As I write this column, the W32/Mydoom@MM worm (which is actually a variant of the Mimail worm) is busily spreading all over the Internet. How do I know? I've gotten infected messages from fellow mailing-list subscribers, friends from church, and a variety of people I don't even know. Isn't technology wonderful?
The continuing spread of worms such as Mydoom and Bagle (aka Beagle or Bagel) proves that not every administrator knows what to do when an outbreak like this one hits, and as I sit here watching Outlook's "Caught by scanner" folder fill up, I'm inspired to write about how you can help prevent an infection. 1. Buy a gateway antivirus scanner. By "gateway scanner," I mean a method of scanning inbound SMTP mail before it gets to your Exchange Server Store. If you have only one server, an Exchange-aware antivirus product is fine, as long as it can scan SMTP mail.
2. Consider supplementing the gateway scanner with a tool that can inspect, filter, and block attachments according to type or content. Many antivirus products can do so, as can most antispam tools. For example, NetIQ's MailMarshal has done a yeoman's job of blocking Mydoom-infected messages from my network.
3. Protect your desktops. Most people I know already have deployed a desktop antivirus program to their users, and many use the Outlook Security Update to restrict user access to executable attachments. Either measure can help slow the spread of executable worms; using both helps even more.
What can you do if you do get hit? Better still, what can you do when you know of an active outbreak to reduce your chances of falling prey?
1. As soon as you see the first copy of an inbound worm or hear about a new outbreak, prevent inbound SMTP mail from reaching your Exchange server. Doing so gives you time to update your scanners and to research the outbreak's scope and threat.
2. Use, but don't be enslaved by, your vendor's automatic update tools. Know how to manually download updates. During an outbreak, you might find that the automatic download system becomes overwhelmed, in which case you'll need to download updates through FTP or some other manual method.
3. Be able to quickly turn off outbound SMTP mail. If you become infected, you'll want to be able to pull the plug before your systems start sending out infected messages to customers, partners, and other recipients.
Microsoft is continuing to tighten down security flaws in Windows, but in the meantime, we all must stay vigilant to keep our own corner of the email world clean and healthy. These steps will help. If you've got other tips, I'd love to hear them!
Register
Greg February 01, 2004