Keep Out: Spam and Viruses

Good security requires defense in depth—that is, layers of protection at every level of your network. Although small-to-midsized businesses (SMBs) might not have much in common with enterprises when it comes to budget, staff, resources, or requirements, their overall security needs are pretty similar to those of large businesses. I want to talk about two specific defensive security measures—antispam and antivirus protection—and how SMBs can deploy them in multiple layers of protection. I start with some concepts that are common to both measures, then branch out and provide specific strategies to maximize the amount of protection per dollar that you get for your network resources.

Distinguishing Good and Bad Content
Antivirus and antispam software share a common underlying function: they test messages, files, or other objects to determine whether they're "good" or "bad." I put those words in quotes because items that are bad according to one set of security rules might be good under another set. For example, at my company we develop software, so our staff members often mail scripts to one another. The same VBScript attachment that's good when sent between two internal users might be flagged as bad if it were received from an external sender.

The process of testing objects against a predetermined set of rules is basically the same for both antispam and antivirus tools, and both types of software can generally delete suspect content (with or without notifying the sender, recipient, or file owner), quarantine it for further inspection, or mark it with a tag that indicates why it's suspicious. The differences between these two classes of tools mostly involve how the tests are performed and what rules are applied.

Applying Multiple Defensive Layers
Most administrators think of defense in depth as multiple, overlapping protective measures for your network. These measures can provide multiple layers of protection against one threat, or they can provide protection against several different threats. With both antispam and antivirus protection, you can apply defensive layers at three primary locations:

By combining multiple types of antivirus or antispam protection, you can gain a higher degree of protection. In fact, conventional wisdom says that you should implement antispam and antivirus protection at all three locations and use a different scanning tool at each location. However, for most SMBs, two layers of antivirus protection—the perimeter and client layers can be combined to provide adequate antivirus security at a reasonable cost.

Why not use a server-based scanner too? Simple: If you have client-side protection, your clients won't be able to put infected files or messages on the servers. And your messaging servers will get protection from the perimeter scanner, which should keep out most infections from the outside world.

It's still a good idea to use a variety of vendor products for different layers when you can. Different products use different scanning engines, increasing the chances that at least one product will catch the undesirable content. However, most antivirus and antispam vendors offer discounts when you license their desktop, server, and client products together, so using products from a combination of vendors might cost more.

Spam Filtering
Spam filtering can be boiled down to one simple objective: Prevent spam from ending up in a user's Inbox. The hard part of actually achieving this objective lies in determining whether a message is spam or ham (a term I use to refer to legitimate messages). Separating spam from ham can be done according to several criteria. Most filtering software uses a combination of criteria to calculate a score and compare it to a threshold value. Messages that score higher than the threshold are considered spam, whereas those with lower scores are treated as ham.

In a 2004 study of 82 Fortune 500 companies, Nucleus Research estimated that spam was costing those companies an average of $1934 per employee per year. Although it might be possible to quibble with the exact amount, it's certainly true that poor spam filtering results in lost productivity and wasted time.

However, the problem with spam filtering is that if your filter is too aggressive, you'll lose (or at least delay) legitimate mail from customers, partners, and employees. For example, a pharmaceutical distributor would obviously not be well served by the typical filtering systems that look for the names of popular drugs and use them to distinguish spam. For that reason, one accepted best practice is to run a new spam filtering solution for a test period. During that test period, you shouldn't allow the antispam product to delete any messages, but you would use its logs and quarantine mechanism to check for mislabeled ham.

Some filtering systems use a technique known as Bayesian analysis to perform statistical checks on the message content. After you've "trained" the filter by feeding it both spam and ham messages (and identifying them as such), the filter will attempt to classify incoming messages based on the result of these checks. Properly trained Bayesian filters do a good job of blocking spam, but they are insufficient by themselves. For that reason, most filters also calculate spam scores based on these criteria:

Collaborative filters greatly increase filtering accuracy. By consolidating reports of spam messages, they enable every user of the collaborative filtering system to benefit from other users' input. Although collaborative filtering alone isn't a perfect solution, it's a strong adjunct to other types of filtering.

After a filter identifies a message as spam, the filter might block it, accept the message but delete it, tag it as spam but allow it through, or treat it as valid email. The effects of each action differ according to where the filter is placed. For example, a perimeter filter that blocks spam will keep it out of your servers, but a client filter that deletes spam after it's received does nothing to lessen the load on your servers. Being able to configure which actions the filter takes is important, as one of the biggest complaints about spam filters is their occasional penchant for mistaking ham for spam.

In my experience, solutions that let users control their own filter settings actually exacerbate this problem. Users will adjust their settings to get what they think is better filtering, but the changes will often catch more legitimate messages than the original settings. Spam filters that allow per-user quarantining help solve this problem by letting users mark their messages as spam or ham and feeding that information back to the filtering engine.

Virus Filtering
How to implement antivirus protection has been the topic of entire books (one example being Peter Szor's excellent The Art of Computer Virus Research and Defense, Addison-Wesley Professional, 2005). Obviously I can't go into similar detail in one article. However, I can point out a few concepts worth knowing.

