[SpamCop-Geeks] Re: How to handle viral email
Pop
nobody at devnull.spamcop.net
Fri Dec 16 10:50:30 EST 2005
"G" <gregstigers+msnews at spamcop.net> wrote in message
news:dnuhf7$ru2$1 at news.spamcop.net...
: I'm curious what others would do in my situation. I've figured out how I can
: try to find the sender of a viral email, which I should disclaim may be
: useless to identify dial-up users, although if they send a legitimate email
: from their transient IP address, I have them. With the IP address in the
: header, which I also ping and tracert, I create a rule in Outlook to alert
: on any email with that IP address in the header, which I do not normally
: enable, but do "Run now".
:
: That said, having identified an infected user, or his or her employer, then
: what? Who do we notify, and how?
:
: The two options are being discussed. One is to have our recipient notify the
: sender that his or her PC is infected, and let the user seek whatever help
: can be had from IT. The other is for me as the system admin to attempt to
: identify the IT contact by whois or other means, or contact the infected
: user, at my discretion, offering the emails as evidence, and some level of
: assistance. There are probably other options, and I would welcome hearing
: them.
:
: There is also the question of where to draw the line. Do we assume that our
: AV is sufficient, and only respond if an affected user complains about
: receiving the denatured viral email? Do we only notify business partners,
: and for instance wash our hands of the problem if the infected sender is a
: friend, relative, or incidental business contact with whom we have no
: particular relationship (with a shrug to all those vendors who have
: contacted us on their own initiative)?
:
: Greg Stigers
: I hope this is the appropriate forum for this one
:
:
I'm not sure why the question; it seems like, if it were me, I
would (and do):
IFF I am certain I have the actual sender & it's not forged,
Notify the sender AND the sender's server administrator (ISP,
whatever), request a response for when the situation gets fixed,
and then block that address until the response is received.
Period; no exception.
Nothing wrong with advising how to use alternate email routes,
etc., in the notifications, especially if it's a preferred
customer. If it's a customer, a phone call might be in order so
as to prevent surprises. They will likely be grateful to know
they are infected. Lots of ways to be nice about it and to look
like the great business they know you are. Unless you're not.
The only other alternative I see is to ignore it and do nothing.
And if this is a business, start limiting personal usage of the
system as much as reasonable. Email is not/should never be, the
ONLY functional means of contact.
Pop
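
The header check discussed in this thread, as an added example that is not part of either post: it reads the connecting IP only from the Received line written by the recipient's own relay, since the lines below it are supplied by the sender and can be forged, and compares that with a match on the IP anywhere in the header. The relay name mx.example.org, the function names and the sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string

TRUSTED_MX = "mx.example.org"   # assumption: hostname of our own boundary relay
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def handoff_ip(raw, trusted=TRUSTED_MX):
    """IP our own relay recorded for the host that connected to it, else None."""
    msg = message_from_string(raw)
    for hdr in msg.get_all("Received", []):        # newest hop comes first
        flat = " ".join(hdr.split())               # undo header folding
        by = re.search(r"\bby\s+(\S+)", flat)
        if by and by.group(1).rstrip(";").lower() == trusted:
            ip = IP_RE.search(flat.split(" by ")[0])   # the "from ..." clause
            return ip.group(1) if ip else None
    return None                                    # never crossed our relay

def messages_from(ip, raws):
    """Indexes of messages whose trusted hand-off IP equals ip."""
    return [i for i, raw in enumerate(raws) if handoff_ip(raw) == ip]

def naive_match(ip, raws):
    """What an 'IP anywhere in the header' rule would flag."""
    return [i for i, raw in enumerate(raws) if ip in raw.split("\n\n", 1)[0]]

def make(received, subject):
    """Build a constructed sample message from Received lines (newest first)."""
    return "".join(f"Received: {r}\n" for r in received) + f"Subject: {subject}\n\nbody\n"

STAMP = "Fri, 16 Dec 2005 09:00:00 -0500"
OURS = f"from dial7.example.net (dial7.example.net [203.0.113.45]) by mx.example.org with ESMTP; {STAMP}"
# Constructed samples. Lines below our relay's own line are sender-supplied.
VIRAL = make([OURS, f"from mail.bank.example ([198.51.100.9]) by dial7.example.net; {STAMP}"], "viral")
LEGIT = make([OURS], "invoice")
DECOY = make([f"from relay.example.com (relay.example.com [192.0.2.10]) by mx.example.org with ESMTP; {STAMP}",
              f"from pc ([203.0.113.45]) by relay.example.com; {STAMP}"], "other")

if __name__ == "__main__":
    box = [VIRAL, LEGIT, DECOY]
    print(handoff_ip(VIRAL), messages_from("203.0.113.45", box), naive_match("203.0.113.45", box))
```

The third sample carries the watched address only in a sender-supplied line, so the anywhere-in-header match flags it while the trusted hand-off check does not.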