[Dshield] MyDoom-A/B: What is Free Email Service Anyway?

John Holmblad jholmblad at aol.com
Wed Feb 4 15:37:44 GMT 2004


Jayjwa,

your points are well taken. My comments relate to and build on your 
remarks regarding  free email service and though on this list they can 
be construed as "preaching to the choir" I wanted to share my own 
perspective on what "free" really implies.

Free email service is not the same thing as no cost email service. The 
cost to to the user of such free services just appears in a different  
form, that typically includes a higher risk of  receiving malware 
infected email, higher exposure to spam, and  the need to endure 
embedded advertising. And then there is the cost to the larger community 
(i.e. the non-customers of that free service) who may eventually be 
affected by the in-action or slow action of the free service provider to 
mitigate their risks. My experience over the last few years is with 
AOL's fee based email service, and I can say that, with respect to 
Mydoom, they must have been all over it like a cheap suit because I  and 
the other members of my family have yet to receive a single instance of 
that nasty, and I get ~75-100 emails per day. That means I can spend a 
bit less time (and in the end what is more valuable than our time?)  
trying to teach a young family member about some of the subtleties of 
what we discuss on this distribution list with respect to socially 
engineered email messages. It occurs to me that a good quality metric 
for an email service provider would be how many hours it takes on 
average for that provider to neutralize the effect on its subscribers of 
each particular malware "event" once it appears in the wild. The 
existence of this discussion list in and of itself is obviously useful 
toward the goal of faster propagation of information that these service 
providers can use to improve their performance with respect to such a 
metric.

My perspective  is that because of the loose coupling of the loss of 
so-called "reputational" equity caused by a poorly performing email 
service (lower reputational equity eventually results in higher customer 
churn and an erosion of the customer base)  to the bottom line of a 
"free" email service provider, such providers are therefore more likely 
to skimp on anti-malware/anti-spam measures than a service provider that 
charges its customers for email service.  I worked for the company 
Telenet,  that launched one of the first successful commercial e-mail 
services in the US if not the world, in 1980, called Telemail which was 
eventually renamed Sprintmail some years after we merged with United 
Telecom to form Sprint. We became successful with that service because 
we were able to charge businesses, academic institutions, and government 
agencies what was, at that time, an acceptable price for the service and 
to use the profits from the service to continue to invest in its 
development, which we did aggressively. A cornerstone attribute of that 
service was its reliability and availability which was achieved at a 
significant R&D as well as engineering, operational support,  and 
capital  cost  in the form of high availability and scalable computer 
systems from Tandem. At that time of course we did not have to contend 
with malware and spam but, the fact that we charged a competition 
driven, market price for the service, gave our customers the right  to 
demand and required us to deliver a quality service.

With the ascendance and proliferation of the technologies associated 
with the Internet, the paradigm for email became: get it free or do it 
yourself. I have lost track of the Sprintmail service (perhaps it is 
still offered, I don't know) but I know from experience that the fact 
that it wasn't free to our customers, and that we soon had competitors 
offering similar services (e.g. Compuserve, the Source, etc.) gave us 
plenty of incentive to offer high quality.  In the early days of this 
service we even changed out  executives who  were accountable for but 
did not achieve satisfactory service quality as well as profits for the 
service.  An indication of the quality of this service was that by the 
mid 1990's the service was reliable enough that our email server and 
service in Russia cold be used by the Russian Central Bank  to conduct 
financial clearing transactions. In fact our service  was the most 
reliable commercial communications service in that country at the time. 
The point in bringing this up here is to reinforce  the fact that,  
today, achieving email service quality still takes a significant and 
ongoing investment in tools, processes, and people to counter the 
quality diminishing effects of the real world. The difference is that 
today the real world threats to email service quality in the broad sense 
of that word come mostly from spam and malware. 

My experience suggests that while it is tempting now for small 
businesses (medium and large businesses long ago pulled email in-house)  
to  either a) put up their own deceptively simple email servers and to 
try to administer those systems  on their own, or b) to utilize free 
email services to minimize service costs, the environment we, 
collectively, are now in.  with the constant bombardment of malware and 
spam email, suggests that such cost saving alternatives may be short 
sighted and lead to higher costs in the end, especially if high 
availability email service (say 99.99% or better) is required for the 
business to compete successfully. These businesses would be better off, 
I think, getting their service from a trusted email service provider, 
whomever that may be as long as the provider makes a point of backing up 
its assertions of service quality with actual performance.  A viable 
intermediate business strategy might be to in-source the equipment and 
software but outsource the management of the service to an organization 
that understands the subtitles of email/malware/spam, etc. Either 
approach  would also of course serve to diminish the aforementioned 
bombardment because there would be fewer mis-configured email servers 
and  networks to serve as unwitting attack vectors.

-- 

Best Regards,

 

John Holmblad

 

Televerage International

 

(H) 703 620 0672

(M) 703 407 2278

(F) 703 620 5388

 

www page:                      www.vtext.com/users/jholmblad

primary email address: jholmblad at aol.com

backup email address:  jholmblad at verizon.net

 

text email address:         jholmblad at vtext.com




More information about the list mailing list