>Your email to <dkvander@joplin.com> with subject "Stats" had an attachment
>named "RCMAN.CFG.exe"

I've had a couple questions about this post, so I thought I'd follow up and explain what it means.

We currently catch any messages with attachments that are programs before they go out on the lists. These messages get held for checking by a volunteer from the Electronic Communications Committee. If the attachment could be a program, the volunteer trashes the message and it doesn't go out on the list.

Looking at the post quoted above, the virus attachment name ended with ".exe" and that is one of our disallowed file extensions. Look at the pianotech archives and you'll see no message with that attachment was posted through the list. The quote says:

    Your email to <dkvander@joplin.com> with subject "Stats" had an attachment named "RCMAN.CFG.exe"

But there has not even been a post to pianotech with the Subject: "Stats" in recent history. The message quoted might cause one to draw the conclusion that a virus was sent to Dkvander via the list, but it just isn't so. The message with the virus would have gone to everyone else on the list (including me) and it would be in the pianotech archives and it isn't.

So why did this happen? Remember that the virus programs forge all the information in the mail headers. They make up a Subject: line, they make up a To: line, they make up a From: line. Internet mail allows those lines to contain ANYTHING and that information is not validated in any way. This means that anyone can send you a mail message saying it came from andy@rudoff.com or anyone else and nothing prevents it. The virus programs use this fact to throw people off.

The virus typically scans all your files, looking for patterns to use as Subject:, To:, and From: lines. So a virus sending a copy of itself with these headers:

    Subject: Stats
    To: dkvander@joplin.com
    From: pianotech@ptg.org

is completely understandable.
Think about it, if a virus were on your machine right now and it scanned all your files (including your INBOX and outgoing mail records), would it not come up with strings just like this?

So what happens is that someone receives a virus post addressed to them directly (not through the list) and the From: address is forged as "pianotech@ptg.org". Their virus software replies with the message you saw posted to the list because the return address was pianotech@ptg.org. But only the reply went out to pianotech, and that reply did NOT contain a virus. The second message was just someone else posting a reply, again NOT containing a virus.

Also note that as far as we know, dkvander@joplin.com does NOT have the virus. We are seeing a reply from dkvander's virus checker. The reply went to the forged From: address, and that's why we're seeing it. Tracking down the infected machine is not possible with the amount of information we have now, but it is the machine that sent the message to dkvander, not dkvander's machine.

I'm not saying I know for certain a virus cannot make it out through the list, but the evidence shows it hasn't happened yet. More than that, our current evidence shows our filters are keeping virus posts off the lists (for several years now). But there is NOTHING I can do to keep list readers from getting their machines infected via non-list messages, of course.

Finally, it is worth mentioning that I've noticed a definite pattern over the past five years or so. Suddenly I'll catch zillions of virus posts over a few weeks, then it will calm down for a month or two. What I'm seeing is our "Piano Technician Community" catching a virus, spreading it around, and slowly figuring it out and getting better. Just like when people you work with pass a cold around. Fascinating to watch, really. But so far we've been very successful at preventing virus spread through the list.
I hope this message helps explain some of the confusion caused by virus posts, and remember, use virus scanning software!

-andy
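
The attachment check described in the post, sketched as an added example; this is not the list's actual filter and not code from the original message. The function names and the sample message are constructed, and ".exe" is the only disallowed extension the post names, so the other entries in the set are assumptions.

```python
# Added example: hold list posts whose attachments look like programs.
from email import message_from_string, policy
from pathlib import PurePosixPath

# ".exe" is the only extension the post names; the rest are assumed for illustration.
DISALLOWED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com"}

# Constructed sample: every header below is sender-supplied text, as the post explains.
SAMPLE = """\
From: pianotech@ptg.org
To: dkvander@joplin.com
Subject: Stats
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

see attached
--BOUND
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="RCMAN.CFG.exe"
Content-Transfer-Encoding: base64

AAAA
--BOUND--
"""

def program_attachments(raw_message):
    """Return attachment filenames whose final extension is disallowed."""
    msg = message_from_string(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Only the last suffix counts, so "RCMAN.CFG.exe" is an .exe despite
        # the harmless-looking ".CFG"; trailing dots and spaces are ignored.
        ext = PurePosixPath(name.strip().rstrip(". ").lower()).suffix
        if ext in DISALLOWED_EXTENSIONS:
            flagged.append(name)
    return flagged

def moderation_decision(raw_message):
    """'hold' for volunteer review if any attachment could be a program."""
    return "hold" if program_attachments(raw_message) else "pass"

if __name__ == "__main__":
    print(moderation_decision(SAMPLE), program_attachments(SAMPLE))
```

The decision depends only on the attachment name, never on the From: line, because that header is whatever the sender chose to write.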
This PTG archive page provided courtesy of Moy Piano Service, LLC