E-mail gateway works too well

Whenever a new virus appears, I worry that it will be clever, elegant -- and a headline on the nightly news. That combination means that everyone in management will want to know what's going on before we know ourselves. That happened before with SQL Slammer. But with the recent Mydoom virus outbreak, our own protective systems became the publicity machine that created a companywide panic.

You know a virus is fast-spreading when it goes by many names. Mydoom spread so quickly that the antivirus companies didn't have time to communicate with one another, so they all worked in parallel to analyze it and publish fixes. This virus was dubbed Mimail.R and Novarg before the Mydoom.A moniker finally stuck.

For the first few hours after the attack began, I remained blissfully unaware, as I slept while our team in the first time zone dealt with it. But I could tell something was up when I awoke and fired up my BlackBerry, which buzzed with e-mails and status updates.

The Mydoom virus isn't particularly clever; it spreads by sending executable files via an e-mail message that asks the recipient to run the code attachment. Once run, the virus copies itself to everyone on the user's e-mail address list. It also disables access to various Web sites you might use to clean up the infection and infects other files using the Kazaa file-sharing program.

But its only clever tactic is pretending to be a system-generated error message. Administrators can't block such messages as a group because the legitimate ones carry important information. Mydoom uses a normal .exe, .scr or .pif file to spread and is sometimes hidden within a .zip file. I'd expect this kind of file to be held by any company's e-mail gateway. It was by ours, and we expected this to be another storm we'd weather easily. Not so.

Friendly Fire

We're part of a wider group of financial services companies, and one of our sister companies suffered a major infection while I was sleeping. Due to the size of every user's e-mail message stores and the myriad places that an infected e-mail can hide, virus issues can keep flaring back up well after we think they're under control.

Someone in the other company apparently added a second e-mail route that delivered the virus to other internal users, bypassing the normal antivirus checks. Once these users opened their messages, the virus e-mailed users on their network -- and ours. Then, of course, some recipients on the other company's network opened it, causing another cascade of infections.

Fortunately, we were saved by my predecessor's paranoia. He had arranged to route all e-mail -- even from sister companies -- through our antivirus gateways. The reports flooding in from the Internet showed this was the fastest-spreading e-mail infection ever, with over 1.2 million infected machines in the first 12 hours, yet we had dodged the bullet with zero infected machines on our network.

But we didn't come away entirely unscathed. As the gateways intercepted each infected e-mail, they issued warning messages and routed them to the intended recipients. We do this because some file or macro viruses infect legitimate files from a sender. We let the recipient know that we intercepted the message so they can alert the sender. Otherwise, the sender might keep repeating the same action.

With the millions of messages flying around the Internet, we had tens of thousands of infected e-mails coming into our network each day, and individual users were receiving hundreds of notifications.

It would be better to warn users of blocked messages only when the suspected virus is known to infect real files. Sadly, although viruses like Mydoom don't infect real user data, we can't turn off alerts for just one virus.

We pushed out a warning on our intranet saying that these messages could be ignored, but we still received a flood of calls. People all wanted to know the same thing: "This message you sent that says you stopped the virus, does that mean that you stopped the virus?" As soon as we answered one call, the phone would ring again.

Although our message was clear, users were worried because the alarming messages were coming from our own servers. As the day wore on, more and more people came into their offices across the world, saw the pile of warning messages from the e-mail antivirus gateway and immediately called us.

Soon, we couldn't cope with the volume of calls, and we didn't have an automated system to answer common queries. The calls kept coming. "But I don't know the person who sent me this," users said. "That's right, the e-mail source and destination are spoofed by the virus," we stated over and over.

In the end, we weren't doomed by the virus, and our protections saved us from the ravages of the infections. But those normally useful warning messages condemned us to providing long-winded explanations to all of our users. It was almost enough to make me miss the buzz of fighting a fast-moving infection.

At this point, we need to go back to the drawing board on how we generate alert e-mails. We don't want staff to miss vital alerts, but we don't have the resources or the patience to explain them to hundreds -- or thousands -- of users who call in. And our users don't want to be bothered by unnecessary, worrying e-mails.
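The notification problem described above (and the per-virus switch the author wishes he had) is essentially a policy decision: tell the recipient about an intercepted message only when that tells them something useful, and avoid the hundreds-per-user flood. The following is an added example of such a policy, not code from the column or from the (unnamed) gateway product it describes; the class and function names, the signature strings and the sample detections are all constructed for illustration.

```python
"""Recipient-notification policy for an e-mail antivirus gateway.

Added example for the alerting problem described in the column; it is not the
gateway's own code (the product is never named) and every name, signature
string and sample detection below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

NOTIFY, DIGEST, SUPPRESS = "notify", "digest", "suppress"


@dataclass(frozen=True)
class Detection:
    signature: str        # vendor detection name as reported by the scanner
    recipient: str        # internal user the message was addressed to
    envelope_sender: str  # claimed sender (forged by mass-mailing worms)
    timestamp: float      # seconds since epoch


# Hypothetical classification table. Mass-mailing worms forge the From: line,
# so telling the recipient "X sent you a virus" only misinforms them (the
# "I don't know the person who sent me this" calls). Several vendors mark such
# worms with an "@mm" suffix; the explicit set covers names that lack it.
KNOWN_MASS_MAILERS = {"W32/Mydoom.A", "W32/Novarg.A", "W32/Mimail.R"}


def is_mass_mailer(signature: str) -> bool:
    """True when the detection is a header-forging mass mailer."""
    base, _, suffix = signature.partition("@")
    return suffix.lower() == "mm" or base in KNOWN_MASS_MAILERS


class NotificationPolicy:
    """Decide whether a recipient is told about an intercepted message.

    * mass-mailer worm -> SUPPRESS (log only; the sender is spoofed, so the
      recipient cannot usefully alert anyone)
    * first hit of a signature for a recipient within the window -> NOTIFY
      (file or macro infectors may mean the sender's real documents are
      infected, and the recipient should tell them)
    * further hits of that signature within the window -> DIGEST (collected
      for one summary mail instead of hundreds of individual notices)
    """

    def __init__(self, window_seconds: float = 3600.0):
        self.window = window_seconds
        # (recipient, signature) -> timestamp of the last NOTIFY decision
        self._last_notice: dict = {}
        # recipient -> detections deferred into the next digest
        self.digest = defaultdict(list)

    def decide(self, d: Detection) -> str:
        if is_mass_mailer(d.signature):
            return SUPPRESS
        key = (d.recipient, d.signature)
        last = self._last_notice.get(key)
        if last is None or d.timestamp - last >= self.window:
            self._last_notice[key] = d.timestamp
            return NOTIFY
        self.digest[d.recipient].append(d)
        return DIGEST


def process(detections, policy=None):
    """Run the policy over a batch; return (counts per decision, policy)."""
    policy = policy or NotificationPolicy()
    counts = {NOTIFY: 0, DIGEST: 0, SUPPRESS: 0}
    for d in detections:
        counts[policy.decide(d)] += 1
    return counts, policy


# Constructed sample: one user hit by three mass-mailer copies (all with
# forged senders) and three copies of a hypothetical macro virus.
SAMPLE = [
    Detection("W32/Mydoom.A@mm", "alice@example.com", "bob@example.net", 0.0),
    Detection("W32/Mydoom.A@mm", "alice@example.com", "carol@example.org", 60.0),
    Detection("W32/Novarg.A", "alice@example.com", "dave@example.com", 120.0),
    Detection("W97M/ConstructedMacro.A", "alice@example.com", "erin@example.com", 200.0),
    Detection("W97M/ConstructedMacro.A", "alice@example.com", "erin@example.com", 260.0),
    Detection("W97M/ConstructedMacro.A", "alice@example.com", "erin@example.com", 3900.0),
]

if __name__ == "__main__":
    counts, policy = process(SAMPLE)
    print(counts)  # the macro virus is reported twice, the worms never
    for user, deferred in policy.digest.items():
        print(f"{user}: {len(deferred)} intercepted message(s) held for digest")
```

With the sample batch, the two Mydoom copies and the Novarg copy are suppressed outright, the first macro-virus hit produces a notice, the second (one minute later) is deferred into a digest, and the third (more than an hour later) is reported again. Keeping the classification in a data table rather than in the scanner's global "notify recipient" switch is what gives you the per-virus control the column says was missing.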
