HEC Montréal: Follow-up on the Large-Scale Mail Installation
The May 2004 issue of Linux Journal features an article that discusses the large-scale mail installation we did at HEC Montréal at the end of 2003. The present article describes how the system handled the recent e-mail worm explosion. It provides relevant information and statistics about the efficiency of unsolicited bulk email (UBE) prevention and virus protection policies now in place at HEC Montréal.
HEC Montréal is Canada's first management school, founded in 1907. Over 11,000 students and 220 career professors are active every year. Furthermore, each student that graduates from HEC Montréal is provided with a lifelong e-mail account; over 35,500 accounts are active to date. As with many organizations, the e-mail infrastructure at HEC Montréal is a critical component that cannot perform at anything less than optimal functionality.
As this article explains, the new infrastructure not only excels in performance and stability, but it also allows HEC Montréal to save money. Thus, it benefits from an accelerated return on investment (ROI). Emmanuel Vigne, Information Director at HEC Montréal, put it this way:"Without the new mail infrastructure, we likely wouldn't have survived the recent e-mail worms crisis. We probably would have closed all servers in order to limit the damage. With the new infrastructure, we went through this crisis without issues or outages. Our network analysts can now focus on developing tools to manage more efficiently the infrastructure, as they are no longer always fixing issues with regard to the mail servers."
The implemented solution was based mostly on open-source components. A total of 11 servers, mostly IBM xSeries, and storage array networks (SAN) are used in the new infrastructure. Figure 1 depicts the architecture of the implemented solution.
The core of the new mail infrastructure is based on components with industry proven track records. The components are:
Postfix: A fast, easy to administer, secure and scalable mail transport agent.
Cyrus IMAP Server: IMAP, POP3, Sieve services and message storage management.
SquirrelMail: Complete Web mail system, slightly adapted for the specific needs of HEC Montréal.
OpenLDAP: Directory services for user management, authentication and more.
Furthermore, in order to limit the delivery of UBEs and viruses, a number of policies were adopted and deployed on the four SMTP servers. Among them, we have:
Header and MIME header checks that use up-to-date maps
Carefully chosen real-time blackhole lists (RBL)
Content filtering using SpamAssassin (with some network checks enabled, including Vipul Razor)
Virus scanning using NAI VirusScan
To get a full description of the implemented solution, please refer to the May 2004 edition of Linux Journal.
Although UBEs continued to grow at an alarming rate, at the beginning of 2004, we also have seen of e-mail worms. Those worms spread themselves over the Internet as attachments to infected mail. The attached files are all Windows portable executable (PE) EXE files affecting various versions of Microsoft Windows. Table 1 describes some of the most popular e-mail worms we have seen in the first three months of 2004.
Table 1. Recent Internet Worms
|MyDoom.A||MyDoom.A, also known as Novarg, had the most impact at the beginning of 2004. Once it has infected a computer, the worm uses its own SMTP engine to send files (while harvesting the addresses found in those files) with the following extensions: asp, dbx, tbb, htm, sht, php, adb, pl, wab and txt. The worm also contained a backdoor function programmed to launch a Denial of Service (DoS) attack on www.sco.com on February 1st, 2004, by sending HTTP GET requests every millisecond to port 80 of the attacked site. MyDoom.A also has two well-known modifications, MyDoom.B and MyDoom.E. The first one is similar to MyDoom.A, but it also carries out a DoS attack on www.microsoft.com and replaces the standard Windows host file with its own to prevent access to domains of anti-virus software companies. Finally, MyDoom.E (also called MyDoom.F) is similar to MyDoom.A; it also is programmed to carry out a DoS attack on www.microsoft.com and www.riaa.com. In addition, it searches for more file extensions in order to send copies of itself and randomly deletes files with avi, bmp, doc, jpg, mdb, sav and xls extensions.|
|Bagle.A||Beside replicating itself with its own SMTP engine (with harvested e-mail addresses from various files), Bagle.A also opens a backdoor on port 6777 to listen for commands (allows an attacker to download files and execute commands on the infected computer). Similar to its predecessor, Bagle.B opens a backdoor on port 8866. Bagle.C, Bagle.D and Bagle.E are mostly identical: they all open a backdoor on port 2745 and block anti-virus database updates by terminating update processes from a list of well-known vendors. Finally, Bagle.F is similar to Bagle.C, but it also propagates to P2P networks.|
|NetSky.C||Like the first two worms, NetSky.C searches for files with many extensions and harvests e-mail addresses from them. It then sends a copy of itself to these addresses--using its own SMTP engine--directly to the message's recipient server. If it fails, it uses a list of predefined SMTP servers. NetSky.D, also known as SomeFool, is similar to NetSky.C but is programmed to delete MyDoom from the infected machine.|
As you can expect, those viruses make a huge economical impact, calculated in terms of help desk support, overtime payments, false positives, bandwidth clogging, transient storage consumption, productivity erosion, management time reallocation and cost of recovery. Various industry estimates speculate that global businesses lost $55 billion in 2003 due to viruses, up from $30 billion in 2002 and $13 billion in 2001. Other research papers show that a typical user spends 4.4 seconds taking action against an e-mail. As an example, if we take the 25 most-spammed employees at HEC Montréal and set the average annual salary at $46,618 CAN, we can proceed with an estimate of productivity cost for the first three months of 2004. Table 2 shows the cost worksheet.
Table 2. Cost Worksheet
|Number of employees||25|
|Average annual salary||$46,618 CAN|
|Number of UBEs that would have been delivered to them for the first three months of 2004||172,887|
|Time to identify and discard each UBE||4.4 seconds|
|Total amount of time lost in the first two months of 2004 for those employees||33 days|
|Total cost for the first two months||$6,157 CAN|
Some analysts quantified the annual cost of spam at $8.9 billion for US corporations and $2.5 billion for European businesses in 2002. In 2003, the numbers increased and reached $10 billion for the US and over a $1 billion for Canada. This tendency most likely will continue, and some estimate that over 8.8 billion UBEs will be sent daily in 2004, compared to 7.3 billion in 2003 and 5.6 billion in 2002.
"Our library director can now efficiently use his e-mail account. Before the new system was put in place, he was receiving hundreds of spam every week. Going through his e-mail during the day in order to respond to student requests was relatively painful and the associated productivity erosion was high", said Emmanuel Vigne. Nevertheless, although tallying the true cost of spams and viruses is relatively hard, HEC Montréal certainly saved money by reducing the loss of productivity of its employees due to UBEs and e-mail worms.
- The Ubuntu Conspiracy
- A First Look at IBM's New Linux Servers
- Vigilante Malware
- Disney's Linux Light Bulbs (Not a "Luxo Jr." Reboot)
- Libreboot on an X60, Part I: the Setup
- Vagrant Simplified
- System Status as SMS Text Messages
- Bluetooth Hacks
- Dealing with Boundary Issues
- Non-Linux FOSS: Code Your Way To Victory!