Sobig's success prompts calls for secure e-mail
Technology used to route e-mail from one user to another comes under fire
See correction below
Even seasoned antivirus experts hadn't seen anything like the Sobig-F e-mail worm: Within hours of its release on Aug. 19, it created a million copies of itself and was spreading worldwide, shattering speed records set by earlier viruses.
In the wake of the attack, security experts uniformly credited the worm's sophisticated design for much of its success. However, the sheer magnitude of Sobig's attack led to questions about whether the Internet's current e-mail infrastructure is making things too easy for virus writers and spammers.
For systems administrators like Scott Martin at Modular Mining Systems Inc., Sobig-F feels more like a persistent headache than a ravaging infection.
The e-mail worm directs a steady stream of infected messages to the systems of the mine management and control systems maker at a rate of about 200 each day, or more than 2,500 since mid-August, Martin said.
"Just in the last five minutes, we got six more," he said on the phone in early September at the company's offices in Tucson, Arizona.
Like many other organizations, Modular Mining uses antivirus and antispam technology to thwart Sobig-F infections, but the worm is highlighting shortcomings in the system used to deliver mail from one e-mail user to another, experts say.
"I think that the infrastructure usually evolves out of necessity, and viruses and spam have the potential to push the minimum requirements for the mail infrastructure to a new level," said Blake Ramsdell of Brute Squad Labs Inc. in Redmond, Washington.
In question is technology used to route e-mail messages from one Internet user to another, according to Ramsdell and others. The SMTP (Simple Mail Transfer Protocol), for example, was developed in the early 1980s and is still the primary protocol used to send e-mail messages between servers on the Internet.
Designed to provide a reliable and efficient way to relay messages, SMTP's greatest advantage is its ability to transport e-mail between host systems that use different computer hardware and operating systems. Security was not a major concern at the time SMTP was designed, experts said.
Like worms before it, Sobig-F takes advantage of SMTP's flexibility, sporting its own super-efficient SMTP engine to send out virus-laden e-mail messages.
"That 'S' in SMTP stands for 'Simple'," said Paul Hoffman, director of the Internet Mail Consortium, an international organization of e-mail vendors based in Santa Cruz, California. "And it is simple, you're only talking about 10K of code."
Worms like Sobig also exploit SMTP's lack of authentication, which allows anyone who can connect to an SMTP port on an e-mail server to use that server to send out e-mail, supplying valid or fictitious e-mail addresses in the message's "From:" line, according to the CERT Coordination Center in Pittsburgh, Pennsylvania.
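To make the point concrete from the receiving server's side, the following added example (not from the article, not from any real mail server, and not the CERT text) simulates the envelope stage of an SMTP session and applies the two checks that most mail operators adopted in response to worms and spammers: refuse to relay to outside domains for clients that are neither authenticated nor on the local network (no open relay), and refuse a `MAIL FROM` that claims one of the server's own domains from such a client. The domains, network ranges, addresses and IP numbers are constructed, and the reply texts imitate common MTA wording rather than any particular product.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed policy for this example: the domains this server delivers for
# and the network whose hosts may relay outbound mail through it.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Matches the two envelope commands this toy server cares about.
ADDR_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)


@dataclass
class Session:
    """State of one SMTP connection (hypothetical, simplified)."""
    client_ip: str
    authenticated: bool = False
    mail_from: Optional[str] = None
    rcpts: List[str] = field(default_factory=list)

    @property
    def trusted(self) -> bool:
        # A client is trusted if it authenticated or connected from our own network.
        ip = ipaddress.ip_address(self.client_ip)
        return self.authenticated or any(ip in net for net in TRUSTED_NETS)


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def on_mail_from(session: Session, addr: str) -> Tuple[int, str]:
    # The null sender <> carries bounces and must be accepted from anyone.
    # A sender in one of our own domains is only believable from a trusted client.
    if addr and domain_of(addr) in LOCAL_DOMAINS and not session.trusted:
        return 550, "5.7.1 Sender address rejected: not authorised for this domain"
    session.mail_from = addr
    session.rcpts = []
    return 250, "2.1.0 Ok"


def on_rcpt_to(session: Session, addr: str) -> Tuple[int, str]:
    if session.mail_from is None:
        return 503, "5.5.1 Error: need MAIL command"
    # Deliver for our own domains; relay elsewhere only for trusted clients.
    if domain_of(addr) not in LOCAL_DOMAINS and not session.trusted:
        return 554, "5.7.1 Relay access denied"
    session.rcpts.append(addr)
    return 250, "2.1.5 Ok"


def run_dialogue(session: Session, lines: List[str]) -> List[Tuple[int, str]]:
    """Feed envelope commands to the session and return the reply for each."""
    replies = []
    for line in lines:
        m = ADDR_RE.match(line)
        if m is None:
            replies.append((500, "5.5.2 Error: command not recognized"))
            continue
        verb, addr = m.group(1).upper(), m.group(2)
        handler = on_mail_from if verb == "MAIL FROM" else on_rcpt_to
        replies.append(handler(session, addr))
    return replies


def reply_codes(client_ip: str, lines: List[str], authenticated: bool = False) -> List[int]:
    """Convenience wrapper: run a fresh session and return only the numeric replies."""
    session = Session(client_ip=client_ip, authenticated=authenticated)
    return [code for code, _ in run_dialogue(session, lines)]


if __name__ == "__main__":
    # Constructed scenario: an unknown Internet host claims to be a local user
    # and tries to relay to a third party; both steps are refused.
    print(reply_codes("203.0.113.5", [
        "MAIL FROM:<alice@example.com>",
        "RCPT TO:<bob@other.net>",
    ]))
    # An internal host sends outbound mail for a local user; both are accepted.
    print(reply_codes("10.1.2.3", [
        "MAIL FROM:<alice@example.com>",
        "RCPT TO:<bob@other.net>",
    ]))
```

Two limits of these checks are worth noting. They protect only the server's own domains and its own relay capacity; a receiving server has no way, from the SMTP dialogue alone, to tell whether a sender address in somebody else's domain is genuine, which is exactly the gap a worm's built-in SMTP engine uses when it sends directly to the victim's mail exchanger. And the null sender must stay open, because that is how legitimate bounces arrive.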
Like viruses before it, Sobig-F steals e-mail addresses from the machines it infects and uses them to fake or "spoof" the origin of the e-mail it sends out. That means that e-mail account holders whose computers are not infected by Sobig-F, but whose e-mail addresses are spoofed by the virus, still receive complaint messages from e-mail servers targeted by Sobig-F, resulting in more Sobig headaches.
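The complaint messages described above are bounces for mail the spoofed account holder never sent, and the one fact a receiving site can check is whether the message being bounced ever left its own servers. The added example below (written for this page, not the article's or any product's code) classifies an incoming bounce by pulling the Message-ID of the returned original out of the bounce, either from an attached `message/rfc822` part or from headers quoted in the text, and comparing it against a log of Message-IDs the local server actually issued. The domain, the sent-message log and the three sample messages are constructed; a real deployment would read the log from the outbound mail server.

```python
import re
from email import message_from_string
from email.policy import default as DEFAULT_POLICY
from typing import Set

# Constructed: Message-IDs our own mail server issued for outbound mail.
SENT_MESSAGE_IDS = {"<20030820.1234.abc@example.com>"}

# A Message-ID header line quoted inside a text body.
MSGID_RE = re.compile(r"^Message-ID:\s*(<[^>\s]+>)", re.IGNORECASE | re.MULTILINE)


def is_bounce(msg) -> bool:
    """Bounces arrive with the null envelope sender or from a mailer daemon."""
    return_path = str(msg.get("Return-Path", "")).strip()
    sender = str(msg.get("From", "")).lower()
    return return_path == "<>" or "mailer-daemon" in sender


def quoted_message_ids(msg) -> Set[str]:
    """Collect the Message-IDs of whatever original message the bounce returns."""
    found = set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            original = part.get_payload(0)  # the attached original message
            mid = original.get("Message-ID")
            if mid:
                found.add(str(mid).strip())
        elif ctype.startswith("text/"):
            found.update(MSGID_RE.findall(part.get_content()))
    return found


def classify(raw: str) -> str:
    msg = message_from_string(raw, policy=DEFAULT_POLICY)
    if not is_bounce(msg):
        return "not-a-bounce"
    ids = quoted_message_ids(msg)
    if not ids:
        return "unverifiable-bounce"  # nothing to check; do not guess
    if ids & SENT_MESSAGE_IDS:
        return "legitimate-bounce"
    return "backscatter"  # bounce for a message we never sent


# Constructed sample 1: a bounce returning a worm-generated message that forged
# a local sender; its Message-ID was never issued by our server.
BACKSCATTER_SAMPLE = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@other.net>
To: alice@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

Your message could not be delivered.
--B1
Content-Type: message/rfc822

From: alice@example.com
To: bob@other.net
Message-ID: <worm.9f1e@example.com>
Subject: Re: Details

See the attached file.
--B1--
"""

# Constructed sample 2: a bounce for a message our server really sent.
LEGIT_BOUNCE_SAMPLE = """\
Return-Path: <>
From: MAILER-DAEMON@mail.other.net
To: alice@example.com
Subject: Undelivered Mail
Content-Type: text/plain

The following message could not be delivered:

From: alice@example.com
Message-ID: <20030820.1234.abc@example.com>
Subject: Monthly report
"""

# Constructed sample 3: ordinary mail, not a bounce at all.
NORMAL_SAMPLE = """\
Return-Path: <carol@other.net>
From: carol@other.net
To: alice@example.com
Subject: Lunch

Noon?
"""

if __name__ == "__main__":
    for name, raw in [("backscatter", BACKSCATTER_SAMPLE),
                      ("legit", LEGIT_BOUNCE_SAMPLE),
                      ("normal", NORMAL_SAMPLE)]:
        print(name, "->", classify(raw))
```

The check depends on the local server stamping its own Message-ID on outbound mail and keeping a log of them for as long as bounces can plausibly arrive (a few days); bounces that return no part of the original, as some mail servers send, cannot be verified this way and are reported as such rather than discarded.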