Calling All ISPs: What Are You Doing to Stop Mailer Worms?

There are conscientious ISPs and others who don't seem to care. Security Center Editor Larry Seltzer thinks it's time to hold the irresponsible ISPs responsible for attacks they should be preventing.

Are you still getting SoBig.F messages? I know I am. In the past 24 hours, Ive received 213 of them, 2,830 since August 26. One might wonder how such nonsense can go on.

When you get right down to it, there are two base requirements for a SoBig.F infection to fester: an unprotected system and an owner of the system who either doesnt know about infections or doesnt care about protection. You have to be pretty clueless not to know, but not caring is a really bad sign for the community of computer users.

At the same time, theres another party involved: the ISP. And it, too, can either do something about such infections or choose to remain ignorant or careless.

SoBig and other mass-mailers generate a lot of SMTP traffic. Any ISP that pays reasonable attention to its network would notice the vast increase in traffic to Port 25. Even a trivial analysis of that traffic would show it to be characteristic of SoBig or whatever worm is in action, since they all have fairly consistent behaviors. Once the ISP knows this attack is taking place, the responsible thing would be to inform the customer—after blocking their Port 25 access. I can see ISPs not wanting to antagonize customers, but abuse is abuse, even if its unintended by the customer.

However, take a look at the last few SoBig messages I received: one from Singnet (Singapore), two from Broadview Networks, two from Time Warner Telecom, and one from Comcast.

I questioned my own ISP,, whether it monitors its networks for such activity and informs users if there is a problem. Here was its response:

  • A communication was sent to all customers on 8/22/03 about the worm and how to secure their machine against it (attached);
  • Speakeasys abuse team is contacting individual customers based on reports and working with them to get their machine secured;
  • As per our policy, we are not releasing statistics tied to customers affected by this or any other virus because it gives unwarranted attention to those individuals behind the attacks.

While this isnt as aggressive as Id like them to be, I have to acknowledge the fact that scans all e-mail messages for viruses. So users of are highly unlikely to be infected.

I asked some other ISPs about their practices, but only Microsoft replied, pointing out that its also scans e-mails for viruses. The recent experiences with worm attack will, I suspect, push more conscientious ISPs to do the same. But for every there are a dozen ISPs with a lackadaisical attitude.

If ISPs arent going to be responsible for responding to outbreaks, perhaps we should start holding them accountable. Besides, cutting down on worm attacks is both the right thing to do and in their best interest, above-and-beyond cutting down on the wasteful use of resources.

I dont know if it has happened yet, but I can easily imagine someone whose system was damaged by a worm attack attempting to sue those responsible. With a more thorough study than glance I took above, someone could show which ISPs were the major sources for the traffic. Of course, this is America, and as a business law professor of mine used to say, "Any idiot can sue over anything."

But there is a larger point that I hope will gain some traction in the future. These widespread worm attacks are the electronic equivalent of a public-health problem. When we have a public-health problem, we sometimes take stern measures to put a stop to it. So far, weve been holding individuals responsible for keeping their systems clean, and we havent been all that strict. This is hardly a good long-term strategy.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

More from Larry Seltzer