The time has come to put the proverbial foot down: those who send file attachments in e-mail must take it upon themselves to also send any information a recipient may need to protect themselves from viruses.
The proliferation of self-propagating e-mail viruses and worms has obliterated the concept of a trusted sender. Happy99.exe, Melissa and Worm.ExploreZip all found a way to pass themselves along without the sender knowing it until the angry replies started pouring in. As a result, anyone who opens an e-mail attachment these days without some assurance that it’s safe is asking for trouble.
The problem is, how can the recipient be sure?
There’s no sense in panicking users that every attachment could potentially blow up their computer, and even less sense in passing on ridiculous hoax messages that teach users to eventually ignore all warnings. Warnings should be checked against major virus and hoax lists (such as www.symantec.com/avcenter/hoax.html or vil.mcafee.com/hoax.asp) before being passed on.
Users should be instructed to not open any potentially infected file such as executables, zips or Word documents unless the sender has made it clear that the file is, to the best of their knowledge, safe. When in doubt, recipients should delete the e-mail immediately, including out of any deleted folder, to resist the temptation to go and open it when a colleague naively informs them that it’s okay because it didn’t “look” like anything bad happened when they ran it.
We need to create an on-line culture where the onus is on the sender to ensure the following information accompanies every file attachment that could carry a virus:
that the sender really is sending it of their own accord and proves this by saying their name and something else about themselves, such as a job title, that a smarter virus can’t just pull out of their e-mail program
what the file is and what programs or plug-ins it needs to run
that the sender has scanned the file with an updated anti-virus program and found that it is, to the best of their knowledge, safe.
For example, I don’t send any executable, zip, or Word file without stating something like, “I, Kimberly Chapman, wacky tech reporter at large, am sending you this file called goofy.exe. It is a short animated movie that requires the Macromedia Flash plug-in to view, which can be downloaded at www.macromedia.com/software/flash/. I have scanned it with InoculateIT anti-virus, last updated on October 1, 1999, and it was found clean at that time.”
Furthermore, netiquette would dictate that attachments only be sent to those who have agreed to accept them, as some older systems can’t handle attached files in the first place.
It is insufficient to merely tell recipients, “I’ve checked this, it’s safe,” because it’s too easy for a virus writer to include that as part of the standard delivery message. It is insufficient to just put this information into an automated signature; it must appear in every possibly infected attachment e-mail, every time, always specific to that case.
If the recipient has deleted the file because these criteria were not meant, the recipient can inform the sender, possibly by a standard form letter, of the criteria and request that the file be scanned and resent.
Senders who find these requests too much of a hassle are generally not worth dealing with. If they don’t care about network safety enough to type a few lines of text and run a virus scan, they’re too much of a security risk for business.
These measures will not prevent viruses from spreading and wreaking havoc on systems, because anti-virus programs can’t be updated until the virus is already in the wild and spreading. These measures can, however, minimize the spread of e-mail viruses and worms and thus save hours of frustrated clean-up and recovery time. Making these practises part of standard corporate e-mail and security policies will help thwart future Melissas.