[an error occurred while processing this directive]
BBC News
watch One-Minute World News
Last Updated: Friday, 12 September, 2003, 10:27 GMT 11:27 UK
Waiting for the next Sobig virus
The system we use for e-mail needs to change if we are to avoid a repetition of the trouble caused by the Sobig virus, argues technology analyst Bill Thompson.

Infected e-mails
Sobig used a variety of subject lines
Farewell then, Sobig-F. The most successful and virulent e-mail virus to date stopped spreading itself on 10 September.

Although infected systems still need to be identified and cleaned up it is no longer e-mailing itself to every address it can find.

The scale of Sobig-F infection was astonishing. From its first appearance on 18 August to the end of its infectious phase, e-mail management firm MessageLabs stopped 16.5 million copies of the virus.

At one time infected e-mails accounted for one in 17 of the messages the company was processing on behalf of customers.

Although it did not consume vast swathes of internet bandwidth as it spread, and did not slow down network access like the Slammer worm at its peak, the economic impact was enormous simply because so many people spent so long identifying and deleting messages from their mailboxes.

Now anti-virus firms, security experts and net users are all waiting for the next Sobig variant, and hoping that they spot it before it is too late.

Biological virus

Sobig-F is generally believed to be part of an experiment in virus development, with the as yet unknown authors trying to find a way to silently infect large numbers of computers with a Trojan Horse program that can be used to distribute spam e-mail.

One reason for thinking this is that Sobig spreads by sending e-mail itself, using the simple mail transfer protocol (SMTP) to find and connect to mail servers around the internet, and giving them false information to persuade them to accept and send fake messages containing the virus.

Bill Thompson
I am as fond of SMTP as anyone other programmer and systems administrator, but I can see that it has to go
Bill Thompson
It is rather like a biological virus, hijacking the DNA or RNA copying machinery of a cell to make copies of itself.

Just as a biological virus relies on the fact that a cell's enzymes will make proteins out of any DNA they are given, the Sobig family of e-mail viruses rely on the fact that SMTP is designed to be reliable and efficient, not secure.

When an e-mail client like Outlook or Eudora connects to a mail server using SMTP, the server typically checks only the domain name and IP address of the sending computer, but does no other authentication.

Since a computer infected with Sobig-F is authorised to send e-mail through its ISP's mail server, there is nothing to stop the virus using SMTP to send out its messages, and that is what it has been doing so successfully for the past three weeks.

Secure messages

Although there are ways to stop this and make e-mail transfer more secure, either by extending SMTP to include some degree of user authentication (ESMTP) or by digitally signing every e-mail and only accepting signed e-mails, they are not in widespread use.

Escape key on keyboard
Time to switch to another e-mail system?
This is because all of the proposals require a significant change in the e-mail systems we all use every day.

They would inevitably reduce the freedom and flexibility which characterises internet e-mail and was one of the reasons why people chose to use the internet rather than any of the commercial, closed computer networks available in the early 1990's.

Even after Sobig-F, however, there seems no groundswell of support for secure e-mail, and few of us are moving to sign all our messages as a way of at least reducing the risk of transmitting viruses.

It may only be after Sobig-G, H or even Z that we get the message: old internet technology cannot adequately protect us against modern threats, and we need to move on.

I am as fond of SMTP as anyone other programmer and systems administrator, but I can see that it has to go. The only question is how much damage there has to be before we accept the inevitable.

Send us your comments:

Your E-mail address:

Disclaimer: The BBC may edit your comments and cannot guarantee that all emails will be published.

Bill Thompson is a regular commentator on the BBC World Service programme Go Digital.


The BBC is not responsible for the content of external internet sites


News Front Page | Africa | Americas | Asia-Pacific | Europe | Middle East | South Asia
UK | Business | Entertainment | Science/Nature | Technology | Health
Have Your Say | In Pictures | Week at a Glance | Country Profiles | In Depth | Programmes
Americas Africa Europe Middle East South Asia Asia Pacific