory and send out an RAV (request-for-address-validation).
If the RAV (which requires a real human being to paste a unique and one-time
password on the subject line) isn't returned in 72 hours, the mail is
deleted and the address goes on a list.
If I receive another mail from that address that fails to return the RAV, it
goes on the block-list and from then on any mail from that address goes to
/dev/null.
(The next step will be to delete block-listed mail on the server, but I have
just started working on this.)
All of that is done without me even being aware that it is going on.
When someone returns the RAV, it and the quarantined mail show up in my
inbox.
I get no spam. And there is no way to beat this strategy.
The only effect this deluge is having on me NOW, is that I have to check my
mail fairly often to keep the POP account from being clogged.
That's two more than I get, and *I* know my program hasn't deleted mail
that I want to get, which straight content-filtering can never offer.
And most of the UM (un-desirable mail) is deleted on the server, which saves
a LOT of bandwidth and time.
> --
> Grant Edwards grante Yow! Yow! Am I in
> at Milwaukee?
> visi.com
--
>>> Content-based filtering doesn't and will never work.
>>
>> That's quite simply nonsense. Postini and SA work beautifully
>> for me -- reducing a stream of 100+ bogus emails an hour down
>> to a couple per day.
>
> That's two more than I get, and *I* know my program hasn't
> deleted mail that I want to get, which straight
> content-filtering can never offer.
How does your system deal with mail generated mechanically?
There isn't going to be anybody at Amazon.com replying to your
address verification scheme.
I've had 2-3 false positives since I started using Postini (6
months?). All of those were rescued from "quarantine" and the
addresses added to my whitelist, but it is something that you
have to keep in mind.
> And most of the UM (un-desirable mail) is deleted on the
> server, which saves a LOT of bandwidth and time.
Same with Postini: 99.9% of the crap is filtered out before it
even gets to my ISP's mail server -- let alone to my machines.
--
Grant Edwards grante Yow! I want EARS! I
at want two ROUND BLACK
visi.com EARS to make me feel warm
'n secure!!
< big snip >
> Paul Lutus (perhps justifiable) ranted:
>> Apart from the fact that all your suggestions are naive nonsense, there
>> are some issues here you (and most people) do not understand. It has to
>> do with the connection between virus writers and spammers.
>>
> Do you relise that you are a top-poster, in that you answer my
> question(s), before they are asked ?
Do you realize you cannot define "top posting" in any way you please? "Top
posting" means placing one's reply above the text to which one is replying,
and that is its only meaning. Since my reply applies only to your first few
lines, I clearly did not do what you suggest, in spite of your having
edited out the fact that I replied below a selected quote from your
original message.
The only way to avoid your variant definition of "Top posting" would be to
fully quote each and every post to which one replies, even if you intend
only to reply to a small part of the message. This is a sure way to clog
Usenet with useless copies of already-posted messages (as well as, given
the present topic, dwelling in a slough of irony). This, by the way, is
exactly what you did in your reply to my post -- the majority of it is long
quotes with no replies. The newsgroup thread already contains the full
text, so there is no reason to quote it in full all over again.
>> In the early days of spam, spammers would --[snip historical
> description; usefull/esential reading for those who don't know]--
Good snip, though it places you in the position I am supposedly in,
vis-a-vis your "top-posting" idea above. Equally untrue, but not the point.
>> Here is a list of reasons spam cannot be stopped:
>>
>> 1. The method of distribution is now thousands of Windows computers,
>> everywhere in the world, that are sending spam without the knowledge or
>> consent of their owners. Result? You cannot filter by place of origin.
>>
> Yes. That's why I suggest that 'traps on the route' -- with AI methods
> of 'moving' them closer to the origin will evolve.
Any AI methods developed by the defenders will be matched and exceeded by
the AI methods of the aggressors. The proof of that is clogging inboxes all
over the country right now.
>> 2. The content is constantly varying, to avoid filtering methods. Result?
>> You cannot filter by content.
>>
> IMHO virii/worms have easily identifiable contents ?
If that were true, we wouldn't be plagued by Swen right now. But in fact,
Swen is a cleverly designed worm meant to look and feel like a legitimate
post. Once it has been characterized and filtered by all concerned, its
replacement will appear and the entire process will start over.
> For recepients who reject attatchment from unauthorised senders ....
(1) All attachments? My neighbor, an end user, sends and receives
attachments regularly (MS Office documents). They in principle could
contain executable content. Many people exchange such documents. Without
modifying people's behavior, dropping Windows and/or moving to a strict
text-only e-mail system, this is an impractical suggestion.
(2) Unauthorized senders? Don't you know how virii work? A virus takes over
a computer, uncovers the owner's name and his address book, and mails
copies of itself to all the addresses in the list, with the owner's name
prominently displayed in the message and header. The message is therefore
from an authorized sender.
So your suggestion reveals the same naivete about which I originally
commented.
>
>> Because of the above points, you cannot stop spam, you cannot easily
>> trace it, and if someone goes to the trouble to locate a particular
>> spamming computer, it is *by* *design* a single, expendable cell in a
>> worldwide distributed network of the smallest possible cells -- end-user
>> computers running Windows.
>>
> Yes. But I'm talking about virii/worms, not old fashion spam.
They are the same. You did read my original article, yes? Virii/worms and
spam are two parts of the same underlying phenomenon: a new strategy for
distributing advertising.
< snip HUGE pointless quote to which no reply was made >
>> As I write this, over half of the Internet's bandwidth is taken up
>> distributing either viruses or spam messages. And in the new twist
>> described here, once they take over some hapless user's machine, the
>> viruses are designed to emit spam as well as copies of themselves.
>>
> OK; do you remember the days of the common air-craft-hi-jacks ?
> BTW the dynamics is identical to that of eg. foot-and-mouth
> disease in live stock. And if those affected act like they did with
> SARS (rather than those affected act like for HIV) is can be
> managed/controlled.
False, as proven by (1) September 11th (wait until the guardians let down
their guard) and (2) the present rash of mad cow disease/foot & mouth
disease reports (let nature take its course).
< snip >
> Ed Murphy wrote:
< snip >
>> The content needs to include the message that the spammer wants to get
>> across, in some sort of human-readable form, so that places some limits
>> on how much it can vary. The actual variance is a lot smaller than it
>> probably could be, presumably because spammers believe that most people
>> (especially their target market) are too stupid to filter effectively.
>>
> That's right, and like for medical, you don't need a 100% kill rate to be
> effective.
Manifestly not true. Exactly as with treatments for bacterial infections or
cancer, 100% effectiveness is a requirement. It is clear you don't
understand the difference between:
(1) additive processes:
y(t) = a (an initial value)
y'(t) = f (a growth factor)
Solution to (1):
y = a + f * t
And (2) exponential process:
y(t) = a (initial value)
y'(t) = y(t) * f (growth factor)
Solution to (2):
y = a * exp(f * t)
Note that the second function grows without bound over time. Because each
virus creates new viruses, the present e-mail plague is like the second,
not the first, physical model. Further, any variant virii that escape
filtering will grow in number very quickly, more than making up for the
filtered variants, in a perverse example of evolution.
Or, to say it in a more prosaic way, if filtering is so effective, why is
everyone's inbox full? Answer: they are filled with the offspring of
whatever worms/virii escaped filtering. Just like bacteria exposed to
antibiotics -- the only bacteria that survive are those that happen to be
resistant to the antiboiotic. Result? any antibiotic you can name becomes
ineffective over time -- a truism proven repeatedly in current medical
practice.
>
>> How would this stack up against Bayesian filtering? I can envision a
>> particularly sharp ISP offering to do it for the user: "Forward your
>> spam e-mails to sp...@sharpisp.com, and our SmartSystem will automagically
>> figure out how to identify and suppress future spam, based on the type of
>> spam that *you* have been receiving! (You can review the suppressed
>> messages at http://www.sharpisp.com/yourusername/spam/ - if a legitimate
>> message is mistakenly identified as spam, then just click on it, and it
>> will appear in your mailbox as normal. Messages stored here are deleted
>> after X days.)"
My neighbor received his Swen copy through Postini (a highly rated filtering
service). Q. E. D.
< snip >
> This sounds good, expect it is a 'network problem' (not just individual
> ISPs) and will need to be handled at the network-level.
In a distributed network with no center (like the Internet), drawing a
distinction between network and individual solutions is meaningless --
there are only individual solutions. Apart from name resolution, the
Internet has no center. This is by design.
>> Then again, between the people computer-literate enough to do their own
>> reasonably effective filtering, and the people computer-illiterate enough
>> to either (a) get by with no filtering at all or (b) accept whatever
>> filtering their ISP offers without asking questions, how much of a middle
>> ground is there?
>>
> It's not good enough to be able to filter once it's in your mailbox.
> In my and many other victims, the mail-box is disable by overflow !!
Which puts the lie to the idea that filtering works at all. Plus, those
worms activated by their recipients (a surprising number) add to the glut.
Think about differential equation two above. Think about virulent bacterial
strains. Think about evolution. And don't suggest solutions that cannot
possibly work.
*******************
In fact, as to spam, US attitudes are the key problem (along with Windows).
The British have on the table a proposal for an "opt-in" system. Anyone who
wants to receive spam can tell the spammers of his wish. Any other spam is
a felony with serious punishments. The US, by contrast, has suggested
various "opt-out" proposals, in which the recipients must contact each and
every spammer, expressing a wish not to receive the messages. Guess which
proposal is favored by spammers and corporate interests in general?
If it wasn't addressed personally to me, it never made it off the server.
(unless it was from a mailing list I subscribe to)
Like I said, the second time an address fails to return the RAV, they go
to /dev/null from then onward. (and I will be deleting this members of my
blocklist on the server soon.)`
> I've had 2-3 false positives since I started using Postini (6
> months?). All of those were rescued from "quarantine" and the
> addresses added to my whitelist, but it is something that you
> have to keep in mind.
The problem is that you have to manually CHECK your quarantine directory.
And you always will have to manually check it.
I never see mine.
>
>> And most of the UM (un-desirable mail) is deleted on the
>> server, which saves a LOT of bandwidth and time.
>
> Same with Postini: 99.9% of the crap is filtered out before it
> even gets to my ISP's mail server -- let alone to my machines.
>
> --
> Grant Edwards grante Yow! I want EARS! I
> at want two ROUND BLACK
> visi.com EARS to make me feel warm
> 'n secure!!
--
>> How does your system deal with mail generated mechanically?
>> There isn't going to be anybody at Amazon.com replying to your
>> address verification scheme.
>
> If it wasn't addressed personally to me, it never made it off
> the server. (unless it was from a mailing list I subscribe to)
The stuff I'm asking about would be addressed "personally" to
you.
> Like I said, the second time an address fails to return the
> RAV, they go to /dev/null from then onward. (and I will be
> deleting this members of my blocklist on the server soon.)`
Doesn't that cause you to loose ham that is generated by
automated systems which aren't going to respond to challenges?
>> I've had 2-3 false positives since I started using Postini (6
>> months?). All of those were rescued from "quarantine" and the
>> addresses added to my whitelist, but it is something that you
>> have to keep in mind.
>
> The problem is that you have to manually CHECK your quarantine
> directory. And you always will have to manually check it. I
> never see mine.
Usually I only check it when I have reason to believe that
something I want has been quarantined: e.g. I've ordered
something on-line and didn't get the expected order
confirmation e-mail.
--
Grant Edwards grante Yow! DIDI... is that a
at MARTIAN name, or, are we
visi.com in ISRAEL?
What's "ham"?
I get plenty of commercial mail, but *I* choose to be on their
mailing lists.
I do not accept anonymous mail from anyone. Ever.
>
>>> I've had 2-3 false positives since I started using Postini (6
>>> months?). All of those were rescued from "quarantine" and the
>>> addresses added to my whitelist, but it is something that you
>>> have to keep in mind.
>>
>> The problem is that you have to manually CHECK your quarantine
>> directory. And you always will have to manually check it. I
>> never see mine.
>
> Usually I only check it when I have reason to believe that
> something I want has been quarantined: e.g. I've ordered
> something on-line and didn't get the expected order
> confirmation e-mail.
>
> --
> Grant Edwards grante Yow! DIDI... is that a
> at MARTIAN name, or, are we
> visi.com in ISRAEL?
That's better. But not best :-)
You're not. It's clear that by "effective," Paul means "100% effective."
By "cannot be stopped" (in other messages), he means "cannot be stopped
with 100% certainty." And so on. If you read his messages like this, they
make a certain amount of sense, and Paul certainly has some interesting
speculation about the relationships between spammers and malware authors.
(I've seen similar claims elsewhere, but AFAIK the relationships still
aren't 100% certain, and probably don't exist on all malware.)
Personally, I disagree that 100% effectiveness is necessary for a tool to
be useful. Indeed, applying a 100% success criterion before using a
technology would mean we wouldn't be using any technology at all.
>>> The content needs to include the message that the spammer wants to get
>>> across, in some sort of human-readable form, so that places some limits
>>> on how much it can vary. The actual variance is a lot smaller than it
>>> probably could be, presumably because spammers believe that most people
>>> (especially their target market) are too stupid to filter effectively.
>> That's right, and like for medical, you don't need a 100% kill rate to be
>> effective.
> Manifestly not true. Exactly as with treatments for bacterial infections or
> cancer, 100% effectiveness is a requirement. It is clear you don't
> understand the difference between:
[snip]
> Or, to say it in a more prosaic way, if filtering is so effective, why is
> everyone's inbox full? Answer: they are filled with the offspring of
> whatever worms/virii escaped filtering. Just like bacteria exposed to
> antibiotics -- the only bacteria that survive are those that happen to be
> resistant to the antiboiotic. Result? any antibiotic you can name becomes
> ineffective over time -- a truism proven repeatedly in current medical
> practice.
This assumes that the antibiotic doesn't evolve to keep up with the
bacteria, which is (at least in some cases) untrue.
>>> How would this stack up against Bayesian filtering? I can envision a
>>> particularly sharp ISP offering to do it for the user: "Forward your
>>> spam e-mails to sp...@sharpisp.com, and our SmartSystem will automagically
>>> figure out how to identify and suppress future spam, based on the type of
>>> spam that *you* have been receiving! (You can review the suppressed
>>> messages at http://www.sharpisp.com/yourusername/spam/ - if a legitimate
>>> message is mistakenly identified as spam, then just click on it, and it
>>> will appear in your mailbox as normal. Messages stored here are deleted
>>> after X days.)"
> My neighbor received his Swen copy through Postini (a highly rated filtering
> service). Q. E. D.
Okay, it's not 100% effective. However, how long does it take Postini to
grok Swen and start filtering it out? (Along with all the umpteen million
variants of "I removed the viral payload from this message; here's the
rest of the message, because it *might* not be 100% crap.) Again, today's
solution will only be effective for so long, but the *method* used to
formulate today's solution will last longer.
> In fact, as to spam, US attitudes are the key problem (along with Windows).
> The British have on the table a proposal for an "opt-in" system. Anyone who
> wants to receive spam can tell the spammers of his wish. Any other spam is
> a felony with serious punishments. The US, by contrast, has suggested
> various "opt-out" proposals, in which the recipients must contact each and
> every spammer, expressing a wish not to receive the messages. Guess which
> proposal is favored by spammers and corporate interests in general?
Do the proponents of the opt-in system also have a thorough method of
determining (a) which machine really sent a given spam, and (b) whether
that machine actually belongs to a spammer, or merely belongs to the
unaware victim of a spam-sending virus?
If they don't have (a), then the proposal has no teeth. If they intend
to prosecute felonies regardless of (b)... well, that's going to piss
off a huge number of people. Given the choice between seemingly-random
spam and seemingly-random felony prosecution, I suspect that the opt-in
proposal would be shouted down.
