FYI

This is a good summary about the dangers of virus scanning software automatically warning "senders" of infected messages. I emailed a suggestion yesterday to two MSU sites that are doing this (Radiology and HR). Hopefully they are reconsidering.

Also, last week I sent a message to our users trying to explain what was happening. If anyone wants a copy of that, let me know. Or if anyone has other resources that explain Klez to a non-technical person, please let me know.

-jav

>Date: Wed, 11 Sep 2002 09:13:10 -0400
>From: Joseph Brennan <[log in to unmask]>
>Reply-To: Postmaster <[log in to unmask]>
>To: unisog <[log in to unmask]>
>cc: Postmaster <[log in to unmask]>
>Subject: [unisog] The danger of Klez warnings
>
>
>We have found ourselves in the position of changing users' addresses
>because of Klez virus warnings. Not Klez-- we can identify and reject
>that-- but Klez warnings.
>
>We have two users whose addresses are being faked into the From line
>of Klez mail at an astounding rate. For each, we see 94,000 attempts
>per day to relay through smtp.columbia.edu. All are rejected. Evidently
>there are additional instances that are relayed through other systems
>successfully and trigger warnings or accusations from antivirus software.
>One of the users now reports getting dozens of warnings per day with
>no end in sight. This will be the second one who needs a new address,
>with all the notifying to friends and associates that is involved.
>It's not the Klez-- it's the warnings.
>
>Any virus software that can spot Klez should also avoid sending useless
>mail to the faked envelope From. Most of the bogus warnings do not even
>include the original headers, so we cannot even re-send them to the
>actual source of the virus. They are just totally without value. In
>fact they're worse than no value. They cause needless worry and needless
>calls to helpdesk. A meta-virus, you might say.
>
>We are now filtering out one of the warnings, for Declude, because it's
>been reported so many times. We may need to add more, but with every
>one using different text, it does not seem practical.
>
>You all might want to check what your system does when it gets a Klez
>message. Please.
>
>Joseph Brennan [log in to unmask]
>Academic Technologies Group, Academic Information Systems (AcIS)

* John Valenti      Systems Analyst, Labor & Industrial Relations *
* 408 S Kedzie Hall, Michigan State University, E. Lansing, MI 48824 *
* (517) 353-1807   fax (517) 355-7656   [log in to unmask] *
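
The notification policy the forwarded message asks for, sketched as an added example that is not part of either message or of any scanner's own code: notices about an infected message go to the local postmaster with the original headers attached, and nothing is mailed to the envelope sender when the detected family forges it. The addresses, sample message, verdict strings and function names are constructed for illustration.

```python
from email.message import EmailMessage

# Families assumed to forge the sender address. Klez is the one named in the
# thread; extend from your own scanner's verdict names (assumption).
FORGES_SENDER = ("klez",)

# Constructed sample: an infected message whose From line is forged.
SAMPLE = (
    "Received: from infected-pc.example.net ([192.0.2.10]) by mx.example.edu\n"
    "From: victim@example.edu\n"
    "To: someone@example.org\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

def original_headers(raw):
    """Header block of the flagged message, up to the first blank line."""
    return raw.replace("\r\n", "\n").split("\n\n", 1)[0] + "\n"

def build_notice(to_addr, virus, raw, postmaster):
    msg = EmailMessage()
    msg["From"] = postmaster
    msg["To"] = to_addr
    msg["Subject"] = "Virus %s detected in mail" % virus
    msg["Auto-Submitted"] = "auto-generated"  # RFC 3834: automatic mail
    msg.set_content("The scanner flagged a message as %s.\n"
                    "Its original headers are attached.\n" % virus)
    # Received lines let the reader trace the real source, not the forged From.
    msg.add_attachment(original_headers(raw), subtype="rfc822-headers",
                       filename="headers.txt")
    return msg

def notices_for(raw, envelope_from, virus, postmaster="postmaster@example.edu"):
    """Return the notices to send for an infected message."""
    notices = [build_notice(postmaster, virus, raw, postmaster)]
    forged = any(name in virus.lower() for name in FORGES_SENDER)
    # A null envelope sender means the message is itself a bounce: never answer.
    if not forged and envelope_from not in ("", "<>"):
        notices.append(build_notice(envelope_from, virus, raw, postmaster))
    return notices

if __name__ == "__main__":
    for n in notices_for(SAMPLE, "victim@example.edu", "W32/Klez.H@mm"):
        print(n["To"])
```
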