HEC Montréal: Follow-up on the Large-Scale Mail Installation

How did HEC Montréal's new mail installation handle the spam and virus explosion of early 2004?

The May 2004 issue of Linux Journal features an article that discusses the large-scale mail installation we did at HEC Montréal at the end of 2003. The present article describes how the system handled the recent e-mail worm explosion. It provides relevant information and statistics about the efficiency of unsolicited bulk email (UBE) prevention and virus protection policies now in place at HEC Montréal.

HEC Montréal is Canada's first management school, founded in 1907. Over 11,000 students and 220 career professors are active every year. Furthermore, each student that graduates from HEC Montréal is provided with a lifelong e-mail account; over 35,500 accounts are active to date. As with many organizations, the e-mail infrastructure at HEC Montréal is a critical component that cannot perform at anything less than optimal functionality.

As this article explains, the new infrastructure not only excels in performance and stability, but it also allows HEC Montréal to save money. Thus, it benefits from an accelerated return on investment (ROI). Emmanuel Vigne, Information Director at HEC Montréal, put it this way:"Without the new mail infrastructure, we likely wouldn't have survived the recent e-mail worms crisis. We probably would have closed all servers in order to limit the damage. With the new infrastructure, we went through this crisis without issues or outages. Our network analysts can now focus on developing tools to manage more efficiently the infrastructure, as they are no longer always fixing issues with regard to the mail servers."

Implemented solution

The implemented solution was based mostly on open-source components. A total of 11 servers, mostly IBM xSeries, and storage array networks (SAN) are used in the new infrastructure. Figure 1 depicts the architecture of the implemented solution.

Figure 1. Architecture of the Solution

The core of the new mail infrastructure is based on components with industry proven track records. The components are:

  • Postfix: A fast, easy to administer, secure and scalable mail transport agent.

  • Cyrus IMAP Server: IMAP, POP3, Sieve services and message storage management.

  • SquirrelMail: Complete Web mail system, slightly adapted for the specific needs of HEC Montréal.

  • OpenLDAP: Directory services for user management, authentication and more.

Furthermore, in order to limit the delivery of UBEs and viruses, a number of policies were adopted and deployed on the four SMTP servers. Among them, we have:

  • Header and MIME header checks that use up-to-date maps

  • Carefully chosen real-time blackhole lists (RBL)

  • Content filtering using SpamAssassin (with some network checks enabled, including Vipul Razor)

  • Virus scanning using NAI VirusScan

To get a full description of the implemented solution, please refer to the May 2004 edition of Linux Journal.

Recent Attacks

Although UBEs continued to grow at an alarming rate, at the beginning of 2004, we also have seen of e-mail worms. Those worms spread themselves over the Internet as attachments to infected mail. The attached files are all Windows portable executable (PE) EXE files affecting various versions of Microsoft Windows. Table 1 describes some of the most popular e-mail worms we have seen in the first three months of 2004.

Table 1. Recent Internet Worms

MyDoom.AMyDoom.A, also known as Novarg, had the most impact at the beginning of 2004. Once it has infected a computer, the worm uses its own SMTP engine to send files (while harvesting the addresses found in those files) with the following extensions: asp, dbx, tbb, htm, sht, php, adb, pl, wab and txt. The worm also contained a backdoor function programmed to launch a Denial of Service (DoS) attack on www.sco.com on February 1st, 2004, by sending HTTP GET requests every millisecond to port 80 of the attacked site. MyDoom.A also has two well-known modifications, MyDoom.B and MyDoom.E. The first one is similar to MyDoom.A, but it also carries out a DoS attack on www.microsoft.com and replaces the standard Windows host file with its own to prevent access to domains of anti-virus software companies. Finally, MyDoom.E (also called MyDoom.F) is similar to MyDoom.A; it also is programmed to carry out a DoS attack on www.microsoft.com and www.riaa.com. In addition, it searches for more file extensions in order to send copies of itself and randomly deletes files with avi, bmp, doc, jpg, mdb, sav and xls extensions.
Bagle.ABeside replicating itself with its own SMTP engine (with harvested e-mail addresses from various files), Bagle.A also opens a backdoor on port 6777 to listen for commands (allows an attacker to download files and execute commands on the infected computer). Similar to its predecessor, Bagle.B opens a backdoor on port 8866. Bagle.C, Bagle.D and Bagle.E are mostly identical: they all open a backdoor on port 2745 and block anti-virus database updates by terminating update processes from a list of well-known vendors. Finally, Bagle.F is similar to Bagle.C, but it also propagates to P2P networks.
NetSky.CLike the first two worms, NetSky.C searches for files with many extensions and harvests e-mail addresses from them. It then sends a copy of itself to these addresses--using its own SMTP engine--directly to the message's recipient server. If it fails, it uses a list of predefined SMTP servers. NetSky.D, also known as SomeFool, is similar to NetSky.C but is programmed to delete MyDoom from the infected machine.

