Microsoft, spam, my spleen, and you…

Some days, it just doesn’t pay to turn the old brain on. Trying to make sense of things is the quickest path to insanity. Raging, blubbering, ululating, bloody, squirrel-butchering insanity.

But enough about work…

As a longtime advocate of free software, free operating systems, and (in a pinch) Macs, it occurred to me that I hadn’t been driven into a good lather over Microsoft in almost 5 years. Quite the feat, probably a record for me since I switched from DOS to Unix around 1992-1993. That streak ended today.

As I see it, Microsoft is partly responsible for about 80% of the spam on the Internet. It works roughly this way:

  • Microsoft sells desktop OS software with multiple exploitable server programs turned on by default.
  • They then encourage people to connect this monstrosity to the Internet.
  • Vulnerabilities get exploited and used to install programs that scan other computers for vulnerable services. As a result, any Internet-connected machine will probably get probed by such a program every couple of minutes. The usual “time-to-0wnership” given by security researchers is on the order of 15 minutes. Connect to the Internet to download the new service pack? You’ll probably be exploited before it downloads.
  • These programs can usually be instructed to act as a proxy, often for sending spam or performing click-through advertising fraud. In theory, they can be instructed to do anything up to and including melting down most of the Internet as we know it, and are often used to steal credit card numbers, passwords, etc., and to host phishing sites, but we’ll keep focused on spam here… of which these infected machines send 70-80%.

It gets even scarier. Windows box running slower than usual? It’s probably infected with multiple such programs doing god-knows-what. Anti-virus programs help some, but the malware authors can trivially evade these by re-encrypting their code, so some currently in-the-wild worms can only be cleaned by a format and reinstall, after which the machine is back to its initial, vulnerable state waiting to get reinfected.

Windows is by far the most problematic OS for this sort of thing, but similar programs target UNIX and Mac OS X hosts with insecure PHP scripts (e.g. old versions of WordPress [kick me]) or guessable passwords. Unlike these, though, a networked Windows box should probably be treated as suspect a priori.

So, say you’re Microsoft and you’ve unleashed this mess on the Internet; there are a few things you could do to help. For example, you could work with anti-spam efforts, and put your considerable weight behind best practices such as port 25 filtering, mail server rate limiting, etc., that take a huge bite out of spam at the source. You could also use your control of practically every PC user’s desktop to include some educational materials, informing them that the Internet is a very dangerous place, and as a result, they will need to explicitly enable and limit access to any services they wish to run.
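To make the “at the source” point concrete, here is an added example (mine, not part of the original post) of the two controls named above applied to outbound traffic records from a hypothetical ISP or campus network: a port 25 egress filter that only lets hosts reach the network’s own relay, and a sliding-window count of distinct mail servers contacted per host, which is how an infected box fanning spam out to hundreds of MTAs stands out from a normal user. The flow records, the relay address and the thresholds are all constructed for the example.

```python
"""Spot spam-zombie behaviour in outbound TCP/25 flow records.

Added example, not from the original post. Assumes a constructed flow
format "timestamp src_ip dst_ip dst_port"; the relay address and the
thresholds below are illustrative assumptions, not measured values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 relays through the ISP's submission server
# and browses the web; 10.0.0.9 talks directly to many different MTAs in
# a few seconds, which is what a spam zombie looks like on the wire.
SAMPLE_FLOWS = """\
2004-09-14T10:00:01 10.0.0.5 198.51.100.25 25
2004-09-14T10:00:04 10.0.0.5 198.51.100.25 25
2004-09-14T10:00:30 10.0.0.5 192.0.2.80 80
2004-09-14T10:00:02 10.0.0.9 203.0.113.1 25
2004-09-14T10:00:03 10.0.0.9 203.0.113.2 25
2004-09-14T10:00:05 10.0.0.9 203.0.113.3 25
2004-09-14T10:00:07 10.0.0.9 203.0.113.4 25
2004-09-14T10:00:09 10.0.0.9 203.0.113.5 25
2004-09-14T10:00:12 10.0.0.9 203.0.113.6 25
2004-09-14T10:00:15 10.0.0.9 203.0.113.1 25
"""

ISP_RELAY = "198.51.100.25"      # assumed: the network's own mail relay
WINDOW = timedelta(minutes=1)     # assumed detection window
MAX_DISTINCT_DESTS = 5            # assumed: more distinct MTAs than this is suspect


def parse_flows(text):
    """Parse the constructed flow format into (time, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def egress_decisions(flows, relay=ISP_RELAY):
    """Port 25 egress filter: count, per host, the TCP/25 connections that
    would be blocked because they bypass the designated relay."""
    blocked = defaultdict(int)
    for _, src, dst, port in flows:
        if port == 25 and dst != relay:
            blocked[src] += 1
    return dict(blocked)


def peak_distinct_smtp_peers(flows, window=WINDOW):
    """For each source host, the largest number of distinct port-25
    destinations contacted within any window of the given length."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 25:
            by_src[src].append((ts, dst))
    peaks = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            # events are sorted, so everything from i onward is >= start
            dests = {d for t, d in events[i:] if t - start <= window}
            peak = max(peak, len(dests))
        peaks[src] = peak
    return peaks


def find_zombies(flows, window=WINDOW, max_dests=MAX_DISTINCT_DESTS):
    """Hosts whose peak fan-out exceeds the threshold, sorted by address."""
    peaks = peak_distinct_smtp_peers(flows, window)
    return sorted(src for src, peak in peaks.items() if peak > max_dests)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("blocked by egress filter:", egress_decisions(flows))
    print("peak distinct MTAs per host:", peak_distinct_smtp_peers(flows))
    print("flagged as likely zombies:", find_zombies(flows))
```

The two controls complement each other: the egress filter stops the direct-to-MX spam outright, and the fan-out count tells the operator which customer to notify, since a host hitting six different mail servers in ten seconds is not a person reading e-mail. A legitimate mail server on the same network would simply be exempted from the filter and the rate check.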

Or you could engage in plain old PR, organizing useless conferences every year, appropriating a poorly thought-out fad (e.g. SPF) as your own, and trying to force its adoption so it looks like you’re doing something about spam…

To be fair, Microsoft seems to be somewhat involved with the former, but keeps a very low profile. The big push, PR, and Microsoft name are behind “Sender ID”, a Microsoft-rebranded SPF which will do nothing to combat spam, much less the spam zombies Microsoft helped create.
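To see why an SPF-style check does nothing about zombie spam, it helps to look at what the check actually decides. Below is an added example (mine, not from the original post or from any Sender ID or SPF implementation): a deliberately minimal `v=spf1` evaluator that supports only the mechanisms needing no DNS lookups (`ip4`, `ip6`, `all`), run against constructed records for two made-up domains and a constructed zombie address. It shows that SPF answers one question, whether a given IP is allowed to use a domain in `MAIL FROM`, so it catches a zombie forging someone else’s domain but passes the same zombie the moment the spammer uses a domain whose record authorizes it.

```python
"""Minimal SPF (v=spf1) evaluator to illustrate what the check does and
does not decide.  Added example, not from the original post.

Only ip4, ip6 and all are implemented; include:, a, mx, ptr and exists
need DNS and are out of scope here.  All records, domains and addresses
below are constructed (example.* names, documentation address ranges).
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records standing in for DNS.
RECORDS = {
    # A legitimate sender publishes the one network its MTAs live in.
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    # A spammer's throwaway domain authorizes the whole world to use it.
    "spammer.example": "v=spf1 +all",
}

ZOMBIE_IP = "203.0.113.77"  # constructed: an infected home PC


def check_spf(record, sender_ip):
    """Evaluate one v=spf1 record for one sending IP.

    Returns pass, fail, softfail or neutral from the first matching
    mechanism; neutral if nothing matched and there is no 'all' term;
    permerror for a malformed record.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # the default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                # a bare address such as ip4:192.0.2.1 is a /32 (or /128)
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"mechanism {name!r} needs DNS; not supported here")
    return "neutral"


def evaluate_message(mail_from_domain, sender_ip, records=RECORDS):
    """Result a receiving MTA would get for a MAIL FROM domain and client IP."""
    record = records.get(mail_from_domain)
    if record is None:
        return "none"  # domain publishes no policy
    return check_spf(record, sender_ip)


if __name__ == "__main__":
    # Same infected machine, two envelopes: the forgery fails, the
    # spammer's own domain passes.  Neither result says anything about
    # whether the message body is spam.
    print("forged bank.example:", evaluate_message("bank.example", ZOMBIE_IP))
    print("spammer.example:    ", evaluate_message("spammer.example", ZOMBIE_IP))
```

A receiver that rejects on `fail` stops the zombie from impersonating `bank.example`, which is real value against phishing, but the same zombie sending for `spammer.example` gets `pass`, and a domain costs a spammer very little. That is the gap between “authenticating the sending domain” and “combating spam” that the post is complaining about.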

What a waste. Microsoft is powerful enough that if they had put their muscle behind something that worked instead of this (at best) distraction, we might actually have eradicated most spam by now.