
Who Should You Warn?

The above apology does highlight the question, who should you warn about an infected email? The situation is not simple, and recent viruses have made it more difficult. To some extent, it depends on organisation policies, but these suggestions are probably suitable in most cases:

All Messages

The anti-virus administrator should get all warnings. This is useful for statistics showing the severity of the virus problem, and for diagnostics when tracing problems. Whether this is implemented as messages to the administrator's pager or as a line in a log file the administrator can access will depend on the administrator's preference and the volume of alerts.

Outgoing Messages

The sender should be warned; the recipient should not be warned. Most organisations do not want to advertise that they have a virus incident. When the sender is warned, they should follow the standard procedure for a virus incident (contact technical support, get the infection cleaned), before resending their message.

Incoming Messages

The sender and recipient should be warned. It is polite to warn the sender that their message is being blocked, and why. It is useful for the recipient to receive a warning, so that they can be aware someone is trying to contact them but is failing (were they waiting for that big P.O.?).

Internal Messages

When the message is to and from the same organisation, then it is really up to internal policy. Probably alerting both sender and recipient is appropriate.

Exceptions

Mailing Lists

As we inadvertently demonstrated (sorry!), sending a message to an entire mailing list when just one member is infected is unnecessary. Unfortunately, there is no way for an anti-virus scanner to determine whether a recipient address is a single user or a whole list. Ensuring that warning messages are sent from an address that is not a moderator or member of any list does prevent this on moderated and member-only lists.

Forged Email

An increasing number of email worms, including two of the currently most common ones, W32/Bugbear.A and W32/Klez.H, forge the sender's address, so that there is no reliable way of determining where they arrived from. In this case, warning the apparent sender is worse than useless: at best, it wastes the time of an innocent party; at worst, people take damaging action in a misguided attempt to get rid of a non-existent infection, or start ignoring all warnings, even when they really have been infected.

One solution would be to stop warning the sender in all cases, but this would make the situation worse for viruses where the sender can be reliably identified. W32/Klez.H, a virus that forges the sender's address, has persisted at high levels in the wild far longer than similar viruses that do not forge the sender's address. This strongly suggests that an important factor in eliminating viruses is people (or email scanners) who use updated anti-virus software telling people who do not that they are infected.

A better solution would be an email anti-virus scanner that is aware of which viruses forge the sender's address, and which modifies its alerting behaviour accordingly. Unfortunately, I am not aware of any gateway products that have this sophisticated adaptive capability.
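As an added example (not part of the original article, nor any vendor's product), the alerting policy described above can be expressed as a small routing function: the message direction is classified from the organisation's own domains, the administrator always receives the alert, and the sender is warned only when the detected family is not one known to forge addresses. The domain, the addresses and the non-forging detection name are constructed for the example; only W32/Bugbear.A and W32/Klez.H come from the article.

```python
# Constructed configuration for this example (not a real deployment).
LOCAL_DOMAINS = {"example.com"}          # the organisation's own mail domains
AV_ADMIN = "av-admin@example.com"        # gets every alert, for statistics and diagnostics
ALERT_FROM = "av-alerts@example.com"     # must not be a member/moderator of any list

# Detection names of worms known to forge the sender address (from the article).
FORGES_SENDER = {"W32/Bugbear.A", "W32/Klez.H"}


def is_local(addr: str) -> bool:
    """True if the address belongs to one of the organisation's own domains."""
    return addr.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def classify(sender: str, recipient: str) -> str:
    """Classify the message as 'internal', 'outgoing' or 'incoming'."""
    sender_local, recipient_local = is_local(sender), is_local(recipient)
    if sender_local and recipient_local:
        return "internal"
    if sender_local:
        return "outgoing"
    return "incoming"


def alert_targets(sender: str, recipient: str, virus: str) -> set:
    """Return the set of addresses that should be warned about a blocked message.

    Policy: the administrator always; outgoing -> sender only (never the
    recipient, to avoid advertising the incident); incoming -> both;
    internal -> both. The sender is dropped whenever the detected family is
    known to forge the From address, since warning it would be useless.
    """
    targets = {AV_ADMIN}
    direction = classify(sender, recipient)
    sender_reliable = virus not in FORGES_SENDER

    if direction in ("incoming", "internal"):
        targets.add(recipient)
    if sender_reliable:
        targets.add(sender)      # outgoing, incoming and internal all warn the sender
    return targets


def build_alerts(sender: str, recipient: str, virus: str) -> list:
    """One alert per target, always sent from ALERT_FROM so a forwarded warning
    cannot be redistributed to a whole mailing list."""
    return [{"from": ALERT_FROM, "to": t, "subject": f"Message blocked: {virus} detected"}
            for t in sorted(alert_targets(sender, recipient, virus))]
```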