Eight e-mail virus scanners tested

 Antivirus scanners

 Mail server antivirus packages:
 Clearswift MailSweeper
 Computer Associates eTrust
 F-Secure Antivirus
 GFI MailSecurity
 Netbox Micro
 NetIQ MailMarshal
 Sophos MailMonitor
 Trend Micro ScanMail

With yet another high-profile e-mail virus having recently done the rounds, we look at eight mail-server plugins designed to make sure your servers don't take a beating the next time one comes along.

Facing a review of mail server antivirus packages, I feel like the air force guy in the old WWII movies. When his squadron is paraded in front of the head honcho who asks for a single volunteer to take a step forward to run a mission into enemy territory that will almost certainly end in death, everyone else in the line takes one step back and this poor schmuck is the only one who didn't think of doing that and is sent into the battle.

The server-based products in this case are those that scan both incoming and outgoing e-mail messages for an organisation. Nowadays it is a generally accepted fact of business life that many nasties find their way onto corporate networks via the e-mail system. Be it spam, worms, or viruses, each has its own way of potentially consuming and in some cases destroying valuable company resources -- from the employees' time wasted deleting unwanted messages through to viruses destroying data, consuming bandwidth, or compromising network security. Don't forget that some worms not only self-replicate but can also carry malicious payloads set to launch immediately, or to lie dormant on your system until a specifically programmed trigger point, such as an application launch or a date, occurs.

The recent advent of faster, always-connected Internet links has led to an increase in these e-mail-borne pests, enabling them to proliferate and replicate like never before. Combined with the plethora of downloadable tools that let script kiddies get their hands on a particularly virulent outbreak, deconstruct it, reconstruct it with their own payload, and release it, that doesn't help at all.

One of the best steps the humble network administrator can take to prevent this type of overwhelming attack from bringing the company to its knees is to install an antivirus (AV) application. We covered antivirus applications in November; however, those were centralised server-based distribution platforms for protecting individual client/server machines. The products in this review are concerned with covering the e-mail server itself as a potential point for receiving and distributing these malicious applications.

So which does a company need: protection on each desktop or protection at the e-mail gateway? The answer is both. These e-mail antivirus gateway applications are not trying to replace the existing methods of virus detection, quarantine, and removal; they are there to improve the chances of a detection at the border, before a virus enters the network as a whole. And with e-mail being the most economical and widespread method of distribution for these unwanted programs, it makes sense to cover the point where mail comes in and goes out. Malicious programs can still be introduced to the network intentionally by a disgruntled employee, unintentionally by employees via infected CD-ROMs, flash memory keys, or floppy disks, or by the crafty hacker who has discovered a flaw in the network's security. We still recommend running individual local client/server antivirus applications in conjunction with the products reviewed here.

So why scan incoming e-mail if your desktops already have up-to-date AV definitions and applications installed on them?

The main reason for deploying an antivirus e-mail gateway application is that humans will always be humans. No matter how many times users are beaten about the head and threatened with written warnings for non-compliance with the e-mail usage policy, they still insist on opening attachments e-mailed to them from Aunty Lorna. They will inevitably fall into the trap that results in a potential virus or worm outbreak.

Another reason is that a gateway lets network administrators monitor potential e-mail virus traffic from a single point and, in most cases, quickly create policies or rules that stop malicious data in its tracks. This is particularly advantageous when a new virus appears and the AV vendors haven't yet had time to update their definitions: administrators can rely on their own rules to help control and contain the virus, reducing or removing the potential damage at that point.

Why scan outgoing e-mail, then? Aside from the common courtesy of a company doing its part to reduce the spread of malicious applications, it also potentially saves money in bandwidth by blocking those attachments from going out in the first place.

It also enables you to save face as it protects you from being accused of allowing viruses to proliferate from your network to the outside world.

Antivirus applications will never pick up 100 percent of the viruses, worms, and Trojans that are out there, but administrators can make a big impact by being aware of how and why these malicious programs exist and then taking steps to stem the flow with practical procedures. It may be as simple as deciding whether some employees really need to receive executable files as e-mail attachments -- and then creating a rule that blocks e-mails containing *.exe attachments, or at the very least strips the attachment and lets the body through (always allowing for the occasional false positive).
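The kind of rule described above, written out as an added example (it is not code from the article or from any of the products reviewed, and uses only Python's standard `email` library): the gateway looks at each attachment, drops anything whose extension is on a blocked list, keeps the message body and the harmless attachments, and appends a notice so the recipient knows something was removed. The blocked-extension list, the `X-Gateway-Stripped` header and the sample message are all constructed for the example. The example goes one step beyond a name-only rule: it also treats an attachment whose content starts with the DOS/PE `MZ` marker as an executable, which is how a renamed `.exe` would otherwise slip past an extension check.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Hypothetical gateway policy (not from any product on the page): attachment
# extensions this site has decided it does not need to receive or send by mail.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def is_blocked(part: EmailMessage) -> bool:
    """True if an attachment is an executable by filename or by content.

    The extension rule is the one the article describes. The content check
    (DOS/PE executables start with the two bytes 'MZ') additionally catches an
    executable that has been renamed to dodge a name-only rule."""
    name = part.get_filename() or ""
    if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == b"MZ"


def strip_blocked_attachments(raw: bytes) -> tuple[bytes, list[str]]:
    """Rewrite a raw message so that blocked attachments are removed.

    Returns (new message bytes, names of stripped attachments). The text body
    and the non-blocked attachments are kept, and a notice is appended to the
    body so the recipient can see that the gateway acted."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not msg.is_multipart():
        return raw, []  # nothing attached, nothing to strip

    removed, kept = [], []
    for part in msg.iter_attachments():
        if is_blocked(part):
            removed.append(part.get_filename() or "<unnamed>")
        else:
            kept.append(part)
    if not removed:
        return raw, []  # clean mail passes through byte-for-byte untouched

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""

    out = EmailMessage()
    for header in ("From", "To", "Cc", "Subject", "Date", "Message-ID"):
        if msg[header] is not None:
            out[header] = str(msg[header])
    out["X-Gateway-Stripped"] = ", ".join(removed)  # hypothetical audit header
    out.set_content(
        text + "\n[Gateway notice: removed attachment(s): " + ", ".join(removed) + "]\n"
    )
    out.make_mixed()        # the text body becomes the first part of multipart/mixed
    for part in kept:
        out.attach(part)    # re-attach the original part unchanged, no re-encoding
    return out.as_bytes(), removed


def attachment_names(raw: bytes) -> list[str]:
    """Filenames of the attachments in a raw message (used to inspect results)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() or "<unnamed>" for p in msg.iter_attachments()]


def body_text(raw: bytes) -> str:
    """Plain-text body of a raw message, or '' if it has none."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def build_sample() -> bytes:
    """Constructed sample message (not real traffic): a text body, a harmless
    text attachment, an .exe, and the same .exe renamed to .jpg."""
    m = EmailMessage()
    m["From"] = "lorna@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "holiday photos"
    m.set_content("Hi, pictures attached!")
    m.add_attachment("just notes", filename="notes.txt")
    fake_exe = b"MZ\x90\x00" + b"\x00" * 28  # DOS header magic followed by padding
    m.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                     filename="photos.exe")
    m.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                     filename="photos.jpg")
    return m.as_bytes()


if __name__ == "__main__":
    new_raw, removed = strip_blocked_attachments(build_sample())
    print("stripped:", removed)
    print("kept:", attachment_names(new_raw))
    print(body_text(new_raw))
```

Run it on the constructed sample and `photos.exe` and `photos.jpg` are stripped while `notes.txt` and the body survive. A message with no blocked attachment is returned unchanged, which matters in practice: rewriting every message would break signatures and make it harder to tell what the gateway actually touched. The extension list is deliberately a site decision rather than a fixed truth, which is where the article's caveat about the occasional false positive comes in.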

Talkback (1 comment)

    Anonymous -- 22/06/04

    Unfortunately MailMarshal's reporting of problems to the sender leaves a lot to be desired. Its reports are amongst the least useful of any mail gateway software on the market, failing to include the headers of the original message, and typically misidentifying or not identifying the sender and recipients.

    As someone who sees a lot of bounces from mailing list traffic, I'm sick of not knowing which addresses are supposed to be removed from the list.
