In "A Viral Survival Checklist," May 2000, I explained specific steps you can take to prevent or minimize the effect of viruses that enter your organization through email. I predicted there that the virus war will continue to escalate to take advantage of new forms of system automation—and exploit any possible lapse in security—with an ever-growing risk of loss.
In recent months, several viruses have appeared that have active content in the message body instead of in an attachment. This type of attack bypasses conventional email virus scanners, which scan attachments only. To make matters worse, these viruses can cause extensive harm because recent viruses demonstrate the ability to download new code or upgrades from Internet newsgroups. Because of the need to detect, prevent, or contain this type of virus, content management is becoming a popular practice. However, content management can do more than contain the spread of viruses.
This month, I help you answer several questions:
- What is content management?
- Where can I place content management in my organization?
- What solutions are available for Exchange Server 5.5?
- What content-management products are available?
What Is Content Management?
Content management can include filtering for malicious code, much like antivirus scanning. However, content management also includes managing the flow of any other type of email content coming into or circulating within an organization. Your main concern might not be content management for incoming Internet email but offensive messages within your organization such as sexist or racist email that violates your company policy.
Content-management applications break apart an email message for analysis and inspect each part to compare it against filters that the administrator establishes. Administrators typically design filters to intercept certain words or phrases in an email message to prevent circulation of messages that contain unsolicited advertising or inappropriate material. Content management can also prevent confidential and inappropriate email from leaving your organization. The sidebar "The Risks of Outbound Mail," page 2, explains how screening outbound mail can protect your organization.
Points for Content Management
In most organizations, email messages have multiple entry points and routing destinations—from the primary gateway across bridgehead servers to a mailbox server and finally to the email client. You can perform content management at any of these points.
For example, your main point of entry might be an SMTP server, which routes email to an Exchange mailbox server. I discuss two types of content control that you can perform at the SMTP server: unsolicited commercial email (UCE) prevention and message-body scanning to find offensive content. The Internet Engineering Task Force (IETF) Request for Comments (RFC) 821, which covers SMTP transport mechanisms, defines the first type of SMTP scanning. RFC 822 defines the second type of scanning, which breaks apart a message and inspects the contents based on message-body definitions.
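The two stages described above, header-level (RFC 821 style) checks and message-body (RFC 822 style) decomposition, shown as an added Python example that is not code from the article or from any product it names. The required-header list, the blocked-phrase list and both sample messages are constructed for this example; a real deployment would take them from the administrator's policy.

```python
# Added example (not from the article): a minimal content-management pass
# over one email message, in the two stages the article distinguishes.
# Stage 1 inspects the headers (the "UCE prevention" check); stage 2 breaks
# the message apart and inspects every text part against administrator
# filters. All filter lists and the sample messages are constructed here.
import email
from email import policy
from email.message import EmailMessage

# Administrator-defined filters (constructed for this example).
REQUIRED_HEADERS = ("From", "Message-ID", "Date")
BLOCKED_PHRASES = ("unsolicited advertising", "make money fast")


def header_findings(msg: EmailMessage) -> list:
    """Stage 1: flag messages whose headers are missing expected information.

    Bulk mailers often omit headers a normal mail client always sets, so a
    missing header is one signal a gateway can block or score on.
    """
    findings = []
    for name in REQUIRED_HEADERS:
        if msg.get(name) is None:
            findings.append(f"missing header: {name}")
    return findings


def body_findings(msg: EmailMessage) -> list:
    """Stage 2: walk every MIME part and scan its text for blocked phrases."""
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # multipart containers and binary attachments are skipped here
        text = part.get_content().lower()
        for phrase in BLOCKED_PHRASES:
            if phrase in text:
                findings.append(f"{part.get_content_type()}: matched '{phrase}'")
    return findings


def inspect(raw: str) -> dict:
    """Parse a raw RFC 822 message and run both stages over it."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {"headers": header_findings(msg), "body": body_findings(msg)}


# Constructed sample: no Message-ID or Date, and a blocked phrase in both
# the text/plain and the text/html alternative.
SAMPLE = """\
From: promo@example.invalid
To: user@example.invalid
Subject: Great offer
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Make money fast with this unsolicited advertising.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Make money fast!</p></body></html>
--b1--
"""

# Constructed sample of an ordinary internal message that should pass.
CLEAN = """\
From: colleague@example.invalid
To: user@example.invalid
Date: Mon, 01 May 2000 09:00:00 +0000
Message-ID: <123@example.invalid>
Subject: Meeting notes
Content-Type: text/plain; charset="us-ascii"

See you at the 10am review.
"""

if __name__ == "__main__":
    print(inspect(SAMPLE))
    print(inspect(CLEAN))
```

Binary attachments are deliberately left to the antivirus scanner; the point of the body stage is that the text/html alternative is inspected too, which is exactly the part a scanner that only looks at attachments never sees.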
At the next step of the email process, the Exchange mailbox server, content management depends on the Exchange version you're running. This month, I discuss techniques for Exchange Server 5.5; in a future issue, I'll discuss Exchange 2000 Server.
The last step in the email process is the client. The sidebar "Content Management on the Client" explains how you can use Microsoft Outlook to manage content after mail leaves the server.
Exchange Server 5.5
In an Exchange Server 5.5 organization, the SMTP server is the primary focus for content-management software because vendors haven't designed many content-management applications to run directly on an Exchange Server 5.5 mailbox server. Therefore, for Exchange Server 5.5, you can evaluate content-management solutions based on SMTP mail and entry (or exit) points.
If you want content management solely for an Exchange Server 5.5 organization, you can buy an antivirus product with a content-management plug-in, such as Trend Micro's ScanMail for Microsoft Exchange or Sybari Software's Antigen. For example, ScanMail for Microsoft Exchange has an eManager plug-in that provides both UCE prevention (i.e., the ability to block inbound messages based on information that appears in, or is missing from, the message header) and content filtering, as Figure 1 shows. The Trend Micro Web site (http://www.antivirus.com) provides content-filtering rules to block greeting card messages and several known virus types. You import the rules into a policy that also defines what action to take when a message matches the rule.
One of the earliest content-management products for Exchange Server, Baltimore Technologies' (formerly Content Technologies') MAILsweeper 3.0 for Exchange, scans email sent through the Internet Mail Service (IMS). However, the original product had no administrative interface, which made it difficult to use because you had to configure the product by editing text files. The newest version, MAILsweeper 4.2, adds an administrative interface.
Regardless of whether you're running Exchange Server 5.5 or Exchange 2000, you'll want certain features in your solution. Table 1 shows a list of content-management products and Web sites for information about them. All these products have or soon will have SMTP gateway or Exchange 2000 versions; some companies will also have plug-ins for Microsoft Internet Security and Acceleration (ISA) Server. Sue Mosher also maintains a complete list of content-management products at http://www.slipstick.com/addins/content_control.htm. I recommend that you try the products' evaluation CD-ROMs to help you make a purchasing decision. As you evaluate these products, look for these characteristics:
- Windows 2000 compatibility and Active Directory (AD) integration—Even if you're still considering solutions for Exchange Server 5.5, choose a Win2K-compatible product to give you an upgrade path to Win2K and Exchange 2000. Choose a product that's Exchange 2000 aware and that protects all delivery protocols and points of access to the Web Storage System (WSS). Ideally, because Exchange 2000 relies on the Win2K AD, the product should be well integrated into AD and allow centralized management from Microsoft Management Console (MMC). If you don't want the content-management server to be yet another isolated system for you to manage, ask the vendor about Exchange 2000 and Win2K integration.
- Lexical analysis—The best products perform lexical analysis on incoming messages. Lexical analysis lets you filter on complex combinations of words and use Boolean logic (e.g., to filter on words near one another). For example, words such as make, money, and fast are OK when they're scattered throughout an email message, so you want to filter the message only if it contains the phrase "make money fast." However, searching for that exact phrase doesn't work when the offending message says, "Make tons of money real fast." Using a Boolean search for the words near one another can catch this type of phrase. Content-management software can analyze both the content of attachments and the content of the email message body.
- Administrator-definable actions—You can specify an action for filtered email, such as quarantining, deleting, or archiving a copy of the message. You can also configure a customized notification for the sender, recipient, and even other email users. If the content-management product modifies or deletes email messages without delivering them, you can configure a message that states that content management has taken place. Such a message helps you if content control accidentally catches innocent messages (i.e., a false positive). You might need to retrieve false-positive messages from the quarantine directory to avoid losing valuable information. Unfortunately, quarantining messages imposes more work on the administrator, who must periodically check and purge the quarantined messages.
- Streetwise vocabulary—Unless you are creative and aware of every offensive or naughty phrase that people can include in email, you might want to rely on the product vendor's list of offensive phrases for screening. Content-management vendors such as Baltimore can provide a file for import into their product.
- Support for global languages—Another feature to look for—a feature that English-centric administrators tend to overlook—is support for global languages. Look for a product that can filter based on the additional character sets of other languages. The product might catch an offensive word or phrase only if all the letters match the same character set. The new version of MAILsweeper supports English, French, and Japanese.
- Ability to scan for HTML scripts—Unless you have a business-specific reason for allowing incoming email messages to contain active content in the form of embedded HTML scripts, you can scan for the scripts in the message body. The content-management application looks for the phrase ,
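The lexical-analysis, administrator-definable-actions and HTML-script items of the checklist, worked through as an added Python example that is not code from the article or from any product it names. The rule set, the NEAR window of six words, the action severity order and the script-tag pattern are all constructed assumptions for this example; the article gives no such values.

```python
# Added example (not from the article): proximity-based lexical analysis
# ("make money fast" matches "Make tons of money real fast"), a simple
# check for embedded HTML scripts, and a strictest-action policy across
# the rules that matched. Every rule and threshold here is an assumption.
import re
from dataclasses import dataclass

WORD_RE = re.compile(r"[a-z']+")
# Assumed pattern for an embedded script block in an HTML body part.
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)
# Assumed ordering: when several rules match, the strictest action wins.
SEVERITY = {"deliver": 0, "archive": 1, "quarantine": 2, "delete": 3}


@dataclass(frozen=True)
class Rule:
    name: str
    words: frozenset  # all must occur within `window` consecutive tokens
    window: int
    action: str       # deliver | archive | quarantine | delete


# Administrator-defined rules (constructed for this example).
RULES = (
    Rule("make-money-fast", frozenset({"make", "money", "fast"}), 6, "quarantine"),
    Rule("confidential-outbound", frozenset({"confidential"}), 1, "archive"),
)


def tokenize(text: str) -> list:
    return WORD_RE.findall(text.lower())


def near(tokens: list, words: frozenset, window: int) -> bool:
    """Boolean NEAR: every word in `words` occurs inside one span of `window` tokens.

    Order does not matter and other words may sit in between, which is what
    lets a rule written for "make money fast" catch reworded variants while
    leaving a message where the same words are scattered alone.
    """
    if not words:
        return False
    positions = {}
    for i, tok in enumerate(tokens):
        if tok in words:
            positions.setdefault(tok, []).append(i)
    if set(positions) != set(words):
        return False  # at least one word never appears at all
    for start in range(len(tokens)):
        end = start + window
        if all(any(start <= p < end for p in positions[w]) for w in words):
            return True
    return False


def decide(matched: list) -> str:
    """Pick the strictest administrator-defined action; deliver if nothing matched."""
    return max((r.action for r in matched), key=SEVERITY.get, default="deliver")


def evaluate(body: str, is_html: bool = False) -> dict:
    """Run every rule over one body part and return the matches and the action."""
    tokens = tokenize(body)
    matched = [r for r in RULES if near(tokens, r.words, r.window)]
    if is_html and SCRIPT_RE.search(body):
        matched.append(Rule("html-script", frozenset(), 0, "delete"))
    return {"rules": [r.name for r in matched], "action": decide(matched)}


if __name__ == "__main__":
    print(evaluate("Make tons of money real fast"))
    print(evaluate("We make good coffee. Money is tight. Ship it fast."))
    print(evaluate("<html><body><SCRIPT>x()</SCRIPT>Hello</body></html>", is_html=True))
```

The second sample message contains all three words of the first rule but spread across the whole text, so it is delivered; the first packs them into six tokens and is quarantined, where an administrator can still recover it if it turns out to be a false positive.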