Things have changed very quickly in the world of e-mail. In January 2004, MyDoom forever upset the balance in virus management, and many antivirus systems have not yet figured out how to manage. Prior to MyDoom, when you got a virus, it seemed like a neighborly thing to try and deal with it -- maybe clean up the attachment or send a message to the originator of the virus and tell them they had a problem. That was a good strategy – in 2003. But we don't get viruses anymore. We get worms. We
When you get a worm-generated e-mail message with malware in it, you don't want to clean it up and send it on, because there is no message there. It's just a wrapper, and the recipient doesn't want it and doesn't need it. During the early stages of MyDoom, people were getting hundreds of these a day. Nor do you want to return the message or send a notification to the sender, because they probably didn't send the malware. You end up sending a notification of a problem to someone who doesn't have the problem, doesn't know what you're talking about and can't do anything about it but get annoyed at you. I get about one of these notifications a day from MTAs run by e-mail administrators who have not figured out they shouldn't be doing this anymore.
Best practice #2: Segment or delete
If you have the time and energy to keep track of the different viruses and worms, and if you have a well-designed antivirus system, you can try to segment the traffic into two
If you don't have the time to deal with that, and I don't blame you if you don't, then simply delete the virus-infected e-mail. Silently. Log those messages, of course, and perhaps even stick them in quarantine so you can retrieve them if necessary. But that's not going to happen very often. The extraordinarily virulent and aggressive worms such as MyDoom have so sensitized network administrators to the need for virus scanning that real viruses don't have much of a chance to get through anymore.
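As an added illustration of the silent-delete rule above (example code, not from the article or any product), a small Python policy hook that logs a detected worm message, files a copy in quarantine and discards it without notifying the forged sender or the recipient; the AV verdict, the message and the quarantine directory are constructed stand-ins:

```python
import email
import hashlib
import json
import logging
import os
import tempfile
from email import policy

log = logging.getLogger("mailpolicy")

# Constructed sample: a worm-style message, an empty "wrapper" around an attachment.
SAMPLE_RAW = (
    b"From: spoofed.sender@example.org\r\n"
    b"To: user@example.com\r\n"
    b"Message-ID: <constructed-0001@example.org>\r\n"
    b'Content-Type: application/octet-stream; name="document.zip"\r\n\r\n'
    b"UEsDBBQAAAAIAA==\r\n"
)

def decide(raw: bytes, verdict: dict, quarantine_dir: str) -> dict:
    """Log, quarantine and silently drop an infected message; notify nobody.
    verdict is an assumed AV-engine result: {"infected": bool, "name": str}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    meta = {
        "message_id": str(msg.get("Message-ID", "")),
        "header_from": str(msg.get("From", "")),
        "recipient": str(msg.get("To", "")),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }
    if not verdict.get("infected"):
        return {"action": "deliver", "notify_sender": False, **meta}
    # The From address on worm mail is almost always forged, so any bounce or
    # "you sent us a virus" note would land on an innocent third party.
    os.makedirs(quarantine_dir, exist_ok=True)
    path = os.path.join(quarantine_dir, meta["sha256"] + ".eml")
    with open(path, "wb") as fh:          # keep a copy in case it is ever needed
        fh.write(raw)
    record = {"action": "discard", "notify_sender": False,
              "notify_recipient": False, "detection": verdict.get("name", ""),
              "quarantine_path": path, **meta}
    log.info("%s", json.dumps(record))    # the log line is the only trace left
    return record

def run_demo() -> tuple:
    """Apply the policy to the sample with an infected and a clean verdict."""
    qdir = tempfile.mkdtemp(prefix="quarantine-")
    hit = decide(SAMPLE_RAW, {"infected": True, "name": "Worm.Sample"}, qdir)
    clean = decide(SAMPLE_RAW, {"infected": False}, qdir)
    return hit, clean, os.path.isfile(hit["quarantine_path"])
```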
Of course, as one of the bearers of the "every e-mail is sacred" torch, I am loath to delete any message that might have useful content. But I'm also aware that if we inundate end users with notifications about viruses that were never really sent to them, from people they don't know, we're making e-mail less useful. I'd prefer to see antivirus and antispam vendors start to do the differentiation for us. Until that happens, we have to make the best of a bad situation.
About the author
Joel Snyder is a senior partner with Opus One, a consulting firm in Tucson, Ariz. He sent his first network e-mail in 1980, and has been designing and implementing enterprise e-mail systems ever since. He is partially to blame for the X.400 messaging standards and has been trying to atone for them ever since.
This was first published in March 2005