It is unacceptable to block emails simply because they are of a
particular size like "about 150 KB" (Swen sizes seem to vary quite
a bit). Most worms don't fit that size profile
About 95% are, by my logs ... which pretty much dispels that myth.
It is unacceptable [... above ...]
More appropriately, this should read: it's unacceptable to SEND emails
beyond a certain size. E-mail is intended specifically for personal
communications in short ASCII text, like ordinary letters. You
Intended by *WHOM*? I also think I have written, on occasion but
decades ago, handwritten, the equivalent of 150K bytes and sent it
by postal mail to my parents. And I've certainly seen contracts
longer than that. I'd hate to try an argue that sending of huge
spreadsheets is an abuse of resources to the management of my ISP,
because *they* do it all the time, in ways I consider just begging
for viruses. If one gets a virus, soon they'll all have it.
Two people have typical dialup or DSL accounts. Neither has a
static IP. One wants to send a long, complicated *PRIVATE* business
proposal (text) to the other (the recipient is taking bids from
contractors to build a house - that's personal for the recipient,
although a lot of ISPs will object to the suggestion that you can't
do business via email over the Internet (and I'm not talking about
marketing-SPAM, I'm talking about orders, bids, tech support, etc.
between two people who want to talk to each other)).
Describe how this is done, not using email to transport the whole
thing (but short notes "go get this HERE" are OK - right?). Neither
has a FTP server, and although one ISP has a public FTP server,
it's not private at all. It also leaves open the possibility of
one contractor reading the others' bids before dropping off his.
They may have personal web pages, but not necessarily the ability
(server capabilities or configuration may not allow it), skill (to
set a password), or tools (is there a version of htpasswd for Windows
for the customer, if the server runs Apache?) needed to password-protect
pages.
Now, where can I get an account that includes FTP (including the
ability to set up temporary accounts for others to get or put stuff
there) at a price approximating that of a dialup or DSL account?
Incidentally, where's the "abuse of resources" involved with sending
ONE copy of a document to ONE person as an attachment? Yes, the
attachment probably gets about 25% or so bigger, which may not be
worse than the average person's initial failed attempts to use FTP.
The equation becomes MUCH different if you're mass-mailing it to
hundreds or millions of people, most of whom don't even want whatever
it is.
My ISP tries to impose a limit of 1000 messages or 100MB per mailbox;
that seems to imply that they expect 100KB average size. I don't mind
I'm not sure I agree with that conclusion; it's more like they
expect 100KB as the upper end of average size for 95% of their
customers or something like that. I think some stats I ran once
showed that 50% of emails in a large spool directory were under
about 8KB and 50% were above that. That value may have changed a
lot in 5 years, though. A surprising number of messages were under
250 characters plus about 1KB of headers. A fairly large number
of emails I send or receive have a few lines of quoted text followed
by something like "OK, thanks", or "OK, done.".
the occasional large message, as long as the sender knows that the
recipient wants to accept the message and knows that it doesn't cause
problems. Of course I do mind 4000 messages of 150KB.
In the case of the Swen worm, that worm is easily identifiable. I know
The worm is *NOT* easily identifable on *ROUTERS*, where the entire
message is never in the hand of the sender's ISP at any one time
(at most, a router may have a few packets of the message at a time)
unless it's also the recipient's ISP. Modern worms send directly
to the victim's (ISP's) mail server, not through the local ISP mail
server, if at all possible (because if it goes through two different
ISP mail servers, the chances of its getting blocked are much higher).
because I get tons of messages from servers that have identified the
worm and then passed the message on without it; some even encapsulated
it in some way so that if I _wish_ to infect my machine I can do so, so
you _can_ identify them. And any worm or virus can be identified at
least a few days after it starts.
And my ISP _can_ identify all his customers. When I connect to them
through ADSL, they check the phone number that is used, look it up in
the list of phone numbers of paying customers, and if it doesn't match
then they refuse the connection.
You have *DIALUP* DSL? I thought the DSL part was a dedicated line
from one point (customer) to another point (ISP's router) with the
phone number used only for billing. The voice part has the phone number.
Everyone connecting directly through
their modem hardware or ADSL hardware is their customer. If they are not
capable of using that information, that is their problem.
One of the last things an ISP wants to do is to tie all their
services together so that when one of them breaks, everything else
goes down or runs slowly. It's more of a problem with dialup than
static-ip DSL. Who's using a particular IP address can change
quickly (this also applies to cable modems or DSL using DHCP and
dynamic IP addresses). Most mail or web server software has no use
for this information and there's no standard way to get WHICH user
is using this IP, although it's easy to configure "this range of
IP addresses is allowed to relay (where "this range" changes
infrequently)". The last thing an ISP wants is the mail server
pausing a lot because the "who's using this IP" server is down or
unreachable.
