Gonzaga University Anti-Virus Filtering System (GUAVFS)

GUAVFS Frequently Asked Questions


Dear Gonzaga Students, Staff and Faculty,

Beginning Wednesday, November 14th, 2001, Gonzaga will be putting a new e-mail attachment filtering system in place that blocks potentially hostile attachments before they reach Gonzaga's mail systems. The purpose of this new system is to reduce the number of viruses coming into the Gonzaga mail system. Many file types are very rarely sent as legitimate attachments but are often used to propagate viruses; because they are so rarely needed, they can be safely blocked in most cases.

This new system will be almost transparent to the typical user. The most commonly used file types are passed through the system as are all messages that have no attachments at all. This new system is meant to catch the uncommon file types that are the typical virus carriers.

This system doesn't eliminate the need for users to be aware of the documents that they are opening! Users should never open a file from people they don't know. The user must always be aware of the dangers of unknown attachments. E-mail is a common distribution method for viruses, so an attachment should be opened only if you know the person who sent the file and you know that they knowingly sent it (many viruses mail themselves from an infected machine without the owner's knowledge).

THE GORY DETAILS

This new system will examine the extensions (e.g., .doc, .exe, etc.) of all of the attachments that come into the Gonzaga mail system or between mail servers on campus. Based upon the file extension that it finds, it will do one of three things:

  1. Let the attachment through (this will be the most common case)
  2. Block the message/attachment (a list of blocked extensions is below)
  3. Rename the attachment so it's non-executable

Most files will fall under the first case; they will be sent through without any modification whatsoever. This doesn't mean that these files are virus free, it just means that they have passed the first screening. Norton Anti-Virus on the Exchange servers will still scan the attachment for any known viruses once it's delivered to GEM or GULAW. Barney and Grace don't have anti-virus software scanning the incoming mail so this is the only protection currently offered to those servers.

Any message that includes an attached file with any of the following extensions will be blocked:

  *.asd *.bat *.chm *.cil *.dll *.hlp *.hta *.js  *.lnk *.nws *.ocx *.exe
  *.reg *.scr *.shb *.shs *.vbs *.vbe *.wsc *.wsf *.wsh *.pif *.mdb *.vb

Blocking will also occur if the attachment name matches that of well-known viruses. For example, README.EXE is blocked because it is a known delivery agent for a specific virus.

If the attachment is one that will be blocked (case 2), the entire e-mail message is rejected. The sender of the blocked message is notified that the message was rejected along with the reason that it was blocked and instructions on how to bypass the block if the file is legitimate. In addition, the Gonzaga postmaster (postmaster@gonzaga.edu) is also notified so we can track how well the system is working.

Some attachment types are considered potentially hostile but are more commonly used, so we don't want to just block them. These extension types fall under case 3; the attachment is renamed so that the file is non-executable. After the file name has been changed, the message and attachment are sent to the specified recipient of the message. Other than the name change, the file is unaltered. By changing the extension, the recipient will not be able to automatically execute or open the attachment without first saving the attachment and removing the extra characters that the software adds. This step "should" cause the recipient to think about what they are doing and thus reduce the likelihood of opening a virus.

A typical name change would be something like "hfnetchk.exe" to "hfnetchk.28573DEFANGED-exe". It's quite clear what the original filename and extension are but the attachment cannot be executed or opened without first renaming the file.

While Microsoft Office documents (.doc, .xls, .ppt) have often been the carriers of viruses, we have decided to allow these documents through unaltered. This means that a .doc file containing a virus could still pass through this filter and a user could still open it and get infected. Even given this risk, we felt it was important to minimize the impact on the end-user by not renaming or blocking Microsoft Office documents. The filtering software does have the capability to check for hostile macros within Office documents. If it finds hostile macros within the document it will reject the document and notify the sender of the message that it wasn't delivered.

The exception among Microsoft Office documents is Microsoft Access databases: all files ending in *.mdb are blocked.

If you need to send someone a file whose name ends with one of the banned extensions, simply change the extension to one that isn't blocked and let the recipient know what the extension should be changed back to. Because the filter looks only at the final extension, this allows the file to pass through, and it ensures that the file won't be executable until the recipient renames it. (The renamed file is still scanned by Norton Anti-Virus once it reaches the Exchange servers.)
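The three-way decision described above (and the renaming workaround that the FAQ below recommends) can be modelled in a few lines. The following is an added example written for this page; it is not GUAVFS, Procmail or John Hardin's Sanitizer code. The blocked-extension list is the one published above and README.EXE is the page's own name-match example; the set of extensions that are renamed rather than blocked is not listed on the page, so the three extensions used for it here, and the numeric tag in the renamed file name, are assumptions for illustration only.

```python
"""Model of the GUAVFS attachment policy (added example, not the real filter).

Assumed for illustration (not stated on the page): DEFANGED_EXTENSIONS and
the numeric tag placed in a renamed file name.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Action(Enum):
    ALLOW = "allow"    # case 1: pass through unmodified
    BLOCK = "block"    # case 2: reject the whole message
    DEFANG = "defang"  # case 3: rename so it cannot be opened by a click


# Blocked extensions, as published in the announcement.
BLOCKED_EXTENSIONS = frozenset("""
    asd bat chm cil dll hlp hta js lnk nws ocx exe
    reg scr shb shs vbs vbe wsc wsf wsh pif mdb vb
""".split())

# Extensions renamed rather than blocked: ASSUMED, the page does not list them.
DEFANGED_EXTENSIONS = frozenset({"com", "cmd", "msi"})

# Attachment names blocked outright as known virus carriers. README.EXE is the
# page's own example; matching is case-insensitive.
POISONED_NAMES = frozenset({"readme.exe"})


@dataclass(frozen=True)
class Decision:
    action: Action
    reason: str
    new_name: Optional[str] = None  # set only for DEFANG


def basename(filename: str) -> str:
    """Strip any directory part a sender might have left in the name."""
    return filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]


def extension_of(filename: str) -> str:
    """Final extension, lower-cased, or '' if none.

    Only the LAST dot counts: 'database.mdb.txt' has extension 'txt', which
    is exactly why the rename trick in the announcement gets a file through.
    """
    name = basename(filename)
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def defang(filename: str, tag: int) -> str:
    """Rewrite 'hfnetchk.exe' to 'hfnetchk.28573DEFANGED-exe'."""
    stem, ext = basename(filename).rsplit(".", 1)
    return f"{stem}.{tag}DEFANGED-{ext}"


def decide(filename: str, tag: int = 28573) -> Decision:
    """Apply the policy to one attachment name."""
    name = basename(filename)
    ext = extension_of(name)
    if name.lower() in POISONED_NAMES:
        return Decision(Action.BLOCK, f"{name} matches a known virus carrier name")
    if ext in BLOCKED_EXTENSIONS:
        return Decision(Action.BLOCK, f"extension .{ext} is on the blocked list")
    if ext in DEFANGED_EXTENSIONS:
        return Decision(Action.DEFANG, f"extension .{ext} is renamed", defang(name, tag))
    return Decision(Action.ALLOW, "extension is on neither list")


def filter_message(attachments: List[str]) -> Tuple[str, List[Decision]]:
    """Apply the policy to every attachment of one message.

    One BLOCK rejects the entire message (the sender is notified); otherwise
    the message is delivered with any DEFANGed names rewritten.
    """
    decisions = [decide(a) for a in attachments]
    if any(d.action is Action.BLOCK for d in decisions):
        return "reject", decisions
    return "deliver", decisions


if __name__ == "__main__":
    # Constructed sample attachment names.
    for sample in ["report.doc", "README.EXE", "database.mdb", "database.mdb.txt", "tool.com"]:
        d = decide(sample)
        print(f"{sample:20} {d.action.value:7} {d.reason}" + (f" -> {d.new_name}" if d.new_name else ""))
```

Two details worth noticing when running it: the match on README.EXE is case-insensitive, so README.exe and readme.EXE are blocked too, and database.mdb.txt is allowed because only the final extension is examined, which is the documented behaviour rather than a bug in the model.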

END OF GORY DETAILS

In summary, we want to reiterate that this system is going to be almost transparent to the typical user. You will typically only be aware of it if you send unusual file types such as batch files, VBScript (.vbs) files and executables. You will also notice that you receive fewer messages that contain viruses.

If you have any questions, please refer to the frequently asked questions (FAQ) below. If they don't answer your question, then contact the Help Desk at helpdesk@gonzaga.edu or 313-5550.

Also, if you encounter any problems, I would like to know about them. While this system has been in testing for more than a month, there may still be problems that we haven't encountered. Problems should be reported to .

Central Computer and Network Support Services


GUAVFS Frequently Asked Questions


Why is this system necessary if we already have anti-virus software?

The purpose of GUAVFS is to block all potentially hostile attachments from coming into Gonzaga's mail servers or passing between Gonzaga's internal mail servers. This includes both known and unknown viruses. Anti-virus products typically look for known viruses, and so are vulnerable to new viruses until their signatures have been updated; GUAVFS blocks by file type instead, which does not depend on a signature. In addition, many of the student computers have no virus protection at all, so for them GUAVFS is the only defense against viruses arriving by e-mail.

Does this mean that I don't have to have anti-virus software on my computer?

No! You should still have anti-virus software on your computer and you should keep it up-to-date at all times. E-mail is not the only way to distribute viruses. Viruses can be transmitted via the web, floppy disk, ftp, etc. It is always beneficial to have multiple layers of protection against viruses.

How do I send or receive a file that is on the "blocked" list?

If you want to send or receive an attachment that is blocked by GUAVFS, you need to change the extension of the file to something that won't be blocked or append an extension onto the first extension. For example, you could rename database.mdb to database.txt or database.mdb.txt. This will allow the file to pass through GUAVFS. The receiver of the message would need to remove the extra extension or rename the file to make it usable again. While this seems to defeat the purpose of GUAVFS, it really doesn't since the recipient is forced to think about what they are doing which should make them consider whether or not it is a good idea to open the file.

Will this system block graphic or music files?

No. GUAVFS was put into place only to block files that can carry a virus, so it acts only on executable and script files and on files that can contain macros. Graphic and music files pass through untouched.

Will all Microsoft Word (.doc) and Microsoft Excel (.xls) documents with macros be blocked?

No. GUAVFS analyzes the macro to check for specific hostile commands. It assigns a score to each such command that it encounters, and if the total score for the macro reaches a certain threshold, the file is blocked as a potential virus carrier. For example, even though GUAVFS doesn't know anything about the Melissa virus (a Word macro virus), it blocks it because the macro uses commands that legitimate Word macros rarely use. Using this technique, it can also block Word and Excel macro viruses that haven't even appeared yet.
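The scoring approach described in this answer (and mentioned in the "Gory Details" above) is easy to see in miniature. The following is an added example written for this page, not the Sanitizer's own macro scanner: the list of suspicious constructs, the weight attached to each and the blocking threshold are all assumptions chosen for illustration, and the two macros it is run on are constructed samples (the "mailer" is a made-up sketch of a self-mailing macro, not the real Melissa code).

```python
"""Toy weighted-score macro scanner (added example, not the Sanitizer's own).

Indicators, weights and THRESHOLD are ASSUMED for illustration.
"""
import re
from typing import List, Tuple

# (label, regex, weight): constructs a benign Word/Excel macro rarely needs.
MACRO_INDICATORS = [
    ("auto-run handler", r"\bAutoOpen\b|\bDocument_Open\b|\bWorkbook_Open\b", 2),
    ("spawns a process", r"\bShell\b", 4),
    ("COM automation", r"\bCreateObject\b", 3),
    ("drives Outlook (mass mailing)", r"\bOutlook\.Application\b", 4),
    ("deletes files", r"\bKill\b|\bRmDir\b", 3),
    ("rewrites its own/other VBA code", r"\bVBProject\b|\bCodeModule\b", 4),
    ("touches the global template", r"\bNormalTemplate\b", 3),
    ("writes the registry", r"\bRegWrite\b|\bSaveSetting\b", 2),
]
THRESHOLD = 8  # assumed; total score at or above this blocks the document


def score_macro(source: str) -> Tuple[int, List[str]]:
    """Return (total score, human-readable list of hits).

    Every occurrence of an indicator adds its weight, mirroring the page's
    description of a score per command encountered.
    """
    total = 0
    hits: List[str] = []
    for label, pattern, weight in MACRO_INDICATORS:
        count = len(re.findall(pattern, source, flags=re.IGNORECASE))
        if count:
            total += weight * count
            hits.append(f"{label} x{count} (+{weight * count})")
    return total, hits


def is_hostile(source: str) -> bool:
    return score_macro(source)[0] >= THRESHOLD


# Constructed sample 1: a harmless formatting macro.
BENIGN_MACRO = """Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
    MsgBox "Formatting done"
End Sub
"""

# Constructed sample 2: sketch of a self-mailing macro (not real malware).
MAILER_MACRO = """Private Sub Document_Open()
    Dim app, item
    Set app = CreateObject("Outlook.Application")
    Set item = app.CreateItem(0)
    item.To = "everyone@example.edu"
    item.Attachments.Add ActiveDocument.FullName
    item.Send
    NormalTemplate.VBProject.VBComponents(1).CodeModule.AddFromString "x"
End Sub
"""

if __name__ == "__main__":
    for name, src in [("benign", BENIGN_MACRO), ("mailer", MAILER_MACRO)]:
        total, hits = score_macro(src)
        verdict = "BLOCK" if is_hostile(src) else "allow"
        print(f"{name}: score {total} -> {verdict}")
        for h in hits:
            print("   ", h)
```

The point the page makes survives in the toy: the scanner has no signature for the mailer macro, yet the macro scores far above the threshold simply because it runs on open, automates Outlook and rewrites the global template, while the formatting macro scores zero. The same property cuts both ways in practice: a legitimate macro that happens to automate Outlook will score high too, which is why the threshold and weights need tuning against real traffic.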

If the attachment is blocked, will I still receive the message without the attached file?

No. The entire message is rejected so the recipient doesn't receive anything at all. The sender of the message is notified that the recipient didn't receive the message so they will have the opportunity to resend the message without the blocked file or with the file renamed if the file does need to be sent to the recipient.

Where is GUAVFS located and what is it built from?

GUAVFS runs on Gonzaga's two mail hubs that connect Gonzaga's mail servers with one another and with the Internet. GUAVFS is a combination of Sendmail, Procmail, and the E-mail Sanitizer by John Hardin. Below is a simple diagram of Gonzaga's mail system.

As you can see from this diagram, GUAVFS sits between the Gonzaga mail servers and the Internet and between the mail servers themselves. The only exception to this is that the GEM and GULAW Microsoft Exchange servers communicate directly with one another. By placing GUAVFS between the mail servers at Gonzaga, a virus from one will typically not be transmitted to the other mail servers.