Re: E-mail virus stuff killing my office
From: cquirke (MVP Win9x) (cquirkenews_at_nospam.mvps.org)
Date: Mon, 03 May 2004 23:55:25 +0200
On 30 Apr 2004 17:37:18 -0700, firstname.lastname@example.org (Tim J. Johson)
>We are understaffed, but dedicated in a tough business enviroment. We
>keep getting hit by these stupid e-mail worms, trojan horses, etc.
>Try not to open e-mails that might be infected, but sometimes it is
>tough to tell and to be honest, none of us are that computer savvy,
>and we DO need to use our e-mail.
>Of course we use MS Outlook. And I guess the answer is NOT TO, but I
>think I would have trouble convincing the boss of that....
Darwin take the hindmost...
>We have good Norton antivirus that is updated each week (sometimes
>several times a week) good firewall protection, etc. But we still
>manage to get these darn things.
Of course. Currently you may expect variants of Netsky, Bagle and
MyDoom every few hours, and *every* new malware has a "Day Zero"
period (in your "update each week" case, "Week Zero") during which
your av won't have a clue.
>Sometimes I do the following before opening an e-mail. Does doing this
>without yet opening the e-mail expose you to any virus?
You are using Outbreak, which uses IE's HTML rendering engine. So any
time a defect is found that can be used to run malware as soon as it
is (pre)viewed, you are sitting in Ground Zero. So you need to stay
patched, almost as often as you need your av updated.
See http://cquirke.mvps.org/9x/safe2000.htm as a somewhat dated (not
much on 21st century crucials such as patching, pure worms, firewalls,
commercial malware) primer on safe hex, and follow links from there.
As the "9x" suggests, this stuff is written with Win9x in mind,
whereas you may be using an NT such as Win2000 or XP. So when it gets
into specifics, YMMV... but the basic concepts still apply.
The most important thing to know about email, is that it is NOT enough
to check that it comes from "someone you know". Most malware look for
email addresses to send to on the PC they infected, so most of the
time it *does* come from "someone you know" (specifically, someone's
PC that has your email address visible on it).
So you need to perform the "Turing Test" (Google that, it's
interesting) to know whether a human really intended to send you the
message, as opposed to a malware bot.
If the message from "someone you know" doesn't contain enough info to
satisfy the Turing Test, be ruthless; reply that you have deleted the
attachments unread, and will continue to do so as SOP until they get a
clue and bother to write a non-generic covering message.
I use http://cquirke.mvps.org/9x/mail-rej.txt as a generic emaul
attackment rejection form. It's not particularly friendly - I don't
think ppl too lazy to write message text derseve any better - but it
is a learning opportunity for the recipient and easy for the sender to
paste in and fill in the relevant checkboxes.
"Safe2000" is long, so here's the relevant paste:
Think before you click
Don't even consider "opening" an attachment unless:
* It is from someone you know, and
* The message makes meaningful reference to all files, and
* All files pass virus check with up-to-date virus checker
"Here are the files you requested" is not a meaningful reference to
attached files; several trojans and worms use similar generic phrasing
when sending themselves to addresses stolen from your own "address
book" (Melissa with Outlook) or incoming messages (Zipped_Files
Don't send attachments unless you need to, and if you do, describe
every file you send in a meaningful way. Don't presume the trust of
strangers by sending them unsolicited attachments, especially "joke"
files received from other strangers.
Don't allow active content to run unless you trust the site and the
site needs it to do something important and useful to you (e.g. a
banking site or a sign-up server).
Don't "open" files off a diskette without virus checking first, and
I'd extend that advice even to computer CDs.
Do virus check any files you download off the web before using them.
>-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
>----------------------- ------ ---- --- -- - - - -