How to stop spam and email viruses

Learn how to protect your enterprise from email viruses and other messaging malware.

#2 Worst practice: Doing anything with viruses besides deleting them

Things have changed very quickly in the world of e-mail. In January 2004, MyDoom forever upset the balance in virus management, and many antivirus systems have not yet figured out how to manage. Prior to MyDoom, when you got a virus, it seemed like a neighborly thing to try and deal with it -- maybe clean up the attachment or send a message to the originator of the virus and tell them they had a problem. That was a good strategy -- in 2003. But we don't get viruses anymore. We get worms. We get e-mail that is machine-generated on an infected system with forged sender addresses containing no real content but a lot of malware. Trying to do anything with these messages is a bad idea.

When you get a worm-generated e-mail message with malware in it, you don't want to clean it up and send it on, because there is no message there. It's just a wrapper, and the recipient doesn't want it and doesn't need it. During the early stages of MyDoom, people were getting hundreds of these a day. Nor do you want to return the message or send a notification to the sender, because they probably didn't send the malware. You end up sending a notification of a problem to someone who doesn't have the problem, doesn't know what you're talking about and can't do anything about it but get annoyed at you. I get about one of these notifications a day from MTAs run by e-mail administrators who have not figured out they shouldn't be doing this anymore.

Best practice #2: Segment or delete

If you have the time and energy to keep track of the different viruses and worms, and if you have a well-designed antivirus system, you can try to segment the traffic into two camps. The worms and malware, which will represent some epsilon short of 100% of your virus traffic, should simply be deleted. The true viruses, ones that attach themselves to an otherwise-legitimate message, can be deleted with a notification to the recipient that they are missing an attachment.

If you don't have the time to deal with that, and I don't blame you if you don't, then simply delete the virus-infected e-mail. Silently. Log those messages, of course, and perhaps even stick them in quarantine so you can retrieve them if necessary. But that's not going to happen very often. The extraordinarily virulent and aggressive worms such as MyDoom have so sensitized network administrators to the need for virus scanning that real viruses don't have much of a chance to get through anymore.
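The segment-or-delete policy above, written out as an added example that is not from the article: a decision routine of the kind a mail gateway or milter would call once the scanner has reported on a message. The scanner record, the field names and the worm-family list are constructed for this example (only MyDoom comes from the text); the point it makes concrete is that no path notifies the sender.

```python
import logging
from dataclasses import dataclass, field
from typing import List, Set

# Constructed record of what a content scanner reports for one message.
# Field names are this example's own; a real gateway API exposes its own.
@dataclass
class ScanResult:
    sender: str
    recipient: str
    detection: str                      # signature name, "" when clean
    attachments: List[str] = field(default_factory=list)

@dataclass
class Action:
    verb: str                           # "deliver" | "delete" | "strip"
    notify: str = ""                    # address to notify; never the sender
    quarantine: bool = False

# Families known to emit forged-sender, content-free wrappers. Only MyDoom
# is taken from the text; keeping this set current is the "time and energy"
# the segmentation approach costs you.
WORM_FAMILIES: Set[str] = {"MyDoom"}

def family(detection: str) -> str:
    """Reduce a signature such as 'W32/MyDoom.A@mm' to its family, 'MyDoom'."""
    name = detection.split("/", 1)[-1]
    return name.split(".", 1)[0].split("@", 1)[0]

def decide(r: ScanResult, quarantine_worms: bool = True) -> Action:
    """Worm wrappers are dropped silently (logged, optionally quarantined);
    a true virus is stripped and only the recipient is told. Nothing here
    ever bounces to or notifies the claimed sender."""
    if not r.detection:
        return Action("deliver")
    if family(r.detection) in WORM_FAMILIES:
        logging.info("dropped %s claiming to be from %s for %s",
                     r.detection, r.sender, r.recipient)
        return Action("delete", quarantine=quarantine_worms)
    logging.info("stripped %s from message %s -> %s",
                 r.detection, r.sender, r.recipient)
    return Action("strip", notify=r.recipient)

def recipient_notice(r: ScanResult) -> str:
    """Text delivered to the recipient in place of the removed attachment(s)."""
    return ("An attachment was removed from this message because it "
            f"contained {r.detection}: {', '.join(r.attachments)}")
```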

Of course, as one of the bearers of the "every e-mail is sacred" torch, I am loath to delete any message that might have useful content. But I'm also aware that if we inundate end users with notifications about viruses that they didn't get from people they don't know, we're making e-mail less useful. I'd prefer to see antivirus and antispam vendors start to do the differentiation for us. Until that happens, we have to make the best of a bad situation.


About the author
Joel Snyder is a senior partner with Opus One, a consulting firm in Tucson, Ariz. He sent his first network e-mail in 1980, and has been designing and implementing enterprise e-mail systems ever since. He is partially to blame for the X.400 messaging standards and has been trying to atone for them ever since.

This was last published in March 2005
