
In this chapter we review related work on anti-virus and anti-spam filtering. Various anti-virus products already exist; the most popular include those of Symantec and TrendMicro, and the Anti-Virus Engine of Sophos. Section 3.1 reviews the techniques used to defeat viruses at the gateway. Section 3.2 introduces the Sophos Anti-Virus Engine, and Section 3.3 gives a brief discussion of SpamAssassin.

3.1 Defeating Viruses at the Gateway

IDC Research estimated that over 450 new viruses are discovered each month.

Gartner Group estimates that more than 80 percent of computer viruses enter the network through email. Early anti-virus products mostly ran on the client's personal computer. When a virus is found embedded in a program about to be executed, or in a program attached to an email, the mail system carries out the action the user previously configured, such as deleting or quarantining the message. The volume of email carrying viruses is clearly increasing, and we want to stop these malicious programs before they infect users' computers.

Paul Schemel, Supervisor of Support Services in the Technical Customer Support Services Department (TCS), presented a paper at the Special Interest Group, University and College Computing Services (SIGUCCS) Conference in Portland, Oregon, on October 17-20, 2001.

The paper, "Barbarians at the Gateway, Defeating Viruses in EDU" [10], includes a presentation of email server blocking techniques. UTD has already used these techniques to successfully prevent many viruses from entering the network. TCS staff has also employed the techniques to keep viruses out of our network.

Paul Schemel states that viruses are a security problem, so the solutions applied to ordinary security problems should be applied to viruses as well. These include, but are not limited to, establishing written policies that address common security issues, defining appropriate behavior and best practices and publishing them, devising both detection and defense-in-depth strategies, and clearly defining problem identification and cleanup methodologies.

Paul Schemel points out that a LAN can be kept relatively virus free if a suitable anti-virus plan is constructed. Universities, enterprises and other organizations must have policies and procedures that establish a unified approach to the virus problem. It then takes a combination of desktop protection, user education, constant OS patching, defense in depth and innovative approaches to implement those policies and make them effective.

One key to a successful security structure is “defense in depth”. This means that network administrators do not rely upon one method of protection against a threat. Network administrators should devise multiple layers of protection, so that if one layer fails, another will still protect the campus.

As a practice of “defense in depth”, we design the EMF system, an anti-virus and anti-spam protection layer at the network gateway that removes viruses from e-mail before they have a chance to penetrate the network.

3.2 Sophos Anti-Virus Engine

Anti-virus protection is a critical component in protecting a network from email-related threats. A mail filtering system requires an anti-virus engine to detect and/or remove viruses attached to mail, and the engine in turn requires a good, up-to-date virus-pattern database to scan accurately. Maintaining such a database is not an easy task, so we decided to adopt an anti-virus engine available on the Internet.

There are many anti-virus engines available on the Internet. These include McAfee Anti-Virus Engine, Sophos Anti-Virus Engine, Computer Associates Vet Anti-virus engine, Norman Virus Control, GossamerHost Anti Virus Scanner, Aladdin Kaspersky Anti-Virus Engine, DrWeb Anti-Virus Engine, Authentium CipherTrust Anti-Virus engine, etc. Sophos is the provider of anti-virus software to over 60% of the FT-100 companies. The Sophos Anti-Virus Engine [17] is a virus protection utility designed for small and medium sized networks. The utility can be directly linked to the MailServer core for extended viral detection and elimination.

One of the problems of maintaining an anti-virus engine is that its virus signature files must be kept up to date. According to Sophos, virus signatures are kept up to date and are delivered directly from Sophos's worldwide research labs as part of the automatic updating process. Organizations can choose to update either internally from the organization's intranet, or directly from Sophos. Its products are sold and supported in more than 150 countries. We chose the Sophos Anti-Virus Engine to perform the anti-virus task in our EMF system.

Many universities and corporations provide their users with the comfort of Web-based email. However, Web mail uses only the HTTP protocol when sending an email from one internal user to another, so if a user sends an email with an infected attachment to another user through a Web mail tool, the message is delivered without being scanned, since traditional anti-virus engines only monitor the POP3 and SMTP ports. We solve this problem by linking the Sophos Anti-Virus Engine to our EMF system. Since the EMF is implemented in Perl, SAVI-Perl, a Perl module interface to the Sophos Anti-Virus Engine, is chosen as the API (application programming interface).
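The following is an added illustration of the gateway-side scan described above; it is not the EMF thesis code and not the Sophos or SAVI-Perl API. The message is parsed as MIME, every non-container part is decoded, and the decoded bytes are matched against a signature table. The table holds only the public EICAR anti-virus test string (the standard harmless file that real engines deliberately detect), and the sample message, the detection name and the function names are constructed for this example; a real engine such as Sophos supplies its own signature database in place of `scan_bytes()`.

```python
"""Attachment scanning at the mail gateway, independent of delivery protocol.

Added illustration, not the EMF thesis code and not the Sophos/SAVI-Perl API:
the message is parsed as MIME, every non-container part is decoded, and the
decoded bytes are matched against a signature table. The table here holds
only the public EICAR test string; a real engine substitutes its own
signature database for scan_bytes().
"""
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Dict, List, Optional

# The EICAR anti-malware test string: a public, harmless 68-byte file that real
# engines deliberately detect, used to verify that a gateway scan is active.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Signature table (constructed): SHA-256 of known content -> detection name.
SIGNATURES = {
    hashlib.sha256(EICAR).hexdigest(): "EICAR-AV-Test",
}


def scan_bytes(data: bytes) -> Optional[str]:
    """Return the detection name when the content matches a signature, else None."""
    return SIGNATURES.get(hashlib.sha256(data).hexdigest())


def scan_message(raw: bytes) -> List[Dict]:
    """Walk every MIME part of a raw message and scan each decoded part.

    Because the scan runs on the stored message rather than on a network port,
    a message submitted through a Web-mail front end over HTTP is inspected in
    exactly the same way as one that arrived over SMTP.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():                    # container; children are walked next
            continue
        payload = part.get_payload(decode=True)    # undo base64 / quoted-printable
        if payload is None:
            continue
        findings.append({
            "part": part.get_filename() or "(inline body)",
            "content_type": part.get_content_type(),
            "size": len(payload),
            "detection": scan_bytes(payload),
        })
    return findings


def gateway_action(findings: List[Dict]) -> str:
    """Decide what the gateway does with the whole message."""
    return "quarantine" if any(f["detection"] for f in findings) else "deliver"


def build_sample_message() -> bytes:
    """Construct a test message (sample data, not real mail) with two attachments."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "quarterly report"
    msg.set_content("Report attached; the second file is a test artifact.")
    msg.add_attachment("Q3 figures\n1,2,3\n", subtype="csv", filename="report.csv")
    msg.add_attachment(EICAR, maintype="application", subtype="octet-stream",
                       filename="setup.com")
    return msg.as_bytes()


if __name__ == "__main__":
    results = scan_message(build_sample_message())
    for f in results:
        print(f"{f['part']:16} {f['content_type']:26} {f['size']:5} bytes  "
              f"{f['detection'] or 'clean'}")
    print("gateway action:", gateway_action(results))
```

Running the script prints three parts: the inline body and `report.csv` are clean, `setup.com` is reported as `EICAR-AV-Test`, and the gateway action for the whole message is `quarantine`. The point of the structure is that the decision is taken on the decoded attachment content, so the transport the message used to reach the gateway does not matter.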

3.3 SpamAssassin

Spam is the popular term for junk email, known more formally as unsolicited bulk mail. Unfortunately, it is not as easy to spot and throw away as the junk ads that arrive in the mailbox at home every day. Spam has grown rapidly within the past few years: five years ago about 10% of received mail was spam; now the proportion has increased to around 85%. There are many anti-spam products, both commercial and open source.

SpamAssassin [15] is a popular open-source software package for detecting spam mail. It is a Perl-based spam filter that applies a series of rules to flag mail as spam. It can be run on the e-mail server to analyze e-mail messages and determine whether any of them may be spam.

SpamAssassin scans the e-mail message looking for key phrases that can be found in most spam messages. Examples are phrases containing: AMAZING or FREE in all capital letters; lots of money; enlarge your penis; SEXY GIRLS; claims you can be removed from the list; claims NOT to be spam; and hundreds of other phrases.

SpamAssassin applies a variety of textual and other tests to messages in order to estimate the likelihood that they are spam. This likelihood is represented as a number, the spam score.

A spam score is assigned to each message SpamAssassin scans and can subsequently be used to determine the message's disposition. The score is not a certain judgment but an estimate of the likelihood that the message is spam: the higher the score, the more likely it is spam, and the lower the score, the less likely. It is quite possible, however, for a legitimate message to score highly and for a spam message to score low.

SpamAssassin does NOT filter out or delete any email; it only flags mail that it thinks is spam, and the mail is still delivered to you. You may choose to set up a filter that moves all probable spam into a folder, and then go through it when you have time. A quick way to deal with the spam mail is to sort it by sender, then scan for familiar names before trashing the lot.
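The scoring model of the last few paragraphs (weighted rules summed into a score, a threshold, and flagging instead of deletion) can be made concrete with the added example below. It is not SpamAssassin's code and not the EMF thesis code; the rule names, the weights, the 5.0 threshold and the three sample messages are constructed for this illustration, although the `X-Spam-Flag`/`X-Spam-Status` headers and the `*****SPAM*****` subject tag follow SpamAssassin's own conventions. The third sample is a legitimate message that nevertheless crosses the threshold, which is the false-positive case the score-as-estimate paragraph warns about and the reason the message is still delivered rather than dropped.

```python
"""Rule-based spam scoring and header flagging in the SpamAssassin style.

Added illustration, not SpamAssassin's code and not the EMF thesis code: each
rule is (name, weight, test); the weights of the rules that hit are summed
into a score; a message whose score reaches THRESHOLD is flagged with
X-Spam-* headers and a subject tag but is never dropped. Rule names, weights,
the 5.0 threshold and the sample messages are constructed for this example.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import parseaddr
from typing import List, Tuple

THRESHOLD = 5.0   # assumed here; SpamAssassin calls this setting required_score


def _subject(msg: EmailMessage) -> str:
    return msg.get("Subject", "")


def _body(msg: EmailMessage) -> str:
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


# Constructed rule table. Negative weights lower the score, as SpamAssassin's
# own whitelist-style rules do; case-sensitive patterns catch ALL-CAPS usage.
RULES = [
    ("SUBJ_FREE_CAPS",        2.5, lambda m: re.search(r"\bFREE\b", _subject(m)) is not None),
    ("BODY_AMAZING_CAPS",     1.5, lambda m: re.search(r"\bAMAZING\b", _body(m)) is not None),
    ("BODY_LOTS_OF_MONEY",    2.0, lambda m: re.search(r"lots of money", _body(m), re.I) is not None),
    ("BODY_CLAIMS_NOT_SPAM",  3.0, lambda m: re.search(r"\bnot spam\b", _body(m), re.I) is not None),
    ("BODY_REMOVE_FROM_LIST", 1.0, lambda m: re.search(r"removed from (?:the|our|this) list", _body(m), re.I) is not None),
    ("MISSING_MESSAGE_ID",    1.5, lambda m: "Message-ID" not in m),
    ("KNOWN_CORRESPONDENT",  -3.0, lambda m: parseaddr(m.get("From", ""))[1].endswith("@example.test")),
]


def score_rules(msg: EmailMessage) -> Tuple[float, List[str]]:
    """Apply every rule to a parsed message; return (score, names of rules hit)."""
    hits = [(name, weight) for name, weight, test in RULES if test(msg)]
    return round(sum(w for _, w in hits), 1), [n for n, _ in hits]


def score_message(raw: str) -> Tuple[float, List[str]]:
    """Parse a raw RFC 2822 message text and score it."""
    return score_rules(Parser(policy=policy.default).parsestr(raw))


def flag_message(raw: str) -> EmailMessage:
    """Return the message with X-Spam-* headers added; it is always delivered."""
    msg = Parser(policy=policy.default).parsestr(raw)
    score, hits = score_rules(msg)
    is_spam = score >= THRESHOLD
    msg["X-Spam-Flag"] = "YES" if is_spam else "NO"
    msg["X-Spam-Score"] = f"{score:.1f}"
    msg["X-Spam-Status"] = (f"{'Yes' if is_spam else 'No'}, score={score:.1f} "
                            f"required={THRESHOLD:.1f} tests={','.join(hits) or 'none'}")
    if is_spam:                  # tag the subject so a client-side filter can sort it
        subject = _subject(msg)
        del msg["Subject"]
        msg["Subject"] = "*****SPAM***** " + subject
    return msg


# Constructed sample messages (not real mail).
SPAM_SAMPLE = """\
From: promo@bulkmail.invalid
To: bob@example.test
Subject: FREE offer inside

AMAZING chance to make lots of money. This is not spam and you can be
removed from our list at any time.
"""

HAM_SAMPLE = """\
From: Alice <alice@example.test>
To: bob@example.test
Message-ID: <20011017.1@example.test>
Subject: meeting notes

Notes from today attached. Lunch was amazing.
"""

# Legitimate mail that nevertheless trips several rules: a false positive.
FALSE_POSITIVE_SAMPLE = """\
From: newsletter@club.invalid
To: bob@example.test
Subject: FREE tickets for members

Members get FREE entry this weekend. This is not spam; you signed up at the
club desk. Reply if you want to be removed from the list.
"""

if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE),
                          ("false positive", FALSE_POSITIVE_SAMPLE)):
        print(f"{label:15} {flag_message(sample)['X-Spam-Status']}")
```

With these constructed weights the spam sample scores 11.5, the legitimate note from a known correspondent scores -3.0, and the newsletter scores 8.0 and is flagged even though it is wanted mail. Only the headers and subject change; every message is handed back for delivery, so the user's own filter decides where flagged mail goes.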

According to SpamAssassin’s documentation, in its most recent test, SpamAssassin differentiated between spam and non-spam mail correctly in 99.94% of cases. SpamAssassin is one of the best anti-spam solutions but it may sometimes label legitimate email as spam (false positive).

SpamAssassin is written in Perl and can be used as a spam detection engine. It is quite a robust program, having been used in the Unix world for many years. We chose it as our anti-spam engine and integrated it into our EMF system with several improvements. The Perl module Mail::SpamAssassin and its classes are documented here:

http://spamassassin.apache.org/