>>> Like I said, the second time an address fails to return the
>>> RAV, they go to /dev/null from then onward. (and I will be
>>> deleting this members of my blocklist on the server soon.)`
>>
>> Doesn't that cause you to loose ham that is generated by
>> automated systems which aren't going to respond to challenges?
>
> What's "ham"?
"ham" is email that shouldn't be thrown away -- contrasted with
"spam" which is what you don't want to keep. I'm sure they
Hormel guys in Austin aren't happy with the terminology, but
it's pretty standardized.
> I get plenty of commercial mail, but *I* choose to be on their
> mailing lists.
The specific problem I'm asking about is:
I initiate some sort of on-line transaction that is going to
generate an automated e-mail to me (that I want to keep).
1) I don't know precisely what the sending address is going to
be, so there's no way I can add it to my white list.
2) The e-mail is generated by an automated system which is not
going to respond to a challange.
I handle this by checking the quarantine area for the expected
email. I don't understand how your system deals with this
problem. This situation often arises when ordering online,
when subscribing to a mailing list via a web page, or when
requesting information from an automated database system.
> I do not accept anonymous mail from anyone. Ever.
OK.
> That's better. But not best :-)
Perhaps, but I don't see how your system deals with the
situation above (which I run into not infrequently).
--
Grant Edwards grante Yow! .. I
at feel... JUGULAR...
visi.com
unfortunately I can not post to newsgroups as long as us T-online without
using my real return address. Until now this has resulted in a small but
steady stream of adds for stature enhancement. Now that is a real problem,
I am looking for a replacement. Using the google groups or equal to me is
not a good solution. I want a normal news reader that does not require the
correct email address for.
Perhaps we can't stop all of them, but we don't have to. We just need to
get nearly all. There are many techniques which would help, none of them
overwhelming in themselves, but together should kill 99+% of unwanted
mail.
Here's a few simple filters which take out 80+% of my spam. Drop
anything containing:
HTML in the body
'unknown' in a received header
'Microsoft' in sender or subject
Other rules are subject to diminishing returns, but I have enough to
reduce the level by more than 95%. I can live with hand-deleting the
rest at the level I get.
SMTP servers could do reverse DNS checking on envelope.
Spam is cheap in the quantities sent today, but what if the cost is
raised to even a few cents per viewing? Given the extremely poor take-up
of spam, this would make sales of almost all products prohibitively
expensive. Those which are still economic should attract the attention
of the law-enforcement agencies.
The same applies to viruses: take the loop gain below unity and there
aren't any epidemics. Microsoft could turn off the Windows entertainment
systems for emails (You want to impress your friends? Do it on your web
page. You want to use fancy stationery for email? Send PDFs.) and kill
almost all viruses overnight.
--
Joe
Got you! I automaticlly passlist any address I send a mail to on the
first contact. Mostly to allow for an auto-response as referred to
above.
The mail also has a line at the top that looks like this:
Please include these lines in any response. Thank You.
-----------------------------------------------------------------
09060322034583209000111114541655014541655014541655
Thats a unique password with the date of issuance at the beginning.
Since including the body of the initial message in any reply is SOP
in the business/org world, this causes no inconvenience and the line
appears first at the top, then at the top of the quoted message, so is
not likely to be missed. I put it back on the top of any replies to
their replies.
So mail with that in the body and/or the original address is accepted
and generates no auto-response.
> I handle this by checking the quarantine area for the expected
> email. I don't understand how your system deals with this
> problem. This situation often arises when ordering online,
> when subscribing to a mailing list via a web page, or when
> requesting information from an automated database system.
>
>> I do not accept anonymous mail from anyone. Ever.
>
> OK.
>
>> That's better. But not best :-)
>
> Perhaps, but I don't see how your system deals with the
> situation above (which I run into not infrequently).
>
> --
> Grant Edwards grante Yow! .. I
> at feel... JUGULAR...
> visi.com
There's my solution. What do you think of it? Haven't had even a hint
of a problem with it.
Excellent point.
>> I initiate some sort of on-line transaction that is going to
>> generate an automated e-mail to me (that I want to keep).
>>
>> 1) I don't know precisely what the sending address is going to
>> be, so there's no way I can add it to my white list.
>>
>> 2) The e-mail is generated by an automated system which is not
>> going to respond to a challange.
>
> Got you! I automaticlly passlist any address I send a mail to
> on the first contact.
In the situation I'm describing above, the first contact isn't
usually e-mail -- it's a form on a web page.
> Mostly to allow for an auto-response as referred to above.
>
> The mail also has a line at the top that looks like this:
>
>
> Please include these lines in any response. Thank You.
> -----------------------------------------------------------------
> 09060322034583209000111114541655014541655014541655
>
> Thats a unique password with the date of issuance at the beginning.
[...]
Yup, that would work fine for transactions you initiate with an
e-mail, but the quarantined ham that I rescue is usually
generated as an auotated response to a request submitted via a
web server.
> There's my solution. What do you think of it? Haven't had even
> a hint of a problem with it.
I still don't see how you deal with automated e-mail reponses
generated by requests submitted via a web site. Perhpaps you
don't run into that, but I do (fairly regularly).
--
Grant Edwards grante Yow! I need "RONDO".
at
visi.com
> On Mon, 22 Sep 2003 09:44:43 -0700, Paul Lutus wrote:
< snip >
>> Or, to say it in a more prosaic way, if filtering is so effective, why is
>> everyone's inbox full? Answer: they are filled with the offspring of
>> whatever worms/virii escaped filtering. Just like bacteria exposed to
>> antibiotics -- the only bacteria that survive are those that happen to be
>> resistant to the antiboiotic. Result? any antibiotic you can name becomes
>> ineffective over time -- a truism proven repeatedly in current medical
>> practice.
>
> This assumes that the antibiotic doesn't evolve to keep up with the
> bacteria, which is (at least in some cases) untrue.
There is an important difference between bacteria and antibiotics: the
bacteria reproduce and are therefore subject to the mechanisms of
evolution. This guarantees that any bacteria will eventually defeat any
antibiotic (something proven repeatedly in medicine). Antibiotics do not
reproduce and evolve, bacteria do.
When you try to compare the efforts of scientists to design more effective
antibiotics to the process of natural evolution, you are not comparing
comparable things. To see my point, name a single antibiotic that hasn't
been rendered ineffective by bacterial evolution.
>
>>>> How would this stack up against Bayesian filtering? I can envision a
>>>> particularly sharp ISP offering to do it for the user: "Forward your
>>>> spam e-mails to sp...@sharpisp.com, and our SmartSystem will
>>>> automagically figure out how to identify and suppress future spam,
>>>> based on the type of
>>>> spam that *you* have been receiving! (You can review the suppressed
>>>> messages at http://www.sharpisp.com/yourusername/spam/ - if a
>>>> legitimate message is mistakenly identified as spam, then just click on
>>>> it, and it
>>>> will appear in your mailbox as normal. Messages stored here are
>>>> deleted after X days.)"
>
>> My neighbor received his Swen copy through Postini (a highly rated
>> filtering service). Q. E. D.
>
> Okay, it's not 100% effective.
And it must be 100% effective. How secure would you feel if your doctor said
"We got 99% of the cancer cells, so you can go home." Did you read the
differential equations in my prior post? Do you fully grasp what the
exponential form means? It means the 1% residue that escapes filtering
becomes tomorrow's full-sized problem.
> However, how long does it take Postini to
> grok Swen and start filtering it out?
Long enough for a lot of computers to be infected and start issuing copies
of Swen. Remember, Postini is only effective in stopping incoming traffic,
not the reverse. And the worm writers are busy creating new variants,
specifically to address filtering issues. There is even evidence of
(efforts to design) worms that can change themselves sufficently to escape
detection, while enroute across the Internet. This, by the way, is why
malaria is so resistant to treatment -- the plasmodium falciparum pathogen
takes so many different forms during the course of the illness that it
seems as though you are treating several different ailments instead of just
one.
And HIV. It turns out there are several variants to that virus also, with
the usual results in treatment and vaccine design.
> (Along with all the umpteen million
> variants of "I removed the viral payload from this message; here's the
> rest of the message, because it *might* not be 100% crap.) Again, today's
> solution will only be effective for so long, but the *method* used to
> formulate today's solution will last longer.
The method is ineffective. The proof? Swen's ubiquity. The reappearance of
tuberculosis, once effectively treated with antibiotics. HIV. Shall I go
on?
To put it bluntly, if filtering worked, it would be working right now. The
virus/worm filter designers (mail and platform) have had many years to say
"let's simply not let executables through any more." But they won'd do
this, for the same reason that burning the building is not a suitable
treatment for an infestation of termites.
< snip >
> Do the proponents of the opt-in system also have a thorough method of
> determining (a) which machine really sent a given spam, and (b) whether
> that machine actually belongs to a spammer, or merely belongs to the
> unaware victim of a spam-sending virus?
You are mixing the premise with the enforcement methods. They are separate.
The former (the premise) is a big step forward, because it requires
spammers to have explicit authorization from each recipient. It won't work
across international boundaries, which is why the UK and US are in
conference right now, mostly to try to change the US position.
> If they don't have (a), then the proposal has no teeth.
Nonsense. As just one suggestion, you arrest the owners of the businesses
whose products and services are advertised in the spam messages, and hold
them (offering them bread and water in a windowless cell) until they reveal
the names of the spammers they hired to disseminate their advertising. They
are, after all, co-conspirators.
The reason this enforcement method isn't being used in the US is because of
the almost religious reverence people have for advertising and marketing in
this country.
> If they intend
> to prosecute felonies regardless of (b)... well, that's going to piss
> off a huge number of people.
Not as much as having no Internet, which is where we are headed right now.
> Given the choice between seemingly-random
> spam and seemingly-random felony prosecution, I suspect that the opt-in
> proposal would be shouted down.
False choice. The presence or absence of opt-in, and the presence or absence
of specific enforcement protocols, are separate issues, because the latter
can and do apply to any system of authorization. They are separate issues.
When I contact a company that I have learned about on a website, I use
mail rather than their forms. (I also kill their cookies the second I
exit their site.)
But if you would post the details of this sort of transaction, then I will work
on a solution.
It could be a server-side solution. There's no reason at all they couldn't
easily add a transaction-password section to any form, asking you to create
a string that will apppear in the headers or body in any response.
If *I* were running that sort of server I would do that.
Great idea. They must make money on it, like the PO does with junkmail, which
subsidizes the regular user accounts, so I don't think it is going to happen.
Spam is just advertising, and in the world of the Internet as well as
newspapers and the like, it keeps the retail cost down.
> --
> Joe
Are you absolutely sure about that? Many servers require that your email
address is in the correct form, a@b.c will usually suffice.
I've come across several people that have misread the error message that
they get when they try to post with a syntactically incorrect address, but
I've never come across an ISP that requires your real address for NNTP.
> SMTP servers could do reverse DNS checking on envelope.
>
They mostly do this already.
It was ineffective enought to begin with, since spammers knew this and
stuck false addresses in the envelopes (i.e., real domain names: just
not their own).
And now that VersSign, in their greed, makes all domain names in .com
and .net legal, this does not work at all anymore.
The nearest thing that works is DNS blacklist testing. See:
http://mail-abuse.org/rbl+/
which I use on my MTA. So far I do not recall any of this Microsoft
virus on my addresses at my MTA.
I do have a MAJOR problem, about 3 to 4 per minute at my account at my
ISP, though I have received none in the last few minutes. I hope I do
not speak too soon.
--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ Registered Machine 73926.
/( )\ Shrewsbury, New Jersey http://counter.li.org
^^-^^ 3:15pm up 2 days, 21:17, 2 users, load average: 2.37, 2.25, 2.13
> When I contact a company that I have learned about on a
> website, I use mail rather than their forms. (I also kill their
> cookies the second I exit their site.)
For any of the "big" sites, sending an e-mail instead of
submitting a request via web simply will not work. Either they
have no mechanism to take orders via e-mail, or it will take
weeks instead of seconds because it has to be put in a queue
for a human to deal with.
> But if you would post the details of this sort of transaction,
> then I will work on a solution.
I don't have any details handy. Don't you ever order anything
from web-based vendors and want to see the e-mail it generates?
> It could be a server-side solution. There's no reason at all
> they couldn't easily add a transaction-password section to any
> form, asking you to create a string that will apppear in the
> headers or body in any response.
That would certainly solve the problem, but I just don't see it
happening.
> If *I* were running that sort of server I would do that.
--
Grant Edwards grante Yow! Sometime in 1993
at NANCY SINATRA will lead a
visi.com BLOODLESS COUP on GUAM!!
> In article <3f6f06a9$0$42051$a186...@newsreader.visi.com>,
> gra...@visi.com (Grant Edwards) writes:
>>
>>
>> In article <vmtak1d...@corp.supernews.com>, Paul Lutus wrote:
>>
>>> There are no effective filtering methods.
>>
>> That's simply not true. As of yesterday I'm getting over 100
>> virus-laden e-mails an hour. Only 1-2 per _day_ get through
>> postini, and they're usually caught by SA.
You just proved my point. Some small fraction of a percent leakage is all it
takes to bring us to the present situation. If even one copy of Swen is
activated, it then emits, say, 10,000 copies per hour until the host system
is either cleaned or disconnected from the Internet. Like the school in the
south that did just that over the weekend (described in my prior post).
>> If you don't call that effective, then we're not speaking the
>> same language.
One of us understands the problem and the underlying mathematics. See below.
>
> You're not. It's clear that by "effective," Paul means "100% effective."
> By "cannot be stopped" (in other messages), he means "cannot be stopped
> with 100% certainty." And so on. If you read his messages like this, they
> make a certain amount of sense, and Paul certainly has some interesting
> speculation about the relationships between spammers and malware authors.
> (I've seen similar claims elsewhere, but AFAIK the relationships still
> aren't 100% certain, and probably don't exist on all malware.)
True, but those worm writers who fit my description are certainly the most
dangerous, because they are very skilled and they are being paid.
> Personally, I disagree that 100% effectiveness is necessary for a tool to
> be useful.
Don't confuse tools with pathogens. How comfortable would you be if your
doctor said "We got 99% of those pesky cancer cells, so you can go home
now"? For pathogens that reproduce exponentially (cancer cells, computer
viruses and worms), 100% is a requirement. For the reason, read my post
with the differential equations again, this time more carefully (and see
below).
> Indeed, applying a 100% success criterion before using a
> technology would mean we wouldn't be using any technology at all.
You are making an invalid comparison. A piece of technology like a computer
doesn't have to be 100% reliable because the computer isn't going to react
to a 0.01% probability flaw by filling the room with copies of itself while
your back is turned. A system for filtering worms and viruses must be 100%
effective because the fraction of a percent that escape the filter can
reproduce to fill the communication channels in a few days. Swen has just
proven this.
No amount of rhetoric can escape this equation:
y(t) = a * exp(f * t)
t = time, choose any suitable units.
y = today's population of, say, Swen.
a = yesterday's population of Swen.
f = the fraction of a percent of Swen copies that leak through filtering
methods.
Notice that, to prevent further growth of Swen, you have to set f = 0.
Translated into everyday terms, "f = 0" means "100% effective filtering".
Simplified further, this means that, given enough time, any nonzero positive
value for f will result in the complete clogging of the entire network.
Barring extraordinary measures, like methods other than filtering.
Example. Let's say that a network is receiving 1000 copies of Swen (and
similar worms) per hour, that all but .1% are automatically filtered out,
and some hapless end user activates only one out of 100 copies that slip
through (all very optimistic numbers). That activated copy then proceeds to
emit 1000 copies of itself per hour (just to simplify the math) and the
process repeats. This works out to an overall growth rate per hour of (1000
* .001%) 1%, and a doubling time of:
y = log(2)/log(1 + .01) hours
y = 69.7 hours, or just under three days.
