IronPort turns spamblocker onto viruses

IronPort has released a new anti-virus filter that it has said uses anti-spam technology to block infected messages before they enter the network.

Tom Gillis, IronPort's senior VP of worldwide marketing, stressed that the software does not detect viruses as such. Instead, it looks for anomalous patterns, such as a network of zombie PCs suddenly spewing out a flood of messages, all with encrypted Zip attachments. Nor does it delete suspect messages, preferring to quarantine them for later analysis.

The aim is to cover the first few hours of a virus outbreak, when the number of infected PCs is still relatively low and before the anti-virus companies can release a new signature. Gillis adds that you would still need to run AV software. "Most AV systems are reactive, so there is always a short window before they get updated to meet a new threat," he says. "The core problem is SMTP, because there is no capability to authenticate a message sender."

He adds that this is the same problem IronPort faced when trying to block spam. Its solution was to build a database of known good and bad IP addresses called Senderbase, derived from ISPs and other organisations worldwide. It uses this, plus other information such as the type of message, to rank e-mail for risk.

"For example, when a virus breaks out we see a huge increase in the number of IPs sending e-mail that haven't sent before and don't accept e-mail in return," he says. The virus outbreak filters will be available as an add-on to IronPort's C-series e-mail appliances, but the company has not yet set a price for them.

Meta Group analyst Peter Firstbrook says that this type of global activity monitoring can reduce the time during which organisations are vulnerable to a new virus. "Systems can detect an early stage outbreak and automatically change filtering policy," he says.

The vital thing here is to use 'the network effect', adds Jeff Brainard, a senior product manager at rival e-mail appliance developer Mirapoint. He says that other companies which have spam-filtering databases based on global e-mail monitoring, such as Mirapoint, are also planning to use these to fight more than just spam.

"Another reason to do creative things like this in the future is because of the industry consolidation going on right now," he says. "IronPort just lost a key partner when Symantec bought Brightmail, and regardless of what they say about working together, Symantec is not historically known as an OEM friendly company.

"With that said, this innovation is good for customers. e-mail security is a big issue that has cost implications, productivity consequences, and in some cases liability exposure for businesses. And the problems from all signs are getting worse and not better."

Tom Gillis says that things will get better, but only once there is an agreed way of authenticating an e-mail sender, and he praised recent moves by Microsoft, Yahoo and others to assemble a joint approach to the problem. "Three to five years from now there will be a whole new e-mail infrastructure, and you will have to identify yourself and authenticate in order to send." He predicts that unauthorised e-mail will eventually get shut off completely but says that point is further out, and that in the meantime it will merely suffer poorer quality of service.

"A lot of things add complexity - a big one is e-mail forwarding, and there are issues with list servers too," he says. "But this is a problem that if it's left unchecked, everyone loses. E-mail is much too powerful for us to let that happen, so we're all pitching in to solve the problem, and we will - it's just going to take time."

This story, "IronPort turns spamblocker onto viruses" was originally published by

Copyright © 2004 IDG Communications, Inc.

Shop Tech Products at Amazon