Virus Filtering for CIS Unix Mail

Modern e-mail programs make it convenient to send and receive arbitrary computer files as attachments. Unfortunately this feature also makes it easy to send and (worse) receive computer "viruses" (malicious programs) via e-mail as well. Viruses can damage your computer system, destroy or modify your files, or cause other mystifying and annoying behavior. Many computer viruses propagate themselves by taking over your mail program, using your machine to send further infected mail messages to addresses found in your address book.

Viruses can be kept in check by installing and maintaining anti-virus software, exercising caution in opening e-mail attachments, and keeping your machine up-to-date with vendors' security releases for your operating system and applications. (See, for example, the Anti-Virus Tips page maintained by McAfee Security's Anti-Virus Emergency Response Team.)

Unfortunately, relying on such measures has proved inadequate to protect CIS Unix users from virus infection; over the past months we've noticed numerous infected machines (both on-campus and off-campus) sending virus attachments through the CIS Unix systems to local and remote users. So …

On February 19, 2003 UNH Computing & Information Services (the previous name of UNH Information Technology) installed the MailScanner mail filtering software as part of the CIS Unix mail system. This filtering is performed on all e-mail that is sent through the CIS Unix systems. When a potential virus is detected, this service will alert the relevant users with information about what was found and the corrective steps taken by the system.

How It Works

Here is how the process works and what you may see:

  • Every message sent through the CIS Unix systems will be analyzed. This includes mail sent to addresses of the form address@unh.edu, address@usnh.edu, and address@granite.edu.
  • If no potential problems are detected, the message is passed on to the recipient(s) without modification or comment.
  • If the message contains one or more attachments, these attachments are examined by the scanner. If a virus is detected in an attachment, or if it is determined that the type of attachment is inappropriate, it is removed from the message and replaced with an alert message:
    ------------------------------------------------------------
    Important Message from the UNH E-Mail Virus Scanning Service
    ------------------------------------------------------------
    
    The original e-mail attachment:
    
    ------------------------------------------------------------
      Date       "$date"
      Attachment "$filename"
    ------------------------------------------------------------
    
    is believed to be infected by a virus. Rather than forward
    this potentially destructive file to you, it has been
    replaced with this warning message instead.
    
    For more information about the UNH E-Mail Virus Scanning 
    Service, please see:
    
         http://pubpages.unh.edu/notes/mailfiltering.html
    
    If you have a question or concern specific to this incident,
    please forward this entire message to:
    
         MailScanner.Admin@unh.edu
    
    along with your comments for this system's administrator.
    
    ------------------------------------------------------------
    Virus Scan Report
    ------------------------------------------------------------
       DATE: $date
     ACTION: $report
       HOST: "$hostname"
     MSGDIR: $quarantinedir/$datenumber
      MSGID: $id
    ------------------------------------------------------------
    
    --
    MailScanner
    EMail Virus Scanner
    

    The 'dollar-sign' words in the text above are replaced with message-specific strings in the actual alert. The modified message is passed on to the recipient(s).

  • No notice is provided to the apparent sender of infected mail. Too many mail-borne viruses forge their sender addresses for this to be more useful than annoying.

The figure below illustrates a message with two attachments. The first attachment is infected with a virus and is automatically replaced with the alert message. The modified message is then passed on to the recipient(s).

[Figure: Sender → MailScanner → Recipient(s). Sent message: message text, infected attachment, safe attachment. Delivered message: message text, alert message, safe attachment.]

Details

The scanner filters out attachments with file extensions indicating that they contain executable content under Microsoft Windows (e.g., .bat, .exe, .pif). These are considered too dangerous to mail, no matter what the actual content. (See below for a workaround.)

Other attachments (for example, Microsoft Word .doc files) are scanned for specific viruses that are known to infect that type of file.
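The extension check and the attachment replacement described under "How It Works" can be sketched as follows. This is an added example using Python's standard email library, not MailScanner's own code; the function names, the shortened ALERT text and the sample message are assumptions made for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Extensions named on this page; a production block list would be longer.
BLOCKED_EXTENSIONS = {".bat", ".exe", ".pif"}

# Shortened stand-in for the site's alert text (wording here is illustrative).
ALERT = ('The original e-mail attachment:\n  Date       "{date}"\n'
         '  Attachment "{filename}"\nwas removed by the mail filter.\n')

def is_blocked(filename):
    """True if the final extension is on the block list, ignoring case."""
    # Trailing dots/spaces are trimmed first so "run.bat." is still caught.
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED_EXTENSIONS

def filter_message(raw):
    """Replace blocked attachments with an alert part.

    Returns (filtered message, list of removed filenames)."""
    msg = message_from_string(raw, policy=policy.default)
    removed = []
    for part in list(msg.walk()):          # snapshot: parts are edited in place
        filename = part.get_filename()
        if filename and is_blocked(filename):
            removed.append(filename)
            part.clear()                   # drop the part's headers and payload
            part.set_content(ALERT.format(date=msg["Date"], filename=filename))
    return msg, removed

def build_sample():
    """Constructed test message: one safe and two blocked attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "address@unh.edu"
    msg["Date"] = "Wed, 19 Feb 2003 10:00:00 -0500"
    msg["Subject"] = "files"
    msg.set_content("See attached.")
    msg.add_attachment("meeting notes", filename="notes.txt")
    for name in ("SETUP.EXE", "invoice.doc.pif"):
        msg.add_attachment(b"constructed sample bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()

if __name__ == "__main__":
    filtered, removed = filter_message(build_sample())
    print("removed:", removed)
    print("kept:", [p.get_filename() for p in filtered.walk() if p.get_filename()])
```

The check looks only at the last extension, so a double-extension name such as invoice.doc.pif is still caught, while the message text and the safe attachment pass through unchanged.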

A relative handful of viruses have the potential to generate high volumes of "cleaned" messages to user mailboxes. To avoid cluttering mailboxes with such worthless messages, we've decided to eliminate the messages to the recipient for the following:

  • W32/Bagle
  • W32/Klez (all variants)
  • W32/Swen@MM
  • W32/Mimail (all variants)
  • W32/Dumaru (all variants)
  • W32/Sobig (all variants)
  • W32/Netsky (all variants)

How to Bypass the System

In rare cases where you need to mail an executable file to another person, the most common workaround is to save the file in a pre-agreed-upon file archive format (such as Unix tar) or file compression utility format (Stuffit, WinZip, gnuzip, etc.) and then send the resulting file as the attachment. And of course, recipients of such attachments should take care to verify that the contents of such "hidden" executables aren't malicious.

If your message is generating errors due to its unparsability by the scanner, your best bet may be to configure your mail software to send plain-text messages. Information on how to do that for various mail software packages is here, here, or here.

For More Information...

The CIS Newsletter Signals has an article about CIS Unix virus scanning.

You might also want more information on how to use MailScanner's spam-tagging feature to make dealing with unwanted e-mail easier.