Spammers conscript home PCs to do dirty work

27 Jun 2003 13:03


Junk emailers are using viruses to hijack consumers' PCs and relay spam

Junk emailers are spreading viruses that let them send spam anonymously through home computers, according to an email security firm.

The company, MessageLabs, operates servers that block spam and viruses for its clients. Its analysis of data shows that mass distributions of junk email are increasingly coming from the Internet addresses of computers that have in the past sent out viruses as email attachments.

"There is a high correlation," said Matt Sergeant, senior anti-spam technologist for the New York-based company. "About 30,000 machines have both open-proxy software and are responsible for sending viruses."

Open proxies, also known as open relays, are computers that can resend email or other network data, erasing the original address information that could identify the source of the traffic. The 30,000 computers represent about 14 percent of the total open relays from which MessageLabs has registered bulk unsolicited email, otherwise known as spam.
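The correlation MessageLabs describes is, at bottom, a set intersection over a mail gateway's own logs: which source addresses have sent virus attachments, which have relayed spam, and what fraction of the latter also appear in the former. The script below is an added illustration, not MessageLabs' or Postini's code; the log format (`src=`, `verdict=`, `detail=` fields) and the sample lines are constructed, and the IP addresses are from documentation ranges. It also checks the ordering the article implies, that the virus traffic from an address came before its spam traffic.

```python
import re
from collections import defaultdict

# Constructed sample of mail-gateway log lines (hypothetical format, not a real product's).
# Each line: ISO timestamp, source IP, the gateway's verdict, and a detail field.
SAMPLE_LOG = """\
2003-06-20T09:14:02Z src=192.0.2.10 verdict=virus detail=Sobig.e
2003-06-21T11:02:45Z src=192.0.2.10 verdict=spam detail=open-relay
2003-06-20T10:30:00Z src=192.0.2.11 verdict=virus detail=Sobig.e
2003-06-22T08:00:12Z src=192.0.2.11 verdict=spam detail=open-relay
2003-06-21T14:45:09Z src=198.51.100.5 verdict=spam detail=open-relay
2003-06-21T14:46:31Z src=198.51.100.6 verdict=spam detail=open-relay
2003-06-21T14:47:50Z src=198.51.100.7 verdict=spam detail=open-relay
2003-06-23T07:12:00Z src=198.51.100.8 verdict=spam detail=open-relay
2003-06-23T07:13:10Z src=198.51.100.9 verdict=spam detail=open-relay
2003-06-24T16:20:33Z src=203.0.113.4 verdict=virus detail=Sobig.e
2003-06-24T16:21:00Z src=203.0.113.4 verdict=clean detail=-
2003-06-25T12:00:00Z src=203.0.113.9 verdict=clean detail=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) verdict=(?P<verdict>\w+) detail=(?P<detail>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of dicts; reject lines that don't fit."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        records.append(m.groupdict())
    return records


def sources_by_verdict(records):
    """Map each verdict (virus, spam, clean) to the set of source IPs that received it."""
    by_verdict = defaultdict(set)
    for r in records:
        by_verdict[r["verdict"]].add(r["src"])
    return by_verdict


def correlate(records):
    """Intersect virus sources with spam sources and report the overlap as a share of spam sources."""
    by_verdict = sources_by_verdict(records)
    spam_sources = by_verdict["spam"]
    virus_sources = by_verdict["virus"]
    overlap = spam_sources & virus_sources
    share = len(overlap) / len(spam_sources) if spam_sources else 0.0
    return {
        "spam_sources": len(spam_sources),
        "virus_sources": len(virus_sources),
        "overlap": sorted(overlap),
        "overlap_share": share,
    }


def virus_preceded_spam(records):
    """For each IP seen in both roles, report whether its first virus hit came before its first spam hit.

    Timestamps are compared as strings, which is valid only because every
    constructed line uses the same fixed-width ISO 8601 UTC format.
    """
    first_seen = {}  # (src, verdict) -> earliest timestamp
    for r in records:
        key = (r["src"], r["verdict"])
        if key not in first_seen or r["ts"] < first_seen[key]:
            first_seen[key] = r["ts"]
    ordering = {}
    for (src, verdict), ts in first_seen.items():
        if verdict == "virus" and (src, "spam") in first_seen:
            ordering[src] = ts < first_seen[(src, "spam")]
    return ordering


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(correlate(recs))
    print(virus_preceded_spam(recs))
```

On the constructed sample, two of the seven spam-relaying addresses also sent a virus, and in both cases the virus traffic came first. Note what the script does and does not establish, which is the same limit Schmugar raises later in the article: an overlap between the two sets, even with the expected ordering, shows that the same addresses appear in both roles, not that the virus is what turned the machine into a relay.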

If true, the finding could add momentum to the backlash against spammers. Earlier this month, the Federal Trade Commission (FTC) asked Congress for greater power to pursue and penalise those who send unsolicited bulk email.

In mid-May, the FTC and enforcement agencies from other nations sent warning letters to the operators of 1,000 email servers, urging them to close their relays.

Estimates for the percentage of email traffic due to spam run from 30 percent to as much as 75 percent. Nearly 70 percent of spam messages appear to come from servers classified as open relays, according to MessageLabs.

But the connection between open relays and viruses seems tenuous, said Craig Schmugar, senior anti-virus engineer for Network Associates, a security software firm.

"It is interesting data, to be able to correlate spam relays and virus relays, if you can call them that," he said. "However, it's tough to make the case that these machines are infected."

There are other explanations for the connection, Schmugar said. Computers vulnerable to viruses could be more likely to download a program that turns the system into an open relay, for instance. Schmugar also stressed that a 14 percent correlation isn't conclusive.

MessageLabs maintained that the latest outbreaks of computer viruses may have been deliberately caused by spammers. The company has already pinpointed the recent Sobig virus and its previous variants as probable spammer creations. The programs are likely to have been specifically designed to use home computers as a large pool of open relays for spammers, said MessageLabs' Sergeant.

The company's analysis suggests the virus opens a range of "ports," communication channels through which software applications route data from the network. The latest Sobig.e variant opens a series of five ports through which the virus downloads additional software to turn the infected computer into an open relay. The mechanism could also download other kinds of programs, such as remote-control software and backdoor Trojans.

Sergeant also pointed to the time limit, the fact that each variant of the virus spread for only about three weeks, as another indication that the programs were created with a purpose. Sobig.e, for example, will stop spreading on July 14.

Network Associates' Schmugar confirmed the existence of the series of five ports, but said the company hadn't yet confirmed the software-update mechanism.

However, another email security firm, probably the only kind of Internet company that could correlate virus attacks and spam floods, hasn't been able to confirm the correlation seen by MessageLabs.

Postini, a MessageLabs competitor, sifted through 1.8 billion email transactions logged in the past 40 days and didn't find a significant correlation.

"We haven't seen a smoking gun," said Scott Petry, chief technology officer for the California-based company.

Still, Petry said Postini's data may not go back far enough. Much of MessageLabs' evidence stems from the original Sobig infection that started in January.

Story URL: http://news.zdnet.co.uk/itmanagement/0,1000000308,2136709,00.htm

Copyright © 1995-2008 CNET Networks, Inc. All rights reserved
ZDNET is a registered service mark of CNET Networks, Inc. ZDNET Logo is a service mark of CNET Networks, Inc.