Modern e-mail programs make it convenient to send and receive
arbitrary computer files as attachments. Unfortunately this feature
also makes it easy to send and (worse) receive computer
"viruses" (malicious programs) via e-mail as well. Viruses can
damage your computer system, destroy or modify your files, or cause
other mystifying and annoying behavior. Many computer viruses
propagate themselves by taking over your mail program, using your
machine to send further infected mail messages to addresses found in
your address book.
Viruses can be kept in check by installing and maintaining
anti-virus software, exercising caution in opening e-mail
attachments, and keeping your machine up-to-date with vendors'
security releases for your operating system and applications. (See,
for example, the
Anti-Virus Tips page maintained by McAfee Security's Anti-Virus
Emergency Response Team.)
Unfortunately, relying on such measures has proved inadequate to
protect CIS Unix users from virus infection; over the past months
we've noticed numerous infected machines (both on-campus and
off-campus) sending virus attachments through the CIS Unix systems to
local and remote users. So …
On February 19, 2003 UNH Computing & Information Services
(the previous name of UNH Information Technology)
installed the MailScanner
mail filtering software as part of the CIS Unix mail system. This
filtering is performed on all e-mail that is sent through
the CIS Unix systems. When a potential virus is detected, this
service will alert the relevant users with information about what was
found and the corrective steps taken by the system.
How It Works
Here is how the process works and what you may see:
The figure below illustrates a message with two attachments. The
first attachment is infected with a virus and is automatically
replaced with the alert message.
The modified message is then passed on to the recipient(s).
The scanner filters out attachments with file extensions
indicating that they contain executable content under Microsoft
.pif). These are considered too dangerous to mail, no
matter what the actual content. (See below for a workaround.)
Other attachments (for example, Microsoft Word
files) are scanned for specific viruses that are known to infect that
type of file.
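The extension-based replacement step described above can be sketched as follows. This is an added example, not MailScanner's code or the CIS configuration; the blocklist beyond .pif, the alert wording, the addresses and the sample message are all constructed assumptions.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist: only ".pif" is named on the page; the others are illustrative.
BLOCKED_EXTENSIONS = {".pif", ".exe", ".scr", ".bat"}

ALERT_TEMPLATE = (
    "Warning: the attachment {name!r} was removed by the mail filter\n"
    "because its file extension marks it as executable content.\n"
)


def is_blocked(filename):
    """Decide on the final extension only; the file's content is never inspected."""
    cleaned = filename.strip().rstrip(".").lower()
    return os.path.splitext(cleaned)[1] in BLOCKED_EXTENSIONS


def filter_message(raw):
    """Return (filtered message, names of the attachments that were replaced)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_blocked(name):
            # set_content() discards the old payload and Content-* headers.
            part.set_content(ALERT_TEMPLATE.format(name=name),
                             disposition="inline", filename="alert.txt")
            removed.append(name)
    return msg, removed


def build_sample():
    """Constructed test message: a text body plus two attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.\n")
    msg.add_attachment(b"constructed bytes", maintype="application",
                       subtype="octet-stream", filename="invoice.pif")
    msg.add_attachment(b"constructed tar bytes", maintype="application",
                       subtype="x-tar", filename="notes.tar")
    return bytes(msg)


if __name__ == "__main__":
    filtered, removed = filter_message(build_sample())
    print("replaced:", removed)
    print([p.get_filename() for p in filtered.walk() if p.get_filename()])
```

Because the decision rests on the file name alone, the constructed notes.tar attachment is delivered unchanged, so whatever an archive holds still has to be checked by the recipient.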
A relative handful of viruses have
the potential to generate high
volumes of "cleaned" messages to user mailboxes.
To avoid cluttering mailboxes with such worthless messages,
we've decided to
eliminate the messages to the recipient for the following:
- W32/Klez (all variants)
- W32/Mimail (all variants)
- W32/Dumaru (all variants)
- W32/Sobig (all variants)
- W32/Netsky (all variants)
How to Bypass the System
In rare cases where you need to mail an executable file
to another person, the most common workaround is to save the file in
a pre-agreed-upon file archive format (such as Unix tar) or file
compression utility format (Stuffit, WinZip, gnuzip, etc.) and then
send the resulting file as the attachment. And of course, recipients
of such attachments should take care in verifying that the contents
of such "hidden" executables aren't malicious.
If your message is generating errors due to its unparsability
by the scanner, your best bet may be
to configure your mail software
to send plain-text messages. Information on how to do that
for various mail software packages is here.
For More Information...
The CIS Newsletter Signals has an article
about CIS Unix virus scanning.
You might also want more information on how to use MailScanner's
feature to make dealing with unwanted e-mail