To compound the problem, virus writers and spammers are sharing each other's methods. More than half of the top 50 code samples submitted to Symantec through June provided a way for attackers to disseminate spam from infected systems. The security firm also reported the number of active zombie PCs--infected with bots used to control systems, launch denial-of-service attacks and disseminate millions of spam messages--increased 140 percent over the first half of 2004.
Aside from leveraging these zombie networks, spammers and phishers continuously update their messages by randomizing the text and pixels within attached images, says Dave Cole, director at Symantec Security Response.
For McKeachnie, the virtual-machine approach has helped ease his e-mail headaches. The system runs more smoothly, despite the fact that 70 percent of the 50,000 to 100,000 e-mails destined for the college each day are spam, viruses or other unwanted messages. And, except for the occasional valid e-mail that inadvertently gets blocked, spam and viruses no longer pose a problem on campus.
While the blockage of legitimate e-mail is annoying,
it's a small price to pay considering the number of threats launched against e-mail from spammers, fraudsters and virus writers. Coupled with the increasingly stringent state and federal regulations aimed at protecting the availability, confidentiality, privacy and security of protected financial and health information, security managers are paying more attention to e-mail security than ever.
Although anti-virus and antispam technologies thwart the majority of e-mail-borne threats, inboxes need higher levels of protection to block new and rapidly replicating threats such as mass-mailing worms like Zotob.C, which struck in August.
Reputation Filters
Security managers need the equivalent of a security "panic button" when e-mail threats break out, says John Pescatore, a Gartner security analyst.
"That way enterprises can start quarantining all incoming e-mail with attachments until signatures are available."
Mark Pfefferman is one of those managers. As more spam and viruses managed to evade his filters, Pfefferman sought a better defense.
"We knew our first layer of defense was no longer sufficient," he says. As director of distributed computing services, he's responsible for protecting Western & Southern Financial Group, a $2 billion provider of insurance and financial services. For years, he protected the company's 4,200 PCs from viruses and spam with a layered security defense that included blocking proscribed types e-mail attachments and utilizing "hundreds and hundreds of firewall rules."
In October 2004, Western & Southern deployed IronPort's C60 e-mail security appliance, providing reputation and antivirus filters to identify and block spam and viruses. These appliances analyze the sender of the e-mail and quarantine or block e-mails from sources known to spam or transmit viruses.
For Pfefferman, IronPort's Virus Outbreak filters offer an early line of defense by intelligently quarantining suspicious e-mail during the earliest stages of a virus outbreak--before the company's Sophos antivirus signatures have been updated.
Within four months of deployment, the IronPort appliance blocked about 15 million spam e-mails and 3,400 viruses.
"You can watch [the spammers] shoot their 'spam cannons,' with hundreds of thousands of spam messages flying out over the weekend," says Pfefferman. IronPort's advanced virus warning system is also a welcomed pre-emptive defense. "We're alerted several times a month to possible virus outbreaks. Suspicious e-mails are quarantined until virus updates are pushed out."
IronPort's early warning filters can notify companies to quarantine or block certain messages 10 to 12 hours in advance of antivirus signatures, according to Joel Snyder, senior partner at Tucson, Ariz.-based networking and security consulting firm Opus One. These filters could prove helpful at stopping future techniques that spammers will undoubtedly employ to mass-mail their scourge, he adds.
