1. Field of the Invention
This invention relates to the field of data processing systems. More particularly, this invention relates to the identification of malware-infected reply messages, such as, for example, reply email messages infected with computer viruses, worms, Trojans, etc.
2. Description of the Prior Art
An increasingly common and serious malware threat is that of email-propagated computer viruses, worms, Trojans and other items of malware. Using email propagation, such items of malware can rapidly multiply and spread to an extent that causes considerable disruption and economic damage. One type of email propagation involves so-called mass mailer viruses. When a computer is infected with such a mass mailer virus, the mass mailer virus sends itself to some or all of the email addresses in the infected computer's email address book. An outbreak of a mass mailer virus can be identified by observing the email usage characteristics of an email server, such as noting the occurrence of a large number of emails being sent to a large number of different recipients, or the occurrence of a large number of emails sharing a common title, a common attachment, or other common features. This type of characteristic behaviour can be identified and anti-malware actions, such as quarantining, etc., taken even before a new virus has been fully identified and a proper signature developed and distributed. Existing computer programs which serve to monitor email server behaviour to identify this type of mass mailer virus include Outbreak Manager produced by Network Associates, Inc.
A new type of malware has emerged which propagates by email and has the potential for causing considerable damage, and yet does not give rise to characteristic patterns of email traffic that can be proactively detected using the known techniques mentioned above. These so-called reply mailer viruses act on an infected computer by waiting for an email to be received from another computer user and then automatically replying to that specific other computer user with an infected reply email. This infected reply email can reuse the message title of the originating email from that other user, and the other user will recognise the sender of the infected reply email as a person known to them. Furthermore, the receipt of a reply email of some sort by the other user will not be unexpected, since they have just themselves initiated the email exchange. The result is that the recipient of the infected reply email is likely to consider the infected reply email as genuine and open it, or deal with it in other ways, which cause their computer to become infected.
The known techniques for dealing with mass mailing computer viruses are ineffective against reply mailer computer viruses, since the reply is generally made to a single user, making the increase in email traffic relatively slight; the email titles can be copied from the originating email messages, giving no consistent title that identifies an infected email; and there is no sending of a single email message to a large group of recipients, which could otherwise be suspicious. Thus, until the specific virus signature for the reply mailer virus has been developed and deployed in the email virus scanning systems, the known types of email scanners are unable to detect, and accordingly provide a defense against, reply mailer viruses.
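The following is an added example, not code from the patent or from any product named above. It implements the three server-level heuristics the prior-art description attributes to mass mailer outbreak detection (one sender addressing many distinct recipients, many messages sharing a title, many sharing an attachment) and runs them over two constructed traffic samples: one from a single host mailing its address book, and one from a handful of hosts each replying once with a copied subject line. The thresholds, the log record schema and the sample addresses are assumptions made for illustration only; the point is that the second sample produces no finding at all, which is exactly the gap the preceding paragraph describes.

```python
"""Illustrative mass mailer outbreak heuristics and a reply mailer sample
that does not trigger them.  Thresholds, record schema and traffic are
assumptions constructed for this example, not taken from any product."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OutboundMail:
    """One outbound message as an email server might log it (assumed schema)."""
    sender: str
    recipient: str
    subject: str
    attachment: Optional[str]  # attachment file name, or None if absent


def outbreak_indicators(mails, *, min_recipients=20, min_common=20):
    """Apply the three server-level heuristics described for mass mailers.

    Returns a list of (heuristic, value, count) tuples; an empty list means
    no mass mailer pattern was observed.  Threshold values are illustrative.
    """
    findings = []

    # 1. A single sender addressing a large number of different recipients.
    recipients_by_sender = defaultdict(set)
    for m in mails:
        recipients_by_sender[m.sender].add(m.recipient)
    for sender, rcpts in recipients_by_sender.items():
        if len(rcpts) >= min_recipients:
            findings.append(("many_recipients", sender, len(rcpts)))

    # 2. A large number of messages sharing a common title.
    for subject, n in Counter(m.subject for m in mails).items():
        if n >= min_common:
            findings.append(("common_subject", subject, n))

    # 3. A large number of messages sharing a common attachment.
    attachments = Counter(m.attachment for m in mails if m.attachment)
    for name, n in attachments.items():
        if n >= min_common:
            findings.append(("common_attachment", name, n))

    return findings


# Constructed sample: one infected host mails itself to its whole address book.
MASS_MAILER_TRAFFIC = [
    OutboundMail("alice@corp.example", f"user{i}@corp.example",
                 "Important message", "readme.exe")
    for i in range(40)
]

# Constructed sample: six infected hosts each reply once to whoever mailed
# them, reusing that message's subject line.  Traffic volume stays slight,
# subjects are all different, and no single message goes to a large group.
REPLY_MAILER_TRAFFIC = [
    OutboundMail(f"host{i}@corp.example", f"partner{i}@other.example",
                 f"Re: {subject}", "readme.exe")
    for i, subject in enumerate(["Q3 budget", "Lunch?", "Draft contract",
                                 "Photos", "Meeting notes", "Invoice 1042"])
]


def demo():
    """Run both samples through the heuristics and return the findings."""
    return {
        "mass_mailer": outbreak_indicators(MASS_MAILER_TRAFFIC),
        "reply_mailer": outbreak_indicators(REPLY_MAILER_TRAFFIC),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "no outbreak pattern observed")
```

Running the block reports three findings for the mass mailer sample and none for the reply mailer sample. Raising the volume of replies does not help much either: because each infected host answers a different correspondent with a different subject, only the shared attachment heuristic could ever fire, and only once enough infected hosts have each replied, by which time the spread has already occurred.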