Are we getting this? In a technical discussion, mathematics has it all over
rhetoric, especially when (as in this case) the mathematics can be relied
on to predict outcomes.
Are you absolutely sure about that? Many servers require that your email
>>> That's simply not true. As of yesterday I'm getting over 100
>>> virus-laden e-mails an hour. Only 1-2 per _day_ get through
>>> postini, and they're usually caught by SA.
>
> You just proved my point. Some small fraction of a percent
> leakage is all it takes to bring us to the present situation.
> If even one copy of Swen is activated, it then emits, say,
> 10,000 copies per hour until the host system is either cleaned
> or disconnected from the Internet. Like the school in the south
> that did just that over the weekend (described in my prior
> post).
So you're solution is what? Let 5000 a day through rather than
1-2?
>>> If you don't call that effective, then we're not speaking the
>>> same language.
>
> One of us understands the problem and the underlying
> mathematics. See below.
I simply don't care if 1-2 a day make it to my inbox. They're
not going to harm my computer or cause me any significant
inconvenience. Letting 5000 day hit my inbox would cause
serious problems. By my criteria, the filter is effective.
>> Personally, I disagree that 100% effectiveness is necessary for
>> a tool to be useful.
>
> Don't confuse tools with pathogens. How comfortable would you
> be if your doctor said "We got 99% of those pesky cancer cells,
> so you can go home now"?
I'm afraid you won't even get a guarantee that good from your
oncologist. You going to stop going to the doctor because they
won't provide a guarantee of 100% effectiveness for all
treatments.
--
Grant Edwards grante Yow! Somewhere in Tenafly,
at New Jersey, a chiropractor
visi.com is viewing "Leave it to
Beaver"!
> On Mon, 22 Sep 2003 01:58:06 -0700, Paul Lutus wrote:
< snip >
>>> I would highly suggest zipping them, and/or coming up with a method of
>>> transfer other than e-mail (e.g. FTP).
>>
>> Doesn't address the original issue. Ultimately someone unzips the file
>> and has to decide how to proceed. Just like now.
>
> But you can allow zips while disallowing executables,
No, you cannot. That would be fatal if, as is likely:
1. Clicking on the ZIP file activated an associated unZIP progam, and
2. The unZIP program's dialog listed the contents of the ZIP file in such a
way that the user could click an embedded file, and
3. The true file suffix was concealed, as it is by default in Windows, so a
file named "image.jpg.exe" would appear as "image.jpg".
Conclusion: you can't allow ZIP files through. They can contain anything.
> They are.
Always quote the text you are replying to.
> A few weeks ago I read about spam and spam filtering in IEEE Spectrum
> and they claimed AOL and Hotmail (?) each filtered out 2+ billion
> spam messages on their servers - each day.
Meaning? A thinking person would want to know what percentage of the total
that is, e.g. what percentage of spam messages were rejected, what
percentage of spam slipped through, what percentage of legitimate e-mails
were improperly filtered, and so forth.
Your quote is like saying "ten thousand workers were laid off." What is the
total size of the labor force? Are they likely to be rehired? And so forth.
The raw number conveys no information at all.
This may be true, but it doesn't mean that the problem wouldn't be worse
without the filtering we've got, nor that it wouldn't be better if the
filtering were better. Life isn't perfect, but we aren't talking about a
binary decision; we're talking about HOW bad the problem is.
>> You're not. It's clear that by "effective," Paul means "100% effective."
...
>> Personally, I disagree that 100% effectiveness is necessary for a tool to
>> be useful.
>
> Don't confuse tools with pathogens.
I'm not. We're talking about the effectiveness of spam/malware-fighting
tools. I wasn't describing the effectiveness of the malware, but of the
tool used to fight it.
> How comfortable would you be if your
> doctor said "We got 99% of those pesky cancer cells, so you can go home
> now"? For pathogens that reproduce exponentially (cancer cells, computer
> viruses and worms), 100% is a requirement. For the reason, read my post
> with the differential equations again, this time more carefully (and see
> below).
Computer malware is not the same as biological pathogens. There are
certain similarities, to be sure, but the analogy you've presented isn't
quite 1:1.
Another analogy, which also isn't 1:1 but that may be better, is of
innoculation. If you innoculate 99% of the population against a disease,
they'll be protected from it, even if the remaining 1% runs around
spreading the virus all over the place. In fact, the innoculation of 99%
of the population will help the remaining 1%, because they'll be less
likely to come into contact with an infected individual to begin with.
> No amount of rhetoric can escape this equation:
>
> y(t) = a * exp(f * t)
>
> t = time, choose any suitable units.
> y = today's population of, say, Swen.
> a = yesterday's population of Swen.
> f = the fraction of a percent of Swen copies that leak through filtering
> methods.
...
> Example. Let's say that a network is receiving 1000 copies of Swen (and
> similar worms) per hour, that all but .1% are automatically filtered out,
> and some hapless end user activates only one out of 100 copies that slip
> through (all very optimistic numbers). That activated copy then proceeds to
> emit 1000 copies of itself per hour (just to simplify the math) and the
> process repeats. This works out to an overall growth rate per hour of (1000
> * .001%) 1%, and a doubling time of:
>
> y = log(2)/log(1 + .01) hours
>
> y = 69.7 hours, or just under three days.
>
> Are we getting this? In a technical discussion, mathematics has it all over
> rhetoric, especially when (as in this case) the mathematics can be relied
> on to predict outcomes.
That's true when the mathematics is correct and complete. Yours is
neither. Your equation is notable for its lack of several important
variables, such as the number of potential hosts. Your equation predicts
that the worm will continue to spread without end. For instance, your
equation and example numbers suggest that in about 116 days there'd be 1
trillion (1x10^12) infected computers. Of course, that many Windows
computers don't exist on Earth, so the mathematics is flawed. Your
equation might be reasonably accurate for predicting the early stages of
an epidemic's spread, but sooner or later factors that don't appear in
your equation will start to slow its exponential spread.
As to completeness, the rate of spread can be important in terms of the
extent of the problem. AT ANY GIVEN TIME, one computer spewing Swen (or
whatever) is a lot less of a problem than a thousand computers doing so.
Of course, left unchecked, the one computer will quickly infect a
thousand others, but in the same time, the thousand others in the
1,000-infected case will likely infect many more, so the benefits persist
over time -- at least, until the rate of infection reaches some sort of
equilibrium.
Furthermore, simple observation of past infections tells me that your
mathematical approach is flawed. Even aside from the issue of running out
of computers to infect, your approach suggests no abatement in the spread
of a virus/worm. In fact, previous incidents have been beaten back in
various ways. To be sure, many of these viruses/worms are still around,
but they aren't active enough to do much harm because they have a hard
time finding hosts that can be infected, so their equilibrium points are
low.
I'm not an epidemiologist and so I don't know what equations they use for
these sorts of things, but I'm sure they have a way of predicting the
equilibrium point. Some of those variables are certain to affect just
what that equilibrium point is, too, and that's vitally important in
understanding the impact that an infection will have. If filters can help
bring the equilibrium point down, or slow the spread of the virus/worm so
that other measures can be brought to bear before equilibrium is reached,
the impact of the virus in terms of wasted bandwidth, etc., will be
reduced.
On another note, on an INDIVIDUAL BASIS, filters can do a lot of good. I
haven't personally seen a single Swen message in my mail reader. My
pre-Swen filters blocked them all from getting that far, although they
were chewing up my bandwidth until I started filtering with mailfilter.
Thus, AS AN INDIVIDUAL, I'm not particularly bothered by this outbreak --
not as I would be if I had to delete the thousands of Swen messages that
I know have been directed at me. Of course, this observation doesn't fit
well with the broad view, although it's certainly part of it.
In conclusion, although I agree that mathematics plays an important role
in understanding and predicting the spread of computer viruses and worms,
I don't believe you've used the correct equation to do so, and that fact
invalidates your results. Mathematics is also simply a way to MODEL the
world, and features not in the models can and do play a role in the
world, so mathematics isn't the ONLY tool that should be used in
understanding such things -- at least, not with complex systems like the
Internet.
Because it's not their job.
Their job is to transport the entire internet... not censor it.
--
Copyright 2003 Angela Kahealani. All rights reserved without prejudice;
UCC1-207. All information and transactions are non negotiable and are
private between the parties. http://www.kahealani.com/
> There is an important difference between bacteria and antibiotics: the
> bacteria reproduce and are therefore subject to the mechanisms of
> evolution. This guarantees that any bacteria will eventually defeat any
> antibiotic (something proven repeatedly in medicine). Antibiotics do not
> reproduce and evolve, bacteria do.
>
> When you try to compare the efforts of scientists to design more effective
> antibiotics to the process of natural evolution, you are not comparing
> comparable things. To see my point, name a single antibiotic that hasn't
> been rendered ineffective by bacterial evolution.
But the scientists *continue* to make an effort. Whenever the bacteria
changes, the scientists change the antibiotic to match. There is no
time T at which the scientists stop and say "we're done forever".
> And it must be 100% effective. How secure would you feel if your doctor said
> "We got 99% of the cancer cells, so you can go home." Did you read the
> differential equations in my prior post? Do you fully grasp what the
> exponential form means? It means the 1% residue that escapes filtering
> becomes tomorrow's full-sized problem.
If my doctor said "We got 99% of the cancer cells, so you can go home
for three months, and then we'll treat you again" - and if I were
confident that this would prevent the cancer cells from ever exceeding
a certain level - then I would consider it acceptable. Not *good*,
really, but acceptable.
> To put it bluntly, if filtering worked, it would be working right now. The
> virus/worm filter designers (mail and platform) have had many years to say
> "let's simply not let executables through any more." But they won'd do
> this, for the same reason that burning the building is not a suitable
> treatment for an infestation of termites.
Filtering is reducing the extent of the problem. You just insist on
restricting "work" to "work 100%", because you note the dynamic design
of viruses/worms but ignore the dynamic design of filters.
>> Do the proponents of the opt-in system also have a thorough method of
>> determining (a) which machine really sent a given spam, and (b) whether
>> that machine actually belongs to a spammer, or merely belongs to the
>> unaware victim of a spam-sending virus?
>
> You are mixing the premise with the enforcement methods. They are separate.
> The former (the premise) is a big step forward, because it requires
> spammers to have explicit authorization from each recipient. It won't work
> across international boundaries, which is why the UK and US are in
> conference right now, mostly to try to change the US position.
Even wrt domestic violators, a requirement doesn't *do* anything useful
unless it can be enforced in at least some cases. If we don't know who
the spam kings are, then the effort going into this proposal would be
better spent finding out who they are. *Then* you can declare their
actions illegal with heavy penalties.
>> If they don't have (a), then the proposal has no teeth.
>
> Nonsense. As just one suggestion, you arrest the owners of the businesses
> whose products and services are advertised in the spam messages, and hold
> them (offering them bread and water in a windowless cell) until they reveal
> the names of the spammers they hired to disseminate their advertising. They
> are, after all, co-conspirators.
Tempting, but tricky. A spam king could gum up the works by framing an
innocent party, by spamvertising that party's business without having been
asked to do so. How do you distinguish the innocent from the guilty? No,
you really have to target the spam kings directly.
>>>> I would highly suggest zipping them, and/or coming up with a method of
>>>> transfer other than e-mail (e.g. FTP).
>>> Doesn't address the original issue. Ultimately someone unzips the file
>>> and has to decide how to proceed. Just like now.
>> But you can allow zips while disallowing executables,
> No, you cannot. That would be fatal if, as is likely:
>
> 1. Clicking on the ZIP file activated an associated unZIP progam, and
>
> 2. The unZIP program's dialog listed the contents of the ZIP file in such a
> way that the user could click an embedded file, and
>
> 3. The true file suffix was concealed, as it is by default in Windows, so a
> file named "image.jpg.exe" would appear as "image.jpg".
>
> Conclusion: you can't allow ZIP files through. They can contain anything.
But it's still significantly *less* likely for a virus-in-a-ZIP to spread,
than for a virus-in-an-EXE to spread.
Combine this strategy with a regularly-updated virus scanner that checks
executables within ZIP files, and you're in fairly good shape, yes?
I get you now.
I do from Amazon and a couple of others. They all include my account number
in the body of the mail, and I egrep for that with procmail.
Otherwise I contact the company and ask them for the addresses that any
mail will be coming from, first. If they won't give it/them to me, I don't
do business with them.
>> It could be a server-side solution. There's no reason at all
>> they couldn't easily add a transaction-password section to any
>> form, asking you to create a string that will apppear in the
>> headers or body in any response.
>
> That would certainly solve the problem, but I just don't see it
> happening.
>
Why not? If the consumers demand it, they will do it.
>> If *I* were running that sort of server I would do that.
>
> --
> Grant Edwards grante Yow! Sometime in 1993
> at NANCY SINATRA will lead a
> visi.com BLOODLESS COUP on GUAM!!
--
Refusing to originate or forward or receive anonymous mail would not impede
the functioning of the Internet, it would IMPROVE it.
No one is obligated to accept anonymous mail. I don't.
>> I don't have any details handy. Don't you ever order anything
>> from web-based vendors and want to see the e-mail it generates?
>
> I get you now.
>
> I do from Amazon and a couple of others. They all include my
> account number in the body of the mail, and I egrep for that
> with procmail.
I could figure out a procmail rule for most of the places I
deal with regularly, but with Chrismas shopping season just
ahead...
> Otherwise I contact the company and ask them for the addresses
> that any mail will be coming from, first. If they won't give
> it/them to me, I don't do business with them.
>>> It could be a server-side solution. There's no reason at all
>>> they couldn't easily add a transaction-password section to any
>>> form, asking you to create a string that will apppear in the
>>> headers or body in any response.
>>
>> That would certainly solve the problem, but I just don't see it
>> happening.
>
> Why not? If the consumers demand it, they will do it.
True, but I don't think enough customer will demand it --
atleast not in the near future.
--
Grant Edwards grante Yow! YOW!!! I am having
at fun!!!
visi.com
> On Mon, 22 Sep 2003 11:49:03 -0700, Paul Lutus wrote:
>
>> There is an important difference between bacteria and antibiotics: the
>> bacteria reproduce and are therefore subject to the mechanisms of
>> evolution. This guarantees that any bacteria will eventually defeat any
>> antibiotic (something proven repeatedly in medicine). Antibiotics do not
>> reproduce and evolve, bacteria do.
>>
>> When you try to compare the efforts of scientists to design more
>> effective antibiotics to the process of natural evolution, you are not
>> comparing comparable things. To see my point, name a single antibiotic
>> that hasn't been rendered ineffective by bacterial evolution.
>
> But the scientists *continue* to make an effort. Whenever the bacteria
> changes, the scientists change the antibiotic to match. There is no
> time T at which the scientists stop and say "we're done forever".
That's really not true (example: there is no antibiotic for the new highly
resistant TB strains, despite great efforts), and in any case you are
missing the point. The bacteria always win. All antibiotics are temporary
fixes, because, once the scientists go home, the process stops. For the
bacteria, the process never stops. They are by definition on the job 24/7,
and they love their work.
>
>> And it must be 100% effective. How secure would you feel if your doctor
>> said "We got 99% of the cancer cells, so you can go home." Did you read
>> the differential equations in my prior post? Do you fully grasp what the
>> exponential form means? It means the 1% residue that escapes filtering
>> becomes tomorrow's full-sized problem.
>
> If my doctor said "We got 99% of the cancer cells, so you can go home
> for three months, and then we'll treat you again" - and if I were
> confident that this would prevent the cancer cells from ever exceeding
> a certain level - then I would consider it acceptable. Not *good*,
> really, but acceptable.
Acceptable to die, when a more thorough treatment would allow you to live?
