MessageLabs: Filtering your email sewage

Summary: Behind the Security Lines: In the last part of a special report on security research labs, ZDNet UK reports on its visit to MessageLabs UK's main research facility

... be sold on, according to MessageLabs. Unlike the majority of spam, these emails have no grammatical or syntactical errors, and the code is spot on, says Maksym Schipka, anti-virus technical architect. Attacks are also increasingly blended to target both instant-messaging and the web.

Monitoring botnets
Botnets are another growing problem. They comprise PCs that have been hijacked by hackers to send spam or other code. Botnets can be traced by looking at specific patterns of behaviour, according to MessageLabs: if different machines are sending the same spam, it is likely they use the same IRC channels. MessageLabs has ways of monitoring the compromised server. If a new bot is seen that contains the address of the IRC server, MessageLabs can follow the link through a command-and-control channel.
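The correlation described above, as an added example (not MessageLabs' own tooling): sending hosts are grouped by spam fingerprint, groups sent from more than one machine are treated as candidate botnets, and any IRC host extracted from a bot sample found on one of those machines is attached to the group. The log format, the fingerprint values, the IP addresses, the sample identifiers and the IRC host names are all constructed for the example.

```python
"""Correlate spam senders into candidate botnets and tie them to IRC C2 hosts.

Two constructed inputs (all values invented for this example):
  MAIL_LOG    gateway log lines: "<timestamp> <sender_ip> fp=<spam fingerprint>"
  INFECTIONS  sender IP -> bot sample identifier observed on that host
  SAMPLE_C2   bot sample identifier -> IRC host extracted from the sample
"""
import ipaddress
import re
from collections import defaultdict

# Constructed gateway log. Three hosts send spam fingerprint a1b2, two send e5f6,
# one host sends c3d4 on its own, plus one malformed line and one bad IP.
MAIL_LOG = """\
2006-09-01T10:00:01 203.0.113.5 fp=a1b2
2006-09-01T10:00:03 203.0.113.9 fp=a1b2
2006-09-01T10:00:04 198.51.100.7 fp=a1b2
2006-09-01T10:00:09 203.0.113.5 fp=c3d4
2006-09-01T10:01:12 192.0.2.40 fp=e5f6
2006-09-01T10:01:15 192.0.2.41 fp=e5f6
this line is not a log record
2006-09-01T10:02:00 999.1.1.1 fp=e5f6
"""

# Constructed: IRC host seen in each analysed bot sample (hypothetical names).
SAMPLE_C2 = {
    "bot-sample-001": "irc.example.net",
    "bot-sample-002": "irc.example.org",
}

# Constructed: which sample was observed on which sending host.
INFECTIONS = {
    "203.0.113.5": "bot-sample-001",
    "198.51.100.7": "bot-sample-001",
    "192.0.2.40": "bot-sample-002",
}

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+fp=(?P<fp>[0-9a-f]+)$")


def parse_mail_log(text):
    """Return (timestamp, sender_ip, fingerprint) tuples.

    Lines that do not match the expected shape, or whose sender address is
    not a valid IP, are skipped rather than allowed to poison the clusters.
    """
    records = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match is None:
            continue
        try:
            ipaddress.ip_address(match["ip"])
        except ValueError:
            continue
        records.append((match["ts"], match["ip"], match["fp"]))
    return records


def cluster_senders(records, min_hosts=2):
    """Group sender IPs by spam fingerprint; keep groups spanning min_hosts machines.

    A single machine sending its own spam is not a botnet signal, so
    fingerprints seen from only one host are dropped.
    """
    by_fp = defaultdict(set)
    for _ts, ip, fp in records:
        by_fp[fp].add(ip)
    return {fp: ips for fp, ips in by_fp.items() if len(ips) >= min_hosts}


def attach_c2(clusters, infections, sample_c2):
    """For each cluster, collect IRC hosts from samples found on its members."""
    result = {}
    for fp, ips in clusters.items():
        c2_hosts = {
            sample_c2[infections[ip]]
            for ip in ips
            if ip in infections and infections[ip] in sample_c2
        }
        result[fp] = {"hosts": ips, "c2": c2_hosts}
    return result


def suspected_botnets(log_text=MAIL_LOG, infections=INFECTIONS,
                      sample_c2=SAMPLE_C2, min_hosts=2):
    """End-to-end: parse the log, cluster senders, attach known C2 hosts."""
    clusters = cluster_senders(parse_mail_log(log_text), min_hosts)
    return attach_c2(clusters, infections, sample_c2)


if __name__ == "__main__":
    for fp, info in sorted(suspected_botnets().items()):
        print(f"spam {fp}: {len(info['hosts'])} hosts, C2 {sorted(info['c2']) or 'unknown'}")
```

Raising `min_hosts` trades recall for precision: with real gateway volumes, a fingerprint seen from two machines is weak evidence, whereas one seen from hundreds of unrelated address ranges within minutes is the pattern the article describes.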

The current threat from bots is spam carrying malware, and the installation of spyware to steal sensitive information. This is very much financially motivated, with botmasters charging 6 US cents per install. "Some spyware code is particularly interesting as it activates itself half an hour after someone has visited a site, to disassociate itself from that site," says Shipp.

Monitoring MessageLabs' infrastructure
The Network Operations Centre (NOC) scans all mail destined for a client, before deciding whether that mail is spam or contains malware. MessageLabs has over 100 server towers dealing with managed mail services for customers. Within a tower are between 14 and 36 mail servers in a cluster. A new client is given a host name through which to route its mail and all the towers take on mail for that customer. Altogether, one billion emails a week are processed by the towers, says MessageLabs.


The arrangement of the towers makes the service more flexible: if one of the servers crashes, others can pick up the slack and continue delivering mail. "This gives greater resilience within a cluster. If one of the servers crashes, or there's another issue with a third-party datacentre that affects it as a bandwidth provider, customers won't see a delay in their mailflow," says Andy Davies, NOC infrastructure support team leader.

MessageLabs also has a tool to monitor the bandwidth from its various third-party datacentres. Graphics for each server are displayed on a system called 'Big Brother'. Graphs on the left-hand side of Big Brother represent the different towers, and each bar on a graph represents a server. If the colour of the bar is red, that is a warning that the server has crashed and needs rebooting, or that the mail queue has been delayed because the scanner has crashed. If the bar is yellow, the server is approaching its specified capacity threshold, based on the mail flow within the tower.

Mail is funnelled through split directories. If a mail gets stuck, it is copied to a central location. All mail is scanned, and if a particular mail has been identified as containing a virus that MessageLabs has not previously seen, the NOC personnel can start the process of writing the antivirus program or signature.

About

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.
