Internet Exchange Frequently Asked Questions

Internet Exchange Messaging Server
Anti-Virus Module Technical Overview

Introduction
Internet electronic mail (email) provides both small and large organizations with an inexpensive but reliable tool for communicating with their customers and employees, as well as with other organizations. However, like most technologies, Internet email is not immune to problems. Recently, the Internet community has been the victim of serious virus attacks, which were carried out via email. One such virus, named Chernobyl, infected thousands of computers in several countries, particularly in Asia. This virus has the capability to erase hard drives and corrupt a PC's BIOS. Another virus, named Melissa, is launched when a user opens a Microsoft Word document attached to a message. The virus disables Word's usual warning when a Word template is altered and is also capable of sending out email messages to the first 50 people in a victim's Microsoft Outlook address book.

To provide system administrators with a cost-effective way to protect their systems against viruses, Internet Exchange 4.0 comes with the Anti-virus Module. The Anti-virus Module is a 32-bit, multi-threaded, standalone pre-processing module capable of performing simultaneous virus scanning of MIME and non-MIME message attachments. Each thread created by the anti-virus engine is responsible for processing one message at a time, allowing high message throughput.

When a message enters the Anti-virus Module (pre-processor), the module first decodes the attachment and then scans it by invoking the anti-virus program specified by the MTA administrator. Once a virus is detected, the Anti-virus Module can delete the message right away (with an option to notify the Internet Exchange Administrator that the message has been deleted), bounce the message back to the original sender, or archive the message to a quarantine directory for later manual processing.

Decoding Attachments
To ensure that all message attachments are scanned, the Anti-virus Module decodes all attachments according to their encoding. Most MTAs use MIME encoding for attachments, but there are still a few sites that use non-MIME encoding. Internet Exchange handles both cases by selecting the decoding procedure based on the encoding method used in the attachment(s). After the attachment has been decoded, the anti-virus engine calls the scan procedure to perform the actual scanning of the attachment.

File Attachment Scanning
Since most virus scanning software uses the filename extension to invoke the appropriate virus scan routine, the Internet Exchange 4.0 Anti-virus Module is designed to recognize the original file extension using information available in the message file. For MIME attachments, the file extension is retrieved from the internal MIME mapping table. This table stores the mapping between the Content-Type and the associated file extension of the attachments.

For non-MIME messages, the filename is retrieved in the following sequence:

  • If the attachment is a UUENCODED file, the Anti-virus Module will use the filename from the "BEGIN XXX <filename>" line.
  • If the attachment is a BINHEX encoded file, the filename from the decoded BINHEX segment header will be used.
  • If the "filename" parameter is present in the "Content-Disposition" header, the Anti-virus Module will use the value of the "filename" parameter as the attachment filename.
  • If the "name" parameter is present in the "Content-Type" header, the value of the "name" parameter will be used as the attachment filename.
  • If the attachment filename cannot be determined even after the checks above, the Anti-virus Module will do a lookup to find the corresponding filename extension from the Content-Type header (if it is present in the MIME message) and assign a dummy name to the attachment.
  • If all the above procedures have been performed and the file extension still cannot be determined, the Anti-virus Module will assign a <DEFAULT> value as the file extension. This value is configured by the gateway administrator.
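
The lookup order above can be expressed as a short Python function. This is an added example, not Internet Exchange code: it follows the listed sequence on constructed sample messages and shows which rule supplied each name. Assumptions: the mapping table entries, the "dat" default, the "attachment" dummy name, the function names and the path-stripping step are all hypothetical, and the BinHex step is not implemented.

```python
import email
import os
import re
from email.utils import collapse_rfc2231_value

# Constructed sample of a Content-Type -> extension table; the product's
# internal mapping table is not reproduced on the page.
MIME_EXT = {"application/msword": "doc", "application/zip": "zip"}
DEFAULT_EXT = "dat"  # hypothetical stand-in for the administrator's <DEFAULT>
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (.+)$", re.IGNORECASE | re.MULTILINE)


def safe(name):
    # Added hardening, not from the page: the name is sender-controlled,
    # so keep only the final path component before handing it to a scanner.
    return os.path.basename(collapse_rfc2231_value(name).replace("\\", "/")).strip()


def resolve_name(raw):
    """Return (filename, rule) for one raw message or MIME part."""
    part = email.message_from_string(raw)
    body = part.get_payload()
    if isinstance(body, str):
        m = UU_BEGIN.search(body)
        if m and safe(m.group(1)):
            return safe(m.group(1)), "uuencode begin line"
    # The BinHex segment-header step is not implemented in this example.
    for header, param in (("Content-Disposition", "filename"), ("Content-Type", "name")):
        value = part.get_param(param, header=header)
        if value and safe(value):
            return safe(value), f"{header} {param}"
    if part["Content-Type"] is not None:
        ext = MIME_EXT.get(part.get_content_type())
        if ext:
            return f"attachment.{ext}", "Content-Type mapping"
    return f"attachment.{DEFAULT_EXT}", "default extension"


# Constructed sample inputs, one per rule.
SAMPLES = {
    "uu": "Subject: report\n\nbegin 644 report.doc\n#0V%T\n`\nend\n",
    "disp": 'Content-Type: application/octet-stream\n'
            'Content-Disposition: attachment; filename="../../invoice.xls"\n\nAAAA\n',
    "name": 'Content-Type: application/msword; name="memo.doc"\n\nAAAA\n',
    "ctype": "Content-Type: application/zip\n\nAAAA\n",
    "none": "Content-Type: application/x-unknown\n\nAAAA\n",
}

if __name__ == "__main__":
    for key, raw in SAMPLES.items():
        print(key, resolve_name(raw))
```

Every input to this sequence is chosen by the sender, so the extension alone says nothing about the real content; that is why the scanner must still inspect the decoded bytes.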

When viruses are detected, the anti-virus engine handles the message based upon the option chosen by the Internet Exchange administrator.