Senior Editor, Network World

Debate heats up over e-mail quarantine

Feb 02, 2004

The widespread outbreak last week of the MyDoom mass-mailer worm, which tricked end users into opening infected files, renewed debate over whether companies should ban or at least quarantine e-mail attachments to safeguard their networks.

Some say such an effort isn’t practical, but others already do just that for some, if not all, attachments.

“We do filter out .exe and other executables,” says Bob Ciurylo, manager of IT security at Northeast Utilities, whose 10,000 employees get a combined 80,000 to 100,000 e-mails a day. As news of MyDoom surfaced, Northeast Utilities told employees not to open any unexpected messages, a move Ciurylo says helped minimize damage. For those employees really needing files in a certain format, the company uses a less risky FTP-based system.

Chip designer Ubicom blocks inbound and outbound e-mail attachments using software from Network Associates.

“We don’t want to take the chance on a [worm] infestation,” says Jim Poehlman, IT director at the 75-person company in Mountain View, Calif. “We don’t want to be sending viruses out to the network either.”

As of Friday, the initial version of MyDoom (also called Novarg.A) had infected hundreds of thousands of Windows desktops in its sweep across the Internet and showed no signs of slowing.

After fooling users into opening infected .exe, .cmd and other files, the attachments compromised machines and mailed themselves off again, clogging e-mail servers at large companies such as Boeing and pushing e-mail transmission on the ‘Net up 30% during the worm’s first days.

MyDoom, already rated as one of the worst worms in history, turned computers into spam relays, opened doors for hackers and created platforms set to launch denial-of-service (DoS) attacks against The SCO Group on Feb. 1. SCO’s Web site last week was intermittently up and down, which the company acknowledged was probably a result of MyDoom-generated DoS attacks.

A second variant, which anti-virus firms said has so far been less successful in spreading, blocked user access to anti-virus Web sites and is scheduled to launch a DoS attack on Microsoft tomorrow.

It took anti-virus vendors more than an hour to prepare a signature update for desktops and gateways to stop the two versions, and far longer to prepare tools to eradicate traces of the worm from desktops.

Gartner last week estimated cleaning up after MyDoom – and the Trojan horses it leaves behind – probably will cost $250 million in lost productivity. That’s five times the estimated cost of last year’s SoBig mass mailer.

Gartner analyst John Pescatore lamented that efforts to educate end users over the past decade not to open suspect attachments “have a very low return on investment. . . . Six weeks after any virus incident, users are back to double-clicking on any and all attachments.”

Pescatore recommends that companies routinely quarantine attachments received via the Internet for an hour or so, and then let them through if no anti-virus alerts have been issued in the meantime. “The anti-virus vendors are getting much better at having early warning systems,” he says.

Of course, anti-virus tools can’t do the job alone, Pescatore says. He suggests using intrusion-prevention systems and desktop firewalls as well.
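As an added illustration (example code written for this page, not software belonging to Network World, Gartner, or any of the companies named), the two controls described above combined in one gateway-side policy: the executable blocklist that Northeast Utilities and Ubicom apply, and the hold-then-release quarantine Pescatore recommends. The extension list, the one-hour window, the `alert_active` flag standing in for a vendor early-warning feed, and the sample messages are all assumptions constructed for the example. It goes one step beyond the article by also checking attachment content for the Windows executable header, since an extension-only filter passes a renamed executable; it does not look inside archives.

```python
"""Gateway attachment policy: reject executables outright, hold everything
else for a cooling-off window, deliver if no anti-virus alert has fired.
Illustrative code written for this article; the policy values are assumptions."""
import email
from email import policy
from email.message import EmailMessage
from datetime import datetime, timedelta, timezone

# Assumed blocklist: ".exe and other executables", tuned per site in practice.
BLOCKED_EXTENSIONS = {".exe", ".cmd", ".bat", ".com", ".pif", ".scr", ".vbs", ".js"}
# Windows PE files start with "MZ"; a content check catches a renamed .exe
# that an extension-only filter would let through.
PE_MAGIC = b"MZ"
HOLD_WINDOW = timedelta(hours=1)  # Pescatore's "hour or so"


def classify_part(part):
    """Return 'block', 'hold' or 'pass' for one non-multipart MIME part."""
    filename = part.get_filename()
    if not filename:
        return "pass"  # body text, not an attachment
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    payload = part.get_payload(decode=True) or b""
    # "invoice.doc.exe" resolves to ".exe"; "readme.txt" carrying an MZ
    # header is caught by the magic check rather than the extension.
    if ext in BLOCKED_EXTENSIONS or payload.startswith(PE_MAGIC):
        return "block"
    return "hold"


def classify_message(raw_bytes):
    """Classify a whole message; the strictest per-part verdict wins."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = [classify_part(p) for p in msg.walk() if not p.is_multipart()]
    for verdict in ("block", "hold"):
        if verdict in verdicts:
            return verdict
    return "pass"


class Quarantine:
    """Hold attachment-bearing mail until HOLD_WINDOW passes with no alert."""

    def __init__(self, hold_window=HOLD_WINDOW):
        self.hold_window = hold_window
        self.held = {}             # message id -> (received_at, raw_bytes)
        self.alert_active = False  # assumed hook for a vendor early-warning feed

    def submit(self, msg_id, raw_bytes, now):
        verdict = classify_message(raw_bytes)
        if verdict == "block":
            return "rejected"
        if verdict == "pass":
            return "delivered"
        self.held[msg_id] = (now, raw_bytes)
        return "held"

    def release_due(self, now):
        """Deliver messages whose window has expired. While an alert is
        active nothing is released, so the held mail can be rescanned once
        the new signature arrives."""
        if self.alert_active:
            return []
        due = [mid for mid, (received_at, _) in self.held.items()
               if now - received_at >= self.hold_window]
        for mid in due:
            del self.held[mid]
        return due


def build_message(filename, payload, maintype="application", subtype="octet-stream"):
    """Construct a sample message with one attachment (test input, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "sample"
    msg.set_content("see attached")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    q = Quarantine()
    t0 = datetime(2004, 2, 2, 9, 0, tzinfo=timezone.utc)
    print(q.submit("m1", build_message("readme.cmd", b"start worm"), t0))       # rejected
    print(q.submit("m2", build_message("notes.txt", b"MZ\x90\x00PE"), t0))       # rejected
    print(q.submit("m3", build_message("invoice.pdf", b"%PDF-1.4"), t0))         # held
    print(q.release_due(t0 + timedelta(minutes=30)))                              # []
    print(q.release_due(t0 + timedelta(minutes=61)))                              # ['m3']
```

The `alert_active` flag is where a real deployment would wire in the vendor early-warning feed Pescatore mentions; while it is set, nothing leaves quarantine, which is the behaviour that would have bought time during MyDoom's first hour before signatures existed.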

But some organizations say proactive blocking of e-mail with executables isn’t practical.

Consultancy Itdojo, for instance, scans but does not block messages. Colin Weaver, Itdojo’s president, says some of the company’s customer contact is done exclusively by e-mail and that the firm relies on .pdf, .doc and other file formats for things such as receipts from electronic transactions.

“As part of this communication, we regularly exchange e-mails containing attachments,” Weaver says. “Most of our invoicing is done via e-mail attachment.”

Joe Adams, director of IT for Converdyn, a marketing agency for uranium and nuclear fuels in Denver, says his company is considering quarantining e-mail attachments for two hours to prevent virus outbreaks. But he notes that while quarantining “from the techie point of view sounds great,” to upper management it often doesn’t fly.

In the meantime, Converdyn depends on educating end users about the dangers of attachments, and last week Adams instructed them via e-mail broadcast to delete any messages they had doubts about in advance of the anti-virus update for MyDoom.