So at my company of about 100 people, we implemented a new anti-SPAM email policy today. Basically, we created a whitelist of people allowed to email us. If you’re not on the whitelist, you get a notification directing you to a web page where you can add yourself to the whitelist.
The whitelist is working fine, but the president of our company got confused, received an email with a virus attachment, thought the attachment was another email message, and opened it.
Now my phone is ringing off the hook because everyone is getting emails with viruses attached to them. I go to the pres’ office, kill the virus process, run the removal tool, check everything out, and it’s all good.
My boss asks me why we don’t just strip out executable attachments in emails anyway. We tell him we were going to implement that with the whitelist, but he pulled us off before we could to work on an urgent-need project. He says, “Oh.”
So then, I get an email from a guy at one of our remote offices stating that he received an email from another employee that has a .pif attachment, but he couldn’t get the attachment, so could I help him get the attachment? This is after I’ve sent a gazillion emails about how spammers can spoof the From: address, so you never know who it’s really from. And I’ve sent a gazillion and one emails about never opening .pif, .scr, .exe, .vbs, .com, etc. files because they’re executables and can harm your system.
And you know what’s weird…99% of the viruses out there are relatively harmless. They may clog up email, but they don’t do any real damage. You know how easy it would be to write a virus that really messes up a computer? Not hard at all. And that’s the scary thing…
stripping executables
Gotta warn you, stripping executables has problems of its own. We worked through them back when I was at the bank, but it meant a lot of pain for us in IT when high-muckety-mucks couldn’t get their (whatever).
What system are you using to handle your whitelisting? I’m about ready to implement TMDA on my private box for certain accounts due to the spam percentage (erm, nearly 100% spam). I’m interested 🙂
—
Matthew P. Barnson
He he, he said stripping
Matt,
I can handle whiny executives a lot easier than idiot ones who open viruses and wonder why I’m unhappy with them 🙂
We use plain ole sendmail with SpamAssassin. We have a *nix guru here who set up the milters and rules for sendmail to utilize the whitelist. We came up with a syntax to allow local users to add people to the whitelist via email, and he wrote a script to parse the emails and update the whitelist.
I love users. We have a feature to allow users to open up an email address to them, or to the whole company. And we also allow users to specify wildcards (for example, all .mil addresses). So one dude thought that no one spams from .edu addresses, so he tried to submit an entry for the entire company for .edu addresses. We caught it and set it just to him, so he can see just how many spams do come from .edu addresses (or spoofed ones).
It actually works quite well right now, since we tag emails that come in that aren’t on the whitelist. We’re debating whether or not to bounce those emails in the future or to just keep mangling them and sending them to the user in some format.
My $.02
Weed
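The scoped whitelist described in the comment above, sketched as an added example (not the poster's script or sendmail rules). The class and function names, the `*` company-scope marker and the rule for what counts as a "broad" wildcard are all assumptions made for illustration; addresses are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

COMPANY = "*"  # assumed scope marker: entry applies to every local user


@dataclass(frozen=True)
class Entry:
    pattern: str  # full address or wildcard, e.g. "*.mil"
    scope: str    # one local user's address, or COMPANY


def is_broad(pattern: str) -> bool:
    """True for wildcards that cover a whole TLD or more ("*.edu", "*")."""
    domain = pattern.lower().rsplit("@", 1)[-1]
    fixed_labels = [l for l in domain.split(".") if l and "*" not in l]
    return "*" in pattern and len(fixed_labels) < 2


class Whitelist:
    def __init__(self):
        self.entries = set()
        self.review_queue = []  # (submitter, pattern) pairs for an admin to look at

    def submit(self, submitter, pattern, company_wide=False):
        """Add an entry. A broad wildcard requested for the whole company is
        narrowed to the submitter only and queued for review."""
        submitter, pattern = submitter.lower(), pattern.strip().lower()
        # Only "*" is accepted as a metacharacter; fnmatch would also honour ? and [].
        if not pattern or any(c in pattern for c in "?[] \t"):
            raise ValueError("unsupported pattern: %r" % pattern)
        scope = COMPANY if company_wide else submitter
        if scope == COMPANY and is_broad(pattern):
            self.review_queue.append((submitter, pattern))
            scope = submitter
        entry = Entry(pattern, scope)
        self.entries.add(entry)
        return entry

    def allowed(self, sender, recipient):
        """Does any entry visible to this recipient match the sender address?
        The sender address can be spoofed, so a match is a filtering hint,
        not proof of who sent the message."""
        sender, recipient = sender.lower(), recipient.lower()
        return any(e.scope in (COMPANY, recipient) and fnmatchcase(sender, e.pattern)
                   for e in self.entries)
```

Messages for which `allowed()` returns False are the ones the comment describes as being tagged rather than delivered untouched.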
Email Postage
Slightly off topic from Weed’s original post but what do you guys think about postage for email? Bill Gates resurfaced his intent to push for a national email postage rate. I can’t even begin to think of the amount of complications that would arise from implementing this system. It’s an interesting prospect, given that the majority of email, and thus a chunk of ISP operating costs, results from spam.
The intent of adding a $.01 postage is to reduce spam. But what happens when somebody opens a virus and fires off an accidental 1M+ emails out of a company directory?
Personally, I’m all for it if it lowers my cost as a consumer. Especially if the scenario plays out where the reduction in spam results in a decrease in monthly ISP rates. People moan about inboxes filling up with spam but I give that delete button a couple quick flicks of the finger. Less of a pain than sifting through the mounds of coupons in the mailbox.
— Sammy G
Electronic mail postage
In my humble opinion, applying a “postage” metaphor to all electronic mail would be an absolute disaster. I’m on several mailing lists whose membership exceeds 100 people. Assuming there are 10 messages posted per day, that means that the mailing list as a whole costs the group $10 a day. Now consider that I’m on about seven such mailing lists, and you’ll see the cost becomes unwieldy.
An alternative solution of which I am fond is the concept of “ransom”. That is, the receiver of an email has a license for use of her mailbox. Upon initial contact, a sender is sent an automated reply, indicating the terms under which the receiver grants the sender access to her mailbox. If the sender agrees, he makes a one-time refundable micropayment (PayPal would love to get a piece of this, I’m sure) into her account. If the email sent is not spam, failure of the recipient to flag it as spam results in the payment being refunded.
Regardless, there are many technical issues to iron out, whatever system is chosen. I object to any system that unfairly taxes active, non-spamming mail users such as myself. I easily send 10-20 emails a day, pay over $50 a month for my ISP bill (DSL plus IP service), and receive over 100 emails a day from various mailing lists where I’m an active participant. Most of my 10-20 emails a day go to those same mailing lists, which means for each mail I send, somewhere between a dozen and a thousand actually get received. It’s a challenging problem. And the worst part of it is the protocol itself: SMTP.
I think there could be a technical answer to spam that dodges the whole “government involvement” thing. That technical answer is to revamp the SMTP (e-mail) protocol. Right now, it’s “push” technology: I address the envelope to whomever, and my mail system delivers it to them, very much like postal mail.
If, instead, this system were reversed, it would immediately solve a great deal of the problem. Think of Instant Messaging systems: someone can’t add you to their “buddy list” (usually) without your consent. In the same way, if SMTP were based on “pull”, a user could be notified, in user-controlled intervals, of the names and subjects of electronic mails others wish to send him/her. He/she could then select which mails are wanted, and which are not. The recipient’s mail server then “pulls” those messages from where they are queued up on another server.
And I just realized how this could be implemented in regular SMTP — or, at least, simulated. Hmm, another project to work on at night…
—
Matthew P. Barnson
But If It’s Cheaper
Like I wrote, I think the notion of postage is interesting if it lowers everyone’s costs, so that you’re not paying $50 a month for basic ISP PLUS micropostage.
I think that a good solution could surface, but it won’t be from a national government act or from a wide-sweeping technology reform. The best change comes from an enterprise (read: business idea) that goes out into the market with a solution and starts signing customers up and making a dent in the consumer landscape.
A business that would offer, $20 unlimited ISP plus micropostage, OR $50 unlimited ISP with new technology that requires receiver-approved email with advanced spambuster ability…would be interesting. Only concern here is whether spam is so annoying that people would quit their current ISP for another. I don’t think it’s so high on the annoying factor to start writing the business plan just yet. 🙂
— Sammy G