A recently installed scanner on the College mail system is dramatically
reducing the threat posed by viruses, worms, and other malicious code
typically delivered by e-mail attachments — intercepting, on average, between
140 and 200 viruses per day.
A virus is a malicious piece of computer code that, when delivered to a
computer, can cause a wide variety of problems. There are different kinds of
viruses, including "trojans," which arrive disguised as another
program, and "worms," which can propagate themselves to other
computers.
Starting in late 2001 and through much of last year, an epidemic of worms
that exploit Windows e-mail programs, such as Outlook and Outlook Express,
swept the Internet. When introduced to a vulnerable computer, a worm e-mails
copies of itself to all the addresses it finds in the computer's address book.
Variants, such as Klez, go further and e-mail randomly selected files from the
host computer to every address they find in the address book.
That's a problem for all affected: those infected are embarrassed and lose
time cleaning up the computer; mail system administrators spend long hours
unclogging mail systems choked with huge volumes of e-mail attachments. And
once a person's computer is cleaned up, another infected attachment can start
the cycle all over again.
Enter Sophos AntiVirus. The virus-scanning software package scans e-mail
looking for attachments with tell-tale signs of infection. This happens in two
ways: by looking at the attachment's file name for suspicious suffixes, and by
scanning the attachment itself. The scan is done by looking for patterns — a
fingerprint — hidden in the code of the attachment.
Messages between Dartmouth BlitzMail users are not scanned, but all
messages that pass through the computers known as mailhub will be checked. That
includes all mail between Dartmouth and the Internet, and all messages to and
from people who use mail programs other than BlitzMail. If the
attachment passes the inspection, a note is added to the message header:
X-MailScanner: No virus detected by mailhub.Dartmouth.EDU, and the attachment
and message are sent on their way.
When a virus is detected, Sophos deletes the attachment, adds a line to the
message header, tacks a "Virus Found" report to the e-mail and sends
the disinfected message to the intended recipient. A message is also relayed to
the sender, telling them that the message carried a malicious payload.
The privacy of the sender, recipient, and the content of the message is
respected: the log file that reports what was found does not record any
identifying information or note anything regarding the message contents, beyond
the type of virus that was found.
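The scanning flow described above, sketched in Python as an added example (not Sophos or Dartmouth code). The suffix list, the signature table, the infected-header wording, and all function names are assumptions; only the "No virus detected" header text comes from this article.

```python
from email.message import EmailMessage

# Assumptions (not from the article): suffix list, signature table, INFECTED wording.
SUSPICIOUS_SUFFIXES = (".exe", ".pif", ".scr", ".vbs", ".bat")
SIGNATURES = {"Constructed/TestWorm": b"CONSTRUCTED-HARMLESS-PATTERN"}  # constructed marker
CLEAN = "No virus detected by mailhub.Dartmouth.EDU"  # header text quoted in the article
INFECTED = "Found to be infected"                      # assumed wording

def inspect(part):
    """Check one attachment: file name suffix first, then content patterns."""
    name = (part.get_filename() or "").lower()
    if name.endswith(SUSPICIOUS_SUFFIXES):
        return "suspicious file name"
    data = part.get_payload(decode=True) or b""
    for virus, pattern in SIGNATURES.items():
        if pattern in data:
            return virus
    return None

def scan(msg, log):
    """Scan msg in place; return a notice for the sender, or None if clean."""
    findings = []
    for part in msg.iter_attachments():      # iterates over a copy of the part list
        finding = inspect(part)
        if finding:
            msg.get_payload().remove(part)   # delete the flagged attachment
            findings.append(finding)
    if not findings:
        msg["X-MailScanner"] = CLEAN
        return None
    msg["X-MailScanner"] = INFECTED
    msg.add_attachment("Virus Found: " + ", ".join(findings), filename="VirusFound.txt")
    log.extend(findings)  # privacy: log only the type found, no addresses or content
    notice = EmailMessage()
    notice["To"] = str(msg["From"])
    notice["Subject"] = "Virus found in a message you sent"
    notice.set_content("Removed attachment(s): " + ", ".join(findings))
    return notice

def sample_message(filename, data):
    """Build a constructed test message with one attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.org", "recipient@example.edu"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg
```
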
The package has proven to be very effective at reducing virus-related
problems. Computing Services is evaluating systems that might help filter spam
— unsolicited commercial e-mail. More on that in a future article.