Interesting People mailing list archives
Can't catch it? A virus can still hurt you. Risks Digest 22.89
From: Dave Farber <dave () farber net>
Date: Tue, 02 Sep 2003 19:50:47 -0400
----------------

Date: Wed, 27 Aug 2003 15:41:08 +1200
From: "Dr Richard A. O'Keefe" <ok () cs otago ac nz>
Subject: Can't catch it? A virus can still hurt you.

I thought I was safe. My mail machine is an Alpha running OSF/1. I use mailx, which not only doesn't do anything in particular with attachments, it wouldn't know an attachment if one bit it in the backside. I suppose it's theoretically possible to write a virus or worm for the Alpha, but there's not that much thrill in persecuting orphans; the bad guys much prefer going after idiot boxes. So I thought no virus could possibly pose a threat to *my* mail.

Wrong.

My mail comes through the University's Information Technology Services. Quoting their recent "ITS Incident Report: E-Mail Services #2":

    E-Mail from off-campus destinations were lost by the University
    e-mail system from approximately 5:00 am until 4:45 pm on August 23.
    People will have received an e-mail from the sender that contained
    no subject line or content.

In fact I received a couple of hundred such messages. How could that be? Continuing the quote:

    Since Wednesday August 20 [to Monday August 25] the University has
    received over 120,000 copies of the Sobig-F virus. ... The University
    e-mail hubs scan all e-mail messages for viruses. Any e-mail that
    contains a virus is quarantined and no further delivery attempts are
    made. The quarantined e-mail messages are occasionally analysed in
    order to trace the origins of viruses, with old e-mail messages
    purged as required.

So far so good. They try hard to stop viruses getting through, and they monitor the bad stuff so they can do a better job. BUT

    With the advent of Sobig-F, the number of e-mail messages quarantined
    grew dramatically. The file system on the mailhubs only permits
    32,000 files per directory. On Thursday last week one of the mailhubs
    hit this limit. At this time it was thought that the large number of
    quarantined e-mail messages was due to historical data not being
    purged.

    However, another 32,000 virus-infected e-mail messages were
    intercepted by each of the mailhubs over the next 36 hours, which
    caused similar failures to the one on Thursday. As a result of these
    failures, incoming e-mail messages could not be written to disk for
    virus and spam scanning. When the system went to send on the e-mail
    to its destination, only the sender data was retained.

OOPS. In hindsight, it was a bad idea to store quarantined messages and good ones on the same file system, and it might not have been such a good idea to store each quarantined message as a separate file. However, I'm pretty sure I wouldn't have thought of that without the benefit of hindsight.

    The e-mail messages that have had their content lost are not
    recoverable. The only way for you to know the contents of those
    e-mail messages is to ask for the sender to resend the message(s).
    You are urged to take care to only request a resend from known
    senders. In the event that a request for a resent message is made to
    a spammer, you are likely to receive greater volumes of spam in the
    future.

The really sad thing here is that the guys in ITS *do* have a clue or two, and were trying to do their job.

    ITS has now stopped retaining blocked e-mail messages containing
    viruses.

Oh dear. Retaining messages was a *good* thing. The sheer volume of bad stuff has stopped them doing it. Death of the net?

Oh yes, it's entirely forgivable that they didn't spend a lot of time thinking about the problem on Thursday, because tech support people around the campus have been as busy as one-armed paperhangers trying to clean up after Blaster and Sobig-F. Yes, they *do* stop those things entering through the network. Yes, they *do* provide up-to-date anti-virus software. However, people _will_ run Windows on their laptops, take them home, and bring the infection back...

Instead of just deleting all virus messages, I think it would be better to retain a random sample of (say) 30,000 of them.

So I've learned something: I can lose a couple of hundred messages because of a virus my machine didn't catch and cannot catch, because of what the virus did to a mail hub that didn't and couldn't catch it either. I've also learned that if I receive e-mail without content or subject line, I probably shouldn't delete it all, like I did. Sigh.

[The quoted text was quite sloppy. Vastly too many "(sic.)"s have been removed, and various garbles fixed to make this message more readable. My apologies if I missed a few! PGN]
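The post names three design faults (quarantine sharing a file system with the live spool, one file per quarantined message in a single directory, no bound on how many are retained) and suggests the fix of keeping a random sample of about 30,000. The sketch below is an added example written for this archive page; it is not the University's mail hub code, and the class and function names, the 256-way sharding and the sample messages are all assumptions. It keeps the quarantine on a directory tree of its own, spreads files across hashed subdirectories so no directory ever approaches a per-directory entry limit, and bounds the store with reservoir sampling so that the messages kept are a uniform random sample of everything ever quarantined.

```python
"""Bounded, sharded mail quarantine (illustrative example, not the ITS code).

Assumed design: the quarantine root lives on its own file system, separate
from the inbound spool, so a flood of virus mail cannot starve scanning of
legitimate messages; files are spread over 256 subdirectories; and at most
`cap` messages are retained, chosen by reservoir sampling (Algorithm R).
"""
import hashlib
import os
import random
import tempfile


class Quarantine:
    def __init__(self, root, cap=30000, rng=None):
        self.root = root
        self.cap = cap                      # upper bound on files kept on disk
        self.rng = rng if rng is not None else random.Random()
        self.seen = 0                       # virus messages offered so far
        self.kept = []                      # paths currently in the sample

    def _path_for(self, message_id):
        # Shard by a hash of the message id: 256 subdirectories keyed on the
        # first hex byte, so no single directory accumulates every file.
        digest = hashlib.sha256(message_id.encode("utf-8")).hexdigest()
        shard = os.path.join(self.root, digest[:2])
        os.makedirs(shard, exist_ok=True)
        return os.path.join(shard, digest)

    def _write(self, message_id, raw):
        path = self._path_for(message_id)
        tmp = path + ".tmp"
        with open(tmp, "wb") as fh:
            fh.write(raw)
        os.replace(tmp, path)   # atomic rename: never a half-written file
        return path

    def offer(self, message_id, raw):
        """Decide whether to retain one virus-bearing message for analysis.

        Returns 'kept' (sample not yet full), 'replaced' (sampled in,
        evicting one earlier message) or 'sampled_out' (not retained).
        Delivery of clean mail never depends on this decision.
        """
        self.seen += 1
        if len(self.kept) < self.cap:
            self.kept.append(self._write(message_id, raw))
            return "kept"
        # Reservoir sampling: the i-th message survives with probability
        # cap/i and displaces a uniformly chosen earlier one.
        j = self.rng.randrange(self.seen)
        if j < self.cap:
            os.remove(self.kept[j])
            self.kept[j] = self._write(message_id, raw)
            return "replaced"
        return "sampled_out"

    def files_on_disk(self):
        """Count retained files actually present (temp files excluded)."""
        return sum(
            1 for _, _, names in os.walk(self.root)
            for name in names if not name.endswith(".tmp")
        )

    def max_files_in_one_dir(self):
        """Largest directory fan-out; this is what the 32,000 limit hits."""
        return max((len(names) for _, _, names in os.walk(self.root)), default=0)


def simulate_flood(n_messages, cap, seed=1):
    """Feed n_messages constructed virus-flagged messages through a fresh
    quarantine in a temporary directory; return the store and a verdict tally."""
    root = tempfile.mkdtemp(prefix="quarantine-")
    q = Quarantine(root, cap=cap, rng=random.Random(seed))
    tally = {"kept": 0, "replaced": 0, "sampled_out": 0}
    for i in range(n_messages):
        # Constructed stand-in for a quarantined message body.
        raw = b"From: sender%d@example.invalid\r\nSubject: constructed sample\r\n\r\n" % i
        tally[q.offer("msg-%d" % i, raw)] += 1
    return q, tally


if __name__ == "__main__":
    q, tally = simulate_flood(2000, cap=50)
    print(tally, "on disk:", q.files_on_disk(), "max per dir:", q.max_files_in_one_dir())
```

Running the simulation with 2,000 offered messages and a cap of 50 leaves exactly 50 files on disk, spread across many shard directories, whatever the flood volume; the first 50 are always kept and every later one has a 50/i chance of replacing an earlier one. The point the incident makes is the separate one: even with this bound, the quarantine must sit on a file system the inbound spool does not depend on, and when it cannot accept a message the mail path should temp-fail and retry rather than pass on an envelope with no content.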