Design, Implementation and Test of an Email Virus Throttle

Matthew M. Williamson
Hewlett-Packard Labs
United Kingdom

This paper presents an approach to preventing the damage caused by viruses that travel via email. The approach prevents an infected machine spreading the virus further. This directly addresses the two ways that viruses cause damage: less machines spreading the virus will reduce the number of machines infected and reduce the traffic generated by the virus.

The approach relies on the observation that normal emailing behaviour is quite different from the behaviour of a spreading virus, with the virus sending messages at a much higher rate, to different addresses. To limit propagation a rate-limiter or virus throttle is described that does not affect normal traffic, but quickly slows and stops viral traffic. The paper includes an analysis of normal emailing behaviour, and details of the throttle design. In addition an implementation is described and tested with real viruses, showing that the approach is practical.

Keywords: email virus, virus throttle

Read Paper Read Paper (in PDF)