UTORmail: Virus Filtering

Overview

In order to reduce the amount of virus-laden e-mail reaching your Inbox every day, Computing and Networking Services (CNS) has installed an anti-virus filter at the UTORmail post office.

First, the anti-virus filter checks every message received from outside UTORmail against all known viruses. If there is a match, the UTORmail post office will not accept the message from the sending post office. Note that although Sophos, our post office anti-virus vendor, usually detects new viruses quickly, it can still take a few hours for a virus to become known; for this reason, we use Sophos tools to implement the following lines of defense.

Certain types of email attachments pose significant risks to UTORmail customers. These dangerous attachment types are favoured by virus writers because they automatically execute on many computers, and are seldom used for legitimate communication. Our anti-virus filter removes all such attachments, and replaces them with advisory text explaining what happened. The Subject line of these messages will also be altered to include the special tag "[PMX:suspect attachment]" to help you quickly identify affected messages. The resulting message is then delivered to your junk-mail folder.

Messages older than seven days will be regularly deleted from your junk-mail folder.

One attachment type, known as a "zip" file, is also considered risky, but is not discarded because it is often used for legitimate purposes. Instead, such attachments are renamed by appending '-utUNSAFE' to the file name, and warning text is added to the message. The presence of the zip attachment has no bearing on whether the message is delivered to the Inbox or the junk-mail folder.

IMPORTANT: The above applies to messages coming from other post offices. Starting in 2008 with the introduction of smtp.utoronto.ca, messages sent by UTORmail customers (whether to other UTORmail customers or to the internet) are also checked for viruses. However, messages sent by UTORmail customers (whether to other UTORmail customers or to the internet) are not checked for dangerous attachment types.

Frequently Asked Questions

What are viruses and where do they come from?
Visit the 'Malicious Code' page under UTORprotect at Computing and Networking Services. It has lots of information about malicious programs or "Malware" such as computer Viruses, Worms, Trojans, Spyware, and other programs written specifically to spy on network traffic, record private communications, execute unauthorized commands, steal and distribute private and confidential information, disable computers, erase files, etc.

Why is an email virus filter at the post office necessary?
The vast majority of viruses originate and/or transmit themselves through email. Viruses are extremely destructive and can be responsible for data deletion, bandwidth congestion, and service infrastructure downtime. Recovering from the damage costs the University and its community time, effort, and money. 

If CNS is filtering viruses at the post office, do I still need to run anti-virus software on my computer?
Yes. The anti-virus filter at the post office does not replace the need to install and maintain up-to-date anti-virus software on your computer. The anti-virus filter and anti-virus software work together to give you the best possible protection against virus delivery and infection. To download Symantec® Norton Anti-Virus (NAV) software, please visit the University's UTORprotect site. The UTORprotect site is also an excellent resource on Best Practices for protection against viruses.

Do you notify the sender(s) of removed attachments?
If a message is found to contain a known virus, it will not be accepted from the sending post office. Normally the sending post office will notify the sending human that the message could not be delivered.

If a message does not contain a known virus, but contains an attachment which will be removed or renamed, then the sender is not notified. Messages containing viruses usually bear forged e-mail addresses and bogus reply headers. Sending a notification simply compounds the problem by sending email to people who did not send the original message.

Which attachment types are considered dangerous and thus removed?
The attachment is removed, replaced with advisory text, and the message put in the junk-mail folder if the attachment file name ends in: .ace, .ade, .adp, .bas, .bat, .chm, .cla, .class, .cmd, .com, .cpl, .crt, .cs, .eml, .email, .exe, .hta, .inf, .ins, .isp, .js, .jse, .lnk, .mde, .msc, .msi, .msp, .mst, .ocx, .pcd, .pif, .reg, .scr, .sct, .shs, .shb, .vb, .vbe, .vbs, .wsc, .wsf, or .wsh. If the attachment file name ends in .zip, the attachment is renamed by appending '-utUNSAFE' to the file name.
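The rule above, sketched with Python's standard `email` package as an added example; it is not the UTORmail filter's own code. The extension list, subject tag and zip suffix come from this page, while the function names, advisory wording, tag position and the case-insensitive, trailing-dot-tolerant matching are assumptions.

```python
from email.message import EmailMessage

# Extension list, subject tag and zip suffix are taken from the page.
DANGEROUS = tuple("""
.ace .ade .adp .bas .bat .chm .cla .class .cmd .com .cpl .crt .cs .eml .email
.exe .hta .inf .ins .isp .js .jse .lnk .mde .msc .msi .msp .mst .ocx .pcd .pif
.reg .scr .sct .shs .shb .vb .vbe .vbs .wsc .wsf .wsh""".split())
TAG = "[PMX:suspect attachment]"
ZIP_SUFFIX = "-utUNSAFE"

def apply_attachment_policy(msg):
    """Edit msg in place; return (removed, renamed) lists of original names."""
    removed, renamed = [], []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Assumption: match case-insensitively and ignore trailing dots and
        # spaces, which Windows drops when the file is saved.
        key = name.lower().rstrip(". ")
        if key.endswith(DANGEROUS):
            # Replace the attachment with advisory text (wording assumed).
            part.set_content(f"The attachment {name!r} was removed by the anti-virus filter.")
            removed.append(name)
        elif key.endswith(".zip"):
            part.set_param("filename", name + ZIP_SUFFIX,
                           header="Content-Disposition", replace=True)
            renamed.append(name)
    if removed:
        # Assumption: the tag is prepended; the page only says it is included.
        subject = msg["Subject"] or ""
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}".strip()
    return removed, renamed

def sample_message(names=("Setup.EXE", "data.zip", "notes.pdf")):
    """Constructed message with one attachment per name (payload is dummy)."""
    msg = EmailMessage()
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    for name in names:
        msg.add_attachment(b"constructed", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg
```

A message for which `removed` is non-empty is the one that would go to the junk-mail folder; a rename alone does not change where the message is delivered.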

A message contains a zip attachment. It does not contain a known virus. Will it be delivered to the Inbox?
The presence of the zip attachment has no bearing on whether the message is delivered to the Inbox or the junk-mail folder. The University also maintains a spam filter and if there is a high probability the message is spam, it will be delivered to the junk-mail folder.

What if someone needs to send me a legitimate attachment? I need the attachment to arrive intact.
If you are expecting a legitimate attachment from someone outside of the UTORmail system and the attachment has one of the filtered extensions, you will need to ask the sender to rename the attachment before sending it so that it is not detected by the anti-virus filter. Once you receive the message with the renamed attachment, you will have to rename it again in order to view it. There is a trick if you are a Windows user - so it is important that you read the full renaming instructions. Renaming instructions for Macintosh users are also available.

Is anti-virus filtering the same as anti-spam filtering?
No. Spam is unsolicited email, often called junk mail. It is generally commercial in nature and considered a high-volume nuisance. A virus, on the other hand, is considered 'malicious code' and is typically designed to cause harm to the recipient's computer. For more information on anti-spam filtering, please visit the UTORmail anti-spam page.

If both spam messages and messages with dangerous attachments are filtered to my junk-mail folder, how do I tell the difference?
Messages containing dangerous attachments can be identified by a special tag in the Subject line: "[PMX:suspect attachment]".

I can't find my junk-mail folder!
The junk-mail folder should appear and require no additional intervention. Should that not be the case, you may need to subscribe to junk-mail in order to see it. Please consult with an advisor at the Information Commons Help Desk for assistance in subscribing to the junk-mail folder. Call 416-978-HELP.

What happens if I accidentally delete my junk-mail folder?
Beginning in July 2005, the first time there is a message to be delivered to the junk-mail folder, it will be recreated.

Will my other email addresses also be filtered?
The anti-virus filter function only works on email handled by UTORmail. At present, only email arriving to addresses ending in @utoronto.ca can be filtered. Some departments run their own email systems independent of UTORmail. Messages going directly to such systems are not affected by this filter.

If I forward mail from my UTORmail address to another address, will viruses be filtered?
Yes. All messages found to contain known viruses will be rejected, and hence not forwarded. All messages containing zip attachments will be marked as described in the Overview, and all dangerous attachments will be removed, and the resulting message will be forwarded.

What happens to anti-virus filtering when I go on vacation and set my auto-reply?
Nothing different. Messages containing known viruses are still rejected. Dangerous attachments are still removed, and the resulting message put in the junk-mail folder, and then deleted when older than seven days.

Will email be delayed as a result of the filtering?
There will be a moderate delay.

What if my email program is configured to use POP instead of IMAP?
The anti-virus filter works for both POP and IMAP. That said, POP is not a supported protocol. We strongly recommend converting to IMAP. For assistance, please consult with an advisor at the Information Commons Help Desk. Call 416-978-HELP.

Do other Universities have similar policies to defend against viruses?

Yes. One place is the University of Washington: http://www.washington.edu/computing/email/manage/blocking.html

We wish to thank James Morris of the University of Washington for helping us when we were setting up our anti-virus post office policies.

I am technical staff, technically advanced or just curious about how the anti-virus filter works - where can I find more information?
Please visit our advanced explanation page.

This page reflects what the UTORmail post office does for viruses starting March 30, 2006. See http://www.utoronto.ca/ns/antivirus/antivirus-old.html for what was done up until that date.