Melissa, the ghost in the machine

Three years ago today, IT departments around the world were battling with the Melissa virus.

Melissa, which used security weaknesses in Microsoft Outlook e-mail software to spread itself to every person in each user's address book, caused millions of pounds' worth of damage.

Other virus writers have copied it repeatedly, yet the man who admitted writing Melissa is still awaiting punishment, and many companies still haven't learned basic lessons from the experience.

According to Alex Shipp, anti-virus technologist at security software company MessageLabs, the level of attacks via e-mail is increasing year on year.

"In 1999, there was one infected e-mail in every 1,500 sent, but in 2000 this rose to one in every 800," said Shipp. "By the time we got to Christmas last year, it had reached one in every 200."

Company spending on security infrastructure has risen with the increased threat, but hard cash does not guarantee security. Internet penetration testing company NTA Monitor told that since 1998, there had been a 45% increase in firewall vulnerabilities.

This means that e-mails with attached viruses such as Melissa may not be stopped, even though organisations have been alerted to their presence.

NTA blames this on a lack of security expertise, with some organisations not even able to install the correct security patches.

Jack Clark, product marketing manager at anti-virus software company McAfee, said some companies had responded to the problem by outsourcing the management of e-mail systems.

Many organisations are also blocking all e-mails with executable attachments at the firewall, said Clark. The speedy distribution of software and software patches across the network instead of on CDs has also helped, he added.

The determination of virus writers to target Microsoft software has started a debate about the type of e-mail systems that organisations deploy.

Peter Sommer, senior research fellow at the London School of Economics, with responsibility for IT security, told that companies should rethink their use of e-mail software.

Sommer, who uses Eudora e-mail software alongside Microsoft Office applications such as Word and PowerPoint, said the functionality offered by Outlook was the problem.

"Most of this functionality is exploited by cyber-criminals, even though most users don't need most of the features in Outlook," said Sommer.

"The more complex the software, the more program hooks and bugs there will be for cyber-criminals to take advantage of.

"I'm not anti-Microsoft," he insisted. "Some of its products are very good, but it obviously wants to lock you in by bundling Outlook with all the other products. Companies should, however, consider using another solution."
