False Alarms
Automatic warning messages from anti-virus systems, mail servers and mail gateways are generating 'false alarms'.
There are several types of message that cause false alarms:
False Error Reports
Many of the current email viruses/worms fake the 'sender's address', making the virus appear to come from somewhere other than its actual source. This is designed to mislead 'virus investigators' and anti-virus programs. And it does: the warning goes to whoever's address was forged, causing false alarms to be sent out.
Example Report:
---------------------------------------------------------------
The MessageLabs SkyScan Anti-Virus service discovered a possible virus or unauthorised code (such as a joke program or trojan) in an email sent by you.
The email has now been quarantined and was not delivered.
Please read the whole of this email carefully. It explains what has happened to your email, which suspected virus has been caught and what to do if you need help addressing the problem.
To help identify the quarantined email:
The message sender was a.person@agnesscott.edu
The message recipients were a.person@imeche.org.uk
The message title was Hello
The message date was Tue, 27 Jan 2004 11:16:09 +0000
The virus or unauthorised code identified in the email is
>>> W32/MyDoom.A in '390205_2X_PM4_EMS_MA-OCTET=2DS__doc.pif'
------------------------------------------------------------------
'Address faking' (spoofing) worms do the following:
1. A PC gets infected with an 'address faking' virus/worm, such as 'SoBig', by someone opening an infected attachment.
2. That PC then (silently) sends out large numbers of emails with the virus/worm in an attachment, to addresses taken from the owner's address book:
- if you get an infected email, the anti-virus system of your email provider (or your own PC) may detect this and notify you. This is good news: you are NOT infected.
- but IMPORTANTLY, the virus/worm fakes the 'sender's address' (also using addresses found on the infected PC, so your address could be used). The 'From' line therefore tells you nothing about who really sent it.
- the infected emails are then discovered by a person (or an automatic anti-virus system) and a warning is sent back to the (faked) sender's address (which could be you).
3. When the infected emails go out, some of them go to non-existent email addresses and get returned by the mail system to THE WRONG EMAIL address: they are automatically returned to the fake sender's address (which could be you).
4. When the infected emails go out, some of them could land in the inbox of someone who has 'Out of Office' switched on, which will send back an email to the fake sender's address (again, this could be you).
To summarize:
If your email address has been used in the 'sender's field' instead of the genuine originator's, you will get 'false alarm' email messages sent to you because:
- some anti-virus programs send out automatic warnings to the apparent originator of virused email messages. If the 'sender's name' has been falsified, the warnings are sent to the wrong place (you).
- sometimes individuals will send warnings back to the source of an email virus they have received. Again, if the sender's name has been falsified, these warnings will go to the wrong place (you).
- you may get 'returned undeliverable email' because the virus has sent out email to defunct addresses and the email system has returned the undelivered email to the falsified sender's address (you).
The result is that people receive a lot of false notifications that their PCs are infected when they are not.
Solutions
There is not much you can do about these false alarms, as the name of the actual sender of the virused messages has been replaced by your name. What you can do is:
- check whether the virus/worm being warned about fakes the sender's address:
  - check the Symantec virus pages.
  - call the ITS Help Desk - x5487, or check http://its.agnesscott.edu/virus.
- do NOT forward virus warnings by email.
- ensure that your anti-virus software is working and up-to-date.
- for peace of mind, scan your PC for viruses.
- if you get a lot of 'warnings' from one place, block email from that address.
Implications
It would seem that:
- we should NOT warn people about virus infections using email (the warning reaches whoever's address was forged, not the infected PC).
- we should NOT use 'Out of Office' to notify people we are away.
- all we can do is ensure that our system is clean and as secure as possible.
Cleaned Viruses Get Through
Many email systems protect against viruses. The anti-virus systems remove the infected attachment and send on the message. The message arrives with a short text attachment which explains that the original (infected) attachment has been removed.
The name of the replacement attachment will be something like:
These 'replacement' attachments are plain text, are safe to open and will inform you of what virus was detected and removed. Note the difference from a worm's own lure: MyDoom (the virus named in the report above) sends messages disguised as delivery failures with the worm itself as the attachment, so a 'notice' that arrives as a .pif, .scr, .exe or .zip file is the virus, not a notice.
This behaviour may seem strange, but sometimes viruses infect (add themselves to) genuine messages. The automatic systems are designed not to remove the whole message in case a genuine original message is deleted.
Returned Undeliverable Messages
Faked sender names can cause 'false undeliverable mail' returns.
An example of an 'undeliverable mail' report:
-----------------------------------------------------------------
Your message did not reach some or all of the intended recipients.
Subject: TEST
Sent: 27/01/2004 15:19
The following recipient(s) could not be reached:
linda@disney.com on 27/01/2004 15:24
The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.
-----------------------------------------------------------------
Another person's virused system may have sent out lots of emails in your name to a wide range of addresses, new and old (harvested from various places on their hard disk), and some of these messages will have gone to non-existent addresses, which send back 'message undelivered' notices. As you didn't send the messages, either yourself or because of a virus on your PC, you may be puzzled. The bounce usually encloses the original message's headers; those show which machine actually handed the message to the first mail server, and it will not be yours.
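Checking a warning or bounce for yourself, as an added example that is not part of the original page and not code from any of the products named on it: the Python script below serves both the 'address faking' mechanism described earlier and the undeliverable-mail reports in this section. It pulls the original message's headers out of a notification (the message/rfc822 part of a MIME delivery report, or headers pasted into a plain-text report like the one above) and asks whether the message ever passed through one of our own outbound relays. If the enclosed headers show it entering the mail system from some other machine, the 'From' line was forged and the warning is a false alarm. OUR_DOMAIN, the relay names in OUR_RELAYS and the three sample notifications are placeholders constructed for this example; substitute your own relays.

```python
"""
Added example, not code from the original help-desk page: decide whether a
virus warning or 'undeliverable mail' report naming you as sender is a false
alarm from a forged sender address. The 'From' line proves nothing; the
original message's headers, enclosed in most notifications, record which
machine handed it to the first mail server. Assumed placeholders: OUR_DOMAIN,
OUR_RELAYS and the constructed samples. Caveat: Received headers below the
topmost one can be forged too, so 'genuine' is evidence, not proof.
"""
import email
import email.utils
import re
from email import policy

OUR_DOMAIN = "agnesscott.edu"                                # assumed
OUR_RELAYS = {"mail.agnesscott.edu", "smtp.agnesscott.edu"}  # assumed names
_RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)

def extract_original(notification):
    """Return the enclosed original message, or None if none is enclosed."""
    for part in notification.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    for part in notification.walk():  # or headers pasted into a text body
        if part.get_content_type() == "text/plain":
            body = part.get_content()
            start = body.find("Received:")
            if start != -1:
                return email.message_from_string(body[start:], policy=policy.default)
    return None

def received_hosts(msg):
    """Hosts in 'Received: from ...' headers, topmost first; last = injection point."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = _RECEIVED_FROM.match(value.strip())
        if m:
            hosts.append(m.group(1).strip("()[]").lower())
    return hosts

def classify(notification_text):
    """Return (verdict, injecting host): verdict is 'spoofed', 'genuine',
    'not-ours' (forged address not in our domain) or 'unknown'."""
    original = extract_original(
        email.message_from_string(notification_text, policy=policy.default))
    if original is None:
        return "unknown", None  # nothing enclosed, nothing to go on
    sender = email.utils.parseaddr(str(original.get("From", "")))[1].lower()
    hosts = received_hosts(original)
    origin = hosts[-1] if hosts else None
    if not sender.endswith("@" + OUR_DOMAIN):
        return "not-ours", origin
    if not hosts:
        return "unknown", None
    # Our relays stamp every message we really send; a chain without them
    # means a worm on someone else's PC injected it with our address forged.
    return ("genuine" if any(h in OUR_RELAYS for h in hosts) else "spoofed"), origin

# Constructed sample: MIME delivery report enclosing the original message,
# whose forged From is ours but whose chain starts at an ISP customer host.
SAMPLE_BOUNCE = """\
From: postmaster@mail.example.net
To: a.person@agnesscott.edu
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message did not reach some or all of the intended recipients.
--b1
Content-Type: message/rfc822

Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.example.net; Tue, 27 Jan 2004 15:24:00 +0000
Received: from dsl-customer-42.isp.example ([198.51.100.42])
\tby mx1.example.net; Tue, 27 Jan 2004 15:20:00 +0000
From: a.person@agnesscott.edu
To: linda@disney.com

--b1--
"""
# Same report, but the message really did pass through one of our relays.
SAMPLE_GENUINE = SAMPLE_BOUNCE.replace(
    "dsl-customer-42.isp.example ([198.51.100.42])",
    "mail.agnesscott.edu (mail.agnesscott.edu [203.0.113.5])")
# Constructed plain-text report (Exchange style) with the headers pasted in.
SAMPLE_TEXT = """\
From: postmaster@mail.example.net
Subject: Undeliverable: TEST

Your message did not reach some or all of the intended recipients.
Received: from dsl-customer-42.isp.example ([198.51.100.42])
\tby mx1.example.net; Tue, 27 Jan 2004 15:20:00 +0000
From: a.person@agnesscott.edu
"""
if __name__ == "__main__":
    for text in (SAMPLE_BOUNCE, SAMPLE_GENUINE, SAMPLE_TEXT):
        print(classify(text))
```

Only the Received header written by a server you trust is reliable; everything below it could have been typed in by the worm itself. So treat 'spoofed' as the result you act on (ignore the warning, do not reply to it) and 'genuine' as a prompt to check the named relay's own logs for the message, rather than as proof that you sent it.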