[Dshield] Trapped in the Email Box

James C. Slora Jr. Jim.Slora at phra.com
Wed Mar 3 15:49:48 GMT 2004

Are there any worthy alternatives to email for business communication?

Spam has been rampant for a couple of years now. Phishing is on the rise.
Email viruses have become a significant portion of inbound mail. Various
protective strategies implemented by mail admins have reduced the
reliability of messages arriving intact in a reasonable amount of time.

At some point, any given email message will be more likely to cause a
problem than to serve the business interests of the recipient. The overhead
of ensuring message delivery and integrity is constantly growing. So at what
point do we declare the vehicle itself to be the problem?

Viruses are coming in at a sustained rate over 100 times faster than at this
time last year in my organization. Each day we block about one virus for
every two users. We also block several copies per day of viruses for which
AV definitions have not yet been released, even with 3 separate engines
updated hourly and with 3rd-party screening.

As a courtesy, I contact clients and business partners who send us
infections, but this has helped only minimally. Otherwise competent system
admins have been very slow to respond to infections, and have sometimes been
skeptical about the existence of the infection - even when IP addresses in
the message headers have positively proven the source.
- Many admins think that email gateway protection prevents email viruses
from leaving their network.
- Many admins think that email gateway protection prevents email viruses
from entering their network.
- Some admins are baffled when they see their Internet gateway address as
the source of an infection.

We're staying protected pretty well right now but there are always dozens of
scenarios in which this could change very quickly. There are many ways to
mitigate the risks, and we are continuously increasing the depth of our
protection. Application whitelisting can go a long way in preventing
internal infections. 3rd-party screening options are getting better. But
email is looking less and less useful as a business communication vehicle
all the time.

The viruses that are in common circulation right now use very traditional
vehicles - plain old attachments with various executable extensions,
sometimes inside a Zip archive. Their social engineering has been wildly
successful, even to the point of getting users to actively type a password
in order to become infected. What happens when a less filterable virus uses
equally good social engineering? Several potentially executable attachment
types are commonly allowed through email gateways. There are many tricky
methods of putting a virus in an email message without showing an
attachment, and users have repeatedly shown their vulnerability to hostile
website links.

At the same time as the massive increase in viral activity, we have lost
most of our ability to anticipate threat levels.

MessageLabs - formerly a great site for real-time email virus intelligence.
Statistics have been outdated for over a month, and have appeared completely
dead for about a week. Virus volumes in the millions per day appear to be
the problem - they have repeatedly overwhelmed the counters.
Direct AV vendors - virus descriptions and some virus detections appear to
lag by around 12 hours. I guess they have had to raise the bar on what
constitutes an emergency, so their techs can get some sleep once every few

Many AV web sites have given very slow response for me over the past few
days, and definition updates have periodically failed. MyDoom.G, if it
becomes widespread, may add to these problems by DoSing Symantec.

Virus alerts to end users have lost most of their impact because of the
sustained volume of new viruses that have taken hold over the past weeks.
The names, characteristics, and consequences of the viruses are repetitious
and are of little value to anyone except for forensic purposes.

The only email virus alerts worth conveying to users at this point are
really completely generic:
- Email viruses are rampant beyond what we have ever seen before, and this
is likely to be a permanent condition.
- Common viruses are using too many possible subject and message body
combinations to memorize.
- Attachments are often not what they appear to be.
- Many past email viruses could infect without any visible attachment, and
we may see this again.

Recommendations to email users:
- Do be skeptical of all unexpected email from any source.
- Do contact senders and recipients by phone to confirm potentially
important messages.
- Do contact IT when there is still doubt.
- Do disconnect from the Internet and the LAN if you suspect infection, and
contact IT.
- Don't open email unless you have high confidence it is legitimate -
confirm with the sender whenever there is a question.
- Don't open attachments unless they can be confirmed by the sender.
- Don't open "delivery failed" messages. Contact the intended recipient to
confirm delivery.
- Don't feel safe just because you run current anti-virus software.
- Don't be sure your outgoing messages are received and read, or that their
attachments arrived intact. Confirm with the recipient (this does not mean
return-receipt requests).

In my organization our policies allow some additional recommendations:
- Do minimize non-business email communication at work.
- Don't access personal email accounts from the company network.

Here is a rough breakdown of our incoming email, before any filtering:
70% spam
10% non-business personal email
7% newsletters, etc
6% business email
5% virus-generated mail
2% NDRs and bogus virus rejections

Of course we filter heavily so end users don't see these percentages in
their inboxes.

Two years ago we used filtering to remove the garbage from the gold. Now we
are digging through a garbage dump trying to find anything that might be
worth keeping.

Any ideas outside the email box?
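Two of the gateway tasks mentioned above lend themselves to a small script: reading the Received chain to find the address that actually connected to our gateway (the "positively proven" source worth quoting when notifying a partner), and screening attachments for executable extensions, including inside Zip archives and including the password-protected archives users have been talked into opening. The following is an added example written for this page, not code from the original post or from any product it names; the sample message, the 192.0.2.0/24 "our network" range, the extension list, and the helper that builds the archives are all constructed assumptions.

```python
"""Gateway triage for one message: trace the connecting IP and screen attachments.
Added example; the message, network range and extension list are constructed."""
import io
import os
import re
import zipfile
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Assumed list; the post only says "various executable extensions".
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Assumed: our gateway and internal relays live in the 192.0.2.0/24 documentation range.
OUR_NETWORK_PREFIX = "192.0.2."

# The bracketed literal IP an MTA records in "Received: from host (host [a.b.c.d]) by ...".
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def origin_ip(msg: EmailMessage) -> Optional[str]:
    """Return the first IP outside our network in the Received chain.

    Each hop prepends its own Received header, so index 0 was written by our
    gateway. Only headers written by our own servers are trustworthy; the first
    external address they record is the host that connected to us. Anything
    below that hop was supplied by the sender and may be forged."""
    for hop in msg.get_all("Received", []):
        match = RECEIVED_IP_RE.search(hop)
        if match and not match.group(1).startswith(OUR_NETWORK_PREFIX):
            return match.group(1)
    return None


def _zip_findings(name: str, data: bytes) -> List[Tuple[str, str]]:
    """Inspect archive members without extracting them."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member_ext = os.path.splitext(info.filename)[1].lower()
                if info.flag_bits & 0x1:  # general-purpose flag bit 0: member is encrypted
                    findings.append((name, f"password-protected member {info.filename}"))
                elif member_ext in EXECUTABLE_EXTENSIONS:
                    findings.append((name, f"executable member {info.filename}"))
    except zipfile.BadZipFile:
        findings.append((name, "unreadable zip archive"))
    return findings


def suspicious_attachments(msg: EmailMessage) -> List[Tuple[str, str]]:
    """List (filename, reason) for every attachment the gateway should hold.
    splitext() keeps the last extension, so "invoice.txt.exe" is still caught."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(name)[1].lower()
        payload = part.get_payload(decode=True) or b""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append((name, "executable extension"))
        elif ext == ".zip" or payload.startswith(b"PK\x03\x04"):  # also catches renamed zips
            findings.extend(_zip_findings(name, payload))
    return findings


def build_zip(member: str, data: bytes, mark_encrypted: bool = False) -> bytes:
    """Constructed sample archive. zipfile cannot write encrypted members, so the
    encrypted flag (bit 0 of the general-purpose flags) is patched into the local
    file header (offset 6) and the central directory entry (offset 8) by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        raw[raw.find(b"PK\x03\x04") + 6] |= 1
        raw[raw.find(b"PK\x01\x02") + 8] |= 1
    return bytes(raw)


def build_sample_message() -> EmailMessage:
    """Constructed message resembling the mass-mailer traffic the post describes."""
    msg = EmailMessage()
    # Newest hop first, as in a real message: our relay, then our gateway's record
    # of the external host that connected, then a hop we cannot verify.
    msg["Received"] = "from mx.ourcorp.example (mx.ourcorp.example [192.0.2.10]) by hub.ourcorp.example"
    msg["Received"] = "from partner-pc.example.net (unknown [203.0.113.77]) by mx.ourcorp.example"
    msg["Received"] = "from trusted.example.org ([198.51.100.9]) by partner-pc.example.net"
    msg["From"] = "someone@partner.example.net"
    msg["To"] = "user@ourcorp.example"
    msg["Subject"] = "delivery failed"
    msg.set_content("The password for the attached archive is 12345.")
    msg.add_attachment(build_zip("invoice.txt.exe", b"MZ-constructed"),
                       maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(build_zip("photo.jpg", b"\xff\xd8", mark_encrypted=True),
                       maintype="application", subtype="zip", filename="photos.zip")
    msg.add_attachment(b"MZ-constructed", maintype="application",
                       subtype="octet-stream", filename="document.pdf.scr")
    return msg


if __name__ == "__main__":
    sample = build_sample_message()
    print("connecting host:", origin_ip(sample))
    for filename, reason in suspicious_attachments(sample):
        print(f"hold {filename}: {reason}")
```

The script deliberately stops at the first external hop: the 198.51.100.9 header further down was written by a machine we do not control, so it proves nothing, which is the point made above about the gateway's own log of the connecting IP being the convincing evidence. The regex takes the first bracketed IP in a header, which is the common MTA layout but not a guarantee; a production filter would parse the `from` clause properly.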
