[unisog] FWD: [SECURITY] bugbear variant

Jenett Tillotson jtillots at pharmacy.purdue.edu
Sat Jun 7 04:56:12 GMT 2003

I put MIMEDefang on my email server over a year ago.  Since we didn't have
the horsepower to do actual virus scanning, I just remove any attachment
with a "dangerous" extension.  MIMEDefang quarantines the attachment and
instructions are placed in the email message on how to contact me and ask
for the attachment - just in case it was legitimate.  With over 350 users,
I've gotten about 6 requests for legitimate attachments that were removed
(and 1 request for a virus attachment - "no, Mr. User, you REALLY don't
want that attachment - trust me!").

The beautiful thing about MIMEDefang is that it scans every piece of email
that goes through the server whether it's outgoing or incoming, to be
forwarded or not.  This means that even if someone on my network gets a
virus, they can't send out any viruses through my email server.  This has
worked great for the viruses that get sent to mailing lists - it stops the
virus sent to "everyone at pharmacy.purdue.edu" from infecting a dozen or so 
computers each time and even protects people outside our organization.

MIMEDefang has reduced my virus infections on our 350+ PCs from more than
150 a year to about 12 a year.  And the good news is that once a virus
does get into my network, it doesn't spread like wildfire like it used to.

Let me also say that in my opinion, removing potential virus-infected
attachments is the second line of defense.  The first in my mind is user
awareness.  People should be knowledgeable about the dangers of email
communications, how viruses work, and how to protect themselves.  
Training is the single most important way to protect against any security
issue.  I also think that each computer should have a local virus
scanner installed.  You can never be too careful.

It's all about layers and layers and layers of defense...

Jenett Tillotson
School of Pharmacy
Purdue University

On Fri, 6 Jun 2003, Joseph Brennan wrote:

> > We got hit with this today before Norton Antivirus came out with the
> > definitions.
> Or forget the vendors' marketing and just routinely delete email
> attachments with names ending .scr, .pif, and .exe.  That's all
> it takes to stop this one *and the next one*.  Or am I missing
> something?
> Joseph Brennan          Columbia University in the City of New York
> postmaster at columbia.edu                 Academic Technologies Group
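
The extension-based attachment stripping discussed in this thread, as an added example that is not part of either poster's message and is not MIMEDefang's own code. It is written in Python with the standard email package; the blocklist, the notice wording and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist: the three extensions named in the thread.
BLOCKED = (".scr", ".pif", ".exe")
NOTICE = ("The attachment {name!r} was removed from this message\n"
          "and quarantined. Contact the postmaster if you need it.\n")

def is_blocked(filename):
    """True if the name ends in a blocked extension. Case is ignored, as are
    the trailing dots and spaces that Windows drops from file names."""
    if not filename:
        return False
    return filename.strip().rstrip(". ").lower().endswith(BLOCKED)

def declared_names(part):
    """Every file name a part declares: clients differ on whether they use
    Content-Disposition 'filename' or Content-Type 'name', so check both."""
    names = []
    for header, param in (("Content-Disposition", "filename"),
                          ("Content-Type", "name")):
        value = part[header]
        if value is not None and value.params.get(param):
            names.append(value.params[param])
    return names

def strip_dangerous(raw_bytes):
    """Return (cleaned message, [(filename, payload bytes), ...])."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    quarantined = []
    for part in list(msg.walk()):
        if part.is_multipart():
            continue
        bad = [n for n in declared_names(part) if is_blocked(n)]
        if bad:
            quarantined.append((bad[0], part.get_payload(decode=True)))
            part.set_content(NOTICE.format(name=bad[0]))  # replace in place
    return msg, quarantined

def build_sample():
    """Constructed message: one blocked and one harmless attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "a@example.org", "b@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached\n")
    msg.add_attachment(b"constructed bytes", maintype="application",
                       subtype="octet-stream", filename="Card.DOC.scr")
    msg.add_attachment("plain notes\n", filename="notes.txt")
    return msg.as_bytes()
```

Because the check runs on whatever bytes pass through the relay, the same function covers incoming, outgoing and forwarded mail.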
