I am a bystander in the war between spammers and virus writers on the one side, and Microsoft and the antivirus companies on the other. I have never in my life read or sent an e-mail message using Microsoft Outlook, I spend, perhaps 4 hours/year using the Windows operating system (mostly helping other people with computer problems), and I never read e-mail or browse the web as root, so I should live in a fairly safe area, far from the battlefield. Nevertheless, I lost e-mail services for my whole domain this morning because of Outlook viruses on other people’s systems, and it will take at least a few hours before I can receive e-mail here again.
In fact, I’ve been hit by a lot of collateral damage over the years. I had to shut down my old e-mail account at this domain,
david, when the volume of messages passed 1,000 per hour; even now, the
megginson.com domain can receive as over 30,000 messages a day — it’s a day-to-day challenge to keep the domain working at all, involving frequent changes of ISP.
What happened? Because my old e-mail address was well known, it ended up in a lot of people’s Outlook address books; then, predictably, some of those systems got infected, so their Outlook installations started sending out virus messages with my return address forged, and those messages infected more systems, which started sending out more, and so on. Those didn’t affect me directly (aside from writing the occasional polite reply to an irate message asking why I was mailing viruses), but then the warnings from the antivirus software at other people’s sites started pouring in. The antivirus makers know perfectly well that the return addresses on virus attacks are nearly always forged, but still cannot resist a marketing opportunity by warning me that my non-existant Outlook installation is infected with a virus.
I don’t know how many more direct hits I’ll be able to withstand at
megginson.com — I’ll never know, of course, how much business I’ve lost over the past couple of years because of these e-mail problems, and sometimes I’m tempted just to abandon the domain, or at least, any attempt at using it for e-mail.
If there’s a moral to this, it’s that sloppy design hurts more people than the immediate users — simply choosing not to use bad software does not protect you from its flaws. Security holes in Outlook hurt me, though I’ve never used the program; virus-warning spam from antivirus software makers repeatedly shut me down, though I’ve never bought their products. If we mess up too badly designing our next generation of XML-based systems (blogs, REST, Web Services, or what-have-you), it’s hard to predict how many people we’ll hurt beyond our immediate user base.