Recently, numerous new mass-mailing viruses -- including Beagle.A, Novarg.A, and MyDoom.B -- have been discovered. What makes these viruses so effective as sources of infection is that they not only harvest e-mail addresses from address books and other files likely to contain addresses and use them as the recipients of infected messages, but also use the harvested addresses as the forged senders of those messages. Each infected message therefore appears to come from someone the recipient may know, not from the machine that actually sent it. For example, MyDoom.B looks for addresses in files with these extensions: .adb, .asp, .dbx, .htm, .php, .pl, .sht, .tbb, .txt and .wab.
Why is this significant, you may ask? Because so many antispam and e-mail filtering techniques rely on white lists (that is, lists of sender addresses that are allowed into your inbox), it is inevitable that some of the harvested addresses placed in the From: field of infected messages will be on a white list that lets them straight into your inbox. The From: header is nothing more than text written by the sending program, so a white list that trusts it trusts whatever the worm chooses to put there. In my own experience, within 48 hours of the discovery of the Beagle.A worm, I had already received half a dozen e-mails that claimed to originate from senders whose messages I would never normally question. I'm sure it has been the same for most e-mail users: SearchSecurity.com published estimates on Jan. 28 that one in every 12 e-mails contained the MyDoom virus.
Fortunately, antivirus software already in place on most desktops can catch and block the infected attachments that let the virus spread to other computers. But this situation does illustrate that simple-minded address checking is not enough to stop all malicious e-mail from making its way into your inbox. Other simple checks -- for specific subject lines, payload text, attachment names or attachment types -- will also help keep unwanted e-mail out, even when it claims to originate from a user you would normally trust. Of these, refusing executable attachment types outright is the most durable, because subject lines and file names change with every new variant while the need to deliver an executable does not. This explains why content-oriented e-mail gateways, such as Aladdin's eSafe, are gaining interest and acceptance in the marketplace: they screen e-mail not only on the basis of addressing information, but also on content terms and patterns, attachment types, and so forth. It also explains why it is so important to screen your e-mail and to keep antivirus software and signatures absolutely up to date!
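As an added example (not code from this article, nor from any vendor's gateway product), the small Python filter below makes the point concrete. It parses two messages with the standard library's email package: one genuinely from a white-listed correspondent, and one mass-mailer message that forged the same From: address and attached a .pif file behind a double extension. A white-list-only policy accepts both; the layered policy checks attachment type, subject and body text without consulting the sender at all, and only then applies the white list. The white list, the blocked extensions, the lure patterns and both sample messages are constructed for illustration and are assumptions, not lists taken from any specific worm.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr

# Assumed local white list of trusted correspondents (constructed).
WHITELIST = {"alice@example.com", "bob@example.org"}

# Assumed gateway policy: executable attachment types that are never passed.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".cmd", ".bat", ".com"}

# Assumed gateway policy: subject and body patterns typical of lures.
SUSPICIOUS_SUBJECTS = [re.compile(p, re.I) for p in (
    r"^(test|hi|hello)$",
    r"mail (delivery|transaction) (failed|system)",
    r"^server report$",
)]
SUSPICIOUS_BODY = re.compile(r"sent as a binary attachment", re.I)

# Constructed sample: a genuine message from a white-listed correspondent.
LEGIT = """From: Alice <alice@example.com>
To: me@example.net
Subject: Minutes from Tuesday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Minutes attached, see you Thursday.
--b1
Content-Type: text/plain; name="minutes.txt"
Content-Disposition: attachment; filename="minutes.txt"

1. Budget
--b1--
"""

# Constructed sample: a mass-mailer that forged the same From: address
# (harvested on an infected machine) and attached a .pif executable
# hidden behind a double extension. The base64 body is dummy text.
SPOOFED = """From: Alice <alice@example.com>
To: me@example.net
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

The message cannot be represented in 7-bit ASCII and has been sent as a binary attachment.
--b2
Content-Type: application/octet-stream; name="document.txt.pif"
Content-Disposition: attachment; filename="document.txt.pif"
Content-Transfer-Encoding: base64

ZHVtbXkgcGF5bG9hZA==
--b2--
"""


def sender_address(msg):
    """Bare address from the From: header, which the sender fully controls."""
    return parseaddr(str(msg.get("From", "")))[1].lower()


def attachment_names(msg):
    """Filenames of every MIME part that carries a name."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def whitelist_only(raw):
    """The naive policy: accept anything whose From: is on the white list."""
    msg = email.message_from_string(raw, policy=policy.default)
    return "accept" if sender_address(msg) in WHITELIST else "quarantine"


def classify(raw):
    """Layered policy: content checks first, never consulting the sender;
    the white list only decides among messages that already passed them.
    Returns (verdict, reason)."""
    msg = email.message_from_string(raw, policy=policy.default)
    for name in attachment_names(msg):
        ext = os.path.splitext(name.lower())[1]  # last extension is what runs
        if ext in BLOCKED_EXTENSIONS:
            return "reject", f"blocked attachment type {ext}: {name}"
    subject = str(msg.get("Subject", ""))
    if any(p.search(subject) for p in SUSPICIOUS_SUBJECTS):
        return "reject", f"suspicious subject {subject!r}"
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and SUSPICIOUS_BODY.search(body.get_content()):
        return "reject", "suspicious body text"
    sender = sender_address(msg)
    if sender in WHITELIST:
        return "accept", f"white-listed sender {sender}"
    return "quarantine", f"unknown sender {sender}"


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(f"{label:8} whitelist-only={whitelist_only(raw):10} "
              f"layered={classify(raw)}")
```

Both samples carry an identical From: header, so whitelist_only returns the same verdict for each; classify rejects the forged one on the attachment type before it ever reads the sender. A production gateway would additionally look inside archive attachments, since a .zip wrapper is the obvious way around an extension check, and would pair these cheap rules with up-to-date antivirus scanning rather than replace it.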
Thomas Alexander Lancaster IV is a consultant and author with over 10 years of experience in the networking industry, focused on Internet infrastructure.
This was first published in February 2004