The danger of Klez warnings

Joseph Brennan brennan at columbia.edu
Wed Sep 11 13:13:10 GMT 2002


We have found ourselves in the position of changing users' addresses
because of Klez virus warnings.  Not Klez-- we can identify and reject
that-- but Klez warnings.

We have two users whose addresses are being faked into the From line
of Klez mail at an astounding rate.  For each, we see 94,000 attempts
per day to relay through smtp.columbia.edu.  All are rejected.  Evidently
there are additional instances that are relayed through other systems
successfully and trigger warnings or accusations from antivirus software. 
One of the users now reports getting dozens of warnings per day with
no end in sight.  This will be the second one who needs a new address,
with all the notifying to friends and associates that is involved.
It's not the Klez-- it's the warnings.

Any virus software that can spot Klez should also avoid sending useless
mail to the faked envelope From.  Most of the bogus warnings do not even
include the original headers, so we cannot even re-send them to the
actual source of the virus.  They are just totally without value.  In
fact they're worse than no value.  They cause needless worry and needless
calls to helpdesk.  A meta-virus, you might say. 

We are now filtering out one of the warnings, for Declude, because it's 
been reported so many times.  We may need to add more, but with every
one using different text, it does not seem practical.

You all might want to check what your system does when it gets a Klez
message.  Please.

Joseph Brennan                           postmaster at columbia.edu
Academic Technologies Group, Academic Information Systems (AcIS)
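As an added example (not part of the original post, and not Columbia's or any antivirus vendor's code), the two defender-side checks the message argues for, written in Python: an antivirus gateway's decision not to warn the envelope sender when the detected malware is known to forge that address, and an inbound filter that recognises such warnings and quarantines the ones that carry no original headers (so cannot be forwarded to the real source). The family list, subject/body patterns and sample messages are all constructed for this example and are assumptions, not copied from any product.

```python
"""Virus-warning backscatter checks. Example code added to illustrate the post;
not the original message's code and not any vendor's. Detection names, the
sender-forging family list, the warning patterns and the sample messages are
constructed for this example (assumptions)."""
import re
from email import message_from_string
from email.message import Message

# Malware families that forge the sender address (assumed list for the example;
# a real gateway would take this from its scanner's detection metadata).
SENDER_FORGING = {"klez", "bugbear", "sobig"}

# Phrases typical of "you sent a virus" notifications (constructed patterns).
WARNING_SUBJECT = re.compile(r"virus (found|detected|alert)|infected (message|mail)", re.I)
WARNING_BODY = re.compile(r"(virus|worm).*(was|has been) (found|detected)", re.I | re.S)
# Quoted original headers that would let a warning be traced to the real source.
TRACE_HEADER = re.compile(r"^(Received|Message-ID):", re.M)


def notify_sender(detection: str) -> bool:
    """Gateway-side policy: may a warning be sent to the envelope sender?
    Returns False when the detected family forges the sender, because that
    address then belongs to an uninvolved victim, not to the infected host."""
    name = detection.lower()
    return not any(family in name for family in SENDER_FORGING)


def _text_body(msg: Message) -> str:
    """Concatenate all text/plain parts of a parsed message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def has_original_headers(msg: Message) -> bool:
    """True if the warning quotes the original message's headers, either as an
    attached message/rfc822 part or inline in the text body."""
    if any(p.get_content_type() == "message/rfc822" for p in msg.walk()):
        return True
    return TRACE_HEADER.search(_text_body(msg)) is not None


def classify_warning(raw: str) -> str:
    """Inbound-side filter. Returns 'not-warning', 'traceable' (warning that
    names the real source, worth forwarding there) or 'quarantine' (warning
    addressed to a forged sender with nothing to act on)."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    if not (WARNING_SUBJECT.search(subject) or WARNING_BODY.search(_text_body(msg))):
        return "not-warning"
    return "traceable" if has_original_headers(msg) else "quarantine"


# Constructed sample messages (assumptions; addresses are documentation domains).
WARNING_NO_HEADERS = """From: av-gateway@example.net
To: user@example.edu
Subject: Virus found in a message you sent

The worm W32/Klez.H was found in a message from your address.
Please disinfect your computer.
"""

WARNING_WITH_HEADERS = WARNING_NO_HEADERS + """
Original message headers:
Received: from infected-pc.example.org ([192.0.2.10]) by mx.example.net
Message-ID: <constructed-id@example.org>
"""

NORMAL_MAIL = """From: friend@example.org
To: user@example.edu
Subject: Lunch on Friday?

Are you free on Friday? Let me know.
"""

if __name__ == "__main__":
    print("notify sender for W32/Klez.H:", notify_sender("W32/Klez.H"))        # False
    print("notify sender for EICAR test:", notify_sender("EICAR-Test-File"))  # True
    for label, raw in (("no headers", WARNING_NO_HEADERS),
                       ("with headers", WARNING_WITH_HEADERS),
                       ("normal mail", NORMAL_MAIL)):
        print(f"{label}: {classify_warning(raw)}")
```

The gateway check is the one that removes the problem at its source: a scanner that can name Klez can also know the sender is forged, and simply not notify. The inbound filter is the fallback the post describes (filtering warnings per product text), generalised to a pattern match plus a "does it quote the original headers" test so that the rare traceable warning is kept while the rest never reach the user.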
