Beating the Spim-Spam Man
- By Wendy Chretien
It’s time to wage the battle against viruses and spam—and win.
Are your users asking IT to please do something about spam? What about spim
(spam via instant messaging)? Were your campus network services on the ropes
after that last malevolent virus attack? If your answer to any of these questions
is “yes” (or even, “huh?”), read on for proven methods
to avert or at least mitigate these types of risks.
Threat Level Orange
Heard this one lately? “Spam is ubiquitous and merely an annoyance, so
users might as well get used to it.” If only that were true! Today, attachments
to spam messages are the primary technique by which viruses and other malware
(malicious software) are spread. Further, some hackers “aim” spam
dumps at particular mail servers to flood them with messages, thus taking them
out of service. Such attacks have also been used as a means to sneak into networks.
Although the server no longer responds to e-mail messages at that point, it
may still be vulnerable to IP or operating systems attacks.
Another potentially severe threat is that of viruses entering the network
from unexpected angles. Too many campuses (and other entities) have suffered
severe virus damage because all their antivirus protections were centralized
at the incoming Internet access point, while a virus rode into the network on
a “trusted” laptop system (after entering the laptop via the user’s
home Internet connection). Methods of entry include e-mail attachments (including
attachments to spam, as noted), downloaded software, instant messaging attachments,
and direct transfers, including via USB flash drives, floppies, and CD media.
And here’s one that could keep you up at night: a virus masquerading as
an attached MP3 file. Maybe it hasn’t happened yet, but imagine how fast
something like that could spread through your network. What’s a CIO to
Prevention and Risk Mitigation
A multilevel approach considering all potential malware entry points will provide
your campus with the most effective protection. Tools in your box include communications
with users, judicious use of policies and enforcement, and specialized training
for network administrators, as well as more tangible options such as focused
software and hardware.
Level 1: Communications. Ask your user community to assist
you in protecting the network everyone depends upon. First, communicate to them
the ways in which malware can infiltrate the system, and show them how to avoid
perils at the desktop. Then, inform users how to report suspicious attachments
and spam issues. If you don’t have a full help desk, at least create a
special e-mail box for such reports, and have support personnel check it at
least twice daily.
Within the IT department, train two people as defenders against spam and malware,
and if you have someone in charge of network security, have those people report
to that officer. A little money spent on training g'es a long way toward ensuring
uptime for your network. Require these individuals to keep up on CERT advisories
and other trustworthy sources of threat information.
Level 2: Policy and Enforcement. Your campus Acceptable Use
Policy (AUP) likely includes provisions about users causing damage to the network.
Make sure your user community is well aware of this, and of any legal recourse
available to the institution if you identify an attacker. Also be sure you have
administrative support authorizing you to pursue such cases when feasible.
Level 3: Network Boundary. This is typically where Internet1
service enters and exits the campus. In general, one wants to intercept data
traffic that has been designed to cause problems (“bad actor” traffic)
before it has a chance to spread. There are both software and hardware solutions
available. Many firewall companies now offer add-on software to combat virus
infiltration. Plus, there are hardware appliances whose sole purpose is to filter
out spam and malware. (See “Taking Action” right, for information
about a specific appliance-based solution adopted by two universities.) One
caveat: Nearly all spam-fighting systems require a fair amount of “tuning”
or “teaching” in the first few weeks. Be sure to build this time
into your implementation schedule.
Level 4: Servers. Mail servers are the next point of possible
damage. If incoming spam hasn’t already been stopped at the boundary,
it will pause here as the mail server (or servers) store and route items to
be delivered. Many spam filters are designed to be run directly on a mail server,
and while generally effective, they also reduce the overall mail-processing
capacity of that machine by using processor cycles for their own purposes. Heed
this best practice: If you plan to add spam filtering at this level, be sure
to run a pilot on a non-production mail server first. Some incompatibilities
have been found between various operating systems and applications.
Level 5: User Desktops and Laptops. This is where most campus
IT folks surrender, because it’s notoriously difficult to manage all the
disparate devices out there. Yet, it is this scenario that is also one of the
largest threat potentials. Today, there are feasible methods to combat the virus
threat at this level, assuming one has the support of the campus. These systems/packages
typically are offered on a per-user basis, and cost from $40 to $100 per license
(depending on quantity). Examples include Symantec Antivirus Corporate Edition
(Norton is now owned by Symantec) (enterprisesecurity.symantec.com),
McAfee Active Virus Defense (www.mcafeesecurity.com),
Sophos Anti-Virus (www. sophos.com),
and TrendMicro (www.trendmicro.com).
A relatively new technique to ensure compliance is to compel users’ systems
(on login) to first access a security system, which checks the system for antivirus
software and which will deny full network access if that software is not present
and/or updated. Some of these solutions can also download the latest antivirus
version to the non-compliant system. Cisco Systems (
calls its version the “Network Admission Control.” Other network
manufacturers have similar programs, though differently titled. Here’s
another best practice: For presentation systems in classrooms, logically isolate
those network ports, and ask users to bring only media/data, rather than their
Not long ago, two universities were inundated with spam and knew they needed
to act: At Washburn University (KS), Interim Co-Director of
Information Technology Bob Stoller confessed, “Spam was overwhelming us,”
and Interim Interim Director of Information Services Jason Lamar at Ohio
Wesleyan University (OH) admitted, “We knew we needed more virus
and particularly spam protection for our campus e-mail users, but we also wanted
to find a solution that didn’t strain our budget.” Both of these
universities recently implemented the Barracuda Spam Firewall from Barracuda
OWU deployed the model 400 (up to 10,000 active e-mail users) in early June
2004, with Lamar noting that implementation of the system “is about as
close to ‘plug and play’ as you can get.” Stoller, at Washburn,
agreed, reporting, “We had it running in a test setup within 15 minutes.”
Based on the model purchased, OWU and Washburn each paid less than $10,000,
which included up to five years of updates.
Both administrators agree there is relatively little care and feeding required
by the systems. Says Lamar: “Barracuda Networks will automatically and
transparently push virus and spam definition updates to the appliance on either
an hourly or daily basis. The appliance will also notify you via e-mail when
a new firmware update has been released and can be installed, which must be
done manually through the Web interface.” Stoller points out that “firmware
updates come out every few months, and have been for the most part pain-free.
Point and click to install.”
Though the two administrators at different schools had been equally as dubious
about finding an affordable way to effectively combat spam, was the search for
their perfect solution worth it? Lamar puts it plainly: “It has single-handedly
transformed our campus e-mail systems.”