How do I stop worms spreading via SMTP?


Question

Many viruses – including worms like Klez – come with their own SMTP server.
This means that they can bypass the mail server (including GMS/GMS Anti-Virus) and
send straight to the Internet. So, if an end user machine is infected, it
could pass infection on even when GMS Anti-Virus is installed.

The rest of this entry explains what is happening in a bit more detail and
highlights the importance of GMS Anti-Virus, GMS Anti-Spam and GMS Webmail.

Klez (as an example) is a mass-mailing worm that arrives as an email
attachment. All elements of the email (i.e. the subject line, the message
text and the name of the attachment) are randomly selected from a predefined
set of values, making it difficult to identify, so just using GMS Anti-Spam
to try to block it would be tricky.

When the attachment is run, the worm executes, copies itself to the Windows
System directory and adds a registry key to ensure it will execute upon
startup. Finally, it collects email addresses from the Windows address book
and uses its own SMTP engine to send copies of itself to random recipients,
spoofing the sender’s email address.

Answer

There are several benefits to using GMS products which will mitigate
the issues raised in the above example:

  1. None of the GMS products use the Windows address book.
    Products such as Outlook and Outlook Express, however, do – and so they are
    particularly vulnerable. Using GMS Webmail as a mail client therefore
    provides added safety.

  2. An infected file cannot be attached to an email with GMS Webmail. This is
    because GMS Anti-Virus scans files even *before* they are attached and so blocks or
    disinfects them as appropriate.

  3. GMS Anti-Virus scans incoming email at the SMTP level, so it handles these
    external threats.

  4. GMS Anti-Spam provides considerable anti-abuse capability and can be used to
    block any or all attachments.

  5. Good system management practice also indicates that outbound port 25
    should be firewalled from all internal machines other than the mail
    server. That is, machines inside your organisation should not be able to
    send email directly, but must send it to the mail server to have it posted.
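
To check that the port 25 rule in point 5 is working, and to find machines that may be running a worm's own SMTP engine, firewall connection logs can be reviewed for internal hosts other than the mail server that try to reach external port 25. The script below is an added example, not part of GMS; the internal range, mail server address, log layout and sample lines are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example (not from the article): the internal range,
# the mail server address and the log layout are all constructed.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
MAIL_SERVERS = {ipaddress.ip_address("10.0.0.25")}

# Constructed sample: "<time> <src> <dst> <dst_port> <ALLOW|DENY>"
SAMPLE_LOG = """\
09:00:01 10.0.0.25 203.0.113.10 25 ALLOW
09:00:02 10.0.1.17 203.0.113.10 25 DENY
09:00:02 10.0.1.17 198.51.100.7 25 DENY
09:00:03 10.0.1.17 192.0.2.44 25 DENY
09:00:04 10.0.1.30 10.0.0.25 25 ALLOW
09:00:05 10.0.1.42 198.51.100.7 443 ALLOW
09:00:06 10.0.1.55 192.0.2.44 25 ALLOW
malformed line
"""

def direct_smtp_hosts(log_text):
    """Return {internal_host: {"dests": set, "allowed": int}} for hosts other
    than the mail server that tried to reach external port 25 directly."""
    hits = defaultdict(lambda: {"dests": set(), "allowed": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed layout
        _, src, dst, port, action = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip lines with unparseable addresses
        if port != "25" or src_ip not in INTERNAL_NET or src_ip in MAIL_SERVERS:
            continue
        if dst_ip in INTERNAL_NET:
            continue  # client submitting to the internal mail server: expected
        hits[str(src_ip)]["dests"].add(str(dst_ip))
        if action == "ALLOW":
            hits[str(src_ip)]["allowed"] += 1  # rule gap: traffic got out
    return dict(hits)

if __name__ == "__main__":
    for host, info in sorted(direct_smtp_hosts(SAMPLE_LOG).items()):
        gap = " (FIREWALL GAP: some allowed)" if info["allowed"] else ""
        print(f"{host}: {len(info['dests'])} external SMTP destinations{gap}")
```

A host that appears with many distinct external destinations is a candidate for virus scanning; any non-zero "allowed" count means the outbound rule is not covering that machine.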

The conclusion is that GMS Anti-Virus, GMS Anti-Spam and GMS Webmail combine as an excellent
defence against virus infection and transmission. Their cost is modest –
even ridiculously cheap, especially when compared with the cost of
infection (or passing on an infection) either as a ‘direct impact’ on the
business, or ‘legal’, via the courts.

Keywords: worms, virus, spreading, SMTP, infection, security, protection
