Immunizing Careless Email Users Against Viruses

After Microsoft issued the Outlook Email Security Update last summer, one quip making the rounds suggested that mail administrators should send the patch to everyone as an attached .exe file, assuring that the users who are most prone to opening a dangerous attachment would be protected by installing the patch.

We laughed at the time, but now, 10 months after the LoveLetter virus struck and dozens of Outlook+VBScript viruses later, that idea doesn't seem so farfetched. I recently found a company that uses the concept of giving users a taste of their own carelessness in a product that gently educates users about email-attachment safety.

The company is Verstrada ( ), and the product is The Immunizer. It sends users an innocuous message with a safe .vbs or .exe attachment. A typical message from The Immunizer might have the subject "New Org. Chart" with the message "The new org chart is attached. Please review and call me."

Users who open the attachment receive an immediate warning that the file could have been a virus and, the following day, another mail message providing tips about safe file-attachment practices. After a week, those users who didn't open the attachment get a note commending them for not opening the file and offering the same safe-attachment tips.

After the initial test, The Immunizer automatically sends additional educational messages and runs more attached-file tests at random intervals. Through a client logon at the Verstrada Web site, administrators can get statistics at any time on the percentage of users who opened the test files and see graphics showing the increasing number of users who adopt safe attachment practices. Administrators can also get the names of users who opened the attachments so they can follow up with those individuals.

Verstrada President Chris Welborn says that data from all companies using The Immunizer shows that the percentage of people who opened the initial test attachment hit 47 percent. Figures gathered after the education campaign showed that the average dropped to 11 percent.

One Immunizer client told me that he applied The Immunizer to both a community organization and his company, which deals with Web security issues. No one in his company opened the attachment, he reported, but 15 percent of those in the community group did. Half of those who opened the message thanked him, either by email or in person, for the lesson about attachment safety.

At another company—a tech startup—more than half the employees opened the initial test attachment, but the second round of testing showed that only 10 percent did. The chief technology officer said his company wants employees to change their careless attitudes to protect the company, but many won't until they have experienced opening a file that they should have ignored.

Such an educational campaign, complete with quantifiable results, fits well with other security measures, such as content control and virus scanning on the server and, on the client, combinations of virus scanning, attachment blocking, and other restrictions. The Immunizer's cost, less than a dollar per month per user, compares favorably with the cost of classroom training in email safety. (And if you can't get executives to attend class, you can probably get them to read an email message.)

Back to Links: UPDATE reader Phil Hogan used the tip from my column 2 weeks ago to create a link to an Outlook "sticky note" by selecting a contact and then choosing Actions, Link, Items. He (and I) found out the hard way that Outlook provides no mechanism for removing links on a sticky note. To fill the gap, I wrote a small Outlook VBA routine that clears all the contact links from the currently open item.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.