Now you're arguing just to be arguing. Cancer treatments that do not catch
all the malignant cells are a failure. This is why surgery is followed by
chemotherapy, as unpleasant as that sometimes is. Chemotherapy (when it
works) takes you from 99% to 100%, and 100% is required, because the cancer
cells follow an exponential-increase pattern.
>
>> To put it bluntly, if filtering worked, it would be working right now.
>> The virus/worm filter designers (mail and platform) have had many years
>> to say "let's simply not let executables through any more." But they
>> won'd do this, for the same reason that burning the building is not a
>> suitable treatment for an infestation of termites.
>
> Filtering is reducing the extent of the problem.
For systems governed by exponential increase, filtering doesn't reduce the
extent of the problem, it merely reduces the numbers (a symptomatic change)
and postpones actually addressing the problem in a meaningful way. It's
like not worrying about population increase because some people in some
places are practicing family planning. That's just not good enough.
> You just insist on
> restricting "work" to "work 100%", because you note the dynamic design
> of viruses/worms but ignore the dynamic design of filters.
You really don't understand this issue. The filters are not dynamic in the
slightest. Someone has to explicitly try to make thm 100% effective,
because that is a requirement, but it is also impossible. Filtering doesn't
work. Viruses and worms, by contrast, are dynamic.
Filters don't become more effective by themselves, but a wide selection of
virii/worms with different content and strategies do in fact get better by
themselves (using evolution's highly efficient mechanisms). This is why
filtering doesn't work.
It is very hard to argue persuasively against headlines. Swen has reached
and infected over 700,000 computers in a week.
>
>>> Do the proponents of the opt-in system also have a thorough method of
>>> determining (a) which machine really sent a given spam, and (b) whether
>>> that machine actually belongs to a spammer, or merely belongs to the
>>> unaware victim of a spam-sending virus?
>>
>> You are mixing the premise with the enforcement methods. They are
>> separate. The former (the premise) is a big step forward, because it
>> requires spammers to have explicit authorization from each recipient. It
>> won't work across international boundaries, which is why the UK and US
>> are in conference right now, mostly to try to change the US position.
>
> Even wrt domestic violators, a requirement doesn't *do* anything useful
> unless it can be enforced in at least some cases.
Yes, absolutely, and I explained how -- arrest the owners of businesses that
pay the spammers. Identifying them is child's play -- they are identified
in the spam messages. After a week on bread and water, sharing a cell with
a child molester, I suggest they will roll over on their contractors.
> If we don't know who
> the spam kings are,
Doesn't matter. If owners of businesses are arrested, the spammers will not
get any more money, end of story. Even assuming they (the spammers) are not
identified by their employers and arrested.
It's all about public support for serious measures, which I must say is
entirely absent right now.
> then the effort going into this proposal would be
> better spent finding out who they are. *Then* you can declare their
> actions illegal with heavy penalties.
>
>>> If they don't have (a), then the proposal has no teeth.
>>
>> Nonsense. As just one suggestion, you arrest the owners of the businesses
>> whose products and services are advertised in the spam messages, and hold
>> them (offering them bread and water in a windowless cell) until they
>> reveal the names of the spammers they hired to disseminate their
>> advertising. They are, after all, co-conspirators.
>
> Tempting, but tricky. A spam king could gum up the works by framing an
> innocent party, by spamvertising that party's business without having been
> asked to do so.
True, but a red herring. Spammers can be misidentified or deliberately
smeared, as well as business owners. A spammer might try to falsely smear a
computer owner as a spammer in the way you suggest, but this is apart from
the matter under discussion, because it affects all efforts at enforcement.
> How do you distinguish the innocent from the guilty? No,
> you really have to target the spam kings directly.
Nope. Your argument that led to this was flawed -- in fact, it relied for
its persuasiveness on the idea that law must be 100% effective in filtering
out the true guilty parties, but it cannot do that. Ironically enough.
< snip >
> But it's still significantly *less* likely for a virus-in-a-ZIP to spread,
> than for a virus-in-an-EXE to spread.
If you fully understand the problem posed by an exponential function, you
will see this is grasping at straws.
> Combine this strategy with a regularly-updated virus scanner that checks
> executables within ZIP files, and you're in fairly good shape, yes?
Not really, it simply shifts more of the burden on the filtering methods,
which now would have to unpack the ZIP, then check it for viruses and
worms, for each incoming message. It's more of the same, and it only
dramatizes the impracticality of relying on filtering.
The basic idea of filtering is that senders can do as they please and the
entire burden of coping is placed on recipients. This leaves the Internet
clogged with bogus, nuisance traffic (now over 50% of all content), traffic
that is the sole responsibility of the recipients. It's logically unsound,
and even it that were not so, a simple math teatment shows it cannot
continue without bringing down the entire net.
The increase IS NOT truly exponential; sooner or later, it'll hit a hard
limit -- the number of computers in the world. Even before then, the rate
of increase will slow because some of the systems the virus/worm tries to
infect will already be infected.
> filtering doesn't reduce the
> extent of the problem, it merely reduces the numbers (a symptomatic change)
> and postpones actually addressing the problem in a meaningful way. It's
> like not worrying about population increase because some people in some
> places are practicing family planning. That's just not good enough.
This analogy is flawed. Nobody's saying we should put up filters and
forget about it. A better analogy would be that promoting the use of
filters is like promoting the use of condoms (both to reduce the spread of
HIV and for family planning purposes). Filtering/using condoms won't
eliminate the problem, but it can be part of the solution.
> Filters don't become more effective by themselves, but a wide selection of
> virii/worms with different content and strategies do in fact get better by
> themselves (using evolution's highly efficient mechanisms). This is why
> filtering doesn't work.
Computer viruses and worms also are not dynamic in the evolutionary way
you suggest. To the best of my knowledge, they don't mutate on their own,
as true biological viruses do. The computer variety requires the
intervention of a programmer (or at least a script kiddie) to be
modified, just as filters require the intervention of a programmer or
administrator to be modified.
In fact, it occurs to me that Bayesian spam filters are more dynamic than
are most computer viruses/worms. Some (most? all?) Bayesian filters can be
configured to add new messages to their spam/ham databases automatically
or semi-automatically, which tends to keep them updated with little or no
intervention. That's minor compared to true evolutionary effects, but it's
more dynamic than the typical virus or worm, which attacks in precisely
the same way whether it was released yesterday or a year ago.
This is impossible to obey on newsgroups that are gatewayed to mailing lists
that use challenge-response sender verification for posting.
www.newsguy.com . Normal newsfeed, every group you can imagine, good spam
filtering, excellent support. $40/year.
--
John Hasler
jo...@dhh.gt.org
Dancing Horse Hill
Elmwood, Wisconsin
> For the
> bacteria, the process never stops. They are by definition on the job 24/7,
> and they love their work.
Computer viruses mutate only as specified by their authors, which so far
is a highly limited range, compared to bacteria. Virus authors are not
on the job 24/7.
>> If my doctor said "We got 99% of the cancer cells, so you can go home
>> for three months, and then we'll treat you again" - and if I were
>> confident that this would prevent the cancer cells from ever exceeding
>> a certain level - then I would consider it acceptable. Not *good*,
>> really, but acceptable.
>
> Acceptable to die, when a more thorough treatment would allow you to live?
You didn't pay attention to my second if, did you? *If* this keeps the
cancer cells acceptably low, then it's okay. If it doesn't, then it's
not. This should be blindingly obvious.
> the cancer cells follow an exponential-increase pattern.
But if we reduce the extent of the infection by 99% every X days, then
this is an exponential *decrease*. It is possible for the latter to
match the former.
>> Filtering is reducing the extent of the problem.
>
> For systems governed by exponential increase, filtering doesn't reduce the
> extent of the problem, it merely reduces the numbers (a symptomatic change)
> and postpones actually addressing the problem in a meaningful way. It's
> like not worrying about population increase because some people in some
> places are practicing family planning. That's just not good enough.
See above. It *can* be good enough, *if* filter improvement reduces
the numbers just as fast as viral evolution increases them.
> You really don't understand this issue. The filters are not dynamic in the
> slightest. Someone has to explicitly try to make thm 100% effective,
> because that is a requirement, but it is also impossible. Filtering doesn't
> work. Viruses and worms, by contrast, are dynamic.
Filters are not dynamic? Codswallop! I'm using different filters today
than I was using one week ago, ergo I am a walking counterexample.
> It is very hard to argue persuasively against headlines. Swen has reached
> and infected over 700,000 computers in a week.
And how many of those 700,000 will be disinfected in another week?
Filters evolve because *I* evolve them. A few days ago, I was getting
thousands of junk messages a day. Now I've improved my filters and I
only get a couple dozen a day (and I could probably filter those, too,
but I've been a bit lazy about the last mile).
>> If we don't know who
>> the spam kings are,
>
> Doesn't matter. If owners of businesses are arrested, the spammers will not
> get any more money, end of story. Even assuming they (the spammers) are not
> identified by their employers and arrested.
How many spams does it take before a business owner is arrested? If
the answer is one, then the likely consequences are disastrous: I
compose a spamvertisement for your business, take it to a cybercafe
(and pay them cash), send it from an anonymous account to my real
account, then complain to the government about it. What happens to
you? Multiply by the number of computer-literate assholes in the
country... Better set a higher minimum number of complaints, say one
hundred or even one thousand?
>> But it's still significantly *less* likely for a virus-in-a-ZIP to spread,
>> than for a virus-in-an-EXE to spread.
>
> If you fully understand the problem posed by an exponential function, you
> will see this is grasping at straws.
Then go find the spammers, and sentence them to life without parole
with a 500-pound roommate named Bubba. But until you succeed in
doing so, don't advocate *not* filtering! Don't even appear to
do so! Filtering *greatly* slows down the spread; in my own personal
case, by a factor of around one thousand. If you think that's not
significant, then surely you won't mind me forwarding the insignificant
amount of e-mail to *your* mailbox, instead of to /dev/null ...
> In article <vmujt5a...@corp.supernews.com>,
> Paul Lutus <nos...@nosite.zzz> writes:
>>
>> Rod Smith wrote:
>>
>> Some small fraction of a percent leakage is all it
>> takes to bring us to the present situation. If even one copy of Swen is
>> activated, it then emits, say, 10,000 copies per hour until the host
>> system is either cleaned or disconnected from the Internet.
>
> This may be true, but it doesn't mean that the problem wouldn't be worse
> without the filtering we've got, nor that it wouldn't be better if the
> filtering were better. Life isn't perfect, but we aren't talking about a
> binary decision; we're talking about HOW bad the problem is.
No, we are discussing approaches. Filtering as an approach cannot and does
not work. It doesn't work because:
1. It presumes that senders can do as they please, and the receipients are
solely responsible for dealing with the result. This is incredibly
inefficient overall.
2. The math I have provided here shows it (filtering) cannot work in a
practical sense against worms and viruses, philosophical issues aside.
>
>>> You're not. It's clear that by "effective," Paul means "100% effective."
> ...
>>> Personally, I disagree that 100% effectiveness is necessary for a tool
>>> to be useful.
>>
>> Don't confuse tools with pathogens.
>
> I'm not. We're talking about the effectiveness of spam/malware-fighting
> tools. I wasn't describing the effectiveness of the malware, but of the
> tool used to fight it.
Against a diverse set of worms and viruses that have exponential increase on
their side, such a tool must be 100% effective.
>
>> How comfortable would you be if your
>> doctor said "We got 99% of those pesky cancer cells, so you can go home
>> now"? For pathogens that reproduce exponentially (cancer cells, computer
>> viruses and worms), 100% is a requirement. For the reason, read my post
>> with the differential equations again, this time more carefully (and see
>> below).
>
> Computer malware is not the same as biological pathogens. There are
> certain similarities, to be sure, but the analogy you've presented isn't
> quite 1:1.
Actually, in terms of efficient spread, computer worms and viruses make mere
biological pathogens look like pikers.
>
> Another analogy, which also isn't 1:1 but that may be better, is of
> innoculation. If you innoculate 99% of the population against a disease,
> they'll be protected from it, even if the remaining 1% runs around
> spreading the virus all over the place.
No, that is quite false (and it is spelled "inoculation"). In fact, you must
have 100% coverage for the effort to be worthwhile at all. To see my point,
read the history of the eradication of smallpox. The team responsible for
that effort knew they had to have 100% eradication, or they might as well
not even try. They succeeded, but it was a fantastic effort.
> In fact, the innoculation of 99%
> of the population will help the remaining 1%, because they'll be less
> likely to come into contact with an infected individual to begin with.
This is a common misconception. As to polio, most new cases arise from
contact between an unprotected person and someone recently inoculated with
the Sabin attenuated-virus vaccine. The details are too far from our topic
to dwell on, but in this case also, nothing less than 100% eradication will
ever be effective.
>
>> No amount of rhetoric can escape this equation:
>>
>> y(t) = a * exp(f * t)
>>
>> t = time, choose any suitable units.
>> y = today's population of, say, Swen.
>> a = yesterday's population of Swen.
>> f = the fraction of a percent of Swen copies that leak through filtering
>> methods.
> ...
>> Example. Let's say that a network is receiving 1000 copies of Swen (and
>> similar worms) per hour, that all but .1% are automatically filtered out,
>> and some hapless end user activates only one out of 100 copies that slip
>> through (all very optimistic numbers). That activated copy then proceeds
>> to emit 1000 copies of itself per hour (just to simplify the math) and
>> the process repeats. This works out to an overall growth rate per hour of
>> (1000 * .001%) 1%, and a doubling time of:
>>
>> y = log(2)/log(1 + .01) hours
>>
>> y = 69.7 hours, or just under three days.
>>
>> Are we getting this? In a technical discussion, mathematics has it all
>> over rhetoric, especially when (as in this case) the mathematics can be
>> relied on to predict outcomes.
>
> That's true when the mathematics is correct and complete. Yours is
> neither.
Nonsense. Your failure to post any mathematics to try to bolster your
opinion is noted with dismay.
> Your equation is notable for its lack of several important
> variables, such as the number of potential hosts.
Those issues are true and irrelevant, because they lead to constant terms.
They don't affect the outcome, only its timing, something I already
addressed. Such adjustments don't affect the validity of the example, which
was offered only to show the trend, and the flaw in relying on filtering
that is not 100% effective.
> Your equation predicts
> that the worm will continue to spread without end.
No, it predicts only that filtering methods are ineffective, and it
demonstrates this clearly. That was its sole purpose.
> For instance, your
> equation and example numbers suggest that in about 116 days there'd be 1
> trillion (1x10^12) infected computers.
Not unless you try to go somewhere not intended by the example, in which
case you get to go there alone. As to the number of actual Windows
computers on the planet, that is a sufficient playground for any realistic
application of the equation.
> Of course, that many Windows
> computers don't exist on Earth, so the mathematics is flawed.
What? You put in bogus numbers, get a bogus result, and this means the
underlying mathematical idea is flawed? You need mathematical retraining.
The mathematics is perfectly sound when applied to its clearly stated
purpose. You may or may not be aware that population and biological studies
rely on this equation, and the practitioners understand the notion of
limits, even if some readers do not.
> Your
> equation might be reasonably accurate for predicting the early stages of
> an epidemic's spread, but sooner or later factors that don't appear in
> your equation will start to slow its exponential spread.
Yes, but this is not the matter under discussion. My use of the equation is
solely meant to show the flaw in relying on filtering. The final outcome is
irrelevant -- my example only shows how quickly things get out of control
if reliance is placed on filtering.
>
> As to completeness, the rate of spread can be important in terms of the
> extent of the problem.
The point is that filtering doesn't work, and this equation shows why. Any
one of the wide array of worms and viruses extant at any moment that happen
to escape filtering quickly takes over the entire network. The equation is
meant to alert unsophisticated people to the nature of exponential
increase.
> AT ANY GIVEN TIME, one computer spewing Swen (or
> whatever) is a lot less of a problem than a thousand computers doing so.
