August 14, 2001, 12:00 AM — Every time we hear about another e-mail virus outbreak, it should
remind us of how easy it is to build software that's easy to use but
horribly insecure. E-mail viruses can be particularly upsetting when a
virus uses your address book to identify its next victims. Currently,
the primary solution for virus problems is some kind of content
scanning, whether it takes the form of an anti-virus product or another tool
that inspects the contents of data packets. But this solution works
only as long as your business isn't one of the early victims of the
virus. If you manage to escape infection in the first 24 hours, you're
likely to avoid serious trouble: Most anti-virus products that depend
on pattern recognition will be updated in that time frame, so you can
download the updates.
Unfortunately, content scanning is a totally reactive process. It's
like installing a better lock on the barn door after the horses have
run away. Certainly it prevents future problems, but that's cold
comfort when a virus has already slipped past your defenses. Even
worse, it involves only the inbound traffic to your system, and that's
I've wondered for a while if anyone would tackle the problem of
outbound traffic. Unless you work for an event promoter or some other
mass-marketing firm, it's unlikely you send messages to more than a few
dozen people, much less everyone in your address book. Anything else is
something your e-mail tool should bring to your attention, not unlike
the way the Postal Service requires that you bring large envelopes to
the post office counter.
Fortunately, help is on the way. Some really clever people at the
U.K.'s Defence Evaluation and Research Agency (DERA) unveiled at last
month's InfoSec 2001 conference an application called SyBard/Mail that
can alert you to suspicious outbound mail traffic. I can't wait to see
how the commercial version performs when it's available later this year.
By that time, DERA will have split into two parts: a Ministry of
Defence agency that will continue to focus on military requirements,
and a for-profit operation, QinetiQ, which might win my award for
Trickiest Name of the Year. Judging from the information on DERA's Web
site, QinetiQ is going to inherit SyBard/Mail with the rest of DERA's
SyBard Suite in the early summer when the split takes place. According
to reports in The Industry Standard, the price for SyBard/Mail should
run approximately $7 or $8 per seat for a 1,000-user license.
Obviously, the target market for SyBard/Mail is the millions of systems
running Microsoft Windows, because they are the most vulnerable to
e-mail viruses, thanks to holes in Microsoft's MAPI (Messaging API),
office productivity software, and operating systems.
SyBard/Mail will ship in three versions, starting with a lightweight
version that provides a basic check on outgoing mail.