June 27, 2003 4:00 AM PDT
Spam may sprout viruses in home PCs
E-mail security firm MessageLabs operates servers that filter spam and viruses for its clients. Its analysis of that traffic shows that bulk junk e-mail is increasingly arriving from the Internet addresses of computers that have previously sent out viruses as e-mail attachments.
"There is a high correlation," said Matt Sergeant, senior antispam technologist for the New York-based company. "About 30,000 machines have both open-proxy software and are responsible for sending viruses."
Open proxies and open relays are computers that will forward e-mail or other network traffic for anyone who connects to them, so the traffic arrives bearing the relaying machine's address rather than that of its true source. Strictly speaking, an open relay is a mail server that accepts mail from any sender for delivery to any destination, while an open proxy forwards arbitrary network connections; spammers abuse both to the same end. The 30,000 computers represent about 14 percent of the total open relays from which MessageLabs has registered bulk unsolicited e-mail, otherwise known as spam.
If true, the finding could add momentum to the backlash against spammers. Earlier this month, the Federal Trade Commission (FTC) asked Congress for greater power to pursue and penalize those who send unsolicited bulk e-mail.
In mid-May, the FTC and enforcement agencies from other nations sent warning letters to the operators of 1,000 e-mail servers, urging them to close their relays.
Estimates for the percentage of e-mail traffic due to spam run from 30 percent to as much as 75 percent. Nearly 70 percent of spam messages appear to come from servers classified as open relays, according to MessageLabs.
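The relay misconfiguration the FTC letters asked operators to close comes down to one decision an SMTP server makes when it receives a RCPT TO command. The following is an added illustration written for this article, not code from MessageLabs, Postini or any mail server: a small relay policy with the weak setting beside the corrected one, and the classic probe (an outside client asking the server to carry mail from one foreign address to another) that reveals which is which. The domains, addresses and the 192.0.2.0/24 "trusted" network are constructed examples, and the reply strings follow the conventional SMTP codes rather than any particular product.

```python
"""Open-relay decision logic and probe, written as an illustration for this
article (not MessageLabs, Postini or any mail server's code).  Domain names,
addresses and the 192.0.2.0/24 network are constructed examples."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RelayPolicy:
    """What an SMTP server will accept at RCPT TO time."""
    local_domains: set = field(default_factory=set)
    trusted_networks: list = field(default_factory=list)
    relay_for_anyone: bool = False  # the misconfiguration behind an "open relay"

    def rcpt_reply(self, client_ip: str, recipient: str) -> str:
        """Return the SMTP reply to RCPT TO:<recipient> from client_ip."""
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return "250 2.1.5 Ok"                    # inbound mail for our own domain
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.trusted_networks):
            return "250 2.1.5 Ok"                    # outbound mail from our own users
        if self.relay_for_anyone:
            return "250 2.1.5 Ok"                    # open relay: anybody may send anywhere
        return "554 5.7.1 Relay access denied"


# Weak setting: the server relays for the whole Internet.
OPEN_RELAY = RelayPolicy(local_domains={"example.org"}, relay_for_anyone=True)
# Corrected setting: relay only for local recipients or clients on our own network.
HARDENED = RelayPolicy(
    local_domains={"example.org"},
    trusted_networks=[ipaddress.ip_network("192.0.2.0/24")],
)


def probe_open_relay(policy: RelayPolicy, probe_ip: str = "203.0.113.9") -> tuple:
    """Simulate the classic open-relay test: an outside client asks the server to
    deliver mail from one foreign address to another.  Returns the transcript and
    whether the server agreed to relay (a 2xx reply to the RCPT command)."""
    transcript = [
        ("C", "HELO probe.example.net"),
        ("S", "250 mail.example.org"),
        ("C", "MAIL FROM:<probe@example.net>"),
        ("S", "250 2.1.0 Ok"),
        ("C", "RCPT TO:<nobody@example.com>"),     # neither sender nor recipient is local
    ]
    reply = policy.rcpt_reply(probe_ip, "nobody@example.com")
    transcript.append(("S", reply))
    transcript.append(("C", "QUIT"))
    return transcript, reply.startswith("2")


if __name__ == "__main__":
    for name, policy in (("open relay", OPEN_RELAY), ("hardened", HARDENED)):
        transcript, relays = probe_open_relay(policy)
        print(f"--- {name}: relays for strangers = {relays}")
        for side, line in transcript:
            print(f"{side}: {line}")
```

The hardened policy still accepts inbound mail for example.org from any client and outbound mail from the 192.0.2.0/24 network; only the third path, relaying between two foreign parties, is refused. Real probes do exactly this exchange against a live port 25 and read the reply to RCPT TO.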
But the connection between open relays and viruses seems tenuous, said Craig Schmugar, senior anti-virus engineer for Network Associates, a security software firm.
"It is interesting data, to be able to correlate spam relays and virus relays, if you can call them that," he said. "However, it's tough to make the case that these machines are infected."
There are other explanations for the connection, Schmugar said. Computers vulnerable to viruses could be more likely to download a program that turns the system into an open relay, for instance. Schmugar also stressed that a 14 percent correlation isn't conclusive.
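The "14 percent" MessageLabs cites is the share of spam-relaying hosts that had also sent a virus, and Schmugar's objection is that such an overlap means little without knowing how often it would occur by chance. The following is an added illustration, not MessageLabs or Postini code, of the check a gateway operator would run: index source addresses by verdict from gateway log lines, compute the overlap, and put it beside the fraction independence would predict. The log lines and their format are constructed for the example and do not reproduce any vendor's logs.

```python
"""Correlating virus-sending and spam-relaying source addresses, as an added
illustration of the analysis described in the article (not MessageLabs or
Postini code).  The log lines are constructed and the format is invented for
the example; it is not any vendor's real log format."""
from collections import defaultdict

# Constructed gateway log: timestamp, source IP, verdict, detail.
GATEWAY_LOG = """\
2003-06-20T09:12:01 198.51.100.7 virus Sobig.E
2003-06-20T09:15:44 198.51.100.7 spam open-relay
2003-06-20T10:02:13 203.0.113.21 spam open-relay
2003-06-20T10:09:50 203.0.113.22 spam open-relay
2003-06-20T11:41:07 192.0.2.45 virus Sobig.E
2003-06-20T11:45:30 192.0.2.45 spam open-relay
2003-06-20T12:00:00 203.0.113.23 spam open-relay
2003-06-20T12:30:19 198.51.100.80 clean -
2003-06-20T13:05:02 192.0.2.46 virus Sobig.E
2003-06-20T13:20:33 198.51.100.81 clean -
2003-06-20T14:00:45 198.51.100.82 clean -
2003-06-20T14:10:12 198.51.100.83 clean -
"""


def index_sources(log_text: str) -> dict:
    """Map each verdict ('virus', 'spam', 'clean') to the set of source IPs that
    produced at least one message with that verdict."""
    by_class = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, verdict, _detail = line.split(maxsplit=3)
        by_class[verdict].add(ip)
    return by_class


def relay_virus_overlap(by_class: dict) -> dict:
    """Fraction of spam-relaying hosts that also sent a virus, alongside the
    overlap that independence would predict for the population of hosts seen."""
    relays = by_class.get("spam", set())
    virus_senders = by_class.get("virus", set())
    all_hosts = set().union(*by_class.values())
    overlap = relays & virus_senders
    observed = len(overlap) / len(relays) if relays else 0.0
    # If relaying and virus-sending were unrelated, a relay would be a virus
    # sender with the same probability as any other host in the population.
    expected = len(virus_senders) / len(all_hosts) if all_hosts else 0.0
    return {
        "relays": len(relays),
        "virus_senders": len(virus_senders),
        "both": len(overlap),
        "observed_fraction": observed,
        "independent_fraction": expected,
    }


if __name__ == "__main__":
    stats = relay_virus_overlap(index_sources(GATEWAY_LOG))
    print(f"{stats['both']} of {stats['relays']} spam relays also sent a virus "
          f"({stats['observed_fraction']:.0%}); independence would predict "
          f"about {stats['independent_fraction']:.0%}")
```

On a real feed the interesting quantity is how far the observed fraction sits above the independence baseline, and whether it stays there as the window grows; the example's twelve lines are only there to make the arithmetic visible.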
MessageLabs maintained that the latest outbreaks of computer viruses may have been deliberately caused by spammers. The company has already identified the recent Sobig virus and its previous variants as probable spammer creations. The programs are likely to have been specifically designed to use home computers as a large pool of open relays for spammers, said MessageLabs' Sergeant.
The company's analysis suggests the virus opens several network "ports," the numbered endpoints through which applications send and receive data over the network. The latest variant, Sobig.E, opens a series of five ports through which it downloads additional software that turns the infected computer into an open relay. The same mechanism could fetch other kinds of programs, such as remote-control software and backdoor Trojans.
Sergeant also pointed to the built-in time limit as another indication that the programs were created with a purpose: each variant of the virus spreads for only about three weeks. Sobig.E, for example, will stop spreading on July 14.
Network Associates' Schmugar confirmed the existence of the series of five ports, but said the company hadn't yet confirmed the software update mechanism.
However, another e-mail security firm, one of the few kinds of Internet company in a position to correlate virus outbreaks with spam floods, has not been able to confirm the correlation MessageLabs reports.
Postini, a MessageLabs competitor, sifted through 1.8 billion e-mail transactions logged in the past 40 days and didn't find a significant correlation.
"We haven't seen a smoking gun," said Scott Petry, chief technology officer for the Redwood City, Calif.-based company.
Still, Petry said Postini's data may not go back far enough. Much of MessageLabs' evidence stems from the original Sobig infection that started in January.