Red herring.
> Of course, left unchecked, the one computer will quickly infect a
> thousand others, but in the same time, the thousand others in the
> 1,000-infected case will likely infect many more, so the benefits persist
> over time --
What benefits are you addressing? Benefits of what?
> at least, until the rate of infection reaches some sort of
> equilibrium.
The point at which there are so many worms flying about that there is no
bandwidth left for legitimate uses? It's too late then for examples like
mine. My example's purpose and outcome is clear and valid in its stated
domain.
> Furthermore, simple observation of past infections tells me that your
> mathematical approach is flawed.
No, it shows me that you don't understand it.
> Even aside from the issue of running out
> of computers to infect, your approach suggests no abatement in the spread
> of a virus/worm. In fact, previous incidents have been beaten back in
> various ways.
I already said "Barring extraordinary measures, like methods other than
filtering," which anticipates, and takes the wind out of, your present
argument. It is those non-filtering measures that have halted specific past
infections, but our topic is worms/virii as an ongoing phenomenon.
Obviously if only one worm ever existed, the discussion would be different.
> I'm not an epidemiologist and so I don't know what equations they use for
> these sorts of things,
I do, and I posted it. I didn't expect to have to say "this equation cannot
predict growth patterns without bound." Only mathematically untrained
peopele need to be told that.
> but I'm sure they have a way of predicting the
> equilibrium point.
No, that is rather difficult, in fact. Most such systems have one or more
components that lead to a choatic outcome, so no simple equation such as I
posted can be relied on to predict long-term outcomes. This doesn't reduce
its value as a starting point, or as a predictor in a system such as we are
discussing.
> Some of those variables are certain to affect just
> what that equilibrium point is, too, and that's vitally important in
> understanding the impact that an infection will have. If filters can help
> bring the equilibrium point down,
What? Think about what you are saying. A filter (meaning a method to reduce
the growth rate) can only delay the approach to the equibrium point, it
cannot change its location (total population).
> or slow the spread of the virus/worm so
> that other measures can be brought to bear before equilibrium is reached,
> the impact of the virus in terms of wasted bandwidth, etc., will be
> reduced.
Quite false, again barring the application of methods other than filtering.
Do the math.
> On another note, on an INDIVIDUAL BASIS, filters can do a lot of good.
This is getting ridiculous. Here you mix an individual observation with a
flawed attempt at generalization.
> I
> haven't personally seen a single Swen message in my mail reader.
An observation of no use to those 700,000 infected end users, most of whom
were failed by filtering at some point.
> My
> pre-Swen filters blocked them all from getting that far, although they
> were chewing up my bandwidth until I started filtering with mailfilter.
Here you at least allude to other issues, like the idea that even total
fitering doesn't change the amount of bandwidth wasted in getting the
message to the recipient.
> Thus, AS AN INDIVIDUAL, I'm not particularly bothered by this outbreak --
> not as I would be if I had to delete the thousands of Swen messages that
> I know have been directed at me. Of course, this observation doesn't fit
> well with the broad view, although it's certainly part of it.
In fact it is at right angles to the entire dicussion.
> In conclusion, although I agree that mathematics plays an important role
> in understanding and predicting the spread of computer viruses and worms,
> I don't believe you've used the correct equation to do so,
An opinon that springs from ignorance. In fact, I applied the standard
equation used to predict the growth of populations not facing significant
resource limitations, entirely appropriate to the present problem at its
present stage. It is an equation known to every biologist and population
researcher on the planet.
> and that fact
> invalidates your results.
Try to turn it into a "fact" before going on, and I am glad for your sake
that this NG is not read by trained mathematicians. You would need to know
much more about this topic before you could seque from your uninformed
opinion to "fact."
> Mathematics is also simply a way to MODEL the
> world, and features not in the models can and do play a role in the
> world, so mathematics isn't the ONLY tool that should be used in
> understanding such things -- at least, not with complex systems like the
> Internet.
Did you have some other tool in mind? Since you didn't understand this
application of mathematics, didn't recognize an equation learned by all
biology undergraduates, and didn't see the connection between the equation
and the real world, you aren't in a position to dismiss mathematics as an
aoppropriate tool.
> On Mon, 22 Sep 2003 13:40:10 -0400, Rod Smith
> <rods...@nessus.rodsbooks.com> wrote:
>>
>> Personally, I disagree that 100% effectiveness is necessary for a tool to
>> be useful. Indeed, applying a 100% success criterion before using a
>> technology would mean we wouldn't be using any technology at all.
>
> Excellent point.
>
Yes, an excellent point, but one irrelevant to the discussion. Technology
doesn't have to be 100% effective, in fact it cannot be, and that is why
filtering will not, cannot, work.
> In article <vmujt5a...@corp.supernews.com>, Paul Lutus wrote:
>
>>>> That's simply not true. As of yesterday I'm getting over 100
>>>> virus-laden e-mails an hour. Only 1-2 per _day_ get through
>>>> postini, and they're usually caught by SA.
>>
>> You just proved my point. Some small fraction of a percent
>> leakage is all it takes to bring us to the present situation.
>> If even one copy of Swen is activated, it then emits, say,
>> 10,000 copies per hour until the host system is either cleaned
>> or disconnected from the Internet. Like the school in the south
>> that did just that over the weekend (described in my prior
>> post).
>
> So you're solution is what? Let 5000 a day through rather than
> 1-2?
Did you read and understand the mathematics? The math shows that filtering
only delays the meltdown. Exponential processes have some special
properties, one of which is a relative insensitivity to growth rate when
the final outcome is being evaluated and there is plenty of time to watch
the fireworks.
>
>>>> If you don't call that effective, then we're not speaking the
>>>> same language.
>>
>> One of us understands the problem and the underlying
>> mathematics. See below.
>
> I simply don't care if 1-2 a day make it to my inbox. They're
> not going to harm my computer or cause me any significant
> inconvenience. Letting 5000 day hit my inbox would cause
> serious problems. By my criteria, the filter is effective.
You don't understsand the system or its matheamtics.
>
>>> Personally, I disagree that 100% effectiveness is necessary for
>>> a tool to be useful.
>>
>> Don't confuse tools with pathogens. How comfortable would you
>> be if your doctor said "We got 99% of those pesky cancer cells,
>> so you can go home now"?
>
> I'm afraid you won't even get a guarantee that good from your
> oncologist. You going to stop going to the doctor because they
> won't provide a guarantee of 100% effectiveness for all
> treatments.
You miss the point. I can't turn in my body for a replacement, but I can
evaluate approaches other than filtering for dealing with worms and
viruses.
> On Mon, 22 Sep 2003 19:24:25 +0100, Joe <j...@jretrading.com> wrote:
>>
>> SMTP servers could do reverse DNS checking on envelope.
>>
>
> Great idea. They must make money on it, like the PO does with junkmail,
> which subsidizes the regular user accounts, so I don't think it is going
> to happen. Spam is just advertising, and in the world of the Internet as
> well as newspapers and the like, it keeps the retail cost down.
No, it's the opposite. Spam, and advertising in general, make costs go up,
not down. Advertising has as its purpose, not making costs go down, but
attracting customers from competitors (and a few other things). Sometimes
the cost of advertising is unbelievably high, such that the goods are
doubled in cost because of promotion. Books and movies are two examples at
random where promotional costs are very high, and the customer obviously
pays those costs.
> In message <vmtak1d...@corp.supernews.com>, Paul Lutus
> <nos...@nosite.zzz> writes
>>
>>Won't matter. There are no effective filtering methods. There are too many
>>messages, each with content that is too plausible for any kind of
>>ecffective filtering. And if a method is created that works for a while,
>>the spammers will think of a way around it. They have to -- they must try
>>to survive, like fruit flies. Some will die, the rest will thrive in the
>>vacuum that remains.
>>
>>It's evolution at work. Survival of the most annoyingly persistent.
>>
>
> Perhaps we can't stop all of them, but we don't have to. We just need to
> get nearly all.
We're discussing worms and viruses, not spam, although spam is a related
issue. Getting almost all of them isn't good enough, because any that get
through reproduce. The math is different.
I see you're discussing a different topic, so I won't persist in trying to
draw you back to the actual one.
> Kegwasher writes:
>> I want a normal news reader that does not require the correct email
>> address for.
>
> www.newsguy.com . Normal newsfeed, every group you can imagine, good spam
> filtering, excellent support. $40/year.
Gee, don't your ISPs have news as a normal service, part of the package? I
thought that was standard.
> On Mon, 22 Sep 2003 15:26:51 -0700, Paul Lutus wrote:
>
>>> But it's still significantly *less* likely for a virus-in-a-ZIP to
>>> spread, than for a virus-in-an-EXE to spread.
>>
>> If you fully understand the problem posed by an exponential function, you
>> will see this is grasping at straws.
>
> Then go find the spammers, and sentence them to life without parole
> with a 500-pound roommate named Bubba. But until you succeed in
> doing so, don't advocate *not* filtering!
Hold on. I am not advocating any such thing. I am saying it doesn't solve
the problem, and proof for that is not hard to find. Its like someone
saying "capital punishment is flawed," an argument that is not remotely
like saying that it should be abolished.
Apropos Winston Churchill' remark, "Democracy is the worst form of
government ... except all the others."
> On Mon, 22 Sep 2003 15:17:43 -0700, Paul Lutus wrote:
>
>> For the
>> bacteria, the process never stops. They are by definition on the job
>> 24/7, and they love their work.
>
> Computer viruses mutate only as specified by their authors, which so far
> is a highly limited range, compared to bacteria.
Yes, but the recent crop of worms has been designed by a much more
sophisticated group of programmers, all covered earlier in the thread.
> Virus authors are not
> on the job 24/7.
But the viruses are, which was my point.
>
>>> If my doctor said "We got 99% of the cancer cells, so you can go home
>>> for three months, and then we'll treat you again" - and if I were
>>> confident that this would prevent the cancer cells from ever exceeding
>>> a certain level - then I would consider it acceptable. Not *good*,
>>> really, but acceptable.
>>
>> Acceptable to die, when a more thorough treatment would allow you to
>> live?
>
> You didn't pay attention to my second if, did you? *If* this keeps the
> cancer cells acceptably low, then it's okay. If it doesn't, then it's
> not. This should be blindingly obvious.
There is no IF when it comes to cancer, and I noted your qualifier.
>
>> the cancer cells follow an exponential-increase pattern.
>
> But if we reduce the extent of the infection by 99% every X days, then
> this is an exponential *decrease*. It is possible for the latter to
> match the former.
No, there may be a decrease, but is not exponential. Right idea, wrong term.
And no, as long as there are any remaining cells, it isn't any kind of
desirable outcome, because cancer treatments are nearly all symptomatic
(e.g. pepetual unless/until 100% success is achieved). Constant effort, no
movement toward a goal.
>
>>> Filtering is reducing the extent of the problem.
>>
>> For systems governed by exponential increase, filtering doesn't reduce
>> the extent of the problem, it merely reduces the numbers (a symptomatic
>> change) and postpones actually addressing the problem in a meaningful
>> way. It's like not worrying about population increase because some people
>> in some places are practicing family planning. That's just not good
>> enough.
>
> See above. It *can* be good enough, *if* filter improvement reduces
> the numbers just as fast as viral evolution increases them.
This cannot be compared to actually addressing the problem.
>> You really don't understand this issue. The filters are not dynamic in
>> the slightest. Someone has to explicitly try to make thm 100% effective,
>> because that is a requirement, but it is also impossible. Filtering
>> doesn't work. Viruses and worms, by contrast, are dynamic.
>
> Filters are not dynamic? Codswallop! I'm using different filters today
> than I was using one week ago, ergo I am a walking counterexample.
We are merely disagreeing about the meaning of "dynamic". You think
"dynamic" means periodically revised by a maintainer. I think it means
evolving, as viruses do. Different definitions.
>
>> It is very hard to argue persuasively against headlines. Swen has reached
>> and infected over 700,000 computers in a week.
>
> And how many of those 700,000 will be disinfected in another week?
Since the numbers are still increasing, it is safe to assume that the
problem is getting worse.
>
> Filters evolve because *I* evolve them.
Okay, now I know you don't know what "evolve" means. Evolution is not
orchestration from outside. It is the extinction of all the failed
experiments, leaving only the successful ones to reproduce, and, as
inefficient as that sounds, it is so effective at deriving useful solutions
that it has become a common computer-science research practice (still being
developed).
> A few days ago, I was getting
> thousands of junk messages a day. Now I've improved my filters and I
> only get a couple dozen a day (and I could probably filter those, too,
> but I've been a bit lazy about the last mile).
This will remain true only if you keep up the effort level. That is not
evolution. Evolution takes place without explicit interference.
>
>>> If we don't know who
>>> the spam kings are,
>>
>> Doesn't matter. If owners of businesses are arrested, the spammers will
>> not get any more money, end of story. Even assuming they (the spammers)
>> are not identified by their employers and arrested.
>
> How many spams does it take before a business owner is arrested? If
> the answer is one, then the likely consequences are disastrous: I
> compose a spamvertisement for your business, take it to a cybercafe
> (and pay them cash), send it from an anonymous account to my real
> account, then complain to the government about it. What happens to
> you? Multiply by the number of computer-literate assholes in the
> country... Better set a higher minimum number of complaints, say one
> hundred or even one thousand?
Why aren't you picketing against the death penalty? Surely you know that
innocent people have been executed. Think it over -- is the death penalty,
with all its flaws, acceptable or not?
JB> Ed Murphy wrote (in part):
JB>
JB> > The content needs to include the message that the spammer wants to
JB> > get across, in some sort of human-readable form, so that places some
JB> > limits on how much it can vary. The actual variance is a lot smaller
JB> > than it probably could be, presumably because spammers believe that
JB> > most people (especially their target market) are too stupid to filter
JB> > effectively.
JB>
JB> In the past, spam filtering looked at the (full) headers exclusively.
JB> Now that no longer works very well. So filters like Spam Assassin must
JB> look at the body of the e-mail. This is *much more costly* of processor
JB> time.
JB> >
JB> > How would this stack up against Bayesian filtering? I can envision a
JB> > particularly sharp ISP offering to do it for the user: "Forward
JB> > your spam e-mails to sp...@sharpisp.com, and our SmartSystem will
JB> > automagically figure out how to identify and suppress future spam,
JB> > based on the type of spam that *you* have been receiving! (You can
JB> > review the suppressed messages at
JB> > http://www.sharpisp.com/yourusername/spam/ - if a legitimate message
JB> > is mistakenly identified as spam, then just click on it, and it will
JB> > appear in your mailbox as normal. Messages stored here are deleted
JB> > after X days.)"
JB>
JB> My ISP offers just such a service with SpamAssassin. There are two
JB> problems I see with this.
JB>
JB> 1.) About 2/3 of the latest crap gets through Spam Assassin.
I set the score for MICROSOFT_EXECUTABLE to 150.0. This killed it all
right off. There is NO legitimate reason for ANYONE to send me a MS
EXE file -- I don't run any flavor of MS O/Ss on any of my computers.
JB>
JB> 2.) When SpamAssassin has about 1000 candidates in the list of possible
JB> spams, it is no longer possible to examine the list as the system just
JB> locks up. So I must look about once an hour (500 or so), or it is too late.
JB> >
JB> > Then again, between the people computer-literate enough to do their
JB> > own reasonably effective filtering, and the people
JB> > computer-illiterate enough to either (a) get by with no filtering at
JB> > all or (b) accept whatever filtering their ISP offers without asking
JB> > questions, how much of a middle ground is there?
