2: E-mail Threats and Attacks
access. Moreover, when considering only the large
organisations (rather than the respondent base as a
whole) the proportion experiencing e-mail misuse
rose to a quarter. In terms of the volume of
associated incidents, approximately half of the
affected respondents were reporting only ‘a few’
during the prior year. However, at the extreme end
of the scale, almost one in ten were reporting
several misuse incidents per day.
The focus of this chapter is primarily placed upon
the threats that may enter the organisation via
e-mail, with the problems arising from staff misuse
being more fully pursued in Chapter 8. With this
in mind, a good starting point is the significant
threat posed by e-mail-based malicious code …
Mass-mailed malware
Although Internet-wide incidents had been
experienced before (e.g. the Internet Worm, or
Morris Worm, of 1988 was able to infect the entire
network via a combination of vulnerability
exploits), the mass adoption of e-mail was a
catalyst for ushering in truly large-scale and more
frequent malware incidents. Landmark cases such
as the Melissa virus and the Love Letter worm
were fundamentally possible because they used
e-mail as their distribution channel. While later
years have seen fewer celebrity cases of this
nature, the problem has far from disappeared. To
illustrate the point, Figure 2 draws upon data from
MessageLabs and depicts the changing picture
over the past decade. The worst period was 2004,
when an average of one in every sixteen messages
was infected.
Figure 2: Proportion of malware-infected e-mail from 2000 to 2009
As a consequence of the threat, e-mail protection
is now a standard feature of antivirus and Internet
security packages, and e-mail clients themselves
now incorporate features to block potentially
suspicious attachments and executable scripts.
However, this is one of the many areas of security
in which technology alone cannot provide the
complete solution. Many malware-related e-mails
(and indeed wider e-mail scams that are discussed
later in the chapter) seek to exploit people via
social engineering. For example, the
aforementioned Melissa virus claimed to be an
important message containing a document
requested by the recipient,
whereas (as its name
suggests) the Love Letter worm found success by
claiming that its attachment was a love letter. In
fact, the methods and guises that malware may
employ are so variable that it is difficult to provide
specific advice to staff beyond exercising caution
with attachments and any messages that do not
contain expected work-related content.
CERT. 1999. ‘CERT
Advisory CA-1999-04 Melissa
Macro Virus’, 27 March 1999.
Organisations appear to be fairly well attuned to
the need to protect themselves against incoming
problems, with the aforementioned 2008 ISBS
reporting that 95% scanned incoming e-mail and
web downloads for malware. However, there
appears to be somewhat less recognition of the
importance of scanning outgoing mail, with only
77% claiming to do so. As such, malware that may
have entered the organisation via another route
(e.g. on removable media or an infected laptop)
may then find an unprotected channel for
spreading onwards and outwards to other systems.
In fact, scans of outgoing e-mails can also be
utilised to safeguard against a variety of other
threats relating to content that employees should
not be sending. However, as Figure 3 illustrates,
only a minority of organisations tend to scan for
things other than malware (with the identification
of inappropriate content being the next most likely
target, but still trailing by a considerable margin).
The finding that a fifth of organisations scan for
nothing at all clearly goes some way to explaining
why other organisations still face a considerable
volume of incoming threats.
CERT. 2000. ‘CERT
Advisory CA-2000-04 Love
Letter Worm’, 4 May 2000.
