By Mike Mullins
In mid-January 2004, the MyDoom e-mail worm (also known as Novarg, Shimg, or Mimail.R) swept across the Internet in epic proportions. The worm arrives as an attachment bearing an executable extension (.pif, .scr, .exe, .cmd, or .bat) or packed inside a .zip file.
With the exception of the .zip file extension, you should have all of these extensions blocked at your mail server. So why did the virus spread so quickly?
There are three main causes for this failure in e-mail security. Let's explore these reasons and discuss the future of e-mail security.
It's just not working! Social engineering defeats user education, and it doesn't play favorites with operating systems.
It doesn't matter whether your users are running Windows, Linux, or any of a hundred other operating systems. E-mail is addictive, and users will open messages that they find interesting.
We can train and threaten users not to open unexpected attachments until the end of time. But authenticated users are the greatest threat to network security, because they'll always be susceptible to a good, socially engineered attack.
The solution to this dilemma is to prevent users from directly receiving attachments. But this approach is severe, and it adds a huge burden on the people that would review, scan, and release attachments to users.
You can also attribute this worm's success to the failure of your antivirus vendor to provide the necessary definitions to detect and remove this worm. However, vendors must first see the worm, decode it, and design a mechanism to defeat it. This takes time, and the speed of the Internet will always defeat your antivirus vendor.
Virus protection only works for old viruses—not new ones. As long as you allow e-mail attachments to enter your networks, you'll have to live with the threat and patch security holes as they appear.
The industry is reviewing SMTP authentication as a means to combat the global spam problem. Modifying the SMTP protocol to allow e-mail servers to confirm that a message arriving from somecompany.com actually came from the somecompany.com mail server would practically eliminate worms and viruses transmitted via e-mail.
The reasoning is simple. The most successful e-mail worms use their own SMTP servers as a reliable and fast method for distribution.
Worm authors spoof addresses of legitimate servers to avoid detection and prosecution. If SMTP servers authenticated the traffic, they would easily reject spoofed traffic and log a visible trail right back to the author.
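The check described above is what a receiving mail server would do if the sending domain published its authorized mail servers; the scheme that grew out of that industry discussion, SPF, publishes that list in a DNS TXT record. The following example is added here and is not part of the column: a simplified SPF evaluator that handles only `ip4:` mechanisms and the `all` terminator, using constructed records for hypothetical domains in place of real DNS lookups.

```python
import ipaddress

# Constructed DNS TXT records standing in for real SPF lookups (hypothetical domains).
# ip4:<net> lists authorized sending hosts; "-all" rejects everyone else,
# "~all" only flags them (softfail).
SPF_RECORDS = {
    "somecompany.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.5 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(mail_from: str, client_ip: str, records=SPF_RECORDS) -> str:
    """Evaluate the SMTP MAIL FROM domain's policy against the connecting client IP.

    Returns 'pass', 'fail', 'softfail', 'neutral', or 'none' (no policy published).
    Only ip4: mechanisms and the all terminator are implemented; include:, mx and a
    mechanisms are skipped, so this is a teaching simplification, not a full SPF check.
    """
    domain = mail_from.rpartition("@")[2].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no policy; the sender cannot be authenticated
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            # An IPv6 client never matches an ip4 network; ipaddress handles that.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue  # unsupported mechanism in this simplified evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record ended without an all terminator


def smtp_decision(mail_from: str, client_ip: str) -> str:
    """Map the result to the MTA's reply to the MAIL FROM command and a log-worthy reason."""
    result = check_sender(mail_from, client_ip)
    if result == "fail":
        return f"550 5.7.1 {client_ip} is not authorized to send mail for {mail_from}"
    if result == "softfail":
        return f"250 OK (tagged: SPF softfail from {client_ip})"
    return "250 OK"
```

A worm running its own SMTP engine on an infected workstation connects from an address that the spoofed domain never listed, so the `-all` policy turns the spoof into a 550 rejection and a logged client IP.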
Four issues remain an obstacle to true e-mail security:
Some of these factors may improve, but others will likely never change. In the meantime, companies must remain diligent in the fight against e-mail worms and viruses, continuing to educate users and update systems.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.