How do I stop worms spreading via SMTP?
Many viruses – including worms like Klez – come with their own SMTP server.
This means that they can bypass the mail server (including GMS/GMS Anti-Virus) and
send straight to the Internet. So, if an end user machine is infected, it
could pass infection on even when GMS Anti-Virus is installed.
The rest of this entry explains what is happening in a bit more detail and
highlights the importance of GMS Anti-Virus, GMS Anti-Spam and GMS Webmail.
Klez (as an example) is a mass-mailing worm that arrives as an email
attachment. All elements of the email (i.e. the subject line, the message
text and the name of the attachment) are randomly selected from a predefined
set of values, making it difficult to identify, so just using GMS Anti-Spam
to try and block it would be
When the attachment is run, the worm executes, copies itself to the Windows
System directory and adds a registry key to ensure it will execute upon
startup. Finally, it collects email addresses from the Windows address book
and uses its own SMTP engine to send copies of itself to random recipients,
spoofing the sender’s email address.
There are several benefits to using GMS products that mitigate
the issues raised in the above example:
- None of the GMS products use the Windows address book.
Products such as Outlook and Outlook Express, however, do – and so they are
particularly vulnerable. Using GMS Webmail as a mail client therefore
provides added safety.
- An infected file cannot be attached to an email with GMS Webmail. This is
because GMS Anti-Virus scans files even *before* they are attached and so blocks or
disinfects them as appropriate.
- GMS Anti-Virus scans incoming email at the SMTP level, so handles these external
- GMS Anti-Spam provides considerable anti-abuse capability and can be used to
block any or all attachments.
- Good system management practice also indicates that outbound port 25
should be firewalled from all internal machines other than the mail
server. That is, machines inside your organisation should not be able to
send email directly, but must send it to the mail server to have it posted.
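As an added illustration of the port 25 recommendation above (not part of the original entry or of any GMS product): a short Python check over firewall logs that lists internal machines, other than the mail server, that opened SMTP connections straight to the Internet, which is what a worm with its own SMTP engine does. The log format, the addresses and the mail server IP are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions for this example (not from the original entry):
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")  # internal LAN
MAIL_SERVER = ipaddress.ip_address("10.0.0.10")     # only host allowed out on port 25

# Constructed sample firewall log lines (key=value style), embedded to run offline.
SAMPLE_LOG = """\
Jan 10 09:00:01 fw OUT SRC=10.0.0.10 DST=198.51.100.7 PROTO=TCP SPT=40112 DPT=25
Jan 10 09:00:02 fw OUT SRC=10.0.0.23 DST=203.0.113.5 PROTO=TCP SPT=1045 DPT=25
Jan 10 09:00:02 fw OUT SRC=10.0.0.23 DST=203.0.113.88 PROTO=TCP SPT=1046 DPT=25
Jan 10 09:00:03 fw OUT SRC=10.0.0.23 DST=192.0.2.14 PROTO=TCP SPT=1047 DPT=25
Jan 10 09:00:04 fw OUT SRC=10.0.0.31 DST=10.0.0.10 PROTO=TCP SPT=2200 DPT=25
Jan 10 09:00:05 fw OUT SRC=10.0.0.31 DST=198.51.100.20 PROTO=TCP SPT=2201 DPT=443
Jan 10 09:00:06 fw OUT SRC=10.0.0.44 DST=192.0.2.99 PROTO=UDP SPT=5353 DPT=25
malformed line without fields
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def direct_smtp_senders(log_text):
    """Return {internal_host: sorted external destinations} for hosts other
    than the mail server that opened TCP port 25 connections to the Internet."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD_RE.findall(line))
        if not {"SRC", "DST", "PROTO", "DPT"} <= f.keys():
            continue  # skip lines that lack the fields we need
        if f["PROTO"] != "TCP" or f["DPT"] != "25":
            continue  # only TCP connections to the SMTP port matter here
        try:
            src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
        except ValueError:
            continue  # unparseable address
        # Client -> mail server is the intended path; flag only internal hosts
        # (not the mail server itself) that talk SMTP to outside addresses.
        if src in INTERNAL_NET and src != MAIL_SERVER and dst not in INTERNAL_NET:
            hits[str(src)].add(str(dst))
    return {host: sorted(dsts) for host, dsts in hits.items()}

if __name__ == "__main__":
    for host, dsts in direct_smtp_senders(SAMPLE_LOG).items():
        print(f"{host} sent SMTP directly to {len(dsts)} external hosts: {', '.join(dsts)}")
```

Once outbound port 25 is firewalled as described, the same check can be run over the firewall's blocked-connection log to find the machines that need cleaning.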
The conclusion is that GMS Anti-Virus, GMS Anti-Spam and GMS Webmail combine as an excellent
defence against virus infection and transmission. Their cost is modest –
even ridiculously cheap, especially when compared with the cost of
infection (or passing on an infection) either as a ‘direct impact’ on the
business, or ‘legal’, via the courts.
Keywords: worms virus spreading SMTP infection security protection