PLEASE NOTE: As of October 1, 2001, I have stopped maintaining the spreadsheet that tracks virus counts, because with the introduction of Magistr.b, it's become extremely difficult to try to identify viruses by filename. (It's never a good idea to identify viruses by filename. Since this system bounces mail at the gateway, the only purpose of identifying viruses by filename was to generate some useful statistics and perhaps warn some folks that they might be infected with a virus. In an effort to help people, I will still maintain the virus_id.txt file, which one of my scripts uses to warn people of viral infections. It turns out that a number of people are searching the Internet for particular filenames to see if they are viral, and they're finding my virus_id.txt file useful in that endeavor. My only caution would be that identifying viruses by filename is little more than a crapshoot, so take the list with a large grain of salt.)
On December 2, 2000, UTD began bouncing email carrying attachments with certain file extensions at the gateway mail server. We did this because blocking viruses by filename was no longer feasible: Hybris had been released, and it used random filenames, random subject lines and random message bodies. Keeping up with all the variations would have been beyond our capabilities, so we decided to block by extension instead. These pages document what we're doing and the impact it has had on our campus.
We anticipated that bouncing email with certain attachments might be controversial. We also knew that keeping track of statistics would verify (or refute) the rationale for our decision. So, along with bouncing the email, we began collecting data on the types of attachments in the email that was bounced. We also had to design a system of notification for our users, because our MTA (Postfix) sends a cryptic "Content rejected" error message which is meaningless to the average user.
So, I wrote a couple of Perl scripts to do several things. The "virus_count.pl" script sends me email with a count of the total emails bounced, the viruses found with their counts, and a copy of the log so I can examine it. The "virus_mail.pl" script sends email to the sender (and to the recipient if the sender is from another domain) with a notice of the bounce, an explanation of our policy, a copy of the log entry and the identity of the virus, if one was identified.
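To make the pieces above concrete, here is an added example in Python of the whole pipeline: the Postfix header_checks rule that does the bouncing, a parser for the cleanup(8) log lines the rejects produce, the filename-to-virus hash that feeds identification, the counting (including the 0.5 split for ambiguous filenames), and the choice of whom to notify. It is not the page's virus_count.pl or virus_mail.pl, which are Perl and only linked from this page. The blocked-extension list, the virus_id.txt layout, the log lines, the virus name entries and the local domain (utdallas.edu) are all assumptions made for this illustration.

```python
import re
from collections import Counter

# Added Python illustration; the page's own scripts are Perl and only linked.
# The extension list, virus_id layout, log lines and local domain below are
# assumptions made for this example, not UTD's real configuration.

BLOCKED_EXTENSIONS = ("vbs", "vbe", "js", "exe", "scr", "pif", "bat", "com", "shs", "lnk")


def header_check_regex(exts=BLOCKED_EXTENSIONS):
    """Pattern body for a Postfix header_checks pcre entry. Postfix hands the
    map each logical header (folded lines joined); mime_header_checks defaults
    to $header_checks, so the Content-Type/Content-Disposition headers of every
    MIME part are checked too, and one pattern covers both name= and filename=.
    pcre tables are case-insensitive by default, so .EXE and .exe are alike."""
    return (r'^Content-(Type|Disposition):.*(file)?name\s*=\s*"?[^"]*\.('
            + "|".join(exts) + r')"?\s*(;.*)?$')


def header_check_rule(exts=BLOCKED_EXTENSIONS):
    """The entry as written in the pcre: table (pattern, tab, action)."""
    return "/" + header_check_regex(exts) + "/\tREJECT Content rejected"


def rule_matches(header, exts=BLOCKED_EXTENSIONS):
    """Dry-run the rule against one unfolded header using Python's re."""
    return re.search(header_check_regex(exts), header, re.I) is not None


# Constructed virus_id sample: lowercase filename, tab, virus name; "|" marks
# the ambiguous filenames the page counts as 0.5 each.
SAMPLE_VIRUS_ID = """\
annakournikova.jpg.vbs\tVBS/SST
navidad.exe\tW32/Navidad
example.txt.pif\tMTX|Badtrans
"""


def load_virus_ids(text):
    """Build the filename -> [virus names] hash that feeds identification."""
    ids = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fname, _, names = line.strip().partition("\t")
            ids[fname.lower()] = names.split("|")
    return ids


# Constructed lines approximating cleanup(8) logging of a header_checks
# REJECT; the final smtpd line is unrelated noise the parser must skip.
SAMPLE_LOG = """\
Dec  2 10:15:01 mail postfix/cleanup[1234]: 5A3B2C1D: reject: header Content-Type: application/octet-stream; name="AnnaKournikova.jpg.vbs" from mx.example.net[192.0.2.10]; from=<alice@example.net> to=<bob@utdallas.edu> proto=ESMTP helo=<mx.example.net>: 5.7.1 Content rejected
Dec  2 10:16:44 mail postfix/cleanup[1234]: 6B4C3D2E: reject: header Content-Disposition: attachment; filename="example.txt.pif" from mx.example.org[192.0.2.20]; from=<carol@example.org> to=<dave@utdallas.edu> proto=ESMTP helo=<mx.example.org>: 5.7.1 Content rejected
Dec  2 10:20:09 mail postfix/cleanup[1235]: 7C5D4E3F: reject: header Content-Type: application/x-msdownload; name="setup.exe" from mx.example.com[192.0.2.30]; from=<erin@example.com> to=<frank@utdallas.edu> proto=ESMTP helo=<mx.example.com>: 5.7.1 Content rejected
Dec  2 10:21:00 mail postfix/smtpd[1300]: connect from mx.example.com[192.0.2.30]
"""

REJECT_RE = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-F]+): reject: header "
    r"(?P<header>Content-(?:Type|Disposition)): (?P<value>.*?) from \S+; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")
NAME_RE = re.compile(r'(?:file)?name\s*=\s*"?([^";]+)"?', re.I)


def parse_reject_line(line):
    """Queue id, filename, sender and recipient of one bounce, else None."""
    m = REJECT_RE.search(line)
    name = m and NAME_RE.search(m.group("value"))
    if not name:
        return None
    rec = m.groupdict()
    rec["filename"] = name.group(1).strip()
    return rec


def summarize(log_text, ids):
    """What virus_count.pl reports: total bounces plus per-virus and
    per-extension counts; an ambiguous filename adds 0.5 to each candidate."""
    by_virus, by_ext, records = Counter(), Counter(), []
    for rec in filter(None, map(parse_reject_line, log_text.splitlines())):
        records.append(rec)
        by_ext[rec["filename"].rsplit(".", 1)[-1].lower()] += 1
        rec["viruses"] = ids.get(rec["filename"].lower(), [])
        for n in rec["viruses"] or ["unidentified"]:
            by_virus[n] += 1.0 / max(1, len(rec["viruses"]))
    return {"total": len(records), "by_virus": by_virus,
            "by_ext": by_ext, "records": records}


def notice_recipients(rec, local_domain="utdallas.edu"):
    """Whom virus_mail.pl writes to: the sender, plus the local recipient when
    the sender is from another domain (local domain is assumed)."""
    who = [rec["sender"]]
    if not rec["sender"].lower().endswith("@" + local_domain):
        who.append(rec["rcpt"])
    return who


def bounce_notice(rec):
    """Readable replacement for the bare 'Content rejected' users would see."""
    ident = " It looks like %s." % " or ".join(rec["viruses"]) if rec["viruses"] else ""
    return ('Your message to %s was bounced: the attachment "%s" has an '
            "extension our gateway blocks.%s (queue id %s)"
            % (rec["rcpt"], rec["filename"], ident, rec["qid"]))


if __name__ == "__main__":
    print(header_check_rule())
    report = summarize(SAMPLE_LOG, load_virus_ids(SAMPLE_VIRUS_ID))
    for r in report["records"]:
        print(notice_recipients(r), bounce_notice(r))
```

The rule anchors on the extension just before the closing quote or end of the parameter, so "report.exe.txt" is not blocked while "AnnaKournikova.jpg.vbs" is; that is exactly the behaviour that makes blocking by extension workable when filenames are random, and also why the statistics that come out of it can only identify a virus by guessing from the filename.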
What follows are links to copies of the scripts. I hope the extensive comments are explanatory enough, but if you have questions about them, just email me. Each link will open its page in a new browser window, so you can compare things side by side. I used to include an up-to-date copy of the spreadsheet I maintained (through the wonders of "Save As a Web Page" in Excel), so you could see exactly what we were bouncing and how we identified and counted the viruses we bounced. This allows you to look at every file (by filename) that we've bounced, as well as view the daily and monthly statistics we are gathering and a summary of all activity. I stopped maintaining the spreadsheet in September, 2000, because I was concerned about the accuracy of the numbers. Since I am identifying viruses by attachment filename only, it is impossible to be statistically accurate.
It's interesting to note that, since we started doing this, we have had few cases of a "new" virus infection, other than Word macros and the "Funlove" virus. (We seldom get infections anymore. Most reported "infections" are actually detections and cleanings by McAfee. We install and update McAfee automatically from our login scripts.)
The Virus Count script.
The Virus Mail script.
A copy of the Virus ID file that "feeds" the hash for identifying viruses.
A copy of the Rejects Log that shows a typical day's bounces.
A copy of the email I get from the virus_count.pl script.
Some copies of bounce messages.
The spreadsheet that contains all the data. (Please note that the 0.5 counts that you see are filenames that could be either of two viruses; MTX or Badtrans.)
Last modified: Wednesday, 23-May-2007 16:48:58 CDT.