FYI
This is a good summary about the dangers of virus scanning software automatically warning "senders" of infected messages.  I emailed a suggestion yesterday to two MSU sites that are doing this (Radiology and HR). Hopefully they are reconsidering.

Also, last week I sent a message to our users trying to explain what was happening. If anyone wants a copy of that, let me know. Or if anyone has other resources that explain Klez to a non-technical person, please let me know.

-jav

Date: Wed, 11 Sep 2002 09:13:10 -0400
From: Joseph Brennan <[log in to unmask]>
Reply-To: Postmaster <[log in to unmask]>
To: unisog <[log in to unmask]>
cc: Postmaster <[log in to unmask]>
Subject: [unisog] The danger of Klez warnings


We have found ourselves in the position of changing users' addresses
because of Klez virus warnings.  Not Klez-- we can identify and reject
that-- but Klez warnings.

We have two users whose addresses are being faked into the From line
of Klez mail at an astounding rate.  For each, we see 94,000 attempts
per day to relay through smtp.columbia.edu.  All are rejected.  Evidently
there are additional instances that are relayed through other systems
successfully and trigger warnings or accusations from antivirus software.
One of the users now reports getting dozens of warnings per day with
no end in sight.  This will be the second one who needs a new address,
with all the notifying to friends and associates that is involved.
It's not the Klez-- it's the warnings.

Any virus software that can spot Klez should also avoid sending useless
mail to the faked envelope From.  Most of the bogus warnings do not even
include the original headers, so we cannot even re-send them to the
actual source of the virus.  They are just totally without value.  In
fact they're worse than no value.  They cause needless worry and needless
calls to helpdesk.  A meta-virus, you might say.

We are now filtering out one of the warnings, for Declude, because it's
been reported so many times.  We may need to add more, but with every
one using different text, it does not seem practical.

You all might want to check what your system does when it gets a Klez
message.  Please.

Joseph Brennan                           [log in to unmask]
Academic Technologies Group, Academic Information Systems (AcIS)
* John Valenti Systems Analyst, Labor & Industrial Relations *
* 408 S Kedzie Hall, Michigan State University, E. Lansing, MI 48824 *
* (517) 353-1807 fax (517) 355-7656 [log in to unmask] *
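The two defensive actions Brennan describes, not warning the forged From line and filtering the warnings that still arrive without original headers, as an added example written for this thread rather than code from any of the posters or from their mail systems. The verdict strings, subject patterns and sample messages are constructed assumptions.

```python
import email
import re
from email.utils import parseaddr

# Families known to forge the From line (assumption: the scanner's verdict
# string contains the family name). Klez is the case the thread discusses.
SENDER_FORGING_FAMILIES = ("klez",)

# Subject wording typical of automated scanner warnings (constructed list).
WARNING_SUBJECT = re.compile(r"virus (alert|warning|found|detected)|infected", re.I)


def notification_targets(virus_name, raw_message):
    """Return {'sender': [...], 'recipient': [...]} addresses worth notifying.

    For a sender-forging family the 'sender' list is empty: the From line is a
    victim's address, so a warning sent there is backscatter, not a notice.
    """
    msg = email.message_from_bytes(raw_message)
    forged = any(f in virus_name.lower() for f in SENDER_FORGING_FAMILIES)
    sender = parseaddr(msg.get("From", ""))[1]
    recipient = parseaddr(msg.get("To", ""))[1]
    return {
        "sender": [] if forged or not sender else [sender],
        "recipient": [recipient] if recipient else [],
    }


def is_untraceable_warning(raw_message):
    """True for a scanner warning that carries no copy of the original headers,
    i.e. one that cannot be forwarded to the real source and is safe to drop."""
    msg = email.message_from_bytes(raw_message)
    if not WARNING_SUBJECT.search(msg.get("Subject", "")):
        return False
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return False  # original message attached: traceable
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            if b"Received:" in body:
                return False  # original headers quoted in the body
    return True


# Constructed samples: a Klez-style message with a forged From, and a bare warning.
KLEZ_SAMPLE = (b"From: victim@example.edu\r\nTo: target@example.org\r\n"
               b"Subject: a special new game\r\n\r\nbody\r\n")
BARE_WARNING = (b"From: scanner@example.net\r\nTo: victim@example.edu\r\n"
                b"Subject: Virus Alert: W32/Klez.H found\r\n\r\n"
                b"Your message was infected and was not delivered.\r\n")
```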