Beyond message blocking

In "A Viral Survival Checklist," May 2000, I explained specific steps you can take to prevent or minimize the effect of viruses that enter your organization through email. I predicted there that the virus war will continue to escalate to take advantage of new forms of system automation—and exploit any possible lapse in security—with an ever-growing risk of loss.

In recent months, several viruses have appeared that have active content in the message body instead of in an attachment. This type of attack bypasses conventional email virus scanners, which scan attachments only. To make matters worse, these viruses can cause extensive harm because recent viruses demonstrate the ability to download new code or upgrades from Internet newsgroups. Because of the need to detect, prevent, or contain this type of virus, content management is becoming a popular practice. However, content management can do more than contain the spread of viruses.

This month, I help you answer several questions:

  • What is content management?
  • Where can I place content management in my organization?
  • What solutions are available for Exchange Server 5.5?
  • What content-management products are available?

What Is Content Management?
Content management can include filtering for malicious code, much like antivirus scanning. However, content management also includes managing the flow of any other type of email content coming into or circulating within an organization. Your main concern might not be content management for incoming Internet email but offensive messages within your organization such as sexist or racist email that violates your company policy.

Content-management applications break apart an email message for analysis and inspect each part to compare it against filters that the administrator establishes. Administrators typically design filters to intercept certain words or phrases in an email message to prevent circulation of messages that contain unsolicited advertising or inappropriate material. Content management can also prevent confidential and inappropriate email from leaving your organization. The sidebar "The Risks of Outbound Mail," page 2, explains how screening outbound mail can protect your organization.

Points for Content Management
In most organizations, email messages have multiple entry points and routing destinations—from the primary gateway across bridgehead servers to a mailbox server and finally to the email client. You can perform content management at any of these points.

For example, your main point of entry might be an SMTP server, which routes email to an Exchange mailbox server. I discuss two types of content control that you can perform at the SMTP server: unsolicited commercial email (UCE) prevention and message-body scanning to find offensive content. The Internet Engineering Task Force (IETF) Request for Comments (RFC) 821, which covers SMTP transport mechanisms, defines the first type of SMTP scanning. RFC 822 defines the second type of scanning, which breaks apart a message and inspects the contents based on message-body definitions.

At the next step of the email process, the Exchange mailbox server, content management depends on the Exchange version you're running. This month, I discuss techniques for Exchange Server 5.5; in a future issue, I'll discuss Exchange 2000 Server.

The last step in the email process is the client. The sidebar "Content Management on the Client" explains how you can use Microsoft Outlook to manage content after mail leaves the server.

Exchange Server 5.5
In an Exchange Server 5.5 organization, the SMTP server is the primary focus for content-management software because vendors haven't designed many content-management applications to run directly on an Exchange Server 5.5 mailbox server. Therefore, for Exchange Server 5.5, you can evaluate content-management solutions based on SMTP mail and entry (or exit) points.

If you want content management solely for an Exchange Server 5.5 organization, you can buy an antivirus product with a content-management plug-in, such as Trend Micro's ScanMail for Microsoft Exchange or Sybari Software's Antigen. For example, ScanMail for Microsoft Exchange has an eManager plug-in that provides both UCE prevention (i.e., the ability to block inbound messages based on information appearing or missing from the message header) and content filtering, as Figure 1 shows. The Trend Micro Web site (http://www.antivirus.com) provides content-filtering rules to block greeting card messages and several known virus types. You import the rules into a policy that also defines what action to take when a message matches the rule.

One of the earliest content-management products for Exchange Server, Baltimore Technologies' (formerly Content Technologies') MAILsweeper 3.0 for Exchange, scans email sent through the Internet Mail Service (IMS). However, the original product had no administrative interface, which made it difficult to use because you had to configure the product by editing text files. The newest version, MAILsweeper 4.2, adds an administrative interface.

Content-Management Products
Regardless of whether you're running Exchange Server 5.5 or Exchange 2000, you'll want certain features in your solution. Table 1 shows a list of content-management products and Web sites for information about them. All these products have or soon will have SMTP gateway or Exchange 2000 versions; some companies will also have plug-ins for Microsoft Internet Security and Acceleration (ISA) Server. Sue Mosher also maintains a complete list of content-management products at http://www.slipstick.com/addins/content_control.htm. I recommend that you try the products' evaluation CD-ROMs to help you make a purchasing decision. As you evaluate these products, look for these characteristics:

  • Windows 2000 compatibility and Active Directory (AD) integration—Even if you're still considering solutions for Exchange Server 5.5, choose a Win2K-compatible product to give you an upgrade path to Win2K and Exchange 2000. Choose a product that's Exchange 2000 aware and that protects all delivery protocols and points of access to the Web Storage System (WSS). Ideally, because Exchange 2000 relies on the Win2K AD, the product should be well integrated into AD and allow centralized management from Microsoft Management Console (MMC). If you don't want the content-management server to be yet another isolated system for you to manage, ask the vendor about Exchange 2000 and Win2K integration.
  • Lexical analysis—The best products perform lexical analysis on incoming messages. Lexical analysis lets you filter on complex combinations of words and use Boolean logic (e.g., to filter on words near one another). For example, words such as make, money, and fast are OK when they're scattered throughout an email message, so you want to filter the message only if it contains the phrase "make money fast." However, searching for that exact phrase doesn't work when the offending message says, "Make tons of money real fast." Using a Boolean search for the words near one another can catch this type of phrase. Content-management software can analyze both the content of attachments and the content of the email message body.
  • Administrator-definable actions—You can specify an action for filtered email, such as quarantining, deleting, or archiving a copy of the message. You can also configure a customized notification for the sender, recipient, and even other email users. If the content-management product modifies or deletes email messages without delivering them, you can configure a message that states that content management has taken place. Such a message helps you if content control accidentally catches innocent messages (i.e., a false positive). You might need to retrieve false-positive messages from the quarantine directory to avoid losing valuable information. Unfortunately, quarantining messages imposes more work on the administrator, who must periodically check and purge the quarantined messages.
  • Streetwise vocabulary—Unless you are creative and aware of every offensive or naughty phrase that people can include in email, you might want to rely on the product vendor's list of offensive phrases for screening. Content-management vendors such as Baltimore can provide a file for import into their product.
  • Support for global languages—Another feature to look for—a feature that English-centric administrators tend to overlook—is support for global languages. Look for a product that can filter based on the additional character sets of other languages. The product might catch an offensive word or phrase only if all the letters match the same character set. The new version of MAILsweeper supports English, French, and Japanese.
  • Ability to scan for HTML scripts—Unless you have a business-specific reason for allowing incoming email messages to contain active content in the form of embedded HTML scripts, you can scan for the scripts in the message body. The content-management application looks for the HTML script tag (i.e., <SCRIPT>) in the message body and takes the action that you specify (e.g., quarantining the message, rerouting the message to an administrator, removing the HTML script and sending the message along to the intended recipient). Products such as ScanMail and GFI's Mail essentials can detect and remove an HTML script before the message reaches the recipient. Unless your organization's activities can justify active email content, you're leaving your organization open to the next wave of viral attacks by allowing scripts. Antivirus product vendors have been scrambling to implement this feature in their latest products. For example, Sybari has added this feature to its Antigen product for Exchange 2000.
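To make two of the characteristics above concrete, here is an added Python sketch (not code from any of the products named in this article) that applies a Boolean proximity rule for "make ... money ... fast" and detects and strips an embedded script block. The message, the three-word window, and the rule names are all constructed for the illustration.

```python
import re
from email import message_from_string

# Constructed sample (not from the article): HTML body with an embedded script.
SAMPLE = """\
From: sender@example.net
Subject: Great opportunity
Content-Type: text/html; charset="us-ascii"

<html><body><p>Make tons of money real fast with this offer!</p>
<script type="text/javascript">window.open("http://example.net/x");</script>
</body></html>
"""

SCRIPT_RE = re.compile(r"<script\b.*?>.*?</script\s*>", re.IGNORECASE | re.DOTALL)

def body_text(msg):
    """Join the decoded text/* parts of a parsed RFC 822 message."""
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "us-ascii", "replace")
        for p in msg.walk() if p.get_content_maintype() == "text")

def words_near(text, terms, window=3):
    """Proximity rule: terms occur in order, at most `window` words apart."""
    tokens = re.findall(r"[a-z']+", text.lower())
    terms = [t.lower() for t in terms]
    for start, tok in enumerate(tokens):
        if tok != terms[0]:
            continue
        pos, hit = start, True
        for term in terms[1:]:
            span = tokens[pos + 1:pos + 2 + window]  # the next window+1 words
            if term not in span:
                hit = False
                break
            pos += 1 + span.index(term)
        if hit:
            return True
    return False

def inspect(raw):
    """Rules that fire, plus the body with <script> blocks stripped."""
    text = body_text(message_from_string(raw))
    findings = []
    if SCRIPT_RE.search(text):
        findings.append("html-script")
    if words_near(text, ["make", "money", "fast"]):
        findings.append("make-money-fast")
    return findings, SCRIPT_RE.sub("", text)
```

The exact phrase "make money fast" and the padded "Make tons of money real fast" both trip the proximity rule, while the same three words scattered across a paragraph do not.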

Additional Features
Some content-management software includes other protection features. For example, Marshal Software's MailMarshal content-management software can check the size of an email message before accepting it at the gateway. The software can also slow the rate of receipt by refusing additional connections from a particular host when that host's messages contain multiple errors or meet other suspicious conditions, signaling a possible attack.

For example, if you have two remote sites that accept delivery of large files (e.g., graphics files), you might not want those files consuming bandwidth during peak business hours. Trend Micro's InterScan VirusWall's eManager plug-in lets you postpone delivery of large email messages. Alternatively, you can automatically block the message and reply with a friendly message instructing the sender to use the public FTP server—be sure to include the server's location—to transfer files larger than 5MB.

One shortfall of many virus-scanning products is their inability to scan encrypted information (e.g., a simple password-protected .zip file that uses the supplied password as an encryption key). Content-management software can prevent the leaking of confidential or unauthorized information to and from the organization by blocking or quarantining any encrypted messages or attachments.

A Content-Management Scenario
Let's look at how content-management applications handle incoming email. I've tried to consistently use the term content management rather than content filtering to emphasize that you can use content-management software applications for more than just blocking unwanted email. Content-management software operates according to a series of rules or profiles arranged in a hierarchy so that processing can branch or stop at any desired point rather than having to process the entire set before the next stage. For example, suppose two incoming messages arrive at your primary SMTP gateway for processing. The software drops one of the messages at the gateway because its examination of the message headers reveals that the message has no recognized sender. The other message passes the message-header screening criteria and moves on to the content-analysis phase. (All this activity takes place in microseconds.)

The second message in this example is addressed to the SMTP address support@yourcompany.com. The software examines the subject line and matches two key words—help and bananaphone product—from the content-management keyword database. A product such as MAILsweeper performs this administrative duty at one console and distributes the database to the other processing servers, eliminating the need to duplicate this task at each server. The software routes the message to a public folder created for the bananaphone product support team. (Public folders are invaluable for this type of business function because a message in a public folder is available to any of the support personnel.) The content-management software stamps the message with an identification number, which identifies which support staff member will be responsible for resolving the problem and responding to the customer. The public folder retains a copy of the reply and notes that the support personnel make (e.g., a request for advice from senior support personnel).

Now, say that the junior Help desk person makes his or her first mistake on the job. He or she finds a support document in the internal corporate knowledge base, attaches it to the message reply, and sends the message, failing to notice the bold header in all caps CORPORATE CONFIDENTIAL, DO NOT DISTRIBUTE. The document is relevant to the customer's problem and states that the problem is the result of a known issue with the bananaphone. However, the document also explains part of the bananaphone's internal circuitry (which cost millions to develop), and a competitor has been dying to get its hands on this information to resolve a challenge with building a mangophone. The message is sent to the outbound SMTP gateway server, and the content-management software breaks apart the message body to scan the attached document. The software detects the phrase bananaphone, as Figure 2 shows, and reroutes the message to an administrator in the bananaphone support group. The content-management software has just earned its keep: It generated a high Return on Investment (ROI) by costing only thousands to deploy but saving millions by protecting the development secrets of the bananaphone.
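The rule hierarchy behind this scenario, as an added Python illustration that is not code from MAILsweeper or any other product named here: header screening runs first and can stop processing, content rules run next and can branch on direction, and the three messages, rule names, folder name and "kb-note.txt" attachment are all constructed for the example.

```python
from collections import namedtuple
from email import message_from_string

# Constructed messages (not from the article) standing in for the scenario.
NO_SENDER = "To: sales@yourcompany.com\nSubject: hi\n\nhello\n"
SUPPORT_REQUEST = ("From: customer@example.net\nTo: support@yourcompany.com\n"
                   "Subject: Help - bananaphone product will not charge\n\nIt died.\n")
LEAKY_REPLY = """\
From: helpdesk@yourcompany.com
Subject: Re: Help - bananaphone product will not charge
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; name="kb-note.txt"
Content-Disposition: attachment; filename="kb-note.txt"

CORPORATE CONFIDENTIAL, DO NOT DISTRIBUTE
The bananaphone charging circuit uses ...
--b1--
"""

# A rule: mail directions it applies to, a test on the parsed message, an action, stop flag.
Rule = namedtuple("Rule", "name directions test action stop")

def subject_has(*words):
    return lambda m: all(w in (m.get("Subject") or "").lower() for w in words)

def attachment_contains(phrase):
    """Break the message apart and look inside every attachment part."""
    def test(m):
        return any(phrase.lower() in (p.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()
                   for p in m.walk()
                   if (p.get("Content-Disposition") or "").lower().startswith("attachment"))
    return test

RULES = [  # ordered hierarchy: header screening first, then content analysis
    Rule("no-sender", {"inbound"}, lambda m: not m.get("From"), "drop", True),
    Rule("support-route", {"inbound"}, subject_has("help", "bananaphone"),
         "route:public-folder/bananaphone-support", True),
    Rule("confidential-outbound", {"outbound"},
         attachment_contains("CORPORATE CONFIDENTIAL"), "reroute:support-admin", True),
]

def process(raw, direction):
    """Walk the rule hierarchy; return the actions taken ('deliver' if none)."""
    msg, actions = message_from_string(raw), []
    for rule in RULES:
        if direction in rule.directions and rule.test(msg):
            actions.append(rule.action)
            if rule.stop:
                break
    return actions or ["deliver"]
```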

Beyond Mail Blocking
Who knows what evil lurks within your organization's email content? As you move forward with implementing email content management, keep these points in mind. First, consider your system's architecture and where you can place the variety of products and solutions I've discussed here. Products can perform email content management at more mail routing and entry points than just on the Exchange server.

Second, don't just block mail. Enable new abilities within your organization by taking advantage of email routing and decision making. Email content management is more than just filtering out unwanted mail. It's an opportunity to control the flow of information to, from, and within your organization.

In a future issue, I'll show you how to use ISA Server 2000 to control email. I'll also show you what type of functionality Exchange 2000 Server provides natively for content management.