JB> >
JB> Since I have a dial-up link to the Internet, it is imperitive for me not
JB> to try downloading these things since they come in faster than I can
JB> download them. I have resorted to logging into my ISP's mail server
JB> every hour or so and running mutt there and deleting 1500 or so at a
JB> time. I can only see the ones that SpamAssassin did not catch. I guess
JB> ISPs will just have to cancel users infected with the virus. Anyone
JB> e-mailing a .exe file, for example, will have to be disconnected from
JB> the internet until this is over. Can you imagine the help desk at an ISP
JB> that does this?
JB>
JB>
JB> --
JB> .~. Jean-David Beyer Registered Linux User 85642.
JB> /V\ Registered Machine 73926.
JB> /( )\ Shrewsbury, New Jersey http://counter.li.org
JB> ^^-^^ 8:35am up 2 days, 14:37, 2 users, load average: 2.12, 2.15, 2.10
JB>
JB>
\/
Robert Heller ||InterNet: hel...@cs.umass.edu
http://vis-www.cs.umass.edu/~heller || hel...@deepsoft.com
http://www.deepsoft.com /\FidoNet: 1:321/153
> In article <vmut8b3...@corp.supernews.com>,
> Paul Lutus <nos...@nosite.zzz> writes:
>>
>> For systems governed by exponential increase,
>
> The increase IS NOT truly exponential;
Not at the limit, but everywhere else, yes. The term remains appropriate.
> sooner or later, it'll hit a hard
> limit -- the number of computers in the world.
Please don't digress. The example is appropriate to its clearly stated
purpose. By the time the math breaks down, the Internet will have long
since broken down in anticipation.
> Even before then, the rate
> of increase will slow because some of the systems the virus/worm tries to
> infect will already be infected.
All true near and at the limit. The example remains valid.
>
>> filtering doesn't reduce the
>> extent of the problem, it merely reduces the numbers (a symptomatic
>> change) and postpones actually addressing the problem in a meaningful
>> way. It's like not worrying about population increase because some people
>> in some places are practicing family planning. That's just not good
>> enough.
>
> This analogy is flawed.
No, it is appropriate, because imperfect filtering is the immediate reason
we are where we are right now. Deeper reasons go beyond this discussion.
> Nobody's saying we should put up filters and
> forget about it. A better analogy would be that promoting the use of
> filters is like promoting the use of condoms (both to reduce the spread of
> HIV and for family planning purposes). Filtering/using condoms won't
> eliminate the problem, but it can be part of the solution.
Speaking of questionable examples? Imagine relying on a condom as a
safeguard when the number of pathogens is increasing exponentially WRT
time. An umbrella in a volcanic eruption.
>
>> Filters don't become more effective by themselves, but a wide selection
>> of virii/worms with different content and strategies do in fact get
>> better by themselves (using evolution's highly efficient mechanisms).
>> This is why filtering doesn't work.
>
> Computer viruses and worms also are not dynamic in the evolutionary way
> you suggest.
Yes, they are. Imagine something that is literally true: hundreds of worm
and virus writers, each vying for fame (or money, or both) by creating a
program that will spread efficiently. Those programs that spread
efficiently do so because they reasonably match the environment's
conditions, something the program's design is meant to discover. That is
both dynamic and evolutionary.
Then someone else will note the success and write a variant, hoping to
capitalize on the earlier success (the young American arrested last week
allegedly did just that with a design originally written by someone else).
In this way, success breeds more success, especially because the
ineffective virii and worms are unceremoniously discarded. And why not?
There are plenty of designs to go around.
> To the best of my knowledge, they don't mutate on their own,
> as true biological viruses do.
This is an idea under development, as I said.
> The computer variety requires the
> intervention of a programmer (or at least a script kiddie) to be
> modified, just as filters require the intervention of a programmer or
> administrator to be modified.
Doesn't change the underlying idea. You are discussing the rate of change,
or mutation if you prefer. Nature has a bunch of ways to make this happen.
And comparing virii to filters is fundamentally flawed. Successful virii
increase their numbers exponentially, successful filters have no comparable
behavior. The result is that a small fitness improvement in a virus has
much greater effect on the overall system than a change in a filter.
> In fact, it occurs to me that Bayesian spam filters are more dynamic than
> are most computer viruses/worms.
Too bad they can't keep up with the exponential increase that reproducing
worms represent. They are probably more effective against most kinds of
conventional spam than they would be against the reproducing kind.
> Some (most? all?) Bayesian filters can be
> configured to add new messages to their spam/ham databases automatically
> or semi-automatically, which tends to keep them updated with little or no
> intervention. That's minor compared to true evolutionary effects, but it's
> more dynamic than the typical virus or worm, which attacks in precisely
> the same way whether it was released yesterday or a year ago.
The effectiveness of such a filter cannot increase exponentially, but the
population attacking the filter is doing just that. As a result, it is once
again an exponential increase in threat against an arithmetical (probably
linear) change in effectiveness, with a predictable outcome.
It would be impossible if I'd written "Don't give a real address",
but I didn't, I wrote "Don't give a real and VALUABLE address"
I would use some kind of dedicated disposable address for the purpose.
> Kegwasher writes:
>> I want a normal news reader that does not require the correct email
>> address for.
> www.newsguy.com . Normal newsfeed, every group you can imagine, good
> spam filtering, excellent support. $40/year.
Let me second all points. Plus, you get 50mb ad-free webspace, and two
email addresses, each with an alias. And all *very* reliable. Been
with 'em for a few years, as a customer -- no other affiliation.
I dunno if this is relevant to the OP's quest *as stated*...but what the
heck. :)
--
Blinky Linux RU 297263
Nixon's secretary now at MS? http://snurl.com/rosemary
> John Hasler wrote:
Mine does, and I still use Newsguy. I tested my last two ISPs against
it, and the ISP feeds failed to stack up well on propagation (some posts
didn't get out, some took hours or more) and retention. I can't say
that the "conventional wisdom" that ISP news usually sucks because such
a small percentage of the online community uses newsgroups so ISPs don't
put any emphasis on quality, there, is true; but my own experience with
them hasn't shown them to be very hot. Ironically, Newsguy *now* offers
accecss, as well -- but when I started with them, they were just a
dedicated (and good, and inexpensive) news feed.
Actually, that is an excellent case in point of there being both high
variations in usefulness as well as "objective usefulness."
Condoms are by no means 100% effective at preventing all the possible
things that can "spread," but this does not prevent them from being
highly effective, even in the wake of your evident worship of
exponential functions.
NO therapy needs necessarily to totally eliminate the spread of the
infection that it affects in order to be useful.
Diminishing the rate of spread of infection by one means may combine
with other therapies, none of which might be "sufficient" alone.
Which demonstrates the flip side, which is that therapies can multiply
together to provide their own corresponding "exponential" effect to
make the spread of infection fall to a non-fatal level.
The story I hear about the Black Plague, many moons ago, is that it
was spread to humans from rats by fleas by virtue of the fleas jumping
from rat onto peoples' beds.
The possibly apocryphal part of this is that the fleas had the
capability to jump a few inches without assistance. People who had
beds that were low to the ground would find their beds infested with
fleas, thus increasing the rate of fatality.
But correspondingly, if you were to put your town's beds on bricks,
lifting them an extra few inches, this would diminish the number of
fleas making it over to the human population. Those with "stylish"
high beds were thus _much_ more likely to survive.
None of this asserts that lifting the bed is a _perfect_ prevention of
Black Death; people with beds high and low all had some chance of not
surviving. But the height of the bed might make the difference
between a town losing 10% of its population and losing 90%.
Cleaning out 40% of the spam by one technique may not totally solve
the problem. But if I can use that technique *EASILY AND CHEAPLY*,
then it is surely worthwhile to consider using that technique. If it
keeps mail servers from crumbling, then it's worth doing it, perfect
or not. Throw on a few more techniques and they may multiply to
exponentially reduce the problem.
--
output = reverse("moc.enworbbc" "@" "enworbbc")
http://cbbrowne.com/info/multiplexor.html
"Intel engineering seem to have misheard Intel marketing strategy. The
phrase was ``Divide and conquer'' not ``Divide and cock up''"
-- <iia...@www.linux.org.uk> Alan Cox
I certainly wouldn't phrase it this way, but there is a grain of
something with which I agree here. From an ethical point of view,
recipients shouldn't need to be bothered with filtering or taking other
measures against worms. As a practical matter, though, users do have to
be concerned with such matters. My position is that filters can *HELP*.
I've never said that filtering should be the *ONLY* action taken to stem
the tide.
>> Another analogy, which also isn't 1:1 but that may be better, is of
>> innoculation. If you innoculate 99% of the population against a disease,
>> they'll be protected from it, even if the remaining 1% runs around
>> spreading the virus all over the place.
>
> No, that is quite false (and it is spelled "inoculation"). In fact, you must
> have 100% coverage for the effort to be worthwhile at all.
If your goal is the 100% eradication of the disease, then I'm willing to
accept that 100% inoculation is necessary. Nobody here is claiming that
filters will eradicate a piece of computer malware, though; the claim is
that they can reduce the speed of the spread and perhaps lower the
carrying capacity of the Internet as a whole for the targeted malware.
>>> No amount of rhetoric can escape this equation:
>>>
>>> y(t) = a * exp(f * t)
>>>
>>> t = time, choose any suitable units.
>>> y = today's population of, say, Swen.
>>> a = yesterday's population of Swen.
>>> f = the fraction of a percent of Swen copies that leak through filtering
>>> methods.
...
>>> Are we getting this? In a technical discussion, mathematics has it all
>>> over rhetoric, especially when (as in this case) the mathematics can be
>>> relied on to predict outcomes.
>>
>> That's true when the mathematics is correct and complete. Yours is
>> neither.
>
> Nonsense. Your failure to post any mathematics to try to bolster your
> opinion is noted with dismay.
Try this, then, the equation for a logistic growth curve:
dN/dt = rN(1 - N/K)
r = growth rate
N = population size
K = carrying capacity
From http://marine.geol.sc.edu/BIOL/Courses/BIOL301/Wethey/Outline09.html:
: Exponential population growth is only appropriate for describing the
: initial colonization of empty habitats.
...
: The Logistic equation is a much more reasonable model than the
: exponential growth equation, because we know that populations must have
: an upper limit to growth. There is not enough matter in the universe to
: support exponential populations forever.
The logistic equation levels out at the carrying capacity. As somebody
who claims to be an epidemiologist, I'd expect you to know this. Why then
present the wrong equation? Why defend it when called on the matter?
>> For instance, your
>> equation and example numbers suggest that in about 116 days there'd be 1
>> trillion (1x10^12) infected computers.
>
> Not unless you try to go somewhere not intended by the example, in which
> case you get to go there alone.
In other words, the equation is not the correct one; it's just a rough
approximation, and you didn't bother to specify its limits.
>> Of course, that many Windows
>> computers don't exist on Earth, so the mathematics is flawed.
>
> What? You put in bogus numbers, get a bogus result, and this means the
> underlying mathematical idea is flawed?
No, I entered numbers that are mathematically valid. You didn't specify
any limits on the use of the equation. What I did is called reductio ad
absurdum: "a method of proof which proceeds by stating a proposition and
then showing that it results in a contradiction, thus demonstrating the
proposition to be false."
(http://mathworld.wolfram.com/ReductioadAbsurdum.html)
> My use of the equation is
> solely meant to show the flaw in relying on filtering. The final outcome is
> irrelevant -- my example only shows how quickly things get out of control
> if reliance is placed on filtering.
Filtering can SLOW the spread, perhaps substantially. For instance, using
the exponential equation (my calculus is a bit rusty), using a starting
population of 1,000 and time units of hours, the results of varying
filter effectiveness (as measured by f) at ten hours are:
f y(10)
--- ----------
0.1 2,718
0.5 148,413
1.0 22,026,466
Of course, depending upon the carrying capacity, the values using the
logistic growth equation would be lower. Even 2,718 infections is a lot,
but it's a lot easier to bring other methods to bear at hour ten in this
scenario in order to control the situation if you've got 2,718 infected
systems than if you've got 22,026,466 infected systems.
>> Furthermore, simple observation of past infections tells me that your
>> mathematical approach is flawed.
>
> No, it shows me that you don't understand it.
I understand it just fine. Put succinctly, and in a way we can both agree
on: The spread of malware can be very quick. You did, though, present an
equation that's only used as the starting point for deriving the real
equation. When called on that fact, you screamed that I was applying it
inappropriately. Well, yes, in that it's not *MEANT* to be applied in the
real world; it's a mathematical abstraction that makes preposterous
predictions when fed data beyond a very limited point.
If you're going to present equations in an effort to be impressive, you
might want to consider presenting the correct ones and explicitly stating
the boundaries past which they aren't meant to be applied.
>> Even aside from the issue of running out
>> of computers to infect, your approach suggests no abatement in the spread
>> of a virus/worm. In fact, previous incidents have been beaten back in
>> various ways.
>
> I already said "Barring extraordinary measures, like methods other than
> filtering," which anticipates, and takes the wind out of, your present
> argument. It is those non-filtering measures that have halted specific past
> infections, but our topic is worms/virii as an ongoing phenomenon.
> Obviously if only one worm ever existed, the discussion would be different.
Ultimately, I think we may be agreeing on a lot more than our exchanges
suggest. I never meant to imply that filtering alone could do anything
more than slow the spread of a worm and lower the carrying capacity.
Where we seem to disagree is in the utility of filters in that role.
Filters CAN help slow the spread of these things, and that slowing CAN
help get them under control.
>> Some of those variables are certain to affect just
>> what that equilibrium point is, too, and that's vitally important in
>> understanding the impact that an infection will have. If filters can help
>> bring the equilibrium point down,
>
> What? Think about what you are saying. A filter (meaning a method to reduce
> the growth rate) can only delay the approach to the equibrium point, it
> cannot change its location (total population).
Sure it can. Consider two scenarios:
1) An internet of 10,000 desktop computers and assorted routers and mail
servers. All the 10,000 desktops are running the same version of
Windows, and all are configured identically. Users have an average of
ten other users in their address books. Introduce an e-mail worm that
can spread between the Windows systems in this environment, using the
users' address books to obtain addresses. Chances are the carrying
capacity will be pretty darned close to 10,000. (A few systems might
escape infection if they aren't on anybody's e-mail address book,
though.)
2) The same as #1, but half the systems use mail servers that have some
effective means of blocking the worm. In this environment, the carrying
capacity will be a lot closer to 5,000 systems, because few or none of
the protected systems will become infected.
Of course, this is a very artificial scenario, and even as described, it
only applies to a single worm -- the next worm to come along might get
past the filter used on network #2. In the real world, some allegedly
protected systems may become infected via other vectors (using an
unauthorized and unprotected outside mail server, say, or if the worm can
propagate in ways other than e-mail). Nonetheless, the point is that
filters, even if they are imperfect as a class, remove some systems from
the environment for the malware to spread, hence lowering the carrying
capacity of the environment as a whole. In the real world, I don't know
how effective this would be, but it seems likely that SOME systems would
be indefinitely protected from infection from any given threat by this
mechanism.
[Increasingly insulting replies deleted]
My problem with your position is this: Deriding filters as being
completely useless, as your messages at least seem to imply, is incorrect
and potentially dangerous. I don't know of ANY method of fighting these
things that's 100% effective, short of completely disconnecting from the
Internet. Your posts come across as saying that anything short of 100%
effective is useless. I don't know if that's your intent, but that's how
they read from where I sit. If people read your posts, take away that
message, throw up their hands and say "well, we're going to get clobbered
anyhow," and don't do anything, you'll have contributed to the problem.
Filtering won't completely solve the problem, but it can *HELP* to at
least keep the problem manageable.
> Yes, but the recent crop of worms has been designed by a much more
> sophisticated group of programmers, all covered earlier in the thread.
They're not *that* good. Upwards of 95% of them still involve an
attachment well-known to be a Windows executable, combined with one
or more of the following:
From: contains Microsoft
Body contains Cumulative Update
Subject contains Undeliver(ed|able) (to|mail to|message to)
>>> the cancer cells follow an exponential-increase pattern.
