Microsoft bashers and loyalists of other operating systems espouse that the blame for e-mail viruses lies squarely on the doorstep in Bellevue, Washington. I submit to you that the e-mail delivery system of the Internet is broken and there are a lot of other vendors to blame.
First, a little background on the e-mail delivery system. The software that has the dominant market position in the e-mail server market is not from Microsoft, Lotus/IBM, or Sun; it’s called Sendmail. It was originally written by Eric Allman, and the open source version now lives at The Sendmail Consortium. Eric started Sendmail, Inc., which produces a commercial version of the product. From a technology perspective, Sendmail dates back to the pre-ARPANET era of the Internet, and it is about as sysadmin friendly as other programs of that era. The following section is paraphrased from Paul Vixie’s Sendmail Theory and Practice.
Why is Sendmail still in use?
Inertia, partly. Sendmail comes free with every modern UNIX system, which makes it a fairly attractive way to solve the average computer
First, it’s Stallman, not Allman.
The nature of Unix is not “one app to do it all”, but more like “one app to do one thing well”.
There ARE many drop-in replacements for sendmail (many people realized long ago... even Stallman has realized that sendmail is old)... the problem is that so many ‘sys admins’ today are taught/learn the point-and-click method of linux administration and don’t do any research... the default is not always the best method, but they have a “well if it wasn’t good, why would redhat/suse/jobob linux include it?” attitude.
There are multitudes of programs to fight spam that run along side sendmail and its replacements. A good sysadmin will know that, look for it, and install it.
Much like the windows world... if users educated themselves (update that antivirus, don’t open attachments unless you know it’s coming – scan it before opening it) and stopped being so dependent on MS to take care of everything.
Sorry Bubba, it’s Allman.
You are wrong on the name. I’ve added a link.
Linux and Unix vendors included it because it works and it’s free.
Why the ‘Nix world gets a pass on viruses is beyond me. Just because they don’t affect ‘nix systems now doesn’t mean they won’t later. If Unix systems are handling the bulk of the Internet e-mail, any good admin knows that you attack the problem at the server level first, then the desktop.
Well, there are things about the standard Unix security model that make viruses exceedingly difficult to write.
Having said that, clearly, you make a good point, Kevin. Sendmail is a good case of “good enough” being the enemy of “better,” only this time biting the *nix world instead of Microsoft.
The pity here is that you and I basically agree that much of the problem is due to mail admins (whether corporate or ISP-based) who don’t provide virus protection for their users despite its widespread (and, in the case of Linux, completely free) availability. Put a decent virus scanner behind the freemail services and I suspect not a single PC at my university would have been infected with SoBig (since we already have a commercial email scanner on the main campus server).
The culprit for the “don’t protect at the server” attitude may be desktop antivirus software. Before the Internet, the assumption was that infections would be carried by disk–because they were. Hence desktop antivirus software was born in the Windows 3.1 era, and it never went away.
Even with server-side protection, though, desktop protection has to remain for all the morons who blindly click on external links in emails and transmit malware through other channels (like P2P, disks and CD-RWs). Both types of protection are needed.
And as for sendmail, it’s an outdated piece of garbage. Hence why Debian ships with Exim as the default.
Interesting although a geek/0™ like me still has no clue. I suppose I will just continue to depend on my user-side virus protection and my propensity to delete emails from people I do not know while they are still on the server. That is one of the things I like about ICQ. Configured to do email checks, it actually examines the mail residing on the server without downloading it, and allows me to delete it directly on the server.
I draw my mail from my host, which is a Debian Linux operation; they’ve long since dumped sendmail in favor of Postfix, and they’ve got the hooks working properly – they’ve trapped 168 (as of last night) copies of Sobig that were addressed to me, and none have been delivered.
I don’t know why sendmail is getting the blame, when an incompetent admin is dangerous using *any* OS.
Having said that though, my hosting guy (who uses exim on RH) brought up a good point in an explanatory “why I’m filtering your messages at the server” email. He noted that since he’s filtering messages, to include an attachment, end users have to zip their attachments. Now for people like us, that is trivial, but to teach an end user to not only “attach” email but to zip it beforehand is a hassle.
That’s one of my main points: anyone who got the virus should be pissed that their e-mail host happily stored it for them. I got exactly 0 copies of the virus delivered to me because my hosts took the time to have a virus scanner. I also got 0 copies at work for the same reason. Anyone receiving copies of SoBig should be looking at their e-mail host and saying “What The Hell?”.
Chris: You’re right, we do agree on most counts. The whole point of the exercise for me was: who is flying under the radar on this one? I say that any host that allows the transmission of a known virus is derelict in its duties to its customers.
Dean, you are correct, but I would note that Sendmail itself is/was one of the biggest security threats for a long time due to buffer overflows and other exploits. Virus writers are opportunistic and popularity driven. This explains why Outlook is a major target and the GroupWise mail client is not.
Of course desktop AV is important. The problem is that for a long time that has been the first and last line of defense. Maintenance-wise we would all be better off if this was attacked at the server level. Exchange and Notes will never have built-in AV because the AV vendors are too powerful (plus Microsoft got burned in the Desktop AV market in DOS 6), but Sendmail is wide open.
The other interesting point is that the commercial version of Sendmail has McAfee AV technology in it.
BTW – Chris, you may be on to something on the desktop AV hypothesis. I recall an exec uttering words to that effect when I recommended a server based AV gateway for his company a few years ago. Fortunately he was in the minority then, and more so now.
Ironically, my big client let me get them set up with Sybari Antigen for the e-mail gateway, even though they dragged their feet a little at the $1700 cost, but has ignored me about desktop protection on top of it, which would run about $1200 every two years. We’ve been lucky nobody has brought in an infected floppy or done a direct download of something.
Interesting discussion here. Makes sense to me.
In my battles with Sobig fallout, I’ve concluded that more domains do filtering than don’t, but a lot of them have done it badly.
AOL didn’t catch the virus at first, but after the first 10 (!) it stopped passing them on to that box. However I’ve been inundated since with bouncebacks from clueless autoresponders telling me, as if they’re being helpful, that they intercepted the virus I supposedly sent. Since at least a year ago worms have been forging their sender addresses, but really anyone could have seen that coming. I’ve raised the question: What idiot first programmed the notification feature into their e-mail filter (did they know nothing about the fudgability of the medium?), how many other brainless programmers thought it was a good idea, and how many came to the same idea independently?
I’ve been on a mission to tell admins running these clueless filters to turn off the notification “feature”, and others (because regular autoresponders and undeliverable notices still come up) to install filters where they’re not using any. So far I’ve had a success rate running maybe 70%, with some I can’t reach and some just too clueless to ever get it. (Amusingly, the makers of Opera are a big offender on not filtering their e-mail.)
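The comment above describes a filter design flaw worth showing in code: a gateway that accepts a worm-laden message and then sends a “we caught your virus” notice to the address in the headers is replying to a forged sender, so the notice lands on a bystander. The alternative is to make the decision during the SMTP transaction and reject with a permanent 5xx, so no notification mail exists to be misdirected. The following is an added illustration written for this page, not code from the post, its commenters, or any named mail product; the extension list is a constructed placeholder policy standing in for a real antivirus engine, and the sample message is constructed.

```python
"""Added example: accept-then-notify versus reject-at-SMTP-time.

Shows why a virus notification sent to the message's From: address is
backscatter when the sender is forged, and how rejecting in the SMTP
DATA phase avoids generating any notice at all.

Constructed for illustration: the extension list is a placeholder policy,
not a signature database, and the sample message is built inline.
"""
from email import message_from_bytes
from email.message import EmailMessage

# Constructed policy: attachment types this toy filter treats as executable.
# A real gateway would consult an antivirus engine, not a filename list.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".bat", ".com"}


def find_blocked_attachments(raw: bytes) -> list:
    """Return filenames of attachments whose extension is on the block list."""
    msg = message_from_bytes(raw)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and any(name.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS):
            hits.append(name)
    return hits


def naive_filter(raw: bytes) -> dict:
    """Backscatter-generating design: accept everything (250), drop the
    message, then mail a notice to whatever address appears in From:.
    For a worm with a forged sender that notice hits an innocent party."""
    msg = message_from_bytes(raw)
    if find_blocked_attachments(raw):
        return {"smtp_reply": "250 OK", "delivered": False,
                "notify": msg["From"]}
    return {"smtp_reply": "250 OK", "delivered": True, "notify": None}


def smtp_time_filter(raw: bytes) -> dict:
    """Correct design: scan before accepting and answer the DATA command
    with a permanent 5xx. The sending MTA learns of the rejection in-band;
    no new mail is created, so nothing can be sent to a forged sender."""
    if find_blocked_attachments(raw):
        return {"smtp_reply": "550 5.7.1 Message rejected: blocked attachment",
                "delivered": False, "notify": None}
    return {"smtp_reply": "250 OK", "delivered": True, "notify": None}


def build_sample(filename: str, sender: str) -> bytes:
    """Constructed sample message with a single attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Re: Details"
    msg.set_content("See the attached file.")
    msg.add_attachment(b"MZ\x90\x00 constructed stub, not a real binary",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    # Constructed: a worm-style message whose From: is a forged bystander.
    worm = build_sample("details.pif", "forged.bystander@example.org")
    print("accept-then-notify:", naive_filter(worm))
    print("reject at SMTP   :", smtp_time_filter(worm))
```

Run it and compare the two results: the naive filter reports a `notify` target of the forged bystander, while the SMTP-time filter returns a 550 and no notification at all. The same principle applies to “undeliverable” notices for unknown recipients: check the recipient at RCPT time and reject, rather than accepting and bouncing later.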
After learning DOS command-line (after CPM), I struggled with the brain-dead 286 and the overwhelmed 386, and found the utility of the 486…
And along the way, I realized that with the abolishing of ‘priesthoods’ in this day, it was the responsibility of end-users everywhere to learn what’s happening behind the curtain.
Windows/Linux moves the gears-and-levers one step up, or away, or deeper… whatever, but using one’s tools is, IMO, ALWAYS indicative of character: Do you think you can ‘drive’ a car, without qualifying to yourself that you mean you can drive it IF it’s dry, level blacktop OR rainy with less than 1/2 inch?
Or do you mean you can ‘drive’ a car, up to 80mph on glare-ice at night in a blizzard?
Same with computers. Can you only deal with first-level, up-and-running concepts OR can you bring in batch-programming concepts and operators and IT-professional use-of-tool requirements such as malware prevention policies, password-protection, intelligent backup and more?
No one behind the curtain except us gnomes, Pal.