File scanning - whose responsibility is it?

  • Article

The other day, we saw some spam that was a double-whammy of reputation hijacking.  First of all, we saw spam coming in from one of the four big web mail providers (Google).  Second, the payload was from a file-service-in-the-cloud with a link to malware.

An exploitation of a file-service-in-the-cloud is similar to exploiting a URL compression tool.  With a URL compression tool, you enter in a link that is incredibly long and then it compresses it into a smaller, more manageable link.  Examples are TinyURL or SnipURL.  Unfortunately, what spammers started doing was creating spam links (like in regular spam) and then using these compression tool services, and then start sending out spam with these links in the spam payloads.  Of course, when you clicked on the compressed link, you were redirected to the spam landing page.  The idea was that spam filters couldn't block these outright because no one would put a global ban on a URL compression service.

A file-service-in-the-cloud is kind of similar.  Rather than sending somebody a large file via email, you upload it to this service.  Next, you enter in the recipient's email address and they are sent an email that says "Dear So-and-so, you have been sent a file from your friend <user @ example.com>.  Click here to download it."  Rather than sending over email and clogging up your inbox, you can download it at your leisure.  It's actually a good idea since my inbox regularly fills up with large files.

However, who is responsible for avoiding the uploading of malware?  For example, a spammer can upload a virus, send you spam notifying you of a file you should download and you could then potentially infect your machine.  Who should validate the integrity of the contents of the file?

Should you verify it while downloading it?  For sure, you should have antimalware software running on your system.  But if you get an email "from" a friend, you could be tricked into thinking it is a legitimate file.  Still, anything you download should have its contents verified for the integrity of the data.

But the file-service-in-the-cloud should similarly verify that the files that they are storing and uploading are not malware.  The fact of the matter is that sometimes people will resort to abusive behavior; these services should not be a conduit malware.  Hotmail and Google have to worry about botnets signing up for their service -- an unintended consequence of providing a free service -- and these free file-sending services should similarly make sure that they are not providing spammers a free mechanism for storing and sending malware.  There is too much abuse out there to push the responsibility onto someone else.

I have a saying and I shall trot it out again - if you give something away for free, people will abuse it.