If a mail or web server needs this info, it may be several minutes
before that information can be gotten out of possibly
telephone-company-owned terminal servers (yes, sometimes the phone
company, not the ISP, owns the modems you dial up to) to somewhere
it can be used. (The RADIUS protocol has this thing called
accounting-delay-time, which represents the delay between the user
logging in and the accounting record getting sent. Obviously a
known issue. Also, some records get lost when a certain phone
company cycles power on the box or takes it down for maintenance.
Some users are still shown as logged in on boxes taken out of service
years ago since logout records were never generated. Oh, yes, if
the phone company DOES power-cycle the box, we may not be told for
hours, if ever). Would you want to have to wait several minutes
AFTER connecting to do anything?
Oh, yes, there's also this nasty issue of clock synchronization.
A number of bank customers have been nailed wrongly because the
time on the ATM and the time on the camera don't match (for, say,
using the stolen ATM card of a mugging/murder victim). This is
also an issue for nailing customers of ISPs for sending worms, port
scanning, making death threats to the President, mailing SPAM,
sharing music, etc. The recent RIAA lawsuit against some computer
user supposedly sharing music with Kazaa on his Mac (Kazaa doesn't
run on Macs) may be an example of this. For those servers that can
run it (UNIX, Windows, etc.), NTP (Network Time Protocol) is a
solution. However, things like Livingston Portmasters used with
dialup modems can't run it. Some routers can't either. It gets
especially bad when it (whatever it is) can't run NTP but does
generate logs.
(Related example: Your bank presumably has some method of preventing
you and your wife from each withdrawing $500 from your joint account
that has $800 in it on the same day. Can they stop you from doing
it in the same *MILLISECOND*, you in New York and her in San Francisco
(bank offices in New York)? Maybe, but there's this pesky problem
with the speed of light, and a system responding that fast is
expensive. Also, their ATM network tends to go down nationwide if
it needs maintenance, since they don't trust anyone to withdraw
cash without the system up. It's cheaper to risk this happening
occasionally and then charge overlimit fees and hope they can
collect. Similarly, traffic to authenticate who's sending possible
worms may far exceed the traffic from worms.)
If the authentication server(s) go down or are unreachable for 10
minutes (RADIUS lets you have a backup server, but things run slower
if only the backup is up), nobody can log in, but those currently
logged in can still use the Internet. That's bad. If one terminal
server (presumably one of many) goes down, it gives out busy signals
and maybe disconnects a few hundred customers, that's bad, but they
can try to re-dial. If having the authentication server (or RADIUS
accounting server) down causes NOBODY to be able to send mail or
surf the web because they can't identify the customer, that's a
catastrophe. Remember that many ISPs have enough computers that
things like hard drive failures, power supply failures, and CPU fan
failures are fairly common somewhere in their network. For the same
reason, they often use RAID disk setups and multiple servers.
And I think it is quite likely that there is a paragraph in their terms
of usage that allows them to cut out customers who are using infected
machines that try to spread worms. Stopping everything over 150KB is
overly simplistic, but stopping everything containing worms is not. And
Detecting worms with a *ROUTER* is far from simple. Detecting worms
in general, not just a specific one, on a mail server is also not
that simple, and it's something that antivirus companies spend a
lot of time on.
I know I had better not try to block a complaint to the abuse address
of my ISP containing a copy of a worm allegedly sent from there
(even if the sender fell for the fake sender address). Refusing
abuse complaints, which tend to contain copies of worms or SPAM,
gets your ISP on all sorts of real-time black lists.
forcing your customers to do something about infected machines is doing
them a service.
It's funny how they often don't agree with that. I'm not against
forcing customers to disinfect their machines (my comments about
"axe through the phone line and/or power cord" are often considered
a bit harsh) but hijacking a web browser is not a good way to do
it.
Customers are often burned out on worm warnings thanks to some idiot
virus scanners which send a warning about the virus to the purported
sender of the virus, EVEN WHEN THE SCANNER KNOWS THE TYPE OF THE
WORM IS ONE THAT FAKES RETURN ADDRESSES. Therefore, most customers
are pelted with bogus "disinfect your machine" warnings so they
tend to disregard real ones. Hint to virus scanner writers: do
not "clean" the virus from the email. DELETE THE WHOLE DAMN EMAIL!
Warn the sender only if there is a high probability that their
machine is the one infected, which is not the case with modern
worms.
What Gordon Burditt also missed is the fact that sending me thousands of
150KB emails _does_ block legitimate emails out, because my ISP deletes
the oldest mails once my mailbox reaches 100 MB. If I had been on
holiday for a week, all my legitimate email would have been lost.
Yes, but the person whose email was wrongly blocked probably has a
stronger lawsuit against the ISP than the person who had all his
legitimate email expired because the ISP let the worms through.
There are also some annoying legal precedents that if you (ISP)
filter by content, you're responsible for the stuff you let through,
but if you let it all through, you're not responsible for any of
it.
Gordon L. Burditt
