Viruses & Spam
Virus Checking on the UniKey Mail Server FAQ
- What does the University do to protect me from computer viruses spread by email?
- Can my email messages be deleted or modified by the University?
- Under what circumstances would the University email virus scanning system modify email messages I send?
- What should I do if the recipient of a message I sent (or appear to have sent) contacts me to say the message has been modified because of a virus or potentially malicious content?
- What do I do if I get a message saying I sent an email containing a virus?
- Will I get a warning if a message I send is modified by the email virus scanning system?
Spam Checking on the UniKey Mail Server
What does the University do to protect me from computer viruses spread by email?
All email sent or received via the University central mail service is scanned for viruses and potentially malicious content or structure by the University Email Virus Scanning System. Messages identified as containing a virus or being potentially malicious will be deleted or altered in accordance with The University of Sydney, Email Virus Scanning Policy.
This service is supplemental to well-managed local virus protection. It DOES NOT do away with the requirement for robust security practices on local workstations.
Can my email messages be deleted or modified by the University?
Yes! The University asserts its right to delete or alter messages that, in its discretion, are suspected of containing viruses. This is done in accordance with The University of Sydney, Email Virus Scanning Policy.
Under what circumstances would the University email virus scanning system modify email messages I send?
In essence, there are three reasons why your message may be modified by the University email scanning system. They are as follows:
1) A virus infected file was attached to the email.
The email virus scanning system will remove and discard attachments to messages that contain known viruses.
If after the virus has been removed, there is at least 0.5kb of text or other safe attachments associated with the email, these will be forwarded along with a warning to the person you addressed it to.
However, if after the virus has been deleted, the remainder of the message contains less than 0.5kb of text (i.e. the remaining message is effectively empty), it will be discarded - this is done on purpose to make sure the email virus scanning system does not send unnecessary warning messages.
2) A suspicious (or potentially malicious) file was attached to the email.
If one or more files attached to an email have potentially malicious characteristics, they will be converted into plain text by the email virus scanning system. This process is sometimes called defanging. It is done to make sure that the files do not cause harm to the recipient's computer.
Files that will be rendered safe include:
- Encrypted ZIP files. Encrypted ZIP files are ZIP files that are protected by a password. Encrypted ZIP files are removed because a number of existing viruses deliver their harmful content in a password-protected ZIP file. The viruses do this specifically so that the malicious payload cannot be detected by virus scanners. They then include the password in the body of the email in the hope that a recipient will inadvertently extract, then run, the virus;
- Very large compressed files. Very large compressed files are ZIP or TAR files that: contain more than 1000 files; decompress to be larger than 150Mb; include more than ten nested sub-directories; or have been recursively compressed more than 5 times (for example, ZIP files inside ZIP files). Large compressed files are treated as suspicious because they may prevent the virus scanning system from checking all messages in a timely manner;
- PC/Windows Executable programs. These are files that can be run as a program. In the case of Windows files this would include most files with a ".exe" extension which have been compiled to run. The virus scanning system identifies PC/Windows Executable programs based on their content rather than simply the extension. Many viruses use PC/Windows executables to conceal and deliver their malicious payload;
- Suspicious or bad file names. Sometimes the name of a file is used by viruses to mask the true nature of the file from recipients. Where possible you should be careful not to give a bad or suspicious name to your files. To avoid this you should not give names that:
  - are the same as DOS device names (such as AUX, CON);
  - have multiple consecutive dots (such as document...doc);
  - have a dot or space as the last character of the filename (such as document.doc.);
  - include a dot followed by text followed by a space followed by a dot (such as .document .doc).
- Long file names. These are files with very long names (more than 100 characters). Long filenames can be used to exploit known vulnerabilities in some email clients. Hence you should be careful not to name your files in this way if you are planning to share them via email; and
- Scripts. Visual Basic (VB) or other scripts. This includes any files that have extensions of .cmd .bat .vbs .vbe. Many viruses use scripts to conceal and deliver their malicious payload.
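The attachment rules listed above can be expressed as a small checker. This is an added example, not the University scanner's code: the function names and finding labels are hypothetical, only ZIP (not TAR) is handled, "150Mb" is read as 150 MiB, nested archives are recognised by a .zip name, and the DOS device list is extended beyond the AUX and CON named in the FAQ.

```python
import io
import re
import zipfile

# Limits quoted in the FAQ above ("150Mb" is read here as 150 MiB: an assumption).
MAX_FILES, MAX_BYTES, MAX_DIRS, MAX_LAYERS, MAX_NAME = 1000, 150 * 2**20, 10, 5, 100
SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".vbe")
# The FAQ names AUX and CON; the other Windows reserved names are added here.
DOS_DEVICES = {"AUX", "CON", "PRN", "NUL"} | {
    f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)}


def name_findings(name):
    """Return labels (hypothetical) for each FAQ filename rule that `name` breaks."""
    checks = [
        ("dos-device-name", name.split(".")[0].strip().upper() in DOS_DEVICES),
        ("consecutive-dots", ".." in name),
        ("trailing-dot-or-space", name.endswith((".", " "))),
        ("dot-text-space-dot", bool(re.search(r"\.[^.\s]+ +\.", name))),
        ("long-name", len(name) > MAX_NAME),
        ("script-extension", name.lower().endswith(SCRIPT_EXTS)),
    ]
    return [label for label, hit in checks if hit]


def zip_findings(data, layer=1):
    """Return labels for each FAQ archive rule broken by the ZIP bytes in `data`."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if any(i.flag_bits & 0x1 for i in infos):   # bit 0: entry is encrypted
            found.add("encrypted-zip")
        if len(infos) > MAX_FILES:
            found.add("too-many-files")
        if sum(i.file_size for i in infos) > MAX_BYTES:  # declared sizes only
            found.add("too-large")
        if any(i.filename.count("/") > MAX_DIRS for i in infos):
            found.add("too-many-directories")
        for i in infos:
            nested = i.filename.lower().endswith(".zip")  # by name: an assumption
            if not nested or i.flag_bits & 0x1 or i.file_size > MAX_BYTES:
                continue  # never inflate encrypted or oversized members
            if layer >= MAX_LAYERS:
                found.add("too-many-layers")
                continue
            inner = zf.read(i)
            if zipfile.is_zipfile(io.BytesIO(inner)):
                found |= set(zip_findings(inner, layer + 1))
    return sorted(found)
```

The archive checks read only the central directory metadata, so an encrypted or oversized member is flagged without being decompressed.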
3) The email message has a highly suspicious structure or content.
It is very unlikely that you will send an email with a suspicious structure or content by accident. That said, the constructs that are targeted by the email virus scanning system include messages:
- With VBScript embedded in HTML email;
- That contain non-multipart eml – an unusual combination of mime-type and file extension;
- Containing iframe+exe – an html tag that includes an executable;
- Containing an iframe tag – often used to download then execute viruses; and/or
- That are only partially a mime-type.
Messages constructed to be only partially a mime-type will be discarded in the same way that virus infected attachments are handled. Messages constructed to include any or all of the other components listed above will be changed so that they can not inadvertently or intentionally harm the recipient’s computer. In the case of messages that are partial mime-type Therefore, if you understand what these constructs are, it is best not to plan to use them in your emails.
As mentioned above, if you don’t know how to create this type of message, it is very unlikely that you will make it by accident – so most people will not need to change their email habits to prevent this from happening.
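A sketch of how a scanner could detect some of the message constructs listed above, added here as an illustration and not taken from the University's system. It assumes that "only partially a mime-type" refers to the message/partial content type and that "iframe+exe" means an iframe whose src ends in .exe; the non-multipart eml case is not covered, and all names and labels are hypothetical.

```python
from email import message_from_string
from html.parser import HTMLParser


class TagScan(HTMLParser):
    """Collect the suspicious HTML constructs named in the FAQ list."""

    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "iframe":
            self.found.add("iframe")
            # Assumption: "iframe+exe" is an iframe that loads an .exe file.
            if a.get("src", "").split("?")[0].endswith(".exe"):
                self.found.add("iframe+exe")
        if tag == "script" and "vbscript" in a.get("language", "") + a.get("type", ""):
            self.found.add("vbscript-in-html")


def structure_findings(raw):
    """Return sorted labels for the suspicious constructs found in a raw message."""
    found = set()
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "message/partial":       # fragmented message: discarded per the FAQ
            found.add("partial-mime")
        elif ctype == "text/html":           # defanged rather than discarded per the FAQ
            body = part.get_payload(decode=True) or b""
            scan = TagScan()
            scan.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
            found |= scan.found
    return sorted(found)
```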
Note: Any of these changes would be made in accordance with The University of Sydney, Email Virus Scanning Policy.
What should I do if the recipient of a message I sent (or appear to have sent) contacts me to say the message has been modified because of a virus or potentially malicious content?
A warning such as this is created when a potentially dangerous file or attachment to an email has been rendered safe, or a known virus has been deleted by the University’s Email Virus scanning system.
This does not necessarily mean your computer is infected with a virus. What it does mean is that:
1) Someone's computer that is infected with a virus has sent an email via the University’s email service purporting to be you; or
2) You have sent a file or attachment that contains some characteristics that have been identified as potentially malicious by the University’s Email Virus scanning system. For more details on the characteristics determined to be potentially malicious see the FAQ titled - Under what circumstances would the University email virus scanning system modify email messages I send?; or
3) Your computer is infected with a virus which is trying to spread itself by either sending itself to people contained in your address book, or by attaching itself to files you send to other people.
Before you give advice to the recipient you will need to investigate which circumstance has resulted in the warning message being generated. In many cases you may need to contact computer support staff in your area or department for assistance with confirming that your computer is not the source of a virus.
If you CAN NOT confirm that the file or attachment is safe, or you are sure that it did not originate from your computer, you should instruct the recipient to delete and ignore the email.
If you can confirm that you sent the file or attachment and it is safe, you may instruct the recipient to restore it by following the instructions in the email (and also at http://www.usyd.edu.au/is/comms/webrefang/index.html).
Note: The message was modified in accordance with The University of Sydney, Email Virus Scanning Policy.
What do I do if I get a message saying I sent an email containing a virus?
Because many viruses can fake (spoof) the address from which they are sent, it is not always possible to identify the true sender of a virus-infected message. Hence, to prevent email addresses from receiving unwarranted (and often incorrect) warnings, the University of Sydney email virus scanning system does not return warnings to the possible senders of virus-infected messages.
If the message purports to be from the University of Sydney’s central mail service, you should ignore it.
However, if the warning comes from another source you should try to determine whether you sent the message, file or attachment. If you did send the file or attachment you should take action to confirm your system is secure and free from viruses before resending the original or any other messages. In many cases you may need to contact computer support staff in your area or department for assistance with confirming that your computer is not the source of a virus.
Will I get a warning if a message I send is modified by the email virus scanning system?
No. As many viruses can fake (or spoof) the address from which they are sent, it is not always possible to identify the true sender of a virus-infected message. Hence, to prevent email addresses from receiving unwarranted (and often incorrect) warnings, the University of Sydney email virus scanning system does not return warnings to the possible senders of virus-infected messages.
In this way, the University’s email virus scanning system puts the onus on the recipient of a message to determine the safety of a message or attachment before it is opened or recovered.
Note: This action is in accordance with The University of Sydney, Email Virus Scanning Policy.



