Stanford has provided a virus protection system on the Stanford email servers since February 2002. In August 2014 the service transitioned to a new product from Proofpoint. The system scans incoming and outgoing email attachments for viruses before they are delivered. The anti-virus measures apply to email attachments sent to @stanford.edu addresses, or to those sent out from the central email servers (smtp.stanford.edu). The new anti-virus system provides better campus-wide protection against virus attacks.
How does it work?
Every incoming email is scanned by the anti-virus system.
- If no virus is found in the, the email and any attachment are delivered as usual.
- If the message does have a virus, both the attachment and the email are deleted from the Stanford email system. Neither are sent through the system or delivered.
- If the message or attachment cannot be successfully scanned a "[POSSIBLE VIRUS:]" tag is inserted in the subject line and the message is delivered delivered. (Such attachments should be opened with extreme caution only. See below.) One possible the message can't be scanned is the presence of a password-protected attachment.
- "Executable" attachments that are file types commonly associated with malware will be stripped from email messages.
What makes it work?
Do I still need Sophos Anti-Virus on my personal computer?
Definitely. Sophos Anti-Virus can protect you from viruses that sneak in on CD's, via downloads from the Web, on floppy disks, etc.; anti-virus measures on the Stanford mail servers only stop viruses that arrive with email.
For the best possible virus protection we strongly recommend that you continue to use Sophos on your desktop or laptop computer. To get Sophos Anti-Virus software for your Mac or PC, go to the Essential Stanford Software page.
What if I need help?
If you have problems with or questions about these anti-virus procedures, send a help request to: helpsu.stanford.edu.
What are "mass mailing worms?"
One of the most common viruses are mass mailing worms. Stanford has been dealing with mass mailing worm attacks for years. Stanford's anti-virus gateway has kept most mass mailing worms at bay, but the nature of mail worms is such that these attacks will continue for awhile. Here's why:
Mass mailing worms hide in email attachments. After infecting a person's computer, the mass mailing worm transmits copies of itself to other computers via email. It does this by stealing email addresses from the infected person's email address book. It puts one stolen address in the TO: field, then alters or "spoofs" the FROM: field with another stolen address. The subject, message body, and attachment are selected at random from a list. The worm then sends these bogus email messages, which are secretly infected with copies of itself, to as many people as possible.
Because it has filled the FROM: field with someone else's address, the worm succeeds in making non-infected people appear to be the ones sending infected email. This prevents the real sender from learning that his or her machine has been infected, and from taking steps to remove the worm as a result. It also confuses those people whose email addresses were placed into the FROM: field ... they're not sure if their machine has been infected or not.
So if you receive email from a friend who claims you sent him or her a virus, don't panic. Your computer is probably not infected. It is possible that your name was picked up by another worm-infected computer and placed into the FROM: field as a sender.
The "possible virus" tag
If you receive an email message with "[POSSIBLE VIRUS:]" in the subject line, be cautious about opening the message. Be even more cautious about opening its attachment. Unless you're certain the email attachment is legitimate — it's sent from a trusted source, you're expecting it, the message carrying the attachment doesn't look suspicious and you are running anti-virus protection on your desktop — you should refrain from opening it.
Because new viruses appear quickly and begin to spread before Stanford's central virus filters can be updated to detect and remove them, the "[Possible Virus]" tag can function as an early warning system for all suspicious attachments.
If an "executable" attahchment is found (essentially a script or program that can be run) it will be removed from the email message in order to protect users from this common method of distributing malware. Users sending such files will have the message rejected with the following message: "5.7.0 Message rejected due to attachment type commonly associated with malicious software. Please use an alternate mechanism such as Stanford's Box service (https://itservices.stanford.edu/service/box) to transmit the file."