
Email Virus - False Alarms

Automatic email warning messages from anti-virus systems, mail servers and mail gateways, or simply people reporting that a virus was received from you, are generating 'false alarms'.

False Alarms

There are several types of message that are causing false alarms:

  • Cleaned versions of a real virus - automatic anti-virus systems let 'cleaned' virus messages through.
  • Error reports about viruses that fake the sender's address - these can get sent back to the wrong person.
  • False undeliverable mail messages - if the sender's address is faked, undelivered mail will be returned to the wrong person.

False Error Reports

Many of the current email viruses/worms fake the 'sender's name', making the virus appear to come from somewhere other than its actual source. This is designed to mislead 'virus investigators' and anti-virus programs. And it does - causing false alarms to be sent out.

Example Report:

_____________________________________________

The MessageLabs SkyScan Anti-Virus service discovered a possible virus
or unauthorised code (such as a joke program
or trojan) in an email sent by you.

The email has now been quarantined and was not delivered.

Please read the whole of this email carefully. It
explains what has happened to your email, which suspected
virus has been caught and what to do if you need help
addressing the problem.

To help identify the quarantined email:

The message sender was
a.person@lancaster.ac.uk

The message recipients were
a.person@imeche.org.uk

The message title was Hello
The message date was Tue, 27 Jan 2004 11:16:09 +0000
The virus or unauthorised code identified in the email is

>>> W32/MyDoom.A in '390205_2X_PM4_EMS_MA-OCTET=2DS__doc.pif'

_____________________________________________

'Address faking' worms do the following:

1. a PC gets infected with an 'address faking' virus/worm, such as 'SoBig', by someone opening an infected attachment.
2. that PC then (silently) sends out large numbers of emails with the virus/worm in an attachment to addresses from the owner's address book:

  • if you get an infected email - the anti-virus system of your email provider (or your own PC) may detect this and notify you - this is good news - you are NOT infected.
  • but IMPORTANTLY, the virus/worm fakes the 'sender's address' (also using addresses found on the PC - again, your address could be used) - so you can NOT tell who sent it.
  • the infected emails are then discovered by a person (or an automatic anti-virus system) and an email is sent back to the (faked) sender's email address (which could be you).

3. when the infected emails go out - some of them go to non-existent email addresses and get returned by the system to THE WRONG EMAIL address - they get automatically returned to the fake address (which could be you).
4. when the infected emails go out - some of them could land in the inbox of someone who has 'Out of Office' switched on which will send back an email to the fake address (again this could be you).

To summarize:

If your email address has been used in the 'sender's field' instead of the genuine originator, you will get 'false alarm' email messages sent to you because:

  • some anti-virus programs send out automatic warnings to the originator of virused email messages. If the 'sender's name' has been falsified, the warnings are sent to the wrong place (you).
  • sometimes individuals will send warnings back to the source of an email virus they have received. Again, if the sender's name has been falsified - these warnings will go to the wrong place (you).
  • you may get 'returned undeliverable email' because the virus has sent out email to defunct addresses and the email system has returned the undelivered email to the falsified sender's address (you).


The result is that people receive a lot of false notifications that their PCs are infected when they are not infected.

Solutions

There is not much you can do about these false alarms, as the name of the actual sender of the virused messages has been replaced by your name. What you can do is:

  • check whether the virus/worm (being warned about) fakes the sender's address (or not):

    • check the Symantec virus pages.
    • ring the Help Desk - 0845 45 01254.
  • do NOT forward virus warnings by email.
  • ensure that your anti-virus software is working and up-to-date.
  • for peace of mind, scan your PC for viruses.
  • if you get a lot of 'warnings' from one place - block the email from that address.

Implications

It would seem that:

  • we should NOT warn people about virus infections using email.
  • we (preferably) should NOT use 'Out of Office' to notify people we are away.
  • all we can do is ensure that our system is clean and as secure as possible.

Cleaned Viruses Get Through

Many email systems protect against viruses. The anti-virus systems remove the infected attachment and send on the message. The message arrives with a short text attachment which explains that the original (infected) attachment has been removed.

The name of the replacement attachment will be something like:

Deleted attachment.txt

These 'replacement' attachments are safe to open and will inform you of what virus was detected and removed.

This behavior may seem strange, but sometimes viruses infect (add themselves to) genuine messages. The automatic systems are designed not to remove the whole message in case a genuine original message is deleted.

Returned Undeliverable Messages

Faked sender names can cause 'false undeliverable mail' returns. An example of an 'undeliverable mail' report:

____________________________________________

Your message did not reach some or all of the intended recipients.
Subject: TEST
Sent: 27/01/2004 15:19

The following recipient(s) could not be reached:

linda@disney.com on 27/01/2004 15:24

The e-mail account does not exist at the organization
This message was sent to. Check the e-mail address, or
contact the recipient directly to find out the correct
address.


____________________________________________

Another person's virus-compromised system may have sent out lots of emails in your name to a wide range of addresses, new and old (harvested from various places on its hard disk), and some of these messages will have gone to non-existent addresses, which send back 'message undelivered' notices. As you didn't send the messages, either yourself or because of a virus on your own PC, you may be puzzled.
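The two kinds of false alarm described above (warnings from anti-virus gateways, and returned undeliverable mail) share one tell-tale: the quoted original message never passed through your own mail servers, because the 'sender' was forged on someone else's PC. The following Python script is an added example, not part of the original page, that applies this check to an incoming notice. It first looks for signs that the mail is an automatic notification (the Auto-Submitted header from RFC 3834, a multipart/report body, or a typical subject line), then reads the Received: headers of the quoted original and checks whether any of your outbound relays appear in them. The relay hostnames in OUR_RELAYS and all four SAMPLE_* messages are constructed for the example (hypothetical example.ac.uk and example.org addresses).

```python
"""Sort incoming notices into genuine bounces and backscatter (false alarms).

Added example, not code from the original page.  Assumptions (hypothetical):
  * OUR_RELAYS are the mail servers that carry OUR outbound mail, so mail we
    really sent shows one of them in the original's Received: headers and a
    forged message does not.
  * The SAMPLE_* messages below are constructed for this example.
"""
import email
import re
from email import policy
from email.message import EmailMessage

OUR_RELAYS = ("mail.example.ac.uk", "smtp.example.ac.uk")  # assumption

NOTICE_SUBJECT = re.compile(
    r"undeliverable|returned mail|delivery (?:status|failure)|virus|"
    r"unauthori[sz]ed code|out of office", re.I)


def is_automatic_notice(msg: EmailMessage) -> bool:
    """True for auto-generated mail: RFC 3834 Auto-Submitted, a DSN report,
    or a subject typical of bounce / anti-virus notifications."""
    if (msg.get("Auto-Submitted") or "no").strip().lower() != "no":
        return True
    if msg.get_content_type() == "multipart/report":
        return True
    return bool(NOTICE_SUBJECT.search(msg.get("Subject", "")))


def original_received_lines(msg: EmailMessage) -> list[str]:
    """Received: headers of the original message the notice complains about.
    Proper bounces attach it as message/rfc822; some gateways only quote
    its headers as plain text in the body, so fall back to scanning that."""
    lines: list[str] = []
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)  # the embedded original message
            lines.extend(str(h) for h in inner.get_all("Received", []))
    if not lines:
        body = msg.get_body(preferencelist=("plain",))
        text = body.get_content() if body is not None else ""
        lines.extend(re.findall(r"^Received:\s*(.+)$", text, re.M))
    return lines


def classify(raw: str) -> dict:
    """Return a verdict and reason for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_automatic_notice(msg):
        return {"verdict": "not-a-notice", "reason": "no sign of an automatic notification"}
    received = original_received_lines(msg)
    if not received:
        return {"verdict": "unverifiable",
                "reason": "notice does not quote the original's Received: headers"}
    if any(relay in line.lower() for line in received for relay in OUR_RELAYS):
        return {"verdict": "genuine-bounce",
                "reason": "original passed through one of our own relays"}
    return {"verdict": "backscatter",
            "reason": "original never passed through our relays: sender address was forged"}


# Constructed: a bounce that attaches a forged original sent from a stranger's PC.
SAMPLE_FORGED_BOUNCE = """\
From: postmaster@example.org
To: a.person@example.ac.uk
Subject: Undeliverable: Hello
Auto-Submitted: auto-replied
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

Your message did not reach some or all of the intended recipients.

--B1
Content-Type: message/rfc822

Received: from dialup-42.isp.example.net ([203.0.113.7]) by mx.example.org; Tue, 27 Jan 2004 11:16:09 +0000
From: a.person@example.ac.uk
To: nobody@example.org
Subject: Hello

(infected attachment removed)
--B1--
"""

# Constructed: an anti-virus gateway warning that only quotes headers in its body.
SAMPLE_AV_WARNING = """\
From: virus-scanner@gateway.example.net
To: a.person@example.ac.uk
Subject: Virus found in an email sent by you

The following message was quarantined:

Received: from pc-17.home.example.net ([198.51.100.23]) by gateway.example.net; Tue, 27 Jan 2004 11:20:00 +0000
From: a.person@example.ac.uk
Subject: Hello
"""

# Constructed: a real bounce of mail we did send, via our own relay.
SAMPLE_GENUINE_BOUNCE = """\
From: postmaster@example.org
To: a.person@example.ac.uk
Subject: Undeliverable: TEST
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: text/plain

The e-mail account does not exist at the organization this message was sent to.

--B2
Content-Type: message/rfc822

Received: from mail.example.ac.uk ([192.0.2.10]) by mx.example.org; Tue, 27 Jan 2004 15:19:00 +0000
From: a.person@example.ac.uk
To: nobody@example.org
Subject: TEST

Test message.
--B2--
"""

# Constructed: ordinary mail, not a notice at all.
SAMPLE_ORDINARY = "From: b@example.org\nTo: a.person@example.ac.uk\nSubject: Lunch?\n\nFree at one?\n"

if __name__ == "__main__":
    for name, sample in (("forged bounce", SAMPLE_FORGED_BOUNCE),
                         ("AV warning", SAMPLE_AV_WARNING),
                         ("genuine bounce", SAMPLE_GENUINE_BOUNCE),
                         ("ordinary mail", SAMPLE_ORDINARY)):
        print(f"{name}: {classify(sample)}")
```

A 'backscatter' verdict is exactly the case the page describes: the warning or bounce is real, but the message it refers to was never yours, so no scan of your own PC is needed. Notices that quote no headers at all come back as 'unverifiable', which is the honest answer rather than a guess. Blocking a chatty source, as the page suggests, can then be applied to the From: address of repeat 'backscatter' notices only, without losing genuine bounces of mail you did send.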