Antivirus tools work by scanning objects (e.g., files, messages, executable programs, IM messages) and comparing their contents to sets of signatures that represent known viruses or derivatives thereof. The actual process of scanning for signatures is quite complex, since many viruses use encryption or self-modifying code to attempt to evade detection. For our purposes, it's more interesting to consider what can be scanned.

Client- and server-based scanners can typically scan both executable and data files when they're opened or while they're sitting on disk. Perimeter scanners, depending on how they're implemented, usually watch streams of data, such as SMTP or IM traffic, for virus signatures. Of course, just scanning files doesn't help much with applications that don't use conventional files, which is why messaging server-based scanners, such as those for use with Microsoft Exchange or IBM Lotus Notes, scan messages for content using APIs provided by the messaging vendor. One of the first things new Exchange administrators have to learn is what happens when a virus scanner decides that an Exchange transaction log file contains a suspicious data block and tries to clean it: The transaction log gets corrupted and causes problems when you dismount or remount the database. Other types of products, such as Microsoft Office SharePoint Portal Server and Live Communications Server, also have purpose-built virus scanners from a variety of vendors.

As with spam filtering, what happens when an item is flagged as suspicious varies according to the antivirus software's location and configuration. Perimeter filters typically either block or quarantine suspect items, while server- and client-based filters can quarantine or delete tagged items or attempt to clean them (with varying degrees of success). Notification is important, too, so administrators will know when a virus is detected. (Less useful are those alerts that purport to tell the sender of a message that it was infected. Because attackers often forge their sender information, the alert frequently goes to an innocent person, adding to his or her load of unsolicited email.)

Choosing an Antivirus Solution
The market for antivirus software is fairly well established and stable, with a few big-name vendors, such as Computer Associates, McAfee, and Symantec, dominating the business market. Because viruses have been a problem since the early 1980s, and because techniques for catching infected items are well understood, the big differences in antivirus products tend to be in ancillary features and pricing, not in basic capability.

The key to effective prevention of virus infection lies in two areas: getting rapid signature updates and being able to quickly scan on demand during an outbreak. You should also consider the following factors:

Choosing an Antispam Solution
Compared to the market for antivirus software, the antispam market is like the Wild West, full of newcomers and established vendors alike, all offering a dizzying array of gateway, server, and client filtering options. Many even combine those products. Most claim their technology has an edge in accuracy or speed.

Just remember, one of the most important aspects of spam filtering is flexibility. Spammers have proven to be more adaptable than cockroaches. Filtering technology that you can't easily adjust yourself—or that lacks regular updates from the vendor—is likely to prove unsatisfactory. However, there's definitely a trade-off between flexibility and the time you spend setting up and managing your antispam solution. A tool that has few default settings or requires extensive training might not be the right solution for you.

Other factors to evaluate include the following:

The good news for SMBs is that a variety of good, inexpensive filtering solutions exist, such as Nemx's Power Tools, Cloudmark's Outlook filtering tools, and hosted services from MessageLabs and Symantec Brightmail. For information about email security products, see the Windows IT Pro Buyer's Guide "Email Security Suites," February 2004, InstantDoc ID 41397. For information about spam filters for the enterprise, see Buyer's Guide, "Enterprise Spam Filters," April 2003, InstantDoc ID 38277.

Microsoft's Offerings
Microsoft has put a great deal of emphasis on beefing up the security of its products by improving design, development, testing, and support. This effort has already borne fruit (just compare Secunia's reported vulnerability counts for Windows Server 2003 and Windows 2000), and Microsoft is helping speed up the rate of improvement by adding security-focused products and features to its existing portfolio.

On the antivirus front, Microsoft bought GECAD Group (a Romanian software company little known in the United States but internationally recognized as a successful antivirus solutions provider) and antivirus company Sybari Software. Microsoft has since announced its Client Protection product for desktops and has renamed Sybari's Antigen to Microsoft Antigen—probably as a harbinger of future server-based security products.

In the antispam world, Microsoft offers an extensive set of spam filtering features in Outlook 2003 and Exchange Server 2003. The combination of Outlook 2003 and the Exchange Intelligent Message Filter (IMF) provides excellent filtering based on a large corpus of spam gathered through MSN Hotmail. That makes this combination of client and server-side filtering a good fit for many small organizations because there's no additional cost over the product licenses. However, neither the Outlook nor Exchange filtering system is very flexible, and the update frequency has slowed since the products were released. If you want more control over the filtering process, you'll have to use another solution.

Choose Wisely
Small businesses might not have the numbers of workstations that larger companies do, but they face the same threats from viruses and spam. Designing a multilayered defense requires carefully choosing products that match the requirements of your environment. The resulting layers of security create effective protection.

Paul Robichaux (troubleshooter@ robichaux.net) is a principal engineer for 3sharp, an MCSE, and an Exchange MVP. He is the author of several books, including The Exchange Server Cookbook (O'Reilly and Associates), and creator of the http://www.exchangefaq.org Web site.