Figure 9.2 The Internet Mail Service.

Figure 9.3 Internet Mail Service tab.
The Clients support S/MIME signatures check box allows clients to exchange encrypted MIME attachments to ensure security. The E-Mail Domain button allows us to specify the e-mail domains in which we use attachment encoding. This means that if we have more than one mail domain, we can choose MIME encoding for one and UUENCODE for another.
The Connections tab (see Figure 9.4) is another place that we should look to configure the IMS properties.
Connections from other servers can be secured on this tab. We can specify that hosts connecting to the server must use authentication and encryption. We can also specify whether the hosts are relay hosts that are used to get e-mail to our server. One of the better-known spamming techniques involves using relay hosts to trick e-mail servers into accepting unsolicited e-mail. Through the Specify by Host button, we can accept or block e-mail from specific hosts that are known relay hosts, thereby stopping spam from that avenue. Figure 9.5 shows the Specify by Host option screen, where we enter the TCP/IP address of the host that we wish to block.

We can also block e-mail from specific e-mail addresses, and even entire domains, by using the Message Filtering button shown in Figure 9.6.
Figure 9.4 IMS Connections tab.

Figure 9.5 Specify Hosts to block e-mail delivery.

Figure 9.6 Message Filter blocks mail from specific domains and users.
Further security can be applied by setting restrictions on which mail is routed through the Exchange infrastructure. Conditions can be applied to determine if mail should be routed through the network, via the Routing tab and the Routing Restrictions button (see Figures 9.7 and 9.8). This serves three purposes: it prevents relaying, because only recipients in the Exchange Global Address Book will receive messages; it allows the appropriate e-mail to be sent to the appropriate party; and it ensures that Internet e-mail is coming from only one source, making the bridgehead server running IMS the single point of contact to the Internet. It's a lot easier to protect one server from Internet attack than it is to protect several.
Securing the Windows NT/2000 server where the Exchange Server resides does not guarantee privacy and safety from virus attacks. In fact, the methods described here should go hand in hand with the methods used to secure the NT/2000 machine. A recent Microsoft white paper written on the Melissa virus attack of March 1999 provides some insight into the true nature of the types of viruses that Windows-based applications are susceptible to. These viruses are known as macro viruses and Trojan horse viruses.
Figure 9.7 Routing tab determines whether e-mail is accepted into the network.
Macro viruses are pieces of code embedded in macros that replicate when the macro they are hidden in is run. Macro viruses change how the infected macro or application works. Macro viruses usually infect Microsoft Word documents or Excel spreadsheets and become active if a user has macros enabled in these applications and opens an infected document.

A Trojan horse is a malicious bit of code embedded in an otherwise useful program that is also activated when the program is run. Trojan horses do not replicate to other programs as viruses do.

Worms like the Love Letter virus infect and replicate by replacing important files with replicas of themselves, often renaming the original files in the process. If the infected system is shared, then the worm can infect new users over a network. Worms are the most dangerous threats to date because of their ability to totally replace important system files, making their recovery difficult or nearly impossible.

Most of today's macro viruses and Trojan horses that attack Windows-based systems are written using Visual Basic for Applications (VBA) and are not visible when you look for the code in the applications by viewing the macros. In order to see them, you have to launch the Visual Basic Editor program.

Figure 9.8 Routing Restrictions determine which specific hosts or networks can route mail.
In this chapter we will discuss the likely avenues of virus attacks, the myths and realities surrounding virus attacks, and what we have learned from the recent attacks that have plagued Exchange mail infrastructures. We will look at Exchange Server maintenance and tips and tricks used in sewing up any security holes on a Microsoft Exchange Server.
Exchange and Virus Attacks: Myths and Realities
Microsoft Exchange is an industry-leading e-mail, collaboration, and groupware application. Exchange uses Remote Procedure Calls (RPC) as the backbone of its communication infrastructure. RPCs provide excellent performance and security in a messaging system. However, the security is not foolproof. Exchange, like all other Microsoft products, is susceptible to attack from macro viruses, Trojan horses, and VBScript worms. That being said, we will examine some of the misconceptions and truths about Exchange Server security.
The most common misconception is that these viruses are somehow capable of activating themselves automatically with no user intervention. This would mean that all you would have to do to get a virus is open a virus-infected e-mail message. This is not the case. In fact, there is no virus yet found that is capable of self-activation without some form of user intervention. Most, if not all, viruses must be launched or activated by an end-user opening an attachment and running a macro or some other infected application. Furthermore, viruses will not run until a user actually opens the attachment. A similar myth is that e-mail viruses can exist as text in e-mails. This again incorrectly suggests that it is possible to become infected with a virus by simply opening e-mail. E-mails have simply become the new medium for virus attacks because they are ubiquitous. However, it is important to remember that it is the attachment in an e-mail message that may pose the threat to your systems, and not the e-mail itself, as shown in Figure 9.9.

In the past, before e-mail became a worldwide communication medium, the floppy disk was the usual method of virus transfer. Now it is much easier for someone to start the ball rolling by sending e-mail with a virus-infected attachment.
The third misconception we will look at is that a single virus can affect applications on any operating system. This is true in only one instance, that of Microsoft Word macro viruses. Viruses are usually operating-system specific. A virus program written to affect Windows-based systems will not function on a Macintosh and vice versa; the virus code that each virus is written in means nothing to an operating system other than the one it was written to attack. As Java programming is exploited further, a virus that transcends operating systems may appear. However, the facts about viruses mentioned here still hold true.
Myths about e-mail viruses are, most of the time, the greatest source of damage to e-mail infrastructures. The Internet is replete with one virus hoax after another, similar in tune to the three misconceptions discussed. End-users, in an attempt to be helpful, often shut down major components of their organizations' e-mail infrastructure by bombarding their networks with broadcast e-mails warning of viruses that in the end turn out to be hoaxes. The sheer number of e-mails going to, and coming from, servers often causes them to lock up and even crash. They bring about the same result that they were trying to prevent, and e-mail servers have to be shut down.

Exchange administrators may think that the only thing they need do to prevent a virus attack is to find good anti-virus software and install it on their Exchange Servers. This is only one step in ensuring a virus-free e-mail system. True, most Exchange Server mail systems are connected to the Internet in some way and are thus susceptible to attack from outside. However, there is as much danger of being infected from inside the organization as there is from the outside. Poor security policies, inadequate planning, and under-educated end-users are significant sources of pain and countless hours of recovery work for IT departments.

Figure 9.9 E-mail with Love Letter virus-infected attachment.
Learning from Recent Attacks

Every day a new virus is created somewhere in the world. The fact that new virus threats, some of which are capable of shutting down an entire organization's mail system, appear daily keeps the major anti-virus companies working around the clock. However, their efforts alone cannot ensure the continued functioning of all the e-mail systems everywhere. It is the duty of IT departments to learn from previous virus attacks and develop strategies to prevent further attacks and deal with attacks as they arise.
The March 1999 attack of the Melissa virus found many corporations surprised by how vulnerable their networks were to the Microsoft Word macro virus. The Melissa virus had the unusual ability to spread itself through e-mail, forcing companies to disable portions of their e-mail systems to prevent further propagation both inside and outside. The virus spread by sending itself as an attachment that it e-mailed to addresses that it found in personal address books on Microsoft Outlook mail clients. Because of the speed at which the Melissa virus attacked, Microsoft had to react to the threat in real time to find a solution, all the while maintaining communication with field support and customers. Other organizations may be faced with the same challenges at some point in the future.
To successfully combat virus attacks, IT departments must look at the results of previous attacks and study the methods that worked for affected organizations to see if they can be implemented in their own organizations. The following is an adaptation of a suggested method from the Microsoft Professional Support Services practice:
Develop an Escalation Plan. The Escalation Plan should include a list of all parties that must be contacted if a virus has been detected. The plan should also include severity levels and action triggers for each level. Severity levels may be defined by potential risk, business description, or virus type.

Early Detection. The second most important step in combating a virus is early detection. The sooner your company is aware of a potential attack, the sooner your company can react. Unfortunately, the speed at which new viruses are created makes it virtually impossible for virus protection software companies to keep customers updated with new virus protection and/or even alerts to new viruses. Lately, many of the big viruses that have been created receive global attention via the traditional media, in addition to anti-virus software Web sites. Many companies must accept the burden of researching new viruses and finding out any potential impact to their infrastructure.
Designate a specific team of individuals to deal with the situation. The next phase is to assemble an anti-virus team. This team should have representatives from the following areas: help desk, operations, desktop development and deployment, messaging development and deployment, networking support, security, and an authorized executive. Each representative needs to have at least one backup and be available 24 hours a day, 7 days a week. We realize that not all IT departments are this well staffed, but it is suggested that you cover all these bases with the staff available to you.
Contain/quarantine the infection. The team's first responsibility is to immediately stop the spread of infection. If a messaging system, file transfer, or a Web site is transporting the virus, these systems need to be identified and neutralized. Neutralizing a system may mean taking the system off-line or copying data to a safe location (repository) for further analysis (see Figure 9.10). It is extremely important to understand the virus. Does it destroy data or applications? Can it replicate or copy itself? How is it transported? Almost all of the anti-virus software companies, as well as other organizations dedicated to defending against viruses, publish details about known viruses on their Web sites.
Figure 9.10 Repository Server set up to scan e-mails for viruses during an attack. (Diagram: e-mail coming in from the Internet arrives at the Exchange server running Internet Mail Service, which connects the organization to the Internet. The normal e-mail route goes to the internal Exchange servers; in the event of a virus attack, e-mail is diverted to a repository server equipped with anti-virus software for scanning, and virus-free e-mail is then transferred to the internal Exchange servers.)
Communicate with users. Once the virus spread has been neutralized, you must keep regular contact with administrators and end-users. Communication should include a status update, as well as steps that need to be taken to avoid and remove the virus. Having a well-defined communication procedure, such as who to contact, enables your team to communicate faster, reducing the spread of the virus.

Clean up the system. After you have stopped the spread of the virus, it is time to remove the virus from any system that may be already infected. The first step in accomplishing this is to identify the tools that you have available. These tools can be any of the following: standard file-based scanning utilities, product-specific utilities, or custom utilities created by virus protection software vendors. Some Exchange experts recommend using the same anti-virus software brand for your mail systems as you use for your file and print systems; this gives you uniform expectations from your anti-virus software. After you identify the proper tools, they need to be tested and distributed to the proper locations.
Review the process and procedures. Once the tools have been run, and the virus has been cleaned up from the system, send additional information to administrators and the end-user community. The communication should reiterate the importance of the message, detail any necessary steps, and provide an escalation path. Now that the initial threat has been neutralized, it is necessary to have a post-mortem meeting with your anti-virus team to review important items, such as lessons learned, areas for improvement, documentation of any adjustments or changes to the operating environment, further actions that need to be taken, and reporting. This meeting should take place as soon as possible after the incident to ensure knowledge capture.

Learning from others' circumstances allows you to plan better for emergencies when they arise. Let's look at a case study and see what we can learn from it.

Case Study: Preparing for Virus Attacks
The IT staff of NAS Inc. has been commissioned by the CIO to ensure that their network is safe from virus attacks. NAS Inc. employees depend heavily on Microsoft Exchange Server 5.5 and Outlook for coordinating their daily activities. The company strives to maintain a paperless work environment. Minimum downtime is critical, so the plan to protect the organization should be as complete as possible, covering all areas of concern. Table 9.1 offers helpful suggestions in developing a contingency plan for preventing and combating virus attacks.
Table 9.1 Virus Response Procedures

Responsible parties:
Senior administrators, network support staff
Senior administrators (for example, Exchange administrators) and IT manager
Senior administrators, development staff, possibly network support staff
All IT staff
All company staff

Procedures:
1. Trace virus to source, remove virus from system, and alert other administrators.
2. Scan servers/network access points to locate and identify virus, and notify IT manager.
3. IT manager alerts all staff and implements quarantine strategy.
4. Determine if virus can be removed or rendered inactive, and remove/deactivate virus.
5. IT manager notifies all staff that virus has been removed.
6. IT staff does follow-up to ensure infection does not recur, and performance is evaluated.

In this case, Ed in Accounting has reported a problem with a Microsoft Excel spreadsheet that he's been working with. His totals are not being calculated by the Excel macro set up to perform that function. Ed contacts the desktop support staff and a representative arrives at his desk.

After doing some checking, the representative establishes that Ed's spreadsheet may be infected by a macro virus. Ed informs the representative that he got most of the data for this spreadsheet from an e-mail he got from Barbara, a field rep in Sales. The representative updates Ed's virus protection software and scans Ed's computer to remove the virus. The representative then alerts the rest of the desktop support staff to ensure that the infection has not surfaced somewhere else. The rep then calls Barbara to alert her that she may have passed a virus infection to Ed and to request that she bring her computer in for scanning. The rep also asks Barbara whether she exchanged any e-mails with attachments with anyone else at NAS. Barbara replies that she sent e-mails to three other people in the company: Bob in Sales, her manager John, and VP of Marketing Jim, but that the only e-mail she received was from her sister Sue. In it there was a spreadsheet with prices of vacation packages they were considering.

The representative thinks that this spreadsheet is possibly the source of the virus infection and asks other support staff members to perform updates and scans on Barbara's three e-mail recipients. On reaching Jim's office, the desktop support staff finds out from him that he just e-mailed a spreadsheet based on data he received from Barbara to the entire company. The staff members immediately escalate the matter to the senior IT staff with the suspected identity of the virus. The senior administrators confirm the identity of the virus and notify the IT manager. The IT manager immediately sends out a broadcast e-mail asking everyone not to open the previous e-mail sent by Jim. He then confers with his senior staff to find out whether the current anti-virus software implemented is up to date and if it can handle the virus in question. The staff researches the virus and checks all servers and network access points to ensure that the virus protection is up to date. They report to the IT manager that one of the Exchange servers wasn't running the most current version of anti-virus software. The server is immediately updated and quickly rebooted and is now secure.

Now that the servers are secure, the IT manager schedules the IT staff to perform manual updates and scans of all employee computers. After a week, all employee computers (including Barbara's) are running updated virus protection and are free from infection. The IT department does a follow-up scan of all servers and computers for the next month to ensure that infection has not recurred.
A meeting is scheduled to streamline the response to future incidents. You are present in the meeting. What has the recent attack taught you? Where would you make changes or improvements to the process?
Exchange Maintenance
This section introduces Exchange Server service packs and add-ins that provide enhanced scanning and cleaning utilities. These utilities work with the Exchange Server Information Store to detect and remove viruses to keep infections from spreading.
Service Packs

Like Windows NT/2000 service packs, Exchange Server service packs update and enhance functionality. Exchange Server 5.5 Service Pack 3 (SP3) is the definitive anti-virus enhancement for Microsoft Exchange Server.

Like other e-mail and groupware applications, Exchange has a proprietary e-mail storage structure. This makes it virtually impossible for conventional file-scanning anti-virus software to effectively scan and remove viruses from Exchange. Any attempt to scan e-mail attachments must be made at the Message Transfer Agent (MTA) component of an e-mail system, on the way to or from the mail storage database. This not only prevents viruses from spreading to other users within the system, it also prevents infection of e-mail going out to other users on the Internet. However, this does not work for Microsoft Exchange. Microsoft has not included a protocol to enable scanning of e-mails at the MTA level. How then can e-mail on an Exchange Server be scanned?
Exchange Server 5.5 SP3 includes a module, an Application Programming Interface (API), that works with third-party virus protection software (see Figures 9.11 and 9.12) to communicate with the Exchange Server Information Store at a very low level. The API provides only the virus-scanning interface, not an entire virus-scanning solution. The SP3 module is an efficient way to scan and clean attachments, with the additional ability to quarantine a message that contains a virus when there is currently no way to clean the message. The message is kept in Exchange Server and marked as inaccessible until the anti-virus software using the interface is updated to clean the virus. By using this component, anti-virus software manufacturers can guarantee Exchange users that e-mail clients will not be able to read a message before it is scanned. This capability offered in the service pack is not otherwise guaranteed by anti-virus products for Exchange Server.
The API works by allowing anti-virus software to work through the Exchange Information Store. The Exchange Information Store checks the Registry keys for the API to ensure that it is enabled. It also checks the Registry (see Figure 9.13) for the anti-virus software to ensure that the correct dynamic link library (DLL) for the software is loaded.
When either new e-mail with an attachment is created, or an existing attachment is opened, modified, and saved, two processes are started in the Information Store. The first process is a queuing of attachments that have not been scanned, to be scanned by the anti-virus software. The second process is a background scan of all attachments in the Information Store. The attachments are examined to ensure that they have been scanned. Any attachment that was not scanned is submitted for scanning. Once all the attachments have been scanned, this background scan stops until one of the triggering conditions occurs again or the Information Store is restarted.

Popular anti-virus software such as Trend Micro's ScanMail and Symantec's Norton AntiVirus for Exchange take full advantage of the new anti-virus API module in SP3, much to the relief of administrators. These packages enjoy much support worldwide.
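To make the two processes and the access rule above concrete, here is a small Python model of the behaviour the text describes. It is an added illustration, not Microsoft's API or any vendor's scanning DLL: the Scanner class, the INFECTED-MARKER byte pattern and the attachment contents are constructed for the example. It shows a client being refused an attachment that is queued but unscanned, an uncleanable attachment held as inaccessible, and the re-scan that releases it once an updated scanner can clean it.

```python
from collections import deque
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Verdict(Enum):
    CLEAN = "clean"
    CLEANED = "cleaned"
    UNCLEANABLE = "infected, no cleaner available yet"


@dataclass
class Attachment:
    name: str
    data: bytes
    scanned: bool = False      # False until the scanner has seen this version of the data
    quarantined: bool = False  # True when infected and the scanner cannot clean it yet


class Scanner:
    """Stand-in for a vendor scanning DLL (an assumption for this example).
    signatures maps a byte pattern to a cleaner callable, or to None when the
    pattern can be detected but not yet cleaned."""

    def __init__(self, signatures: Dict[bytes, Optional[Callable[[bytes], bytes]]]):
        self.signatures = signatures

    def scan(self, att: Attachment) -> Verdict:
        for pattern, cleaner in self.signatures.items():
            if pattern in att.data:
                if cleaner is None:
                    return Verdict.UNCLEANABLE
                att.data = cleaner(att.data)
                return Verdict.CLEANED
        return Verdict.CLEAN


class InformationStore:
    """Model of the SP3 gating rule: no client reads an attachment before it is scanned."""

    def __init__(self, scanner: Scanner):
        self.scanner = scanner
        self.attachments: Dict[str, Attachment] = {}
        self.queue: deque = deque()   # process 1: attachments waiting for a scan
        self.background_due = True    # process 2: a full pass over the store is owed

    def save(self, att: Attachment) -> None:
        """Creating a new attachment, or saving a modified one, starts both processes."""
        att.scanned = False
        self.attachments[att.name] = att
        self.queue.append(att.name)
        self.background_due = True

    def _scan(self, att: Attachment) -> None:
        verdict = self.scanner.scan(att)
        att.scanned = True
        att.quarantined = verdict is Verdict.UNCLEANABLE

    def process_queue(self) -> int:
        """Process 1: scan queued attachments; returns how many were scanned."""
        count = 0
        while self.queue:
            att = self.attachments[self.queue.popleft()]
            if not att.scanned:
                self._scan(att)
                count += 1
        return count

    def background_scan(self) -> int:
        """Process 2: catch anything still unscanned, then idle until save() or restart()."""
        if not self.background_due:
            return 0
        count = 0
        for att in self.attachments.values():
            if not att.scanned:
                self._scan(att)
                count += 1
        self.background_due = False
        return count

    def restart(self) -> None:
        self.background_due = True   # a store restart re-arms the background pass

    def update_scanner(self, scanner: Scanner) -> None:
        """Updated signatures: quarantined items go back to unscanned so the next pass retries them."""
        self.scanner = scanner
        for att in self.attachments.values():
            if att.quarantined:
                att.scanned = False
                att.quarantined = False
        self.background_due = True

    def open_attachment(self, name: str) -> bytes:
        """What a client sees: the data only once scanned and not quarantined."""
        att = self.attachments[name]
        if not att.scanned:
            raise PermissionError(f"{name}: not yet scanned, inaccessible")
        if att.quarantined:
            raise PermissionError(f"{name}: quarantined until the scanner can clean it")
        return att.data


def demo() -> List[str]:
    """Walk the lifecycle from the text; returns what a client observed at each step."""
    seen: List[str] = []
    store = InformationStore(Scanner({b"INFECTED-MARKER": None}))  # constructed pattern, no cleaner yet
    store.save(Attachment("report.xls", b"clean spreadsheet bytes"))
    store.save(Attachment("memo.doc", b"prefix INFECTED-MARKER suffix"))
    try:
        store.open_attachment("report.xls")           # queued, not yet scanned
    except PermissionError as err:
        seen.append(str(err))
    store.process_queue()
    seen.append(store.open_attachment("report.xls").decode())
    try:
        store.open_attachment("memo.doc")             # scanned, but quarantined
    except PermissionError as err:
        seen.append(str(err))
    store.update_scanner(Scanner({b"INFECTED-MARKER": lambda d: d.replace(b"INFECTED-MARKER", b"")}))
    store.background_scan()                            # re-scans the quarantined item
    seen.append(store.open_attachment("memo.doc").decode())
    return seen
```

Running demo() walks the four client observations in order. The scanner runs inside the store's own process in the real design, which is why the sidebar below warns that latency introduced by the scanning DLL is hard to separate from the store's own.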
Figure 9.11 ScanMail interacts with Exchange Server 5.5 SP3 API.

Figure 9.12 Norton AntiVirus for Exchange also uses the SP3 API.

Figure 9.13 Anti-virus software Registry values checked during scan.
For IT Professionals: Performance Problems Using an API

Exchange administrators should note that in using the anti-virus API in SP3, performance problems such as inaccessible attachments or increased latency of replication may arise as a result of the architecture of the API and its relation to the anti-virus software being used. The speed at which attachments are scanned depends on the way that the particular anti-virus software's scanning DLL is used. The actual source of the performance problem may be difficult to pinpoint because the anti-virus software's DLL runs in the same process as the Exchange Information Store service.
Plug-ins and Add-ons

Microsoft has published plug-ins and add-on components for Exchange that help combat virus infection and ensure system integrity. These utilities work on the Information Store to access attachments and remove viruses that currently affect the system. They do not protect Exchange Servers from becoming infected.

The viruses that seem to plague Exchange Server systems the most are the dreaded Love Letter worm and Melissa macro virus. As a result, the most widely used add-ons are ISSCAN.exe and the I Love You utility for Exchange.

The ISSCAN utility scans the Exchange Information Store for a virus-infected attachment and removes it. The ISSCAN utility targets attachments infected by the Melissa virus by default; however, it can be configured to search for and remove Love Letter-infected attachments as well. The utility is run at the command line with switches that either record results in a log file, determine whether the Private or Public Information Store is scanned, allow the sender and recipient to be identified, or determine whether to remove the entire message or just the attachment.

The I Love You utility is an even newer utility for removing virus-infected attachments from Exchange. This utility is specific to the Love Letter worm virus and its derivatives. The utility accesses the Information Store and finds and removes virus-infected attachments.

Third-party Add-ons
Microsoft Exchange Server is so widely used that many companies make their fortunes by creating add-on products for Exchange. Most third-party add-ons are either anti-virus tools or security tools designed to protect e-mail and the Exchange Server itself. Major players in the electronic messaging and groupware industry recognize how critical it is for enterprises to be able to communicate freely within and outside the local area network. The tools and utilities they provide are usually developed to conform to the standards of a high-performance messaging platform like Microsoft Exchange Server.
Most, if not all, independent software vendors (ISVs) that produce an add-on for Exchange Server are tested and certified for use by Microsoft. Although most of the ISVs seem to concentrate on protecting an organization's information investment, many of them also offer products that extend the functionality of Exchange Server. A list of third-party software vendors for Microsoft Exchange Server 5.5 is available at www.microsoft.com/Exchange/productinfo/thirdparty.

Exchange uses the Mail Transfer Agent (MTA) to store all messages waiting for delivery, whether they are local to the site or are addressed to a recipient in another organization. The MTA is both a database and a service within Exchange. Sometimes objects representing messages in the MTA may become corrupted, which results in messages being delayed or not delivered at all.
MTACHECK scans the MTA database for corrupt objects and moves the objects to the exchsrvr\mtadata\mtacheck.out directory, where they may be examined at a later time. MTACHECK then rebuilds the MTA database by removing the messages represented by the corrupt objects and refreshing the order of messages in the queue in an attempt to restore it to an uncorrupted state. MTACHECK is normally used to perform regular performance testing on the MTA, or to troubleshoot a problem with the MTA. Most problems related to the MTA result in slow or non-delivery of e-mail. Figure 9.14 shows how the MTACHECK utility is run from the command prompt of an NT server.

Figure 9.14 The MTACHECK utility run from the command line.
The Exchange Information Store is the central repository for all e-mail information. All Public and Private folders are stored in the Information Store. The ISINTEG utility, much like MTACHECK, scans for corrupt items in databases. In this case the ISINTEG utility scans the Information Store. ISINTEG can scan the Information Store in two modes. The first mode is called test mode. This is where the Information Store is scanned to detect any corruption or errors within the Information Store database. A log file called isinteg.pri or isinteg.pub, based on whether the Private or Public Information Store was scanned, is then generated. The second mode is called the patch mode and is activated by adding the -fix switch to the test-mode command sequence (see Figure 9.15). In this mode, ISINTEG repairs the corrupted objects in the Public and Private Information Stores and generates a log file of its completed functions. The test-mode scanning can be performed only on either the Public or Private folders individually. It is incapable of scanning them both simultaneously. The patch-mode scanning, however, can scan and repair corruption or errors in the entire Information Store simultaneously.
Content Filtering
Figure 9.15 ISINTEG utility run from the command line.

In most cases, virus-infected e-mail can be detected by telltale identifiers in the subject or in the message. Content-filtering software can be used to isolate and identify keywords that signal the possibility of virus-infected e-mails. Content filtering deals with what information is allowed into a network, as opposed to firewalls, which are normally concerned with who is allowed into the network. Corporations must not only work to protect against outside hackers breaking into secure networks (access control), they must also work to protect the information that comes into the network via e-mail (content control). This is done through content filtering. (See Chapter 11 for in-depth coverage of content filtering.)
Content filtering is a matter of network and business integrity. Content control is not just about e-mail or virus protection. Content filtering will protect your network from infection by e-mail-borne viruses, from network congestion caused by system misuse, and from loss of network service from spam and spoof attacks. When content filtering is implemented within a corporation's network, loss of information, lost productivity, and exposure to legal liability and confidentiality breaches are minimized, as is damage to reputation through misuse of company e-mail.
Content filtering protects corporations from misuse of e-mail, both from internal employees sending or receiving inappropriate e-mail and from outsiders sending unwanted e-mail to the enterprise. A content-filtering tool filters all e-mail at the server level, before it reaches the intended recipient. E-mail can be filtered based on sender, subject, excessive file size, prohibited content, profanities, corrupted data, and pornographic, racist, or hate e-mails. One of the leading content-filtering tools for Microsoft Exchange is MIMEsweeper by Content Technologies. MIMEsweeper uses a technique called lexical scanning to read every e-mail.
A content-filtering product works with a compiled database (created by Exchange administrators in this case) of keywords that represent a content security risk. When an external e-mail is received, corporations using content-scanning products can reject e-mail that contains words or phrases that have been compiled in the database, by directing the e-mails to a quarantine zone. Once in the quarantine zone, the e-mail can be further dissected to determine the safety and/or validity of the e-mail and its contents. If it is determined that the e-mail is safe, then it is delivered to the intended recipient. If the e-mail is determined to be a security threat or in violation of corporate policy, the e-mail is discarded.
As mentioned earlier, content filtering is widely used as a security measure to protect corporations against secure information being revealed, lawsuits, racist and pornographic material, as well as hate mail, but an additional benefit of content filtering is the ability to help protect against virus attacks. When content-filtering software is deployed on an SMTP mail server, virus attacks can be minimized. Such software uses a keyword search to determine if an attachment containing VBScript commands is contained within the e-mail. If such an attachment is found, the e-mail will be sent directly to quarantine to determine content and further navigation.
Listed below is one typical path that an e-mail message would follow when entering a network that uses content-filtering software:

1. E-mail message is received from the host mail system.

2. E-mail message is broken down into component parts, such as header, body, and attachments. The header is examined for sender and recipients along with other key values that have been previously determined by the system e-mail administrator. The body and attachments are recursively disassembled until the data is in raw form.

3. Upon breakdown of the body and attachments to raw form, data is examined to determine the presence of any security threat, content control, and/or virus attack.

4. If security threats, content control, and/or virus attacks are present, a determination is made for disposal of the e-mail message.

5. Once the e-mail message has been disposed of, the threat no longer exists.
As mentioned earlier, the body and attachments of e-mails are broken down to raw form. This breakdown, also called recursive container disassembly or recursion, provides for high-speed and efficient e-mail breakdown, optimizing a corporation's success rate at stopping viruses before they ever reach the intranet. Recursion is critical in content security. Recursion separates the raw data of the body and attachments from the protocol layers (headers, encoding, and compression) that wrap them within an e-mail. Once data has been broken down to its natural state, content analysis tools offer the best chance of success. This includes any third-party anti-virus tool that is currently on the market. Once the body and attachments have been broken down, the data is scrutinized for content. VBScript commands are easily detected at this level. Information from the compiled database can be used to pull out e-mail and send it to the quarantine area. E-mails may also be rejected if a macro, worm, or Trojan horse virus is detected.
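As an added example that is not part of the original chapter and not any particular content-filtering product's code, the following Python walks the path in steps 1 through 4 above together with the recursive container disassembly just described: the message is split into header, body and attachments, zip attachments are unpacked one level, and each raw leaf is checked against a constructed keyword database, a constructed blocked-sender list and VBScript indicators before the message is routed to delivery or quarantine. The keyword list, sender list, addresses and attachment names are all made up for the example.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage

# Constructed stand-ins for the admin-compiled keyword database, blocked senders and VBScript indicators.
KEYWORDS = {"confidential", "internal use only"}
BLOCKED_SENDERS = {"spammer@relay.example"}
SCRIPT_EXT = (".vbs", ".vbe", ".wsf", ".js")
SCRIPT_MARKERS = ("createobject(", "wscript.shell")

def disassemble(part):  # step 2: recursive container disassembly down to raw leaves
    if part.is_multipart():
        for sub in part.iter_parts():
            yield from disassemble(sub)
        return
    name = part.get_filename() or ""
    data = part.get_payload(decode=True) or b""  # strips base64/quoted-printable
    if name.lower().endswith(".zip"):  # one level of archive unpacking
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                yield f"{name}/{info.filename}", zf.read(info)
    else:
        yield name, data

def classify(msg):  # steps 3-4: ('quarantine', reason) or ('deliver', None)
    sender = (msg["From"] or "").lower()
    if sender in BLOCKED_SENDERS:  # header check from step 2
        return "quarantine", f"blocked sender {sender}"
    for name, data in disassemble(msg):
        text = data.decode("utf-8", errors="ignore").lower()
        if name.lower().endswith(SCRIPT_EXT) or any(m in text for m in SCRIPT_MARKERS):
            return "quarantine", f"script content in {name or 'body'}"
        hit = next((k for k in KEYWORDS if k in text), None)
        if hit:
            return "quarantine", f"keyword '{hit}' in {name or 'body'}"
    return "deliver", None

def zip_bytes(inner_name, inner_data):  # one-file zip archive built in memory
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_data)
    return buf.getvalue()

def build_sample(sender, attachment_name, attachment_bytes):  # step 1: constructed inbound message
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.com", "Report"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return email.message_from_bytes(msg.as_bytes(), policy=policy.default)
```

A real deployment would replace the keyword and sender sets with the administrator's compiled database and hand the raw leaves to the anti-virus engine as well; the routing decision is the same.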
System administrators are able to assign numerous quarantine areas. The quarantine areas can be assigned based on file size, sender name, subject, compiled database keywords, encrypted messages, recursive breakdown with virus present, or even junk e-mail. Once the e-mails have reached quarantine, it is the system administrator's responsibility to determine further action. Protocol standards will have been established prior to e-mail being forwarded to quarantine, to determine best practice. In most cases, all e-mail received in quarantine is disposed of without further hesitation. Content-filtering software can be configured to add legal disclaimers, automatically archive e-mail, or generate information messages. These messages can be sent to the intended recipient within the network to advise of quarantined e-mail, or a log file can be created to assist in adding further information to the compiled database for future use.
When content-filtering software is used, e-mail liability is reduced. Corporations can take a more relaxed view toward the type of e-mail that is flowing into and out of the network. This affords obvious benefits to every company. At the lowest level, content filtering protects against unwanted e-mails being distributed to employees from external sources. Junk e-mail is minimized, to the point of almost non-existence, which reduces slow response times within the intranet. Content filtering allows e-mails to be sent to quarantine based on sender, subject, and file size. Content filtering uses recursive breakdown to protect against embedded virus attacks. Content filtering protects against secure company information being sent out via company e-mail. The same compiled database of keywords may be used to filter outgoing e-mail for company-sensitive information.
It is important to note that content filtering is used not only as an e-mail application but as a Web-based application within corporations as well. The most obvious use is to prevent certain Web sites from being accessed through the company intranet. A compiled database of keywords is listed, and any sites searched under those words are not accessible. Keyword lists are most often used in the case of pornographic Web sites and hate Web sites. Content filtering can be taken to an even more invasive level, by using packet sniffers. Packet sniffers are programs that listen to network activity and produce reports for network administrators with such detailed information as what, where, when, how, and by whom data is being transferred to and from the Internet.
As you can see, content filtering is a necessary component for e-mail security. Because most undesirable e-mail is revealed within either the header or body, it is easy to filter it out. Recursive breakdown helps to minimize virus attacks by finding embedded VBScript viruses within attachments and additional body material of e-mails.
Now let's look at a case study in content scanning.
Case Study: Content Scanning
Amen Inc., a service provider for religious organizations, has recently been the subject of a massive hate mail campaign. The IT staff is trying to prevent further attacks from occurring. The Amen Inc. messaging platform is Microsoft Exchange Server 5.5. The staff comes up with the idea to implement content filtering to weed out the hate mail.
The department understands that the perpetrators are most likely using SMTP relay hosts on the Internet to hide their true location, and for the time being they are simply concentrating on blocking the messages. At some later time, once the true source of the messages can be determined, the staff plans to block e-mail from that source by having them blacklisted. The department purchases and installs a popular content-filtering software package on their bridgehead server that is connected to the Internet and configures it to scan for keywords that are indicative of the kinds of hate mail they've been receiving. The software detects and forwards the e-mail containing these keywords to a separate Exchange Server that is set up as a repository for virus-infected and unsolicited mail, so that the senders don't receive a non-delivery report. The e-mail collected is later dissected and examined by consultants brought in for their expertise in this matter.
The source of the e-mails is eventually discovered and their ISP is notified. The ISP discontinues the account and the guilty parties are blacklisted. Security is tightened on the bridgehead server to reject mail sent from a list of untrustworthy hosts.
Attachment Scanning
As discussed in the Content Filtering section, attachment scanning is necessary in the protection against virus attacks. Most newly created viruses appear as an attachment. For third-party virus protection software to have the greatest chance of success, the attachments must be broken down and scanned. Using available scanning software, e-mail attachments can be scanned in a matter of seconds, causing no delay of delivery for clean e-mails. Of course, all employees should use basic e-mail common sense. The following steps should be made known to all employees when dealing with e-mails with attachments:
■ Never open an attachment from an unknown source.
■ Never open files attached to an e-mail unless you know what the file is. Even a file from a friend or family member could pose a virus threat to the network.
■ Never open any files contained in e-mail if the subject line is questionable or suspect.
■ Delete (without opening) all chain e-mails and junk e-mail.
■ Never download files from strangers.
■ Always use caution when downloading files from the Internet.
■ Ensure that end-users update their anti-virus software regularly.
■ Back up your files regularly.
■ Always err on the side of caution.
Following these standard policies will help minimize virus attacks. When attachment scanning is performed, e-mail is received into the network and is immediately scanned, based on standard protocol. One standard protocol could be that all e-mails received with attachments must be scanned to protect the network. This protocol should be in effect within all organizations, as attachments are the number one source of virus attacks within a network. The attachment is decoded and decompressed if necessary and then scanned for viruses (see Figure 9.16). If the attachment is clean, the e-mail is sent directly to the intended recipient. If a virus is detected, the e-mail is either moved to quarantine or destroyed. Standard protocol can be used to notify the intended recipient that a virus-infected e-mail was received and to contact the original sender for a clean attachment.
Attachment scanning of e-mails received from outside the company network is an effective anti-virus method. Any e-mail with attachments is scanned, and further delivery of the e-mail is halted if a virus has been detected. If that same virus-infected e-mail is received from within the network and a virus is present, the original sender's machine must be scanned and its anti-virus software must be updated. It is likely that a virus attack will spread more quickly from internal sources than from an outside source.
Figure 9.16 Attachment scanning options in ScanMail.
Obviously, stopping e-mail attachments from being sent is not a feasible solution, but scanning e-mail attachments is critical in securing your network from virus attacks. This can seem a daunting task, as no company has control over who sends e-mail messages into the network (although content-filtering software can be used to eliminate e-mail messages from known unwanted sources). Sharing messages between customers and vendors is a necessary part of today's business management, so e-mail attachments have to be secured for network safety.
Additionally, the major concern was once about executable programs that were attached to e-mails. That is no longer the case, since macro viruses are now the number one source of virus attacks, and the number one method for these attacks is via e-mail.
Recovery
Performing a recovery operation of any kind on an Exchange Server can become quite a headache if the server hasn't been properly configured.
Typically, recovering data, whether it be mailboxes or e-mails, involves having a good backup copy of the Information Store and Directory Service databases. However, unless your server crashes, there are ways to make Exchange correct some of the mistakes we might make.
All e-mail and other documents are stored in the Information Store database, in either the Private Information Store or the Public Information Store. Sometimes end-users or administrators may accidentally delete e-mail. One way of restoring the deleted e-mail is to restore from a backup tape. However, an easier and quicker method is to enable the recovery of deleted items in the Information Store database, as shown in Figure 9.17.
We can set a period within which deleted items in a mailbox can be restored. We can also set the recovery period so that the deleted item is not purged until it has been backed up. An end-user can use the Recover Deleted Items function to restore the deleted messages from their mailbox. This can be set up on both the Private and Public Information Store. In fact, item recovery options can be configured down to the mailbox level.
In the event of a true disaster, such as an Exchange Server crash, it is only good operating procedure to have a disaster recovery plan. The plan would allow an administrator to assemble and implement all strategies and backups to ensure the restoration of service. Typical components of a disaster recovery plan include a good backup strategy, a written procedure of the steps to take in the event of an emergency, power protection for your servers, spare hard disks, and possibly a backup Exchange Server ready to come online.
Doing as much as possible to prevent disasters is as much a part of an administrator's job as is recovering from a disaster. Some things that help prevent disasters from occurring are checking NT event logs for any major errors, implementing and enforcing mailbox quotas, ensuring that your Exchange Server has enough disk space and memory for its different components, implementing power protection for your Exchange Server by installing uninterruptible power supplies (UPS), and backing up all mailboxes before deleting them. There are many other precautions we could take, and these are just a few of the important ones that should be in place at the bare minimum. Having all of these contingencies in place does nothing unless we can be sure that they work. The effectiveness of the plan can be confirmed only by carrying it out periodically.
Figure 9.17 Private Information Store properties showing Item Recovery settings.
backup software packages as well as the Microsoft proprietary backup software, NTBackup. In fact, NT/2000 Backup comes with a built-in interface for Microsoft Exchange Server (see Figure 9.18). In this interface, the Exchange directory database and the Information Store can be backed up to tape and restored to any other server on the network.
There are two ways to perform a backup on Microsoft Exchange Server: offline backup and online backup.
An offline backup is basically a file copy procedure. The Exchange server and its services are stopped and the system files are backed up to tape or other media (see Figure 9.19). Online backups are considerably better than offline backups for a number of reasons. The most important is that the Exchange Server does not have to be shut down to perform the backup. This means that users can still be connected and communicating while the Information Store and Directory Service databases are being backed up.
Backups should be done via the incremental or differential rotation strategy, where a full backup is performed at the beginning and the end of the cycle, and incremental or differential backups are performed in between. This ensures that the most up-to-date copy of the server is available. When performing backups using this strategy, the circular logging feature in Exchange should be disabled, because incremental and differential backups depend on the transaction logs that circular logging overwrites. Circular logging is the feature in Exchange that minimizes the amount of disk space used by the transaction logs of the activity in the Information Store and Directory Service databases. It is usually a good idea to disable this feature (see Figure 9.20).
Figure 9.18 NT Backup Microsoft Exchange interface.