A Solution to E-mail Virus Propagation?

Every time we hear about another e-mail virus outbreak, it should
remind us of how easy it is to build software that's easy to use but
horribly insecure. E-mail viruses can be particularly upsetting when a
virus uses your address book to identify its next victims. Currently,
the primary solution for virus problems is some kind of content
scanning, whether it takes the form of an anti-virus or another tool
that inspects the contents of data packets. But this solution works
only as long as your business isn't one of the early victims of the
virus. If you manage to escape infection in the first 24 hours, you're
likely to avoid serious trouble: Most anti-virus products that depend
on pattern recognition will be updated in that time frame, so you can
download the updates.

Unfortunately, content scanning is a totally reactive process. It's
like installing a better lock on the barn door after the horses have
run away. Certainly it prevents future problems, but that's cold
comfort when a virus has already slipped past your defenses. Even
worse, it involves only the inbound traffic to your system, and that's
not enough.

I've wondered for a while if anyone would tackle the problem of
outbound traffic. Unless you work for an event promoter or some other
mass-marketing firm, it's unlikely you send messages to more than a few
dozen people, much less everyone in your address book. Anything else is
something your e-mail tool should bring to your attention, not unlike
the way the Postal Service requires that you bring large envelopes to
the post office counter.
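
The outbound check described above can be sketched as follows. This is an
added example, not SyBard/Mail's logic or code from the article; the
thresholds and all function names are assumptions chosen for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed policy values (not from the article): more than "a few dozen"
# recipients, or half of the address book, triggers a confirmation prompt.
MAX_RECIPIENTS = 36
MAX_BOOK_FRACTION = 0.5
MIN_BOOK_SIZE = 10  # ignore the fraction rule for tiny address books


def recipients(msg):
    """Return the distinct, lower-cased addresses in To, Cc and Bcc."""
    fields = []
    for header in ("To", "Cc", "Bcc"):
        fields.extend(msg.get_all(header, []))
    return {addr.strip().lower() for _name, addr in getaddresses(fields) if addr}


def review_outbound(msg, address_book):
    """Decide whether a message is sent or held for user confirmation."""
    rcpts = recipients(msg)
    book = {a.lower() for a in address_book}
    reasons = []
    if len(rcpts) > MAX_RECIPIENTS:
        reasons.append(f"{len(rcpts)} recipients exceeds limit of {MAX_RECIPIENTS}")
    covered = len(rcpts & book)
    if len(book) >= MIN_BOOK_SIZE and covered / len(book) >= MAX_BOOK_FRACTION:
        reasons.append(f"addressed to {covered} of {len(book)} address-book entries")
    return ("hold" if reasons else "send", reasons)


def build(to_addrs, cc_addrs=()):
    """Construct a sample message (constructed test data)."""
    msg = EmailMessage()
    msg["From"] = "user@example.com"
    msg["To"] = ", ".join(to_addrs)
    if cc_addrs:
        msg["Cc"] = ", ".join(cc_addrs)
    msg["Subject"] = "sample"
    msg.set_content("body")
    return msg


# Constructed address book of 40 contacts and three constructed messages.
ADDRESS_BOOK = [f"contact{i}@example.org" for i in range(40)]
NORMAL = build(ADDRESS_BOOK[:3], ["Colleague <peer@example.net>"])
MASS = build(ADDRESS_BOOK)          # every contact at once
PARTIAL = build(ADDRESS_BOOK[:20])  # half the book, under the count limit
```

A "hold" result is where a mail client would ask the user to confirm before
sending; the reasons list gives the text for that prompt.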

Fortunately, help is on the way. Some really clever people at the
U.K.'s Defence Evaluation and Research Agency (DERA) unveiled at last
month's InfoSec 2001 conference an application called SyBard/Mail that
can alert you to suspicious outbound mail traffic. I can't wait to see
how the commercial version performs when it's available later this year.

By that time, DERA will have split into two parts: a Ministry of
Defence agency that will continue to focus on military requirements;
and a for-profit operation, QinetiQ, which might win my award for
Trickiest Name of the Year. Judging from the information on DERA's Web
site, QinetiQ is going to inherit SyBard/Mail with the rest of DERA's
SyBard Suite in the early summer when the split takes place. According
to reports in The Industry Standard, the price for SyBard/Mail should
run approximately $7 or $8 per seat for a 1,000-user license.

Obviously, the target market for SyBard/Mail is the millions of systems
running Microsoft Windows, because they are the most vulnerable to
e-mail viruses, thanks to holes in Microsoft's MAPI (Messaging API),
office productivity software, and operating systems.

SyBard/Mail will ship in three versions, starting with a lightweight
version that provides a basic check on outgoing mail. The midrange
solution will be a Professional version that will hook into the
advanced security features of Windows NT and Windows 2000 (and
presumably Windows XP) and will also include content-monitoring
capabilities. And for those who must have secure end-to-end
communications, SyBard/Mail's Advanced Security Option provides a
digitally signed control at the firewall. Overall, it should prove a
pretty formidable set of countermeasures.

Besides its welcome security aspect, SyBard/Mail appeals to me because
it essentially asks: "Do you really want to send this e-mail?" It's the
e-mail sent "by accident," which has penetrated pop culture to the
point of becoming the subject of TV commercials. I admit to one or two
e-mails in my career that I'd like to retract, and I imagine that many
of you have similar stories that make you cringe when you recall them.

Whether your concern is e-mail security or job security, SyBard/Mail
and the inevitable "me-too" products could make it a little safer to
use e-mail. Obviously, no product will eliminate the need for end-users
to exercise common sense, as I've discussed previously. But when an
e-mail virus gets through your perimeter, as one eventually will,
wouldn't it be nice to know that it's going to have a much harder time
getting out of the systems that do get infected? If one extra click per
e-mail is all it takes, I'm for it.
