
Anti-Virus Gateway

Overview

Stanford implemented a virus protection system on the Stanford email servers in February 2002. The system scans incoming and outgoing email attachments for viruses before they are delivered. The anti-virus measures apply to email attachments sent to @stanford.edu addresses, or to those sent out from the central email servers (smtp.stanford.edu). The new anti-virus system provides better campus-wide protection against virus attacks.

How does it work?

Every incoming email that has an attachment is scanned by the anti-virus system.

  • If no virus is found in the attachment, the email and attachment are delivered as usual.
  • If the attachment does have a virus, both the attachment and the email are deleted from the Stanford email system. Neither is sent through the system or delivered.
  • If the attachment is of a type that is frequently infected by viruses, but no virus is actually identified, the email is given a "[POSSIBLE VIRUS:]" tag and delivered. (Such attachments should be opened only with extreme caution; see below.)

What makes it work?

The software that makes all this possible is PureMessage by Sophos. It's licensed for campus use and runs on most major platforms (NT, Solaris, Linux, HP-UX, etc.). To learn more, go to www.sophos.com/products/pm/.

If you want to install PureMessage on your departmental mail server, please contact IT Services Software Licensing for a license key.

Do I still need Sophos Anti-Virus on my personal computer?

Definitely. Sophos Anti-Virus can protect you from viruses that sneak in on CDs, via downloads from the Web, on floppy disks, etc.; anti-virus measures on the Stanford mail servers only stop viruses that arrive with email.

For the best possible virus protection we strongly recommend that you continue to use Sophos on your desktop or laptop computer. To get Sophos Anti-Virus software for your Mac or PC, go to the Essential Stanford Software page.

What if I need help?

If you have problems with or questions about these anti-virus procedures, send a help request to: helpsu.stanford.edu.

What are "mass mailing worms?"

Mass mailing worms are among the most common viruses. Stanford has been dealing with mass mailing worm attacks for years. Stanford's anti-virus gateway has kept most mass mailing worms at bay, but the nature of mail worms is such that these attacks will continue for a while. Here's why:

Mass mailing worms hide in email attachments. After infecting a person's computer, the mass mailing worm transmits copies of itself to other computers via email. It does this by stealing email addresses from the infected person's email address book. It puts one stolen address in the TO: field, then alters or "spoofs" the FROM: field with another stolen address. The subject, message body, and attachment are selected at random from a list. The worm then sends these bogus email messages, which are secretly infected with copies of itself, to as many people as possible.

Because it has filled the FROM: field with someone else's address, the worm succeeds in making non-infected people appear to be the ones sending infected email. This prevents the real sender from learning that his or her machine has been infected, and from taking steps to remove the worm as a result. It also confuses those people whose email addresses were placed into the FROM: field ... they're not sure if their machine has been infected or not.

So if you receive email from a friend who claims you sent him or her a virus, don't panic. Your computer is probably not infected. It is possible that your name was picked up by another worm-infected computer and placed into the FROM: field as a sender.

The "possible virus" tag

If you receive an email message with "[POSSIBLE VIRUS:]" in the subject line, be cautious about opening the message. Be even more cautious about opening its attachment. Unless you're certain the email attachment is legitimate — it's sent from a trusted source, you're expecting it, the message carrying the attachment doesn't look suspicious — you should refrain from opening it.

Here's a list of the kinds of attachments that often get a "possible virus" tag. Most of them are hardly ever associated with legitimate attachments. The one exception is ".zip" attachments. Because files ending with "zip" are compressed, the anti-virus system can't peer inside them. These files can contain almost anything ... including a virus.

.ade .adp .bas .bat .chm .cla .class .cmd
.com .cpl .crt .email .eml .exe .hlp .hta
.inf .ins .js .jse .lnk .msc .msi .mst
.ocx .pcd .pif .reg .scr .sct .shb .shs
.url .vb .vbe .vbs .wsc .wsf .wsh .zip

Because new viruses appear quickly and begin to spread before Stanford's central virus filters can be updated to detect and remove them, the "[POSSIBLE VIRUS:]" tag functions as an early warning for suspicious attachments even when no known virus is found.
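The three outcomes described under "How does it work?" (deliver, delete, or tag) and the extension list above can be expressed as a small filtering policy. The following is an added illustration written for this page; it is not Stanford's or Sophos's code, and it does not call PureMessage. It assumes a stand-in scanner that only recognises the EICAR anti-virus test signature (a standard test string that real engines also flag), and it applies the page's rule that a ".zip" attachment is tagged because its contents cannot be inspected. Sample messages are constructed inline.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment extensions the page lists as frequently infected, including .zip,
# which is tagged because the gateway cannot look inside compressed files.
RISKY_EXTENSIONS = {
    ".ade", ".adp", ".bas", ".bat", ".chm", ".cla", ".class", ".cmd",
    ".com", ".cpl", ".crt", ".email", ".eml", ".exe", ".hlp", ".hta",
    ".inf", ".ins", ".js", ".jse", ".lnk", ".msc", ".msi", ".mst",
    ".ocx", ".pcd", ".pif", ".reg", ".scr", ".sct", ".shb", ".shs",
    ".url", ".vb", ".vbe", ".vbs", ".wsc", ".wsf", ".wsh", ".zip",
}

TAG = "[POSSIBLE VIRUS:]"

# Hypothetical stand-in for the real scanning engine (assumption, not PureMessage):
# it recognises only the EICAR anti-virus test signature.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def scan_bytes(data: bytes) -> bool:
    """Return True if the stand-in scanner considers the payload infected."""
    return EICAR in data


def extension_of(filename) -> str:
    """Lower-cased extension of an attachment name, or '' if it has none."""
    name = (filename or "").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def classify(raw: bytes):
    """Apply the gateway's three outcomes to one raw RFC 822 message.

    Returns ("drop", None) if any attachment scans as infected,
    ("tag", msg) with the subject tagged if an attachment has a risky extension,
    or ("deliver", msg) unchanged otherwise.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    suspicious = False
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if scan_bytes(payload):
            return "drop", None          # known virus: delete message and attachment
        if extension_of(part.get_filename()) in RISKY_EXTENSIONS:
            suspicious = True            # frequently-infected type, but no virus found
    if suspicious:
        subject = msg["Subject"] or ""
        if not subject.startswith(TAG):
            del msg["Subject"]
            msg["Subject"] = f"{TAG} {subject}".rstrip()
        return "tag", msg
    return "deliver", msg


def build_message(filename: str, data: bytes, subject="Quarterly report") -> bytes:
    """Construct a sample message with one attachment (test input, not real mail)."""
    m = EmailMessage()
    m["From"] = "alice@example.edu"
    m["To"] = "bob@example.edu"
    m["Subject"] = subject
    m.set_content("See attached.")
    m.add_attachment(data, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        ("notes.txt", b"plain text"),      # delivered unchanged
        ("photos.zip", b"PK\x03\x04"),     # tagged: cannot be inspected
        ("invoice.exe", EICAR),            # dropped: scanner flags it
    ]
    for fname, data in samples:
        verdict, out = classify(build_message(fname, data))
        print(fname, "->", verdict, "" if out is None else repr(str(out["Subject"])))
```

Note that the scan runs before the extension check, so an infected attachment is dropped regardless of its name, and the extension comparison is case-insensitive so "ARCHIVE.ZIP" is treated the same as "archive.zip".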

Last modified February 23, 2010