>>
>> But if we reduce the extent of the infection by 99% every X days, then
>> this is an exponential *decrease*. It is possible for the latter to
>> match the former.
>
> No, there may be a decrease, but is not exponential. Right idea, wrong term.
99% every X days == (1/100)^(T/X) which is damn well exponential. I do
have a math degree, you know. If you intend to argue that 99% every X
days doesn't actually happen, then say so!
> And no, as long as there are any remaining cells, it isn't any kind of
> desirable outcome, because cancer treatments are nearly all symptomatic
> (e.g. pepetual unless/until 100% success is achieved). Constant effort, no
> movement toward a goal.
*Any* change is "movement toward a goal". If you intend to argue that
the movement will eventually be insufficient, then say so! (Which you
do, but it's buried.)
The problem is that you seem to be arguing that non-100% solutions
should not be applied at all, or perhaps you're presenting that
appearance in hopes of getting the other side of the debate to
over-extend so you can pounce on its faults. I am arguing that
non-100% solutions *should* be applied because they *do* achieve
significant (at least in the short term) improvements.
Can the spammers / virus authors eventually overcome all filtering
attempts by volume and ingenuity? Theoretically, it's plausible
that they could. Practically, it's hard to say, because it depends
on just *how* motivated they are. It took them this many years to
do more than slightly annoy the power users (i.e. people who regularly
get more than a couple dozen hams per day, and have at least a vague
clue how to implement simple filter / sort mechanisms).
> We are merely disagreeing about the meaning of "dynamic". You think
> "dynamic" means periodically revised by a maintainer. I think it means
> evolving, as viruses do. Different definitions.
I'll ask again: Can Bayesian filtering (which *does* evolve, as you
alert it of its misses) keep up with the evolution of unwanted mail?
Come to think of it, there's really two separate things going on
here: (a) variation of content and (b) increase in volume. It's
probably worthwhile to consider these as separate points first,
then analyze how they interact. IMO (b) is much more important;
the volume of unwanted mail has been noticeably increasing over
the past several months, but it jumped upward a *lot* when Swen
started generating unwanted mail by the metric buttload.
>>> It is very hard to argue persuasively against headlines. Swen has reached
>>> and infected over 700,000 computers in a week.
>>
>> And how many of those 700,000 will be disinfected in another week?
>
> Since the numbers are still increasing, it is safe to assume that the
> problem is getting worse.
http://www.dilbert.com/comics/dilbert/archive/dilbert-20030918.html
"Did you order the plastic
casings I need?"
"They take two weeks for delivery."
"I see that you've cleverly
avoided my actual question
in favor of an imaginary one
involving delivery times."
Pay *attention* to my question! I didn't ask what the trend is *now*,
I asked what it's *going* to be in several days! If you have a reason
why the trend won't reverse during that time, then tell us what it is!
>> Filters evolve because *I* evolve them.
>
> Okay, now I know you don't know what "evolve" means. Evolution is not
> orchestration from outside. It is the extinction of all the failed
> experiments, leaving only the successful ones to reproduce, and, as
> inefficient as that sounds, it is so effective at deriving useful solutions
> that it has become a common computer-science research practice (still being
> developed).
Not all evolution is natural. Anyway, does Bayesian filtering meet your
definition of (natural) evolution?
>> How many spams does it take before a business owner is arrested? If
>> the answer is one, then the likely consequences are disastrous: I
>> compose a spamvertisement for your business, take it to a cybercafe
>> (and pay them cash), send it from an anonymous account to my real
>> account, then complain to the government about it. What happens to
>> you? Multiply by the number of computer-literate assholes in the
>> country... Better set a higher minimum number of complaints, say one
>> hundred or even one thousand?
>
> Why aren't you picketing against the death penalty? Surely you know that
> innocent people have been executed. Think it over -- is the death penalty,
> with all its flaws, acceptable or not?
Ooh, that's a whole different bucket of worms, so let's not get into
it. I'll simply point out that - until you include measures to prevent
this sort of thing - a system that mandates 10 to 15 years for one spam
is *worse* than a system that mandates 10 to 15 years for (say) assault
and battery - because framing someone for assault and battery is fairly
difficult to get away with, whereas framing someone for spamming *could*
be nauseatingly simple. *If* the law is poorly written. I'm just saying
that you can't just slap *any* anti-spam law into place and expect
community improvement; you must do a reasonable amount of bulletproofing.
(Should I change my middle name to Aloysius?)
>> Then go find the spammers, and sentence them to life without parole
>> with a 500-pound roommate named Bubba. But until you succeed in
>> doing so, don't advocate *not* filtering!
> Hold on. I am not advocating any such thing. I am saying it doesn't solve
> the problem, and proof for that is not hard to find. Its like someone
> saying "capital punishment is flawed," an argument that is not remotely
> like saying that it should be abolished.
>
> Apropos Winston Churchill' remark, "Democracy is the worst form of
> government ... except all the others."
Oh, good, now we've got that out of the way. One of my other newsgroups
had a weeks-long thread that involved (among other things) a similar
misconception. (It pertained to age-of-consent laws.)
I point out the following:
(a) "It doesn't solve the problem" is easily misinterpreted as "it isn't
worth doing". Yes, it's a misinterpretation, but that *is* how it
tends to be interpreted.
(b) "It isn't enough to solve the long-term problem" gets your point
across, without the risk of misinterpretation noted above.
So yeah, some of us will work on the short-term issue (filtering) and
some on the long-term issue (nipping spammers / virus authors in the
bud). That's a smart division of resources, I think.
I'm not convinced that we're within the exponential growth period of
Swen. Most people have been reporting the rates at which they're seeing
the thing have levelled off or are now dropping. (I'm an exception; I've
seen more today than yesterday.) My impression is that most computer
malware is like this, at least today -- it explodes to prominence in a
day or two, hangs around at a steady state for a few days, and then
slowly fades away as various counter-measures kick in. I've not studied
these patterns in any detail, though.
>>> filtering doesn't reduce the
>>> extent of the problem, it merely reduces the numbers (a symptomatic
>>> change) and postpones actually addressing the problem in a meaningful
>>> way. It's like not worrying about population increase because some people
>>> in some places are practicing family planning. That's just not good
>>> enough.
>>
>> This analogy is flawed.
>
> No, it is appropriate, because imperfect filtering is the immediate reason
> we are where we are right now. Deeper reasons go beyond this discussion.
All analogies are flawed in one way or another. My point is that yours
doesn't track on several important ways. Most importantly, your analogy,
carried over to computer malware, suggests that those taking an opposing
view to you are "not worrying" about the malware if filters are in place.
That's a straw man argument; nobody's made that claim. Hence, the analogy
is flawed -- so flawed that it's useless.
>> Nobody's saying we should put up filters and
>> forget about it. A better analogy would be that promoting the use of
>> filters is like promoting the use of condoms (both to reduce the spread of
>> HIV and for family planning purposes). Filtering/using condoms won't
>> eliminate the problem, but it can be part of the solution.
>
> Speaking of questionable examples? Imagine relying on a condom as a
> safeguard when the number of pathogens is increasing exponentially WRT
> time. An umbrella in a volcanic eruption.
Like I said, all analogies are flawed, and that's a flaw in mine. Mine was
intended to address the flaw in yours.
>>> Filters don't become more effective by themselves, but a wide selection
>>> of virii/worms with different content and strategies do in fact get
>>> better by themselves (using evolution's highly efficient mechanisms).
>>> This is why filtering doesn't work.
>>
>> Computer viruses and worms also are not dynamic in the evolutionary way
>> you suggest.
>
> Yes, they are.
No, they aren't.
> Imagine something that is literally true: hundreds of worm
> and virus writers, each vying for fame (or money, or both) by creating a
> program that will spread efficiently. Those programs that spread
> efficiently do so because they reasonably match the environment's
> conditions, something the program's design is meant to discover. That is
> both dynamic and evolutionary.
Only in a human-driven way. The counter-process (filters, anti-virus
tools, etc.) is also driven by humans and human motivations. The benefit
of biological evolution comes from the random mutations that drive the
process and make a quickly reproducing population one that can at least
potentially adapt quickly. The same benefits do not apply to computer
malware, which must still be created by humans, and then reproduce
statically.
> Then someone else will note the success and write a variant, hoping to
> capitalize on the earlier success (the young American arrested last week
> allegedly did just that with a design originally written by someone else).
> In this way, success breeds more success, especially because the
> ineffective virii and worms are unceremoniously discarded. And why not?
> There are plenty of designs to go around.
Precisely the same mechanisms work on computer malware countermeasures.
> And comparing virii to filters is fundamentally flawed. Successful virii
> increase their numbers exponentially, successful filters have no comparable
> behavior. The result is that a small fitness improvement in a virus has
> much greater effect on the overall system than a change in a filter.
I think the biological analogies break down here, because the forces
driving change are so different in the biological and computer realms. I
can certainly see how a computer virus or worm that can reproduce better
can spread more rapidly, but when the counter-measures are brought out,
they'll be able to counter it. The virus/worm benefit will be a temporary
blip.
> You are making an invalid comparison. A piece of technology like a
> computer doesn't have to be 100% reliable because the computer isn't going
> to react to a 0.01% probability flaw by filling the room with copies of
> itself while your back is turned. A system for filtering worms and viruses
> must be 100% effective because the fraction of a percent that escape the
> filter can reproduce to fill the communication channels in a few days.
> Swen has just proven this.
>
> No amount of rhetoric can escape this equation:
>
> y(t) = a * exp(f * t)
>
> t = time, choose any suitable units.
> y = today's population of, say, Swen.
> a = yesterday's population of Swen.
> f = the fraction of a percent of Swen copies that leak through filtering
> methods.
>
> Notice that, to prevent further growth of Swen, you have to set f = 0.
> Translated into everyday terms, "f = 0" means "100% effective filtering".
>
> Simplified further, this means that, given enough time, any nonzero
> positive value for f will result in the complete clogging of the entire
> network. Barring extraordinary measures, like methods other than
> filtering.
>
> Example. Let's say that a network is receiving 1000 copies of Swen (and
> similar worms) per hour, that all but .1% are automatically filtered out,
> and some hapless end user activates only one out of 100 copies that slip
> through (all very optimistic numbers). That activated copy then proceeds
> to emit 1000 copies of itself per hour (just to simplify the math) and the
> process repeats. This works out to an overall growth rate per hour of
> (1000 * .001%) 1%, and a doubling time of:
>
> y = log(2)/log(1 + .01) hours
>
> y = 69.7 hours, or just under three days.
>
> Are we getting this? In a technical discussion, mathematics has it all
> over rhetoric, especially when (as in this case) the mathematics can be
> relied on to predict outcomes.
If you remove the filtering from your numbers above, the doubling time
becomes (if I've done this right)
y = log(2)/log(1+10) = .289 hours = 17 min 20 secs.
so there would be 69.7/.289=241 doubling periods in (roughly) 3 days, and so
after 3 days there would be 2^241=3.5*(10^72) times as many copies, instead
of only twice as many copies.
I agree that if you're looking for a system that will stop these viruses
entirely by itself, this difference in timing is not so important, but what
will be happening during these three days, and the following three days, is
people figuring out either individually or on the behalf of users of their
filtering software how to target this specific virus. So it's better that
by the time they have done this, there are only twice as many viruses to
remove, and twice as much harm to the rest of the net, as 2^241 times as
much/many.
andy.
--
remove ' n - u - l - l ' to email me.
Please don't send me html mail or un-notified attachments. These will be
automatically filed under 'probable spam' unless I'm expecting an email
which hasn't come.
If you do need to send an attachment or html mail, put [attachment] or
[html] in the subject line.
Thanks, andy.
> Problem 1: desperate spammers. Problem 2: desperate programmers. Are you
> getting this? They've formed an alliance and are now creating virii and
> worms of unprecedented sophistication. The purpose? To take over as many
> *individual* Windows machines as possible, where they silently await a
> signal to begin spamming. The present crop of virii and worms are written
> very cleverly and are regularly updated to evade the filtering methods
> used by the anti-virus companies. This means that existing virus filtering
> methods *cannot* *possibly* *succeed*.
<snip>
>
> Don't you understand this is not a nuisance, it is a war? It will not stop
> until the spammers begin to take heavy casualties.
Or until the broader social/political/economic climate changes so that the
sort of causes you've suggested don't apply so much. At a slight tangent -
users in general may for example start to get a bit more aware of the risks
of trusting a company who operates like this to help them enlarge their
gentalia. This could be like one of those situations where a biological
virus spreads to a new human population that is not resistant to it,
causing a great deal of death and suffering, but after a while they do
develop resistance and the rate of infection drops.
> Wake up and smell the capuccino. Once there is a death penalty for
> spammers and virus writers, the problem will begin to abate, *BUT* *NOT*
> *BEFORE*.
>
> Go ahead and laugh. Then start counting the days until such a seemingly
> ludicrous, off-the-wall suggestion begins to seem reasonable.
This is obviously ridiculous, and not even worth laughing at.
> As I write this, over half of the Internet's bandwidth is taken up
> distributing either viruses or spam messages.
Is this statistic a result of actual research or somebody's 'hazard a
guess'?
That depends entirely on how you define "work".
If my goal is to reduce to spam/viruses/junk I seen in my INBOX,
then, yes, filtering does work. It may take several different
types of filter working in sequence, but they can do the job.
No, these filters cannot be static; they will require tweaking,
whether automatically or manually. But they can "work" according
to the above definition.
If you define "work" as "getting rid of the problem", then no,
they don't work; they are an analgesic, not an antibiotic.
--
Chris F.A. Johnson http://cfaj.freeshell.org
===================================================================
My code (if any) in this post is copyright 2003, Chris F.A. Johnson
and may be copied under the terms of the GNU General Public License
> Schn Martin wrote:
>
> > They are.
>
> Always quote the text you are replying to.
I did.
The Subject states a question and I aswered it.
For further information on the subject please read:
"Saving Private E-mail" by Steven J. Vaughan-Nichols in IEEE Spectrum,
August 2003, pp 40-44.
Cheers,
--
========================================================================
Martin Schöön <Martin...@ericsson.com>
"Problems worthy of attack
prove their worth by hitting back"
Piet Hein
========================================================================
> Paul Lutus <nos...@nosite.zzz> writes:
>
>> Schn Martin wrote:
>>
>> > They are.
>>
>> Always quote the text you are replying to.
>
> I did.
No, you did not. Here is thew entire message body of your prior message:
"They are.
A few weeks ago I read about spam and spam filtering in IEEE Spectrum
and they claimed AOL and Hotmail (?) each filtered out 2+ billion
spam messages on their servers - each day."
No quoted text. I said so. End of story.
< snip >
>>> Another analogy, which also isn't 1:1 but that may be better, is of
>>> innoculation. If you innoculate 99% of the population against a disease,
>>> they'll be protected from it, even if the remaining 1% runs around
>>> spreading the virus all over the place.
>>
>> No, that is quite false (and it is spelled "inoculation"). In fact, you
>> must have 100% coverage for the effort to be worthwhile at all.
>
> If your goal is the 100% eradication of the disease, then I'm willing to
> accept that 100% inoculation is necessary.
No, you missed the point, again. Smallpox would have remained a scourge, a
periodic epidemic, until and unless it was eradicated 100%. History proves
this. Same with computer virii and worms.
> Nobody here is claiming that
> filters will eradicate a piece of computer malware, though; the claim is
> that they can reduce the speed of the spread and perhaps lower the
> carrying capacity of the Internet as a whole for the targeted malware.
Your quoted equation below proves this notion to be false, if only you
understood it. It shows that as the carrying capacity is reached, the rate
at which it was approached is irrelevant to the outcome. The time to
meltdown is all that changes. The meltdown is exactly the same. There is no
final outcome in which filtering produces a greater remaining capacity than
no filtering. This is what the logistical equation teaches us. I can't
believe you posted it without realizing this.
