By Diane Poremsky
Another month, another virus. This time it's the fast-moving MyDoom (a.k.a. MiMail.R) that's driving everyone bonkers. You'd think by now people would learn, and for the most part, users are better at recognizing an infected message on their own. Many antivirus programs and firewalls automatically filter out messages carrying *.EXE, *.PIF, *.SCR, and other executable attachments, but let *.ZIP attachments through. Unfortunately, enough people opened the ZIP and ran the executable inside before antivirus signatures were updated to create a flood of worm copies and bogus virus warnings for the rest of us.
My pet peeve today is less with the users who open attachments without thinking than with antivirus installations that have sender notifications enabled. MyDoom collects addresses from any number of sources: text files, Outlook Express's mail store (*.DBX), the Windows Address Book (*.WAB), HTML files, and others. If that doesn't provide enough addresses, it makes them up, combining common first names with domains it finds in the files it scans. It then forges the sender address on every copy it sends, so the "From" address is one of those harvested or invented addresses, not the infected machine. The result: a virus sending messages to and from bogus addresses, antivirus gateways blocking delivery and then adding load to already swamped servers by sending a "you sent an infected message" notification to the forged address. That notice lands on an innocent third party who never sent anything, or on a made-up mailbox that doesn't exist, which in turn generates yet another NDR (Non-Delivery Receipt).
What can administrators do to stop the lunacy? They can begin by turning off virus notifications to Internet addresses. The sender of a mass-mailing worm is forged, so a notice to that address never reaches the infected machine. These notifications create more useless traffic, often exceeding the bandwidth consumed by the worm itself once all the resulting NDRs are counted, and they needlessly scare users into thinking they are infected when they aren't.
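To make the amplification concrete, here is a small simulation of the gateway behaviour described above. This is an added example, not code from the original article or from any product; the worm traffic, the mailbox list and the four notification policies are constructed to model the mechanism, and the domains and addresses are invented.

```python
"""Model of virus-notification backscatter at a mail gateway (constructed example).

A mass-mailer forges the envelope sender, so a gateway that accepts the message and
then 'notifies the sender' is writing to an address that never sent anything.  The
policies below compare how much backscatter each choice produces.
"""
from collections import Counter

INTERNAL_DOMAIN = "example.com"          # the domain this gateway protects (assumed)

# Mailboxes that really exist anywhere in our toy world (constructed).
KNOWN_MAILBOXES = {
    "alice@example.com", "bob@example.com",
    "carol@partner.example.net", "dave@partner.example.net",
}

# Constructed worm traffic as seen by the gateway:
# (forged envelope sender, recipient, how the message arrived).
# "internet"      -> delivered by the worm's own SMTP engine straight to our MX
# "authenticated" -> submitted by one of our own users through our server
WORM_TRAFFIC = [
    ("alice@example.com",         "bob@example.com",           "internet"),
    ("carol@partner.example.net", "alice@example.com",         "internet"),
    ("john@partner.example.net",  "bob@example.com",           "internet"),  # made-up sender
    ("mary@example.com",          "alice@example.com",         "internet"),  # made-up sender
    ("dave@partner.example.net",  "bob@example.com",           "internet"),
    ("jim@partner.example.net",   "alice@example.com",         "internet"),  # made-up sender
    # one local user who forwarded the infected ZIP from their own mailbox
    ("bob@example.com",           "dave@partner.example.net",  "authenticated"),
]

# Each policy answers: should the gateway send a "you sent a virus" notice?
POLICIES = {
    "notify_every_sender":         lambda sender, source: True,
    "notify_internal_domain_only": lambda sender, source: sender.endswith("@" + INTERNAL_DOMAIN),
    "notify_authenticated_only":   lambda sender, source: source == "authenticated",
    "reject_at_smtp":              lambda sender, source: False,  # refuse during SMTP, emit nothing
}


def gateway_outcome(traffic, policy_name):
    """Count what the gateway emits for virus-flagged mail under one policy."""
    should_notify = POLICIES[policy_name]
    out = Counter()
    for sender, recipient, source in traffic:
        out["virus_blocked"] += 1                 # every copy is caught; none is delivered
        if not should_notify(sender, source):
            continue
        out["notifications_sent"] += 1
        if source == "authenticated":
            out["useful_notification"] += 1       # sender is known: the notice reaches the right person
        elif sender not in KNOWN_MAILBOXES:
            out["bounced_as_ndr"] += 1            # made-up address: notice comes back to us as an NDR
        else:
            out["innocent_third_party"] += 1      # real address whose owner never sent anything
    return out


def backscatter(outcome):
    """Messages that did nothing but add load and confusion."""
    return outcome["bounced_as_ndr"] + outcome["innocent_third_party"]


def compare_policies(traffic=WORM_TRAFFIC):
    """Return {policy: (notifications_sent, backscatter, useful_notification)}."""
    result = {}
    for name in POLICIES:
        o = gateway_outcome(traffic, name)
        result[name] = (o["notifications_sent"], backscatter(o), o["useful_notification"])
    return result


if __name__ == "__main__":
    for name, (sent, junk, useful) in compare_policies().items():
        print(f"{name:28s} notifications={sent} backscatter={junk} useful={useful}")
```

Restricting notices to the internal domain helps only a little, because the worm forges internal addresses too; the backscatter disappears only when the gateway notifies nobody it cannot vouch for, either by refusing the message during the SMTP session or by notifying only authenticated submissions.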
One administrator had this to say:
I spent more time today assuring clients that they haven't got the virus because of these types of NDRs. The worst one had this as part of its text:
'This notice is sent as a courtesy so that you have the option of contacting your user and helping them get rid of the virus. This message was sent by Declude Virus. If your mail server had better virus protection, it would have caused less work for our server and could have prevented one of your users from getting a virus.'
I told my client that if the NDR sender had a better administrator 90% of their problems would disappear.
To learn more about how MyDoom works, see http://www.viruslist.com/eng/viruslist.html?id=841769.
This is also a good time for network administrators to review and update the policy on which attachment extensions are blocked, decide whether archives such as ZIP files are inspected rather than waved through, and find another way for users to transfer files. Email is a convenient way for users to transfer files, but network security is more important.
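As an added example of what such an attachment policy might check, the code below blocks executable extensions, looks inside ZIP attachments (including nested ones) for the same extensions, and refuses archives it cannot inspect. This is not code from the article or from any antivirus product; the extension list is an assumed policy, and the sample attachments are constructed in memory.

```python
"""Attachment-extension policy with ZIP inspection (constructed example)."""
import io
import posixpath
import zipfile

# Assumed block list; a real policy would be tuned to the organisation.
BLOCKED_EXTENSIONS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js", "hta", "cpl"}
MAX_NESTING = 2          # refuse archives nested deeper than this rather than keep unpacking


def extension_chain(filename):
    """All extensions of a name, lowercased: 'report.txt.exe' -> ['txt', 'exe'].

    Each part is stripped so that 'readme.txt        .scr' (spaces padded in to push
    the real extension off-screen) still ends in 'scr'.
    """
    name = posixpath.basename(filename.replace("\\", "/")).strip()
    return [p.strip().lower() for p in name.split(".")[1:]]


def is_blocked_name(filename):
    exts = extension_chain(filename)
    return bool(exts) and exts[-1] in BLOCKED_EXTENSIONS


def is_archive_name(filename):
    return extension_chain(filename)[-1:] == ["zip"]


def inspect_zip(data, prefix="", depth=0):
    """Return [(member_path, reason)] for every member that violates policy."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix or "<attachment>", "not a valid ZIP; refusing to pass uninspected content")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.flag_bits & 0x1:                       # general-purpose bit 0: encrypted
                findings.append((path, "encrypted member cannot be scanned"))
            elif is_blocked_name(info.filename):
                findings.append((path, f"blocked extension '{extension_chain(info.filename)[-1]}'"))
            elif is_archive_name(info.filename):
                if depth + 1 >= MAX_NESTING:
                    findings.append((path, "archive nested too deeply to inspect"))
                else:
                    findings.extend(inspect_zip(zf.read(info), path + "/", depth + 1))
    return findings


def check_attachment(filename, data):
    """Return (allowed, findings) for one attachment under the assumed policy."""
    if is_blocked_name(filename):
        return False, [(filename, f"blocked extension '{extension_chain(filename)[-1]}'")]
    if is_archive_name(filename):
        findings = inspect_zip(data, filename + "/")
        return not findings, findings
    return True, []


def build_sample_zip():
    """Constructed ZIP: one harmless file, one padded double extension, one nested ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as izf:
        izf.writestr("readme.pif", b"MZ not a real program")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("document.txt", "harmless text")
        zf.writestr("document.txt                          .scr", b"MZ not a real program")
        zf.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for name, data in [("document.zip", build_sample_zip()),
                       ("notes.txt", b"hello"),
                       ("setup.exe", b"MZ"),
                       ("broken.zip", b"this is not a zip")]:
        allowed, findings = check_attachment(name, data)
        print(name, "ALLOW" if allowed else "BLOCK", findings)
```

Looking inside the archive is what separates this from the extension filters that let MyDoom's ZIP through; refusing anything that cannot be opened or is nested too deeply keeps a malformed or deliberately bulky archive from becoming a way around the check.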