UTORmail: Virus Filtering
Overview
In order to reduce the amount of virus-laden e-mail reaching your Inbox every day, Computing and Networking Services (CNS) has installed an anti-virus filter at the UTORmail post office.
First the antivirus filter checks every message received from outside UTORmail against all known viruses.
If there is a match, the UTORmail post office will not accept the message from the sending post office.
Note that although Sophos, our post office anti-virus vendor, usually detects new viruses quickly, it can still take a few hours for a virus to become known; for this reason, we use Sophos tools to implement the following lines of defense. Certain types of email attachments pose significant risks to UTORmail customers. These dangerous attachment types are favoured by virus writers because they automatically execute on many computers, and are seldom used for legitimate communication.
Our anti-virus filter removes all such attachments, and replaces them with advisory text explaining what happened.
The Subject line of these messages will also be altered to include the special tag "[PMX:suspect attachment]" to help you quickly identify affected messages. The resulting message is then delivered to your junk-mail folder.
Messages older than seven days will be regularly deleted from your junk-mail folder.
One attachment type, known as "zip" files, is also considered risky, but is not discarded because it is often used for legitimate purposes.
Instead such attachments are renamed by appending '-utUNSAFE' to the file name, and warning text is added to the message.
The presence of the zip attachment has no bearing on whether the message is delivered to the Inbox or the junk-mail folder.
IMPORTANT: The above applies to messages coming from other post offices. Starting in 2008 with the introduction of smtp.utoronto.ca, messages sent by UTORmail customers (whether to other UTORmail customers or to the internet) are also checked for viruses. However, messages sent by UTORmail customers (whether to other UTORmail customers or to the internet) are not checked for dangerous attachment types.
Frequently Asked Questions
What are viruses and where do they come from?
Visit the 'Malicious Code' page under UTORprotect at Computing and Networking Services. It has lots of information about malicious programs or "Malware" such as computer Viruses, Worms, Trojans, Spyware, and other programs written specifically to spy on network traffic, record private communications, execute unauthorized commands, steal and distribute private and confidential information, disable computers, erase files, etc.
Why is an email virus filter at the post office necessary?
The vast majority of viruses originate and/or transmit themselves through email. Viruses are extremely destructive and can be responsible for data deletion, bandwidth congestion, and service infrastructure downtime. Recovering from the damage costs the University and its community time, effort, and money.
If CNS is filtering viruses at the post office, do I still need to run anti-virus software on my computer?
Yes. The anti-virus filter at the post office does not replace the need to install and maintain up-to-date anti-virus software on your computer. The anti-virus filter and anti-virus software work together to give you the best possible protection against virus delivery and infection.
To download Symantec® Norton Anti-Virus (NAV) software, please visit the University's UTORprotect site. The UTORprotect site is also an excellent resource on Best Practices for protection against viruses.
Do you notify the sender(s) of removed attachments?
If a message is found to contain a known virus, it will not be accepted from the sending post office.
Normally the sending post office will notify the sending human that the message could not be delivered.
If a message does not contain a known virus, but contains an attachment which will be removed or renamed, then the sender is not notified.
Messages containing viruses usually bear forged e-mail addresses and bogus reply headers. Sending a notification simply compounds the problem by sending email to people who did not send the original message.
Which attachment types are considered dangerous and thus removed?
The attachment is removed, replaced with advisory text, and the message put in the junk-mail folder if the attachment file name ends in:
.ace, .ade, .adp, .bas, .bat, .chm, .cla, .class, .cmd, .com, .cpl, .crt, .cs, .eml, .email, .exe, .hta, .inf, .ins, .isp, .js, .jse, .lnk, .mde, .msc, .msi, .msp, .mst, .ocx, .pcd, .pif, .reg, .scr, .sct, .shs, .shb, .vb, .vbe, .vbs, .wsc, .wsf, or .wsh.
If the attachment file name ends in .zip, the attachment is renamed by appending '-utUNSAFE' to the file name.
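
The removal, renaming and tagging rules above, as an added Python example (not UTORmail's or Sophos's own code). The function names, the advisory and warning wording, placing the tag at the front of the Subject, and matching case-insensitively with trailing dots and spaces ignored are assumptions of this example; the extension list, tag and suffix are taken from this page.

```python
from email.message import EmailMessage

# Extension list, tag and suffix are copied from the page; the rest is assumed.
DANGEROUS = tuple("." + e for e in (
    "ace ade adp bas bat chm cla class cmd com cpl crt cs eml email exe hta inf "
    "ins isp js jse lnk mde msc msi msp mst ocx pcd pif reg scr sct shs shb vb "
    "vbe vbs wsc wsf wsh").split())
TAG, ZIP_SUFFIX = "[PMX:suspect attachment]", "-utUNSAFE"

def normalise(name):
    # Assumption: compare case-insensitively and ignore trailing dots/spaces,
    # which Windows drops when the file is saved ("a.exe." becomes "a.exe").
    return name.lower().rstrip(" .")

def apply_policy(msg):
    """Mutate msg per the attachment policy; return (removed, renamed, to_junk)."""
    removed, renamed = [], []
    for part in list(msg.walk()):
        name = part.get_filename()
        if not name or part.get_content_maintype() == "multipart":
            continue
        if normalise(name).endswith(DANGEROUS):
            # Replace the attachment in place with advisory text (wording constructed).
            part.set_content(f"Attachment {name!r} was removed by the anti-virus filter.")
            removed.append(name)
        elif normalise(name).endswith(".zip"):
            disp = part.get_content_disposition() or "attachment"
            del part["Content-Disposition"]
            part.add_header("Content-Disposition", disp, filename=name + ZIP_SUFFIX)
            part.del_param("name")  # drop the legacy Content-Type name, if any
            renamed.append(name)
    if renamed:
        msg.add_attachment("Warning: zip attachments were renamed with "
                           + ZIP_SUFFIX + ".", disposition="inline")
    if removed:
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}".strip()
    # A zip alone never decides the folder; only a removal forces junk-mail.
    return removed, renamed, bool(removed)

def sample(names=("notes.txt", "Invoice.PDF.EXE", "data.zip")):
    # Constructed message with constructed attachment bytes.
    m = EmailMessage()
    m["Subject"] = "Quarterly numbers"
    m.set_content("See attached.")
    for fn in names:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=fn)
    return m
```

The file name is matched on its ending only, so a double extension such as "Invoice.PDF.EXE" is treated as .exe, which is the behaviour the "ends in" wording implies.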
A message contains a zip attachment. It does not contain a known virus. Will it be delivered to the Inbox?
The presence of the zip attachment has no bearing on whether the message is delivered to the Inbox or the junk-mail folder.
The University also maintains a spam filter, and if there is a high probability the message is spam, it will be delivered to the junk-mail folder.
What if someone needs to send me a legitimate attachment? I need the attachment to arrive intact.
If you are expecting a legitimate attachment from someone outside of the UTORmail system and the attachment has one of the filtered extensions, you will need to ask the sender to rename the attachment before sending it so that it is not detected by the anti-virus filter. Once you receive the message with the renamed attachment, you will have to rename it again in order to view it.
There is a trick if you are a Windows user - so it is important that you read the full renaming instructions. Renaming instructions for Macintosh users are also available.
Is anti-virus filtering the same as anti-spam filtering?
No. Spam is unsolicited email, often called junk mail. It is generally commercial in nature and considered a high-volume nuisance. A virus, on the other hand, is considered 'malicious code' and is typically designed to cause harm to the recipient's computer.
For more information on anti-spam filtering, please visit the UTORmail anti-spam page.
If both spam messages and messages with dangerous attachments are filtered to my junk-mail folder, how do I tell the difference?
Messages containing dangerous attachments can be identified by a special tag in the Subject line: "[PMX:suspect attachment]".
I can't find my junk-mail folder!
The junk-mail folder should appear and require no additional intervention. Should that not be the case, you may need to subscribe to junk-mail in order to see it. Please consult with an advisor at the Information Commons Help Desk for assistance in subscribing to the junk-mail folder. Call 416-978-HELP.
What happens if I accidentally delete my junk-mail folder?
Beginning in July 2005, the first time there is a message to be delivered to the junk-mail folder, it will be recreated.
Will my other email addresses also be filtered?
The anti-virus filter function only works on email handled by UTORmail. At present, only email arriving to addresses ending in @utoronto.ca can be filtered.
Some departments run their own email systems independent of UTORmail. Messages going directly to such systems are not affected by this filter.
If I forward mail from my UTORmail address to another address, will viruses be filtered?
Yes. All messages found to contain known viruses will be rejected, and hence not forwarded. All messages containing zip attachments will be marked as described in the Overview, and all dangerous attachments will be removed, and the resulting message will be forwarded.
What happens to anti-virus filtering when I go on vacation and set my auto-reply?
Nothing different. Messages containing known viruses are still rejected. Dangerous attachments are still removed, and the resulting message put in the junk-mail folder, and then deleted when older than seven days.
Will email be delayed as a result of the filtering?
There will be a moderate delay.
What if my email program is configured to use POP instead of IMAP?
The anti-virus filter works for both POP and IMAP. That said, POP is not a supported protocol. We strongly recommend converting to IMAP. For assistance, please consult with an advisor at the Information Commons Help Desk. Call 416-978-HELP.
Do other Universities have similar policies to defend against viruses?
Yes. One place is the University of Washington: http://www.washington.edu/computing/email/manage/blocking.html
We wish to thank James Morris of the University of Washington for helping us when we were setting up our anti-virus post office policies.
I am technical staff, technically advanced or just curious about how the anti-virus filter works - where can I find more information?
Please visit our advanced explanation page.
This page reflects what the UTORmail post office does for viruses starting March 30, 2006. See http://www.utoronto.ca/ns/antivirus/antivirus-old.html for what was done up until that date.