Malware is definitely out there and it's targeting us specifically
A few years ago I did a count of 'viruses' that our email system had seen in incoming traffic and found that we'd seen a relatively low volume. This left me with the impression that things had died down, an impression not changed by occasional surges early in 2015.
Well, let me update that. Ever since I started actively looking at the attachment types we've been getting in email and actively blocking some of them, I've noticed what I think of as a real volume of malware and periodic surges in it. Some quick numbers suggest that this is indeed the case and we seem to be running at more than twice the rejection volume we were at the start of 2015.
With rare exceptions, what we seem to get is mostly malware, which I suspect is all ransomware. More notably, lately it's clear that there is a real wave of it that is specifically targeting the university in volume. I can tell this because a great deal of the malware we're rejecting at the moment is actually relayed to us from the university's central email system (many of our users forward their central email address to us). The current burst seems to be coming from random outside envelope origin addresses, but earlier runs were actually forged from dangerously plausible university email addresses such as copier@<our-domain>.ca (and with Subject: headers to match it).
(The malware that I've looked at appears to mostly be Office documents with embedded macros. At the moment we don't feel that we can reject all of these outright, although it's getting tempting, and anyways I'm not sure we can reliably detect them. Some macro-enabled attachments seem to use specific extensions, like .docm, but it appears that some don't. Presumably you have to sniff inside .doc files to be sure and I'm dubious about going that far in our own local code.)
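To make the "sniff inside the file rather than trusting the extension" point concrete, here is an added example of a content-based check for macro-enabled Office attachments. It is not code from this site or its mail system; it is a stand-alone illustration. It relies on two facts about the formats: modern OOXML files (.docx/.docm/.xlsm and so on) are zip archives whose VBA project is stored as a `vbaProject.bin` part and declared in `[Content_Types].xml`, while legacy .doc/.xls files are OLE2 compound documents that start with a fixed 8-byte signature. The sample attachments are constructed in memory (the "VBA" part is a placeholder byte string, not a real macro), and the policy function's action names are my own assumptions about what a mail filter might do.

```python
import io
import zipfile

# Magic numbers: OLE2 compound document (legacy .doc/.xls) and zip (OOXML).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# Content types that OOXML uses to declare macro-enabled documents or the VBA part.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
    "application/vnd.ms-office.vbaProject",
)


def classify_attachment(data: bytes) -> str:
    """Classify raw attachment bytes by content, ignoring the file name.

    Returns one of: 'ooxml-macro', 'ooxml-clean', 'ole2-legacy', 'not-office'.
    """
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                if "[Content_Types].xml" not in names:
                    return "not-office"  # a zip, but not an OOXML package
                # The VBA project part is the tell, whatever the extension says.
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    return "ooxml-macro"
                # Also honour the declared content types in case the part was renamed.
                ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if any(mct in ct for mct in MACRO_CONTENT_TYPES):
                    return "ooxml-macro"
                return "ooxml-clean"
        except zipfile.BadZipFile:
            return "not-office"
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: telling macro from non-macro needs a real
        # OLE2 stream parser, which this example deliberately does not attempt.
        return "ole2-legacy"
    return "not-office"


def policy(filename: str, data: bytes) -> str:
    """Map a classification to a (hypothetical) mail-filter action."""
    kind = classify_attachment(data)
    if kind == "ooxml-macro":
        return "reject"
    if kind == "ole2-legacy":
        return "hold-for-inspection"  # cannot be cleared by a cheap check
    return "accept"


def _make_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-shaped zip in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


_CLEAN_TYPES = '<Types><Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
_MACRO_TYPES = '<Types><Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>'

# Constructed sample attachments; none contain real macro code.
SAMPLES = {
    "report.docm": _make_ooxml({
        "[Content_Types].xml": _MACRO_TYPES,
        "word/document.xml": "<w:document/>",
        "word/vbaProject.bin": b"\x00constructed placeholder, not real VBA",
    }),
    # Same macro layout but with a harmless-looking extension: the name lies.
    "minutes.docx": _make_ooxml({
        "[Content_Types].xml": _MACRO_TYPES,
        "word/document.xml": "<w:document/>",
        "word/vbaProject.bin": b"\x00constructed placeholder, not real VBA",
    }),
    "notes.docx": _make_ooxml({
        "[Content_Types].xml": _CLEAN_TYPES,
        "word/document.xml": "<w:document/>",
    }),
    # Only the OLE2 header, enough to exercise the legacy-format branch.
    "invoice.doc": OLE2_MAGIC + b"\x00" * 64,
    "readme.txt": b"just text\n",
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:14} {classify_attachment(blob):12} -> {policy(name, blob)}")
```

The interesting case is `minutes.docx`: by extension it looks like a plain document, but the check rejects it because the zip contains a VBA project. The legacy `.doc` case shows the limit of cheap sniffing that the text alludes to: the OLE2 signature tells you the container type, not whether a macro stream is inside, so that branch can only hand the file off for deeper inspection.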
I knew malware was out there and sending email spam, of course. But I didn't realize that it was quite as active as it seems to be.
(And I expect it to only get worse from here, partly because ransomware seems to be a pretty reliable way to make money. Reliable ways to make money feed spam activity for the obvious reasons.)