Yes, but what if the external recipient does not know they have a virus and
the message from Antigen is the first to tell them?  I certainly understand
that minimizing network traffic is a desired result, but wouldn't end users
like to know that they have a virus?



-----Original Message-----
From: Brubaker, Aaron [mailto:[log in to unmask]]
Sent: Tuesday, January 29, 2002 8:00 AM
To: [log in to unmask]
Subject: Re: Misconfigured Software


Fortunately, Antigen administrators can control the way virus notifications
are configured.  Most sites should disable notification for external
recipients/senders as a matter of good netiquette.

Aaron Brubaker
Information Technologist I
Administrative Information Services
Michigan State University
(517) 353-4420 x249
[log in to unmask]

-----Original Message-----
From: George J Perkins [mailto:[log in to unmask]]
Sent: Monday, January 28, 2002 5:14 PM
To: [log in to unmask]
Subject: Re: Misconfigured Software


Missy Koos wrote:
> The Antigen Software is the Virus Scanning software that we use on our
> exchange server.
> I did run 2 scans this morning, I apologize if you received multiple
> iterations of the message, I am trying to clean up the mess left by the
> myparty virus.
> The software is not misconfigured that I am aware of, it is set to send 3
> messages...
> One is sent to the originator of the message to make sure they are aware
> the workstation has a virus
> One is sent to the recipient letting them know that the attachment was
> stripped
> Also one goes to me so that I can follow up and make sure that nothing was
> infected.
>
> I will look at the software to make sure that the configuration is still
> correct.
> Thank you for your concern.
>
> Missy Koos
> Career Services and Placement
> [...]

If the recipient is a mailing list, then Antigen appears to send out this
"I've stripped the attachment" message back to the mailing list, not just
to the users on the Antigen-protected system who are on the mailing list
and whose attachments have actually been stripped -- members of the mailing
list who are not on that system have _not_ had their attachments stripped
(unless they have their own anti-virus or content-management software),
so that system is generating potentially hundreds or thousands of bogus
E-mails.

If the address in the "To:" header of the affected E-mail message is not
that of a local user, a system such as Antigen should
(a) look further into the headers or other E-mail information to see
    which local users are really due to get the infected message, and
    send the warning message only to them (who really have had the
    offending attachment squelched); or
(b) assume that it is a mailing list name and either just ignore it or
    send the alert to "mailinglistname-owner@wherever" instead of to
    the whole list;
or possibly both (a) and (b).

If it doesn't, as more and more sites implement anti-virus and/or
content-management scanning, mailing lists will become totally
unworkable.  At present, one virus sent out might generate a handful
of such "I've blocked a virus" messages. Imagine in a year or two when
a single virus is sent out to a major list, and each member of the list
(whether protected from the virus by his/her local system or not) gets
several hundred followup messages about the virus being blocked by some
system somewhere in the world.

This is not entirely far-fetched, even now, as I've recently found out.
I'm on a mailing list which over the weekend apparently processed a
virus-laden message.  The local system that the list server runs on
does checks for viruses and disinfected it in a way that kept the
disinfected attached file as part of the message.  The attachment, while
allegedly neutralized, still had a ".bat" filename ending.  Within a
couple of hours, I (and the other several hundred people on the list)
had at least 15 messages each telling us that various systems (some
Antigen, some other similar products) were blocking all ".bat" file
attachments; plus at least one message from a system telling us that
the ".doc" attachment which one of the other anti-virus checkers had
used as part of ITS warning which was sent out to the list was being
blocked on some other system somewhere.

Since many systems are configuring their E-mail systems to block
attachments by name alone, regardless of whether there is really a
virus present (i.e., content management, rather than anti-virus
protection), it may soon be possible to create an effective denial
of service attack by just sending totally innocuous files with the
right file name extensions out to mailing lists, whose members will
then have to shovel themselves out from under piles of "I've blocked it"
messages which have nothing to do with their own systems.

This is the basis of my opinion that if Antigen can't be set to do either
(a) or (b) above, then maybe it's time to get another filtering product
which can.
--
                                George

------------------------------------------------------------------------
George J Perkins                 [log in to unmask]  Work: 517-432-3820
125 Physics-Astronomy Bldg, MSU  Home: 517-332-2746  FAX:  517-353-4500
East Lansing, MI  48824-1116     http://www.pa.msu.edu/people/perkins/
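The following is an added example, not part of this thread and not Antigen's or any other product's code. It sketches the notification policy George Perkins asks for in options (a) and (b): local "attachment stripped" notices go only to the envelope recipients the gateway actually delivered to, and a non-local To:/Cc: address is treated as a mailing list, so at most one notice goes to the list's -owner address (or none, under an "ignore" policy) instead of being fanned out to the whole list. The local domain, the sample message and the envelope recipients are constructed for illustration; the `naive_targets` function shows what reply-to-header behaviour produces for the same message, which is the amplification the later paragraph on name-based blocking warns about.

```python
# Added example (not Antigen's code, nor any product's): a notification policy
# implementing options (a) and (b) from the message above. Domain names,
# addresses and the sample message are constructed for illustration.
from email import message_from_string
from email.utils import getaddresses

LOCAL_DOMAINS = {"example.edu"}  # constructed: domains this gateway delivers for


def is_local(addr, local_domains=LOCAL_DOMAINS):
    """True if the address belongs to a domain this mail system delivers locally."""
    return "@" in addr and addr.rsplit("@", 1)[1].lower() in local_domains


def header_addresses(raw_message):
    """Addresses visible in To:/Cc: (what a reply-to-header notifier writes to)."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if "@" in addr]


def naive_targets(raw_message):
    """Reply-to-header behaviour: every To:/Cc: address gets a notice,
    including a mailing list address, which then fans the notice out to
    members whose mail this gateway never touched."""
    return sorted(set(header_addresses(raw_message)))


def plan_notifications(raw_message, envelope_rcpts, local_domains=LOCAL_DOMAINS,
                       list_policy="owner"):
    """Decide who should hear that an attachment was stripped.

    (a) Local notices go only to the envelope recipients (RCPT TO) this
        system actually delivered to; those are the users whose copy was
        modified, whatever the To: header says.
    (b) A non-local header address is assumed to be a mailing list: with
        list_policy="owner" a single notice goes to <list>-owner@<domain>;
        with list_policy="ignore" no external notice is sent at all.
    """
    local_delivered = sorted({r.lower() for r in envelope_rcpts
                              if is_local(r, local_domains)})
    external = set()
    for addr in header_addresses(raw_message):
        if is_local(addr, local_domains):
            continue  # local header addresses are covered by the envelope set
        if list_policy == "owner":
            local_part, domain = addr.rsplit("@", 1)
            external.add(f"{local_part}-owner@{domain}")
    return {"local": local_delivered, "external": sorted(external)}


# Constructed sample: a list post whose .bat attachment the gateway stripped
# for three local list members. No real systems or people are referenced.
SAMPLE_MESSAGE = """\
From: poster@elsewhere.example
To: physics-talk@lists.example.org
Cc: alice@example.edu
Subject: weekend results

(body; the results.bat attachment was stripped by the gateway)
"""
SAMPLE_ENVELOPE = ["alice@example.edu", "bob@example.edu", "carol@example.edu"]

if __name__ == "__main__":
    print("naive :", naive_targets(SAMPLE_MESSAGE))
    print("owner :", plan_notifications(SAMPLE_MESSAGE, SAMPLE_ENVELOPE))
    print("ignore:", plan_notifications(SAMPLE_MESSAGE, SAMPLE_ENVELOPE,
                                         list_policy="ignore"))
```

Run as a script it prints the three target sets side by side: the naive plan writes to the list address itself, while the envelope-based plan notifies only the three local members and sends one message to `physics-talk-owner@lists.example.org` (or nothing under the ignore policy). The envelope recipient list is the authoritative record of whose copy the gateway changed; the To: header is merely what the poster wrote.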