
Sasser/Viruses


jpollack

IS-IT--Management
Jan 26, 2005
162
US
A handful of users have been getting hit hard with viruses lately. Some users may get up to 25 a day. I have taken down the header information (all spoofs) and either called the ISP or sent an email to abuse@. Is there anything that I am overlooking that could be done to slow down the frequency of viruses? Norton has been detecting everything, but several users and my boss have been annoyed over the frequency.

Thanks,
John
 
It depends on the email system that you're using. I use Lotus Domino and am able to reject or hold attachments with certain file extensions at the server before they get to the end user.
 
Also... emailing admin@ and abuse@ and all that will not help you in fighting viruses.

Understand that viruses don't use the person's email address from the computer they infected anymore. They generally send themselves out as someone in that person's address book, etc.

Computer/Network Technician
CCNA
 
Mailing to abuse@ can help. In some cases this was the only way that I could tell ISPs that we were getting viruses from one of their IP addresses. A couple of ISPs turned off connections within a couple of days. We use Exchange here, so I will look into what settings I can change.
 
Are users getting hit with the virus or with a notification that a message with a virus was stopped from being delivered to them?

There are ways to combat both of these...

If they are just receiving a message from the server, you should be able to turn these off. However, you open yourself up to the liability of someone not realizing that they've missed an important e-mail.

If they're getting the viruses coming through, you should be able to configure Exchange to block/remove specific attachment types. Or, you can look into buying an appliance to filter out viruses, spam, etc.

Currently, our sister facility is going through the same problem. We just priced out getting them FrontierMail as a solution to sit between the firewall and Exchange box to block out all unwanted E-Mail (inbound and outbound, preventing you from infecting business partners).
 
People are getting hit with either a notification or a virus that is immediately detected and quarantined by Norton AV.
 
You could disable the notification message, but I'd advise against that. The only reason being, the first time someone doesn't know they missed an important message, you're back in the same boat.

If viruses are making it through, it doesn't sound as if the virus software that is loaded to the server is picking up all the mail that comes through. Is the virus software on the server a client software or an "Exchange server" virus client?

My advice is to look into three options.

1. Create a rule/script to remove or quarantine specific attachments, until they're verified and released.

2. Purchase an appliance to scan prior to mail getting to the Exchange box.

3. Seek out a specific virus client, designed to work on Exchange servers.

IMO, option 2 provides the greatest security and flexibility with the least amount of maintenance (highest cost as well). This is followed by option 3, with option 1 being the cheapest but the most work for you and the staff that maintains this.

If you go with the appliance option, shop around a bit. But most people I've talked with promote MailFrontier, and it seems to average about 18 per license (i.e., person) and about 2k for the hardware piece (provided you do the hardware and not a software/server combination).
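
Option 1 in the post above (a rule or script that quarantines specific attachment types), shown as an added example that is not part of the original thread and is not Exchange or Domino configuration: a Python filter that a mail gateway could run on each raw message. The blocklist, the function names and the sample message are assumptions constructed for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed blocklist for illustration; set it from local policy.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".cpl"}

def blocked_extension(filename):
    """Return the blocked extension that filename ends with, or None."""
    # Windows ignores trailing dots and spaces, so "a.exe. " still runs as a.exe.
    name = filename.strip().rstrip(". ").lower()
    ext = os.path.splitext(name)[1]  # last suffix only: "invoice.pdf.exe" -> ".exe"
    return ext if ext in BLOCKED_EXTENSIONS else None

def quarantine_attachments(raw_bytes):
    """Return (cleaned_message, quarantined); quarantined holds (filename, bytes) pairs."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    quarantined = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()  # also decodes RFC 2231 encoded names
        if not filename or not blocked_extension(filename):
            continue
        # Keep the original bytes so the attachment can be verified and released.
        quarantined.append((filename, part.get_payload(decode=True)))
        # Swap the attachment for a notice so the user knows something was held.
        part.set_content(f"Attachment {filename!r} was quarantined by the mail filter.\n")
    return msg, quarantined

def build_sample():
    """Constructed sample message (not taken from the thread)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Re: your document"
    m.set_content("See attached.\n")
    m.add_attachment(b"not-a-real-binary", maintype="application",
                     subtype="octet-stream", filename="invoice.pdf.exe")
    m.add_attachment("plain notes\n", filename="notes.txt")
    return bytes(m)

if __name__ == "__main__":
    cleaned, held = quarantine_attachments(build_sample())
    print("held:", [name for name, _ in held])
    print("remaining:", [p.get_filename() for p in cleaned.walk() if p.get_filename()])
```

Replacing the attachment with a notice, rather than dropping it silently, addresses the concern raised earlier in the thread about users not realizing that a message was held.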
 
We use Norton Corporate AV. Generally viruses are a nonissue, but this past week has been heavy.
 
The best way to resolve the issue, permanently, is still one of the above options (at least that I know of).
 