Calling All ISPs: What Are You Doing to Stop Mailer Worms?

By Larry Seltzer  |  Posted 2003-09-08 Print this article Print

There are conscientious ISPs and others who don't seem to care. Security Center Editor Larry Seltzer thinks it's time to hold the irresponsible ISPs responsible for attacks they should be preventing.

Are you still getting SoBig.F messages? I know I am. In the past 24 hours, Ive received 213 of them, 2,830 since August 26. One might wonder how such nonsense can go on. When you get right down to it, there are two base requirements for a SoBig.F infection to fester: an unprotected system and an owner of the system who either doesnt know about infections or doesnt care about protection. You have to be pretty clueless not to know, but not caring is a really bad sign for the community of computer users.

At the same time, theres another party involved: the ISP. And it, too, can either do something about such infections or choose to remain ignorant or careless.
SoBig and other mass-mailers generate a lot of SMTP traffic. Any ISP that pays reasonable attention to its network would notice the vast increase in traffic to Port 25. Even a trivial analysis of that traffic would show it to be characteristic of SoBig or whatever worm is in action, since they all have fairly consistent behaviors. Once the ISP knows this attack is taking place, the responsible thing would be to inform the customer—after blocking their Port 25 access. I can see ISPs not wanting to antagonize customers, but abuse is abuse, even if its unintended by the customer.

However, take a look at the last few SoBig messages I received: one from Singnet (Singapore), two from Broadview Networks, two from Time Warner Telecom, and one from Comcast. I questioned my own ISP,, whether it monitors its networks for such activity and informs users if there is a problem. Here was its response:
  • A communication was sent to all customers on 8/22/03 about the worm and how to secure their machine against it (attached);
  • Speakeasys abuse team is contacting individual customers based on reports and working with them to get their machine secured;
  • As per our policy, we are not releasing statistics tied to customers affected by this or any other virus because it gives unwarranted attention to those individuals behind the attacks.
While this isnt as aggressive as Id like them to be, I have to acknowledge the fact that scans all e-mail messages for viruses. So users of are highly unlikely to be infected.

I asked some other ISPs about their practices, but only Microsoft replied, pointing out that its also scans e-mails for viruses. The recent experiences with worm attack will, I suspect, push more conscientious ISPs to do the same. But for every there are a dozen ISPs with a lackadaisical attitude.

If ISPs arent going to be responsible for responding to outbreaks, perhaps we should start holding them accountable. Besides, cutting down on worm attacks is both the right thing to do and in their best interest, above-and-beyond cutting down on the wasteful use of resources. I dont know if it has happened yet, but I can easily imagine someone whose system was damaged by a worm attack attempting to sue those responsible. With a more thorough study than glance I took above, someone could show which ISPs were the major sources for the traffic. Of course, this is America, and as a business law professor of mine used to say, "Any idiot can sue over anything."

But there is a larger point that I hope will gain some traction in the future. These widespread worm attacks are the electronic equivalent of a public-health problem. When we have a public-health problem, we sometimes take stern measures to put a stop to it. So far, weve been holding individuals responsible for keeping their systems clean, and we havent been all that strict. This is hardly a good long-term strategy.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel