Malicious Mail

There were nearly 600 million email users worldwide at the close of 1999, with more than half of them in the U.S.

There were nearly 600 million email users worldwide at the close of 1999, with more than half of them in the U.S., according to industry estimates. Many market watchers expect the number of email accounts to top the 1 billion level by the end of 2001. If each mailbox receives just 20 or 30 messages a day, that's tens of billions of electronic missives flying over the Internet daily.

That's a lot of information to digest and an easy way for bitter pills such as Melissa and I Love You messages to be swallowed. Those two innocent-sounding email subject lines caused havoc by spreading attached viruses throughout scores of unsuspecting corporations.

Email viruses are a fact of corporate life. Triggered by a single email recipient, an attack can quickly flood local workstations and centralized mail servers with destructive traffic. Network operations can grind to a halt with long hours of repair work required to clean up affected systems and restore normal operations.

What makes these mail bombs even more threatening than other viruses is that they're so easy to unleash. Malicious mailers can send thousands of messages via email by using any of the dozens of emailing lists available over the Internet. A short and catchy subject line is bound to trick at least one careless recipient into clicking an attached file that swipes the user's address book, which is then used to continue the email onslaught. And along the way, damage is often done to files on each victim's system.

Joel Deitch has 15 years' experience marketing and writing about technology. Currently a senior marketing manager at an information security management organization, he lives (securely) in Atlanta, Georgia.

Simple but Clever

Corporate servers and networks aren't the real targets of email bomb attacks. Attackers are, in fact, taking aim at information. They want to corrupt the information or simply make it unavailable. At the least, this will cost your company money in terms of productivity and the time needed to fix the problem. An unchecked mail bomb can inflict far more substantial damage.

Viruses rely on our casual acceptance of email. For most email users, ease of use and convenience are paramount, and, too often, security is an afterthought. The I Love You virus was so effective because it used each victim's own address book to send out fresh copies to other unsuspecting users. This falsification process, called spoofing, is a key mail bomb strategy that relies on familiarity and lax security measures.

The most famous email bombs required a recipient to activate a program attached to the message. Because of the telltale .exe or other program file extensions, it didn't take long for users to become wary of these attacks. But virus authors are a clever bunch; they soon ditched the EXE file in favor of a Visual Basic script, a file type and filename extension that most users aren't familiar with.

Attacks Without Attachments
The same tight integration among mail systems, HTML, and operating system-based scripting languages that makes PCs such useful business tools also opens a whole new world of possibilities for devious minds. While most email-borne viruses use attachments to launch their attacks, it's possible to achieve the same damaging results without an attachment. For example, simply opening an HTML-based mail message can place a usage-tracking file (cookie) on a system along with a small script that uses the host's operating system to send information back to the attacker. Or simply clicking a link embedded in the email message will trigger a script that damages data stored on both local and network hard drives.

Look Out, Outlook

Virtually any mail system is vulnerable to an email attack, but the most frequent targets have been Windows-based networks running Outlook or Outlook Express. The reason is simple: Microsoft operating systems and mail applications are more widely used than other similar products. Microsoft's market success also puts it in the sights of attackers looking to make their marks against an industry leader.

Still, it is true that a number of Windows, Outlook, and Exchange features contribute to Windows systems' vulnerability to email bombs. Outlook integrates very tightly with Microsoft Office, Internet Explorer, and Windows. Its code cooperates with these Microsoft sister components in several key ways. Outlook uses the same Visual Basic (VB) scripting language used with other Microsoft Office applications. VB is a powerful macro utility that allows even simple code to work at the operating system level. If an email's VB attachment has free reign to delete files or to execute scripts and programs, it is very difficult for Outlook to recognize that something improper has happened.

Outlook also uses the Windows MAPI function for sending and receiving mail. MAPI is Microsoft's standard mail service and provides email functionality across all Windows email platforms, Microsoft Office, and many third-party products. Any virus clever enough to communicate directly to MAPI can manipulate the local mail system at will.

Internet Explorer integration is another area of potential vulnerability. Web technologies such as HTML, XML, Java, JavaScript, and cookies all present risks for email. In addition, Internet Explorer allows ActiveX applications to install and run directly from the Internet. Outlook's use of Internet Explorer for rendering HTML mail gives malicious attachments a variety of easy and powerful avenues of attack.