As you can expect, those viruses make a huge economical impact, calculated in terms of help desk support, overtime payments, false positives, bandwidth clogging, transient storage consumption, productivity erosion, management time reallocation and cost of recovery. Various industry estimates speculate that global businesses lost $55 billion in 2003 due to viruses, up from $30 billion in 2002 and $13 billion in 2001. Other research papers show that a typical user spends 4.4 seconds taking action against an e-mail. As an example, if we take the 25 most-spammed employees at HEC Montréal and set the average annual salary at $46,618 CAN, we can proceed with an estimate of productivity cost for the first three months of 2004. Table 2 shows the cost worksheet.

Table 2. Cost Worksheet

Number of employees25
Average annual salary$46,618 CAN
Number of UBEs that would have been delivered to them for the first three months of 2004172,887
Time to identify and discard each UBE4.4 seconds
Total amount of time lost in the first two months of 2004 for those employees33 days
Total cost for the first two months$6,157 CAN

Some analysts quantified the annual cost of spam at $8.9 billion for US corporations and $2.5 billion for European businesses in 2002. In 2003, the numbers increased and reached $10 billion for the US and over a $1 billion for Canada. This tendency most likely will continue, and some estimate that over 8.8 billion UBEs will be sent daily in 2004, compared to 7.3 billion in 2003 and 5.6 billion in 2002.

"Our library director can now efficiently use his e-mail account. Before the new system was put in place, he was receiving hundreds of spam every week. Going through his e-mail during the day in order to respond to student requests was relatively painful and the associated productivity erosion was high", said Emmanuel Vigne. Nevertheless, although tallying the true cost of spams and viruses is relatively hard, HEC Montréal certainly saved money by reducing the loss of productivity of its employees due to UBEs and e-mail worms.



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

nice follow up by the way.i

Anonymous121's picture

nice follow up by the way.i think that is good help for single mothers

HEC Montréal: Follow-up on the Large-Scale Mail Installation

wristbands's picture

Amazing stuff and I very much like the Table 2. Cost Worksheet.

Very detailed and neatly written.Thanks for sharing such a great article. wristbands

User Friendly

Kate Hendryx's picture

Now days email is so user friendly and easy to set up. You use to need an I.T. guy anytime you needed to integrate emails, or set up a brand new email system. Now pretty much everything is integrated making most websites, or html email accessible. Wordpress for example comes with automatic email installation. Just goes to show how far we've come with technology. fulfillment companies

IMAP usage

Anonymous's picture

If their services are anything like ours, their graph of service utilization doesn't clearly represent the real use of their IMAP services. A POP3 user will typically poll the server regularly, causing a connection to be logged each and every time, where it's not uncommon for IMAP users to remain connected throughout the day, showing only one connection initated.

For IMAP utilization, it is usually more interesting to look at the number of concurrent POP and IMAP connections, as this often more closely reflects the real load on the server.

Of course, I could also be entirely wrong about how they're graphing their results.

Re: IMAP usage

Anonymous's picture

I haven't looked closely at their stats. But they are using Squirrelmail to provide their webmail services. We do as well and have noticed that
it logs in a lot to do its job.


Anonymous's picture

They're running IMAPproxy (which makes the webmail connections persistent) to counter that.