Email-aware virus/malware have the ability to spread
by email message by automating the infected computer's email clients
or by spreading the virus/malware themselves. Mass-mailing behavior
describes a situation when an infection spreads rapidly in a Microsoft
Exchange environment. Trend Micro designed the scan engine to detect
behavior that mass-mailing attacks usually demonstrate. The behaviors
are recorded in the Virus Pattern file that is updated using the
Trend Micro ActiveUpdate Servers.
You can enable the Messaging Security Agent (Advanced only) to
take a special action against mass-mailing attacks whenever it detects
a mass-mailing behavior. The action set for mass-mailing behavior
takes precedence over all other actions. The default action against
mass-mailing attacks is delete entire message.
For example: You configure the Messaging Security Agent to quarantine messages
when it detects that the messages are infected by a worm or a Trojan. You
also enable mass-mailing behavior and set the agent to delete all
messages that demonstrate mass-mailing behavior. The agent receives
a message containing a worm such as a variant of MyDoom. This worm
uses its own SMTP engine to send itself to email addresses that
it collects from the infected computer. When the agent detects the
MyDoom worm and recognizes its mass-mailing behavior, it will delete
the email message containing the worm - as opposed to the quarantine
action for worms that do not show mass-mailing behavior.