Interesting People mailing list archives

Can't catch it? A virus can still hurt you. Risks Digest 22.89


From: Dave Farber <dave () farber net>
Date: Tue, 02 Sep 2003 19:50:47 -0400


----------------

Date: Wed, 27 Aug 2003 15:41:08 +1200
From: "Dr Richard A. O'Keefe" <ok () cs otago ac nz>
Subject: Can't catch it?  A virus can still hurt you.

I thought I was safe.  My mail machine is an Alpha running OSF/1.  I use
mailx, which not only doesn't do anything in particular with attachments, it
wouldn't know an attachment if one bit it in the backside.  I suppose it's
theoretically possible to write a virus or worm for the Alpha, but there's
not that much thrill in persecuting orphans; the bad guys much prefer going
after idiot boxes.  So I thought no virus could possibly pose a threat to
*my* mail.

Wrong.

My mail comes through the University's Information Technology Services.
Quoting their recent "ITS Incident Report: E-Mail Services #2",

  E-Mail from off-campus destinations was lost by the University e-mail
  system from approximately 5:00 am until 4:45 pm on August 23.  People will
  have received an e-mail from the sender that contained no subject line or
  content.

In fact I received a couple of hundred such messages.  How could that be?
Continuing the quote:

  Since Wednesday August 20 [to Monday August 25] the University has
  received over 120,000 copies of the Sobig-F virus. ...  The University
  e-mail hubs scan all e-mail messages for viruses.  Any e-mail that
  contains a virus is quarantined and no further delivery attempts are made.
  The quarantined e-mail messages are occasionally analysed in order to
  trace the origins of viruses, with old e-mail messages purged as required.

So far so good.  They try hard to stop viruses getting through, and they
monitor the bad stuff so they can do a better job.  BUT

  With the advent of Sobig-F, the number of e-mail messages quarantined grew
  dramatically.  The file system on the mailhubs only permits 32,000 files
  per directory.  On Thursday last week one of the mailhubs hit this limit.
  At this time it was thought that the large number of quarantined e-mail
  messages was due to historical data not being purged.  However, another
  32,000 virus infected e-mail messages were intercepted by each of the
  mailhubs over the next 36 hours which caused similar failures to the one
  on Thursday.

  As a result of these failures, incoming e-mail messages could not be
  written to disk for virus and spam scanning.  When the system went to send
  on the e-mail to its destination, only the sender data was retained.

OOPS.  In hindsight, it was a bad idea to store quarantined messages and
good ones on the same file system, and it might not have been such a good
idea to store each quarantined message as a separate file.  However, I'm
pretty sure I wouldn't have thought of that without the benefit of
hindsight.

  The e-mail messages that have had their content lost are not recoverable.
  The only way for you to know the contents of those e-mail messages is to
  ask for the sender to resend the message(s).  You are urged to take care
  to only request a resend from known senders.  In the event that a request
  for a resent message is made to a spammer, you are likely to receive
  greater volumes of spam in the future.

The really sad thing here is that the guys in ITS *do* have a clue or two,
and were trying to do their job.

  ITS has now stopped retaining blocked e-mail messages containing viruses.

Oh dear.  Retaining messages was a *good* thing.  The sheer volume of bad
stuff has stopped them doing it.  Death of the net?  Oh yes, it's entirely
forgivable that they didn't spend a lot of time thinking about the problem
on Thursday, because tech support people around the campus have been as busy
as one-armed paperhangers trying to clean up after Blaster and Sobig-F.
Yes, they *do* stop those things entering through the network.  Yes, they
*do* provide up-to-date anti-virus software.  However, people _will_ run
Windows on their laptops, take them home, and bring the infection back...

Instead of just deleting all virus messages, I think it would be better to
retain a random sample of (say) 30,000 of them.

So I've learned something:  I can lose a couple of hundred messages because
of a virus my machine didn't catch and cannot catch, because of what the
virus did to a mail hub that didn't and couldn't catch it either.

I've also learned that if I receive e-mail without content or subject
line, I probably shouldn't delete it all, like I did.  Sigh.

  [The quoted text was quite sloppy.  Vastly too many "(sic.)"s have been
  removed, and various garbles fixed to make this message more readable.
  My apologies if I missed a few!  PGN]

-------------------------------------

Archives at: http://www.interesting-people.org/archives/interesting-people/
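The quarantine design the post circles around (a store kept apart from the mail spool, no one-file-per-message pile in a single directory, and a bounded random sample of retained messages instead of every copy) as an added Python example; this is not code from the original message or from the University's ITS. The capacity, the fan-out, the file naming and the constructed worm-like messages are assumptions for illustration.

```python
import hashlib
import os
import random
import tempfile


class Quarantine:
    """Keep at most `capacity` quarantined messages, chosen uniformly at random
    from everything offered (reservoir sampling, Algorithm R), spread over
    `fanout` subdirectories so no single directory fills up."""

    def __init__(self, root, capacity, fanout=256, rng=None):
        # `root` should sit on its own filesystem, not the one the mail
        # spool uses, so a full quarantine cannot stall normal delivery.
        self.root = root
        self.capacity = capacity      # the post suggests 30,000
        self.fanout = fanout
        self.rng = rng or random.Random()
        self.seen = 0                 # messages offered so far
        self.kept = []                # paths currently on disk (the reservoir)
        self.write_failures = 0

    def _path(self, seq, raw):
        # Hash the sequence number with the content so 120,000 identical
        # worm copies still get distinct names, spread evenly over `fanout`.
        digest = hashlib.sha256(seq.to_bytes(8, "big") + raw).hexdigest()
        bucket = int(digest[:8], 16) % self.fanout
        sub = os.path.join(self.root, f"{bucket:03x}")
        os.makedirs(sub, exist_ok=True)
        return os.path.join(sub, f"{seq:010d}-{digest[:16]}")

    def _store(self, seq, raw):
        path = self._path(seq, raw)
        try:
            with open(path, "wb") as fh:
                fh.write(raw)
        except OSError:
            # A failed quarantine write is a quarantine problem only; the
            # caller still delivers or rejects the message as usual.
            self.write_failures += 1
            return None
        return path

    def quarantine(self, raw):
        """Offer one intercepted message; return True if a copy was retained."""
        self.seen += 1
        if len(self.kept) < self.capacity:
            path = self._store(self.seen, raw)
            if path is None:
                return False
            self.kept.append(path)
            return True
        # Algorithm R: the n-th message replaces a random slot with
        # probability capacity/n, so every message seen is equally likely
        # to be in the sample and the store never exceeds `capacity` files.
        j = self.rng.randrange(self.seen)
        if j >= self.capacity:
            return False
        path = self._store(self.seen, raw)
        if path is None:
            return False
        os.remove(self.kept[j])
        self.kept[j] = path
        return True

    def files_per_directory(self):
        return [len(os.listdir(os.path.join(self.root, d)))
                for d in sorted(os.listdir(self.root))]


def simulate(n_messages, capacity, fanout=64, seed=1):
    """Flood a fresh store with n constructed worm-like messages and report
    what is left on disk afterwards."""
    with tempfile.TemporaryDirectory() as root:
        q = Quarantine(root, capacity, fanout, random.Random(seed))
        for i in range(n_messages):
            # Constructed sample: identical payload, distinct Message-ID,
            # as a mass mailer sends it.  Not a real worm body.
            raw = (f"Message-ID: <{i}@example.invalid>\r\n"
                   "Subject: Re: Details\r\n\r\nMZ...\r\n").encode()
            q.quarantine(raw)
        per_dir = q.files_per_directory()
        seqs = [int(os.path.basename(p).split("-")[0]) for p in q.kept]
        return {
            "seen": q.seen,
            "on_disk": sum(per_dir),
            "max_per_dir": max(per_dir, default=0),
            "latest_seq_kept": max(seqs, default=0),
            "write_failures": q.write_failures,
        }


if __name__ == "__main__":
    print(simulate(5000, 300))
```

With 5,000 copies offered and a capacity of 300, the store holds exactly 300 files spread over 64 directories, and the surviving sample includes messages from late in the flood, which is what the post's "random sample of (say) 30,000" asks for and what a fixed-size, first-come store cannot give.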