>
>>>> No amount of rhetoric can escape this equation:
>>>>
>>>> y(t) = a * exp(f * t)
>>>>
>>>> t = time, choose any suitable units.
>>>> y = today's population of, say, Swen.
>>>> a = yesterday's population of Swen.
>>>> f = the fraction of a percent of Swen copies that leak through
>>>> filtering methods.
> ...
>>>> Are we getting this? In a technical discussion, mathematics has it all
>>>> over rhetoric, especially when (as in this case) the mathematics can be
>>>> relied on to predict outcomes.
>>>
>>> That's true when the mathematics is correct and complete. Yours is
>>> neither.
>>
>> Nonsense. Your failure to post any mathematics to try to bolster your
>> opinion is noted with dismay.
>
> Try this, then, the equation for a logistic growth curve:
>
> dN/dt = rN(1 - N/K)
>
> r = growth rate
> N = population size
> K = carrying capacity
Yes, and this approach agrees (must agree) with my equation until limits are
reached, which was my point. Surely you know this. If not, it's time you
learned.
Here, by the way, is the closed form of the logistical equation:
n(t) = (a exp(r t) k) / (-a + a exp(r t) + k)
Notice the required additional term "a" (initial population at time 0), an
essential term left out of the simplified undergraduate page you quoted.
In full:
t = time, any convenient, consistent units
n(t) = population at time t
a = population at time 0
k = carrying capacity
r = growth rate in terms of t
> The logistic equation levels out at the carrying capacity.
Yes, always, ironically an idea you argue against several times in your
post.
> As somebody
> who claims to be an epidemiologist,
What? Are you going to make anything else up? Supply the quote where I made
this claim.
> I'd expect you to know this. Why then
> present the wrong equation?
I presented the right equation. In the domain of interest, my equation is
correct, as is this one -- they agree, as they must, and as you should
know. In fact, becasuse of its limited range of applicability, my equation
doesn't dismantle your argument as quickly as the one you found. I see you
don't grasp this yet.
> Why defend it when called on the matter?
Because my equation is correct. It is obvious you have no experience with
this sort of thing, so you apparently don't know that the standard
exponential equation, and the logistical equation, agree (and must agree)
before limits are reached (and as clearly shown in the graphs in the
original page).
>>> For instance, your
>>> equation and example numbers suggest that in about 116 days there'd be 1
>>> trillion (1x10^12) infected computers.
It does nothing of the kind. Your idiotic remark is like railing against the
use of a square root function because you cannot get a real result for a
negative argument. The square root function (an algorithm behind the
scenes), like all functions, has a range of validity, and is perfeclty
valid within its range.
>>
>> Not unless you try to go somewhere not intended by the example, in which
>> case you get to go there alone.
>
> In other words, the equation is not the correct one; it's just a rough
> approximation, and you didn't bother to specify its limits.
Utterly false, it is entirely appropriate in its domain. You do not
understand this topic.
>
>>> Of course, that many Windows
>>> computers don't exist on Earth, so the mathematics is flawed.
>>
>> What? You put in bogus numbers, get a bogus result, and this means the
>> underlying mathematical idea is flawed?
>
> No, I entered numbers that are mathematically valid.
False in context. -1 is mathematically valid in isolation, but not if you
desire a real result from a square root function.
> You didn't specify
> any limits on the use of the equation.
No need among people who are educated, any more than it would be needed for
a square root.
> What I did is called reductio ad
> absurdum: "a method of proof which proceeds by stating a proposition and
> then showing that it results in a contradiction, thus demonstrating the
> proposition to be false."
Congratulations! You just "proved" that all mathematics is bogus. For each
and every equation, there is a limited range of validity. You can come up
with a ridiculous numerical argument for any equation to "prove" its
inappropriateness, just as you come up with ridiculous lexical arguments,
same intent, same outcome.
> (http://mathworld.wolfram.com/ReductioadAbsurdum.html)
>
>> My use of the equation is
>> solely meant to show the flaw in relying on filtering. The final outcome
>> is irrelevant -- my example only shows how quickly things get out of
>> control if reliance is placed on filtering.
>
> Filtering can SLOW the spread, perhaps substantially.
Doesn't matter after a few days. We just learned this WRT Swen. Well, some
of us did.
> For instance, using
> the exponential equation (my calculus is a bit rusty), using a starting
> population of 1,000 and time units of hours, the results of varying
> filter effectiveness (as measured by f) at ten hours are:
>
> f y(10)
> --- ----------
> 0.1 2,718
> 0.5 148,413
> 1.0 22,026,466
>
> Of course, depending upon the carrying capacity, the values using the
> logistic growth equation would be lower.
In fact, using the equation you chose to introduce, all the outcomes are the
same, given a reasonable time interval. This is because the carrying
capacity idea means the populations level off eventually at the same point,
all that changes is the time of arrival at the saturation point.
> Even 2,718 infections is a lot,
> but it's a lot easier to bring other methods to bear at hour ten in this
> scenario in order to control the situation if you've got 2,718 infected
> systems than if you've got 22,026,466 infected systems.
>
>>> Furthermore, simple observation of past infections tells me that your
>>> mathematical approach is flawed.
>>
>> No, it shows me that you don't understand it.
>
> I understand it just fine. Put succinctly, and in a way we can both agree
> on: The spread of malware can be very quick. You did, though, present an
> equation that's only used as the starting point for deriving the real
> equation. When called on that fact, you screamed that I was applying it
> inappropriately.
You were doing just that, and no one screamed.
> Well, yes, in that it's not *MEANT* to be applied in the
> real world; it's a mathematical abstraction that makes preposterous
> predictions when fed data beyond a very limited point.
The irony here is that you are arguing for the use of the logistical
equation, even though it undermines your entire thesis. Given the notion of
limits, all the growth rates converge on the same limit - the carrying
capacity of the system. Your argument above is that filtering prevents this
(allows a greater remaining capacity if filtering is applied and time
passes), but the equation you posted shows this to be false. This tells me
you didn't really grasp the meaning of the equation you posted.
> If you're going to present equations in an effort to be impressive,
Hold on. I posted a simpler equation than the one you found a reference to
(and didn't derive properly). Further, the equation you found undermines
your argument in a way that mine does not. You should be thanking me for my
restraint.
> you
> might want to consider presenting the correct ones and explicitly stating
> the boundaries past which they aren't meant to be applied.
I posted the correct equation, and I stated the premise. Since you clearly
do not understand the implications of the equation you posted, it is you
who needs this advice.
< snip >
>>> Some of those variables are certain to affect just
>>> what that equilibrium point is, too, and that's vitally important in
>>> understanding the impact that an infection will have. If filters can
>>> help bring the equilibrium point down,
>>
>> What? Think about what you are saying. A filter (meaning a method to
>> reduce the growth rate) can only delay the approach to the equibrium
>> point, it cannot change its location (total population).
>
> Sure it can.
This shows you do not understand the logistical equation and its
implications. My remark above is correct, and if you ran some examples
through the equation you chose to introduce into the discussion, you would
know this. But to have done that, you would have had to reduce it to a
practical form, as I did above. Then you would have had to run some example
scenarios. You didn'd do any of this necessary homework, as a result you
are posting misstatements about the system it represents. Example:
> Consider two scenarios:
>
> 1) An internet of 10,000 desktop computers and assorted routers and mail
> servers. All the 10,000 desktops are running the same version of
> Windows, and all are configured identically. Users have an average of
> ten other users in their address books. Introduce an e-mail worm that
> can spread between the Windows systems in this environment, using the
> users' address books to obtain addresses. Chances are the carrying
> capacity will be pretty darned close to 10,000. (A few systems might
> escape infection if they aren't on anybody's e-mail address book,
> though.)
> 2) The same as #1, but half the systems use mail servers that have some
> effective means of blocking the worm. In this environment, the carrying
> capacity will be a lot closer to 5,000 systems, because few or none of
> the protected systems will become infected.
No, this is quite false. The carrying capacity is the same in both cases,
and that same limit is reached in both cases (at different times). You
really should have run some tests with the equation you chose to introduce.
To summarize, unless the filtering is 100% effective, and given a variety of
attacks, all the systems eventually become infected and the saturation
point is reached. When are you going to get this? This means the meltdown
point is reached in all such scenarios where filtering is less than
perfect. The equation you chose to post proves this, for all but the case
of 100% filtering effectiveness. You may recall that was my original
position.
> My problem with your position is this: Deriding filters as being
> completely useless,
Look, I don't want to to argue with someone who invents so much. Find the
quote where I made the claim "completely useless," or even an
approximation.
> I'm not convinced that we're within the exponential growth period of
> Swen. Most people have been reporting the rates at which they're seeing
> the thing have levelled off or are now dropping. (I'm an exception; I've
> seen more today than yesterday.) My impression is that most computer
> malware is like this, at least today -- it explodes to prominence in a
> day or two, hangs around at a steady state for a few days, and then
> slowly fades away as various counter-measures kick in. I've not studied
> these patterns in any detail, though.
>
I hope it is tapering off. My worst day was Friday when I got about 7500
of the things (that were not caught by SpamAssassin at my ISP). That is
slightly more than 5/minute. Since then I have not counted for an entire
24-hour period, but when I do count, the rate seems to have dropped to a
little over 4/minute. From midnight until 6AM I got about 1700 (a little
over, but there were 6 e-mails I actually wanted in there), which I
guess is 4.7/minute. I am not sure if that is much of a drop.
Now if all ISPs had the courage to delete all e-mails over 100,000
bytes, this would stop pretty fast. But they would have to get their
clients to agree. After 5 days of this, I imagine quite a lot of them
would. I have done this to my private MTA (sendmail 8.12.10), and it has
deleted only one e-mail I might have wanted.
--
.~. Jean-David Beyer Registered Linux User 85642.
/V\ Registered Machine 73926.
/( )\ Shrewsbury, New Jersey http://counter.li.org
^^-^^ 7:30am up 3 days, 13:32, 2 users, load average: 2.11, 2.15, 2.11
> Until now this has resulted in a small but
> steady stream of adds for stature enhancement. Now that is a real problem,
> I am looking for a replacement.
If you are looking for a replacement, you must -really- need
"stature enhancement"!.
Dale
> >>> Another analogy, which also isn't 1:1 but that may be better, is of
> >>> innoculation. If you innoculate 99% of the population against a disease,
> >>> they'll be protected from it, even if the remaining 1% runs around
> >>> spreading the virus all over the place.
> >>
> >> No, that is quite false (and it is spelled "inoculation"). In fact, you
> >> must have 100% coverage for the effort to be worthwhile at all.
> >
> Rod Smith wrote:
> > If your goal is the 100% eradication of the disease, then I'm willing to
> > accept that 100% inoculation is necessary.
>
Paul Lutus <nos...@nosite.zzz> writes:
> No, you missed the point, again. Smallpox would have remained a scourge, a
> periodic epidemic, until and unless it was eradicated 100%. History proves
> this. Same with computer virii and worms.
Actually, to eradicate a disease you don't need to vaccinate 100% of
the population. The `basic reproduction number' R_0 for a disease is
the number of secondary cases caused by a single primary case in a
fully susceptible population. Under assumptions of random mixing, the
threshold level of vaccination for eradication can be shown to be
(1-1/R_0) [reference: Anderson and May, Infectious Diseases in
Humans]. When vaccination is above this threshold, each case causes
less than one additional secondary case on average, the total number
of subsequent cases is finite (convergent geometric series), and the
disease peters out.
Eradication of smallpox was possible because of its low value of R_0,
requiring 70-80% vaccination. By contrast, measles would require
90-95%, and achieving this level of coverage developing countries is
unfeasible.
Getting back to computer viruses (not virii, by the way), having an
imperfect filter doesn't remove the possibility of further infection,
but it nevertheless reduces the exposure of `susceptibles' to
infection and therefore the number of secondary `cases' caused by each
infected computer. If filtering is good enough, the virus will die
out.
Of course, this will only work if infected machines are cleansed - if
the `infectious period' is infinite, then so is the basic reproduction
number.
--
Stephen Cornell cor...@zoo.cam.ac.uk Tel/fax +44-1223-336644
University of Cambridge, Zoology Department, Downing Street, CAMBRIDGE CB2 3EJ
> Rod Smith wrote (in part):
>
>> I'm not convinced that we're within the exponential growth period of
>> Swen. Most people have been reporting the rates at which they're seeing
>> the thing have levelled off or are now dropping. (I'm an exception; I've
>> seen more today than yesterday.) My impression is that most computer
>> malware is like this, at least today -- it explodes to prominence in a
>> day or two, hangs around at a steady state for a few days, and then
>> slowly fades away as various counter-measures kick in. I've not studied
>> these patterns in any detail, though.
>>
> I hope it is tapering off. My worst day was Friday when I got about 7500
> of the things (that were not caught by SpamAssassin at my ISP). That is
> slightly more than 5/minute. Since then I have not counted for an entire
> 24-hour period, but when I do count, the rate seems to have dropped to a
> little over 4/minute. From midnight until 6AM I got about 1700 (a little
> over, but there were 6 e-mails I actually wanted in there), which I
> guess is 4.7/minute. I am not sure if that is much of a drop.
>
> Now if all ISPs had the courage to delete all e-mails over 100,000
> bytes, this would stop pretty fast. But they would have to get their
> clients to agree. After 5 days of this, I imagine quite a lot of them
> would. I have done this to my private MTA (sendmail 8.12.10), and it has
> deleted only one e-mail I might have wanted.
E-mail would be useless if you couldn't send large PDF or doc files. A
rule that kills anything over 100K without qualification is the wrong
approach. The best thing to do is to kill any e-mail that contains a
Microsoft executable regardless of size. If you really needed to send a .exe
to someone you could always zip it.
>> Nobody here is claiming that
>> filters will eradicate a piece of computer malware, though; the claim is
>> that they can reduce the speed of the spread and perhaps lower the
>> carrying capacity of the Internet as a whole for the targeted malware.
> Your quoted equation below proves this notion to be false, if only you
> understood it. It shows that as the carrying capacity is reached, the rate
> at which it was approached is irrelevant to the outcome. The time to
> meltdown is all that changes. The meltdown is exactly the same. There is no
> final outcome in which filtering produces a greater remaining capacity than
> no filtering. This is what the logistical equation teaches us. I can't
> believe you posted it without realizing this.
Pay *attention* to what he wrote! "Lower the carrying capacity". If you
intend to say that malware will evolve such that the carrying capacity
increases to its previous levels, then say so!
[snip lots of argument over functions being valid if and only if you
remain within their limits. He has a point-- you would have done
better to point out the limits explicitly from the beginning.]
>> 1) An internet of 10,000 desktop computers and assorted routers and mail
>> servers. All the 10,000 desktops are running the same version of
>> Windows, and all are configured identically. Users have an average of
>> ten other users in their address books. Introduce an e-mail worm that
>> can spread between the Windows systems in this environment, using the
>> users' address books to obtain addresses. Chances are the carrying
>> capacity will be pretty darned close to 10,000. (A few systems might
>> escape infection if they aren't on anybody's e-mail address book,
>> though.)
>> 2) The same as #1, but half the systems use mail servers that have some
>> effective means of blocking the worm. In this environment, the carrying
>> capacity will be a lot closer to 5,000 systems, because few or none of
>> the protected systems will become infected.
> No, this is quite false. The carrying capacity is the same in both cases,
> and that same limit is reached in both cases (at different times). You
> really should have run some tests with the equation you chose to introduce.
How will the carrying capacity increase from 5,000 to 10,000? You can't
just hand-wave that it will do so-- you must explain how. What rule do
you assume the block is using? How do you believe the virus will evolve
to defeat this block?