Finally, Outlook has the ability to accept plug-in modules that alter or expand its core functionality. PGP encryption software, Stamps.com Internet Postage, and many other legitimate vendors use this technology, called Component Object Model (COM), to integrate their offerings into the Outlook environment. A virus could be fashioned to masquerade as a COM module, making it look like a normal part of the mail system.

While assaults on Outlook garner the lion's share of publicity, many other vendors' email products are also vulnerable to email attacks. All major mail systems, including POP3, IMAP, Novell NetWare, and Lotus Notes, are potentially susceptible. Regardless of the manufacturer, any email client that features a macro language, HTML mail, or plug-in capability presents a possible risk.

Return to Sender

The first level of defense against email viruses begins with users. Mandatory user education is an effective way to minimize the careless behavior that allows email attacks to flourish. Make sure all email users know to delete anything suspicious that ends up in their mailboxes. This includes messages from unfamiliar senders, messages with odd subject lines, messages with embedded links, and all mail attachments. If anything suspicious shows up, your company's email users should know enough to leave the message or attachment unopened.

 10 Tips for Safe Email
 1. Don't open attachments from unknown senders
 2. Be suspicious of mail with attachments even if you know the sender
 3. Don't open attachments unless absolutely certain of what they contain
 4. Beware of odd subject lines
 5. Be careful of files downloaded from HTML email
 6. Junk mail and chain letters are frequently compromised with viruses
 7. Use an email-capable antivirus package and keep it up-to-date
 8. Check for vendor security patches at regular intervals, and install them
 9. Make frequent system backups for disaster recovery
 10. Use caution even if the sender's name is familiar

The next level of protection involves using antivirus technology to ferret out malicious code before it can do damage. Most users now recognize the need for antivirus measures and run one of several worthy products. These are mature products that recognize and respond to both suspect code and suspicious activity. The best packages, such as Symantec Norton AntiVirus and McAfee VirusScan, even scan email attachments before they enter the mail program.

Some personal firewalls, such as Zone Labs ZoneAlarm, monitor Internet traffic for dangerous attachments. Symantec Security Check is an online security assessment product that checks individual desktops for the presence of active antivirus utilities. Both products are excellent solutions for organizations that have remote workforces using laptops or home computers.

Of course, antivirus software works only when it is kept up-to-date--no small task, since new viruses spring up by the dozens every day. Ensuring that every PC in a company has current antivirus protection is a time-consuming process. But enterprise-level antivirus products can ease the burden because the software is centrally managed.

Enterprise antivirus programs employ three basic strategies. First, they scan incoming and outgoing mail before it can propagate on individual desktops or on the Internet. Second, these packages install a small agent on each workstation. The agents monitor local systems for unusual activities or improper code that may have gained access through infected removable disks, Internet downloads, or other means.

Third, antivirus protection is available for mail servers, including Microsoft Exchange, Unix mail systems, and Novell NetWare. These packages help recognize unusual behavior at the server level. Symantec Norton AntiVirus Enterprise Solution, Trend Micro NeaTSuite, Panda Software Global Virus Insurance 24h-365d, and F-Secure Anti-Virus all provide sound mail server-based solutions.

Server-based or locally installed antivirus software may not always be an appropriate solution. It can be expensive, and effectively deploying this type of technology requires both IT and security expertise. For some businesses, outsourcing email antivirus efforts may be a good alternative. Email redirection services such as Bigfoot or remotely managed antivirus services from security providers such as myCIO are often cost-effective solutions.

Corporations may also want to consider email verification as another means to ensure that email comes from trusted senders and hasn't been altered while in transit. McAfee, InvisiMail, VeriSign, E-Lock, Silanis, and Sigaba are examples of vendors that offer plug-ins for major email clients that allow users to either encrypt emails or test incoming messages and attachments for authenticity.

Ample Antidotes
Email viruses can be controlled. An effective corporate strategy includes vigilance, training, and careful application of technology. But companies must also understand that a well-thought-out and easily implemented antivirus plan is part of an overall information security program.