Information Technology
Viruses That Spoof E-Mail
- I couldn't have sent that virus!
- What's a "GroupShield" message?
This is an information page about e-mail-borne viruses, the messages in which they arrive, and "GroupShield" alert messages.
E-mail has supplanted floppy disks as the primary medium through which computer viruses spread, or attempt to spread, to computers in our environment. Many viruses are designed to propagate via mechanisms built into unpatched versions of Microsoft Outlook for Windows. Outlook is one of the most popular e-mail clients in use worldwide; it is also SLA IT's preferred client for Liberal Arts faculty and staff.
Q. Someone told me that I sent them a virus! But I'm fairly confident that I didn't. What's going on?
A. A virus-generated message could easily appear to have been sent by a colleague, by you, or by any of us. Here's how:
- A legitimate message which includes your e-mail address is in someone's mailbox.
- His or her computer, lacking up-to-date anti-virus software, gets infected with a virus such as "Klez" (or another e-mail-generating virus like "Mydoom").
- "Klez" scans the mailbox and randomly picks your e-mail address from a message there.
- To propagate itself, "Klez" then forges numerous new outgoing messages in your name.
Diabolically clever -- and amazingly annoying.
Q. I don't even know the person who sent me the virus message, or the person who accused me of sending him/her a virus.
A. A legitimate message which includes your e-mail address could get into someone's mailbox in a variety of ways. For people you know,
- ... you could have sent him/her a message. (Your address is in his/her inbox.)
- ... he/she could have sent you a message. (Your address is in his/her "sent items" folder.)
For people you don't know,
- ... you might both be acquaintances of a third party who sent you the same message. (Your address is in the third party's "sent items" folder.)
- ... you might both be on a mailing list to which a message was sent. (Your address or the mailing list's address might be in every list member's mailbox.)
On the infected computer, the e-mail-generating virus picks addresses randomly from all messages that it can see in the local mailbox and then forges new outgoing messages using those names. (Sending e-mail with falsified names is called "spoofing.") In this manner, you could receive spoofed mail or mail could seem to have been sent by you.
Q. Why is this happening so often?
A. We've seen many Outlook-borne viruses, but most fade into obscurity after an initial outbreak. "Klez" and its variants, though, continue to generate large quantities of messages months after the initial "Klez" discovery (in January 2002). And there have been other e-mail-generating viruses, such as "Mydoom" (discovered in January 2004).
The ability of this virus to forge, or "spoof," e-mail makes it difficult to determine whose computer has been infected. IT staff may lack adequate information to find and disinfect the source computer.
Q. So how do we combat e-mail-borne viruses?
A. The defense against e-mail-borne viruses is multi-faceted: Your network administrator should install anti-virus protection on the e-mail server; you should have up-to-date anti-virus software on your computer; and, if you use Outlook, you should have an up-to-date ("patched") version on your computer.
Protection at the server: To prevent users of the Liberal Arts e-mail server (anyone with an @sla.purdue.edu e-mail address) from receiving e-mail-borne viruses, SLA IT installed the GroupShield anti-virus utility. It detects and deletes known viruses before they arrive in your mailbox. It also sends alerts to the recipient and the sender. Unfortunately, because these viruses use forged sender addresses, GroupShield can't always know the correct person to alert.
Anti-virus software on your computer: As always, it is essential to have anti-virus software installed on your computer -- and it must be configured to automatically update itself. (SLA IT recommends daily automatic updates.) Purdue has licensed McAfee VirusScan (for Windows) and Virex (for Macintosh).
If you need updated anti-virus software for your computer and/or help configuring your software for daily updates, please contact your department's IT support staff.
Outlook with all available patches: Microsoft has made available software patches which eliminate known vulnerabilities in Outlook. We recommend using Outlook 2000 or newer, and all available patches should be installed. (Contact your department's IT support staff for assistance.)
SLA IT's experience has been that users of properly-patched versions of Outlook running in an environment properly protected by anti-virus utilities needn't worry about virus infection (and subsequent data loss) any more than users of other e-mail clients.
Q. Anything else I should do?
A. Yes. Continue to be extremely cautious about sending file attachments in e-mail and especially about opening attachments you receive. E-mail-borne viruses can't put your anti-virus software to the test if you don't open the attachments in which the viruses are contained. We recommend that you do not open files received as e-mail attachments unless you know the exact purpose of the attachment. It is not enough that you may recognize the sender's name.
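The caution above applies before a file is ever opened, and the same check can be automated at the mail server or in a client-side filter. The added example below (not code from the original page or from SLA IT, and not how GroupShield works internally) builds a constructed message with three attachments and flags the ones a Klez-era worm would typically carry: an executable extension, an executable hidden behind a double extension such as photo.jpg.scr, and an executable whose declared MIME type claims to be audio, a trick used against unpatched clients. The extension list is an assumed policy, not one from the page.

```python
"""Flag risky file attachments in an e-mail message.

Added example; not from the original page or from SLA IT. The message is
constructed with fake attachment bytes, and the extension list is an
assumed policy for illustration.
"""
import email
from email.message import EmailMessage
from typing import Dict

# Extensions Windows runs when double-clicked (assumed policy list).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "bat", "com", "cmd", "vbs", "js"}


def build_sample_message() -> str:
    """Construct a multipart message with one safe and two risky attachments."""
    msg = EmailMessage()
    msg["From"] = '"A Colleague" <colleague@example.edu>'
    msg["To"] = "you@example.edu"
    msg["Subject"] = "Look at this"
    msg.set_content("Please open the attached files.")
    # Fake bytes only; none of these are real files.
    msg.add_attachment(b"%PDF-1.4 fake pdf bytes", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    msg.add_attachment(b"MZ fake program bytes", maintype="application",
                       subtype="octet-stream", filename="photo.jpg.scr")
    msg.add_attachment(b"MZ fake program bytes", maintype="audio",
                       subtype="x-wav", filename="song.exe")
    return msg.as_string()


def risky_attachments(raw: str) -> Dict[str, str]:
    """Map each risky attachment filename to the reason it was flagged."""
    msg = email.message_from_string(raw)
    flagged = {}
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text and multipart containers carry no filename
        pieces = name.lower().rsplit(".", 2)
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext not in EXECUTABLE_EXTENSIONS:
            continue
        reason = f"executable extension .{ext}"
        if len(pieces) == 3:
            # e.g. photo.jpg.scr: the real extension is the last one
            reason += " hidden behind a double extension"
        content_type = part.get_content_type()
        if not content_type.startswith("application/"):
            # An executable declared as audio/image is a classic worm trick
            reason += f", declared as {content_type}"
        flagged[name] = reason
    return flagged


if __name__ == "__main__":
    for name, reason in risky_attachments(build_sample_message()).items():
        print(f"{name}: {reason}")
```

A filter like this catches the obvious cases, which is useful, but it is no substitute for up-to-date anti-virus software: a worm packed inside an archive, or a document carrying a macro, passes an extension check untouched, and the sender's name in the From: header tells you nothing about where the attachment really came from.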
More information about working with e-mail attachments is available here.
Q. What should I do if I receive a GroupShield alert message?
A. Whether or not you use Outlook, you might receive a message with a subject line including the phrase "ALERT - GroupShield". Adjacent to the GroupShield message is another message with a random subject line. That second message carries a file attachment, and it might even appear to be from someone you know.
That the "Alert - GroupShield" message is adjacent probably means the message in question was generated by a computer virus. Rest assured that you have most likely not received a virus; GroupShield's purpose is to keep that from happening. You may safely delete and forget both messages.
An e-mail-generating virus on an entirely different person's computer probably sent the message -- forged with someone's name who likely has no responsibility whatsoever for propagating the virus.