FYI

This is a good summary about the dangers of virus scanning software
automatically warning "senders" of infected messages. I emailed a
suggestion yesterday to two MSU sites that are doing this (Radiology
and HR). Hopefully they are reconsidering.

Also, last week I sent a message to our users trying to explain what was
happening. If anyone wants a copy of that, let me know. Or if anyone has
other resources that explain Klez to a non-technical person, please let
me know.
-jav
Date: Wed, 11 Sep 2002 09:13:10 -0400
From: Joseph Brennan <[log in to unmask]>
Reply-To: Postmaster <[log in to unmask]>
To: unisog <[log in to unmask]>
cc: Postmaster <[log in to unmask]>
X-Mailer: Mulberry/2.1.0 (Mac OS/PPC)
Subject: [unisog] The danger of Klez warnings
We have found ourselves in the position of changing users' addresses
because of Klez virus warnings. Not Klez-- we can identify and reject
that-- but Klez warnings.

We have two users whose addresses are being faked into the From line
of Klez mail at an astounding rate. For each, we see 94,000 attempts
per day to relay through smtp.columbia.edu. All are rejected. Evidently
there are additional instances that are relayed through other systems
successfully and trigger warnings or accusations from antivirus software.

One of the users now reports getting dozens of warnings per day with
no end in sight. This will be the second one who needs a new address,
with all the notifying to friends and associates that is involved.
It's not the Klez-- it's the warnings.

Any virus software that can spot Klez should also avoid sending useless
mail to the faked envelope From. Most of the bogus warnings do not even
include the original headers, so we cannot even re-send them to the
actual source of the virus. They are just totally without value. In
fact they're worse than no value. They cause needless worry and needless
calls to helpdesk. A meta-virus, you might say.

We are now filtering out one of the warnings, for Declude, because it's
been reported so many times. We may need to add more, but with every
one using different text, it does not seem practical.

You all might want to check what your system does when it gets a Klez
message. Please.
Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
* John Valenti Systems Analyst, Labor & Industrial Relations *
* 408 S Kedzie Hall, Michigan State University, E. Lansing, MI 48824 *
* (517) 353-1807 fax (517) 355-7656 *