Email-aware
viruses/malware, like the infamous Melissa, Loveletter, AnnaKournikova
and others, have the ability to spread through email by automating
the infected computer's email client. Mass-mailing behavior describes
a situation when an infection spreads rapidly between clients and
servers in an Exchange environment. Mass-mailing attacks can be
expensive to clean up and cause panic among users.
Trend Micro designed the
scan engine to detect behaviors that mass-mailing attacks usually
demonstrate. The behaviors are recorded in the Virus Pattern file
that is updated using the
Trend
Micro™ ActiveUpdate
Servers.
You can enable ScanMail to
take a special action against mass-mailing attacks whenever it detects
a mass-mailing behavior. The action configured for mass-mailing
behavior takes precedence over all other actions. The default action against
mass-mailing attacks is Delete entire message.
For example: You configure ScanMail to
quarantine messages when it detects a worm or a Trojan in an email
message. You also enable mass-mailing behavior and set ScanMail to delete
all messages that demonstrate mass-mailing behavior. ScanMail receives a
message containing a worm such as a variant of MyDoom. This worm
uses its own SMTP engine to send itself to email addresses that
it collects from the infected computer. When ScanMail detects the MyDoom
worm and recognizes its mass-mailing behavior, it will delete the
email message containing the worm - as opposed to the quarantine
action for worms that do not show mass-mailing behavior.