Virus Filtering Service for CIS Unix Mail

Modern e-mail programs make it convenient to send and receive arbitrary computer files as attachments. Unfortunately this feature also makes it easy to send and (worse) receive computer ``viruses'' (malicious programs) via e-mail as well. Viruses can damage your computer system, destroy or modify your files, or cause other mystifying and annoying behavior. Many computer viruses propagate themselves by taking over your mail program, using your machine to send further infected mail messages to addresses found in your address book.

Viruses can be kept in check by installing and maintaining anti-virus software, exercising caution in opening e-mail attachments, and keeping your machine up-to-date with vendors' security releases for your operating system and applications. (See, for example, the Anti-Virus Tips page maintained by McAfee Security's Anti-Virus Emergency Response Team.)

Unfortunately, relying on such measures has proved inadequate to protect CIS Unix users from virus infection; over the past months we've noticed numerous infected machines (both on-campus and off-campus) sending virus attachments through the CIS Unix systems to local and remote users. So …

On February 19, 2003 UNH Computing & Information Services installed the MailScanner mail filtering software as part of the CIS Unix mail system. This filtering is performed on all e-mail that is sent through the CIS Unix systems. When a potential virus is detected, this service will alert the relevant users with information about what was found and the corrective steps taken by the system.

How It Works

Here is how the process works and what you may see:

The figure below illustrates a message with two attachments. The first attachment is infected with a virus and is automatically replaced with an alert message; the modified message is then passed on to the recipient(s). A return notice describing the actions taken by the mail scanner was formerly sent back to the apparent sender; this is no longer done (see the note on forged sender addresses below).

[Figure: Sender --> Mail Scanner --> Recipient(s). The sender's message (message text, infected attachment, safe attachment) passes through the mail scanner; the recipient(s) receive the message text, an alert message in place of the infected attachment, and the safe attachment unchanged. A return notice from the scanner back to the sender is shown crossed out: no longer supported.]

Details

The scanner filters out attachments with file extensions indicating that they contain executable content under Microsoft Windows (e.g.: .bat, .exe, .pif). These are considered too dangerous to mail, no matter what the actual content. (See below for a workaround.)
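As an added illustration of the two rules above (the filename-extension filter, and the replacement of a removed attachment by an alert part that the recipient sees), here is a small Python program that applies that policy to a MIME message. It is not MailScanner's code and does not reproduce its configuration: the extension list beyond the page's .bat, .exe and .pif, the alert wording, and the sample message are assumptions made for the example. It also shows the edge cases a filename rule has to get right: matching is case-insensitive, trailing dots and spaces are ignored (Windows strips them before deciding how to open a file), and only the final extension counts, so "report.txt.exe" is blocked while "report.exe.txt" is not. Because the rule looks only at the name, not the content, an executable inside an archive passes through, which is exactly the workaround described under "How to Bypass the System".

```python
"""Added illustration (not MailScanner's own code) of the filename rule
described on this page: attachments whose name ends in a Windows-executable
extension are replaced by a text/plain alert part before delivery.
The extension list beyond .bat/.exe/.pif, the alert wording and the sample
message are assumptions made for this example."""
import email
from email import policy
from email.message import MIMEPart

# The page names .bat, .exe and .pif; .com and .scr are added here as
# assumed entries of the same kind.
DANGEROUS_EXTENSIONS = {".bat", ".exe", ".pif", ".com", ".scr"}

# Assumed wording for the alert that replaces a removed attachment.
ALERT_TEXT = (
    "Mail scanner notice: the attachment '{name}' was removed because its\n"
    "file type is considered too dangerous to mail, regardless of content.\n"
)


def is_dangerous_filename(name):
    """Return True if NAME carries a blocked extension.

    The comparison is case-insensitive and ignores trailing dots and
    spaces, because Windows strips those before deciding how to open a
    file, so "Setup.EXE" and "report.exe ." would still execute.  Only
    the final extension matters: "report.txt.exe" is blocked, while
    "report.exe.txt" is not (it opens as text).
    """
    if not name:
        return False
    cleaned = name.rstrip(" .").lower()
    return any(cleaned.endswith(ext) for ext in DANGEROUS_EXTENSIONS)


def _alert_part(name):
    """Build the text/plain part that stands in for a removed attachment."""
    part = MIMEPart()
    part.set_content(ALERT_TEXT.format(name=name))
    return part


def _scrub(container, removed):
    """Recursively replace dangerous attachments inside a multipart."""
    if not container.is_multipart():
        return
    new_parts = []
    for part in container.get_payload():
        if part.is_multipart():
            _scrub(part, removed)
            new_parts.append(part)
            continue
        name = part.get_filename()
        if is_dangerous_filename(name):
            removed.append(name)
            new_parts.append(_alert_part(name))
        else:
            new_parts.append(part)
    container.set_payload(new_parts)


def filter_message(raw):
    """Parse RAW (an RFC 5322 message as a string), scrub it, and return
    (message, list_of_removed_filenames)."""
    msg = email.message_from_string(raw, policy=policy.default)
    removed = []
    if msg.is_multipart():
        _scrub(msg, removed)
    else:
        # A single-part message that is itself a named attachment.
        name = msg.get_filename()
        if is_dangerous_filename(name):
            removed.append(name)
            msg.set_content(ALERT_TEXT.format(name=name))
    return msg, removed


# Constructed sample message (not real traffic): one body text, one
# attachment with an executable extension (placeholder bytes, not a real
# program), and one harmless text attachment.
SAMPLE_MESSAGE = """\
From: sender@example.org
To: recipient@example.org
Subject: Files
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="example-boundary"

--example-boundary
Content-Type: text/plain

Please see the attached files.
--example-boundary
Content-Type: application/octet-stream; name="Setup.EXE"
Content-Disposition: attachment; filename="Setup.EXE"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--example-boundary
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

Nothing to see here.
--example-boundary--
"""

if __name__ == "__main__":
    msg, removed = filter_message(SAMPLE_MESSAGE)
    print("removed:", removed)
    print(msg.as_string())
```

Run as a script it prints the rewritten message: the first attachment is gone, a text/plain alert naming "Setup.EXE" stands in its place, and "notes.txt" is delivered untouched, which is the recipient-side view of the figure above.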

Other attachments (for example, Microsoft Word .doc files) are scanned for specific viruses that are known to infect that type of file.

If the scanner cannot completely process an incoming mail message for some reason, such as bad message structure, unreadable winmail.dat TNEF attachments, or messages sent in some versions of Rich Text Format (RTF), an error report is sent back to the apparent sender. The scanner removes those portions it could not analyze from the message before sending it along to the designated recipients.

We've been referring to ``apparent sender'' in this document. Some viruses forge the sender's address in the mail they send; in such cases, return notices and error reports will probably go to the forged address, which will often be the owner of an uninfected machine. The actual owner of the infected machine won't be automatically notified. In such cases, we will try to notify the owners of infected machines by other means; if possible, we'll also probably take steps to prevent the infected machine from sending further mail through us until it's cleaned. [Note: as previously discussed, the forged-sender problem has caused us to cease sending return notices.]

Effective December 16, 2003: A relative handful of viruses have the potential to generate high volumes of "cleaned" messages to user mailboxes. To avoid cluttering mailboxes with such worthless messages, we've decided to eliminate the messages to the recipient for the following:

How to Bypass the System

In rare cases where you need to mail an executable file to another person, the most common workaround is to save the file in a pre-agreed file archive format (such as Unix tar) or file compression utility format (StuffIt, WinZip, gzip, etc.) and then send the resulting file as the attachment. And of course, recipients of such attachments should take care in verifying that the contents of such ``hidden'' executables aren't malicious; the scanner does not look inside archives, so it cannot do that for them.

If your message is generating error reports because the scanner cannot parse it, your best bet may be to configure your mail software to send plain-text messages. Most mail software packages document how to do that.

For More Information...

The CIS Newsletter Signals has an article about CIS Unix virus scanning.

You might also want more information on how to use MailScanner's spam-tagging feature to make dealing with unwanted e-mail easier.

Acknowledgments

Large parts of this document have been borrowed from the UNH Virus Filtering Service for Mailing Lists page.


Last modified: 2009-09-18 14:09 EDT
Paul A. Sand
pas@unh.edu