[unisog] should one pull the plug in worm outbreak?

Patrick O'Callaghan poc at usb.ve
Thu Dec 6 13:22:54 GMT 2001

On Wed, 2001-12-05 at 19:58, Russell Fulton wrote:
> On Wed, 05 Dec 2001 08:21:39 -0800 Greg Francis <francis at gonzaga.edu> 
> wrote:
> > 
> > We currently have around 1200 workstations on the main network so our hit
> > isn't nearly as bad as what it would be for a large university.
> > 
> We are going throught the same process with thousands of machines,  we 
> have been at it for months, one faculty at a time.
> The problem is that Antivirus software (unless it is heuristic based) 
> can not help with these fast spreading worms.  We go our first 
> infection at least 2 hours before NAV made the updates available. Since 
> this one had a simple subject line we were able to block it using 
> Sendmail configs, but not fast enough to stop it hitting several large 
> internal lists :(

There's actually a very effective measure that will stop a large
percentage of the most popular viruses: prohibit the use of Outlook. I
wonder why no-one ever seems to mention this? We don't exactly prohibit
it but we do tell people in strong terms that we don't support it and
they should look for a safer alternative (Netscape Messenger for

The excuse a few people give for using Outlook is that they want the
calendering features, but there are alternatives (e.g. Evolution on
Linux, iPlanet Calendar, webevent.com etc.). The real reason is that
it's the path of least resistance for Windows users.

Universities are particularly sensitive about prohibiting stuff, and
with reason, but consider this: if you find a machine on your internal
network that constantly floods your servers with DOS attacks, what do
you do? You pull the plug *on the user's machine* and then talk to the
user. It's part of your responsability in maintaining a service. An
Outlook user spreading viruses is to my mind no different.


Prof. Patrick O'Callaghan <poc at usb.ve> <http://www.ldc.usb.ve/~poc>
Director de Servicios Telemáticos (Director of Telematics Services)
Universidad Simón Bolívar, Caracas, Venezuela             | "Errare
Tel: +58 (212) 906-3200, 3201; FAX: +58 (212) 906-3202    | uHmanum
NIC handle: PO22-ARIN        (Postal address on request)  |   Est"

More information about the unisog mailing list