== Malware is definitely out there and it's targeting us specifically A few years ago [[I did a count of 'viruses' that our email system had seen in incoming traffic EmailVirusCount-2013-08]] and found that we'd seen a relatively low volume. This left me with the impression that things had died down, an impression not changed by [[occasional surges early in 2015 LowVirusDetection-2015-01]]. Well, let me update that. Ever since I started actively looking at the attachment types we've been getting in email and [[actively blocking some of them BlockingAttachmentTypesLogic]], I've noticed what I think of as a real volume of malware and periodic surges in it. Some quick numbers suggest that this is indeed the case and we seem to be running at more than twice the rejection volume we were [[at the start of 2015 LowVirusDetection-2015-01]]. With [[rare exceptions MyDoomStillOutThere]], what we seem to get is mostly malware, which I suspect is all ransomware. More notably, lately it's clear that there is a real wave of it that is specifically targeting the university in volume. I can tell this because a great deal of the malware we're rejecting at the moment is actually relayed to us from the university's central email system (many of our users forward their central email address to us). The current burst seems to be coming from random outside envelope origin addresses, but earlier runs were actually forged from dangerously plausible university email addresses like _copier@.ca_ (and with _Subject:_ headers to match it). (The malware that I've looked at appears to mostly be Office documents with embedded macros. At the moment we don't feel that we can reject all of these outright, although it's getting tempting, and anyways I'm not sure we can reliably detect them. Some macro-enabled attachments seem to use specific extensions, like _.docm_, but it appears that some don't. Presumably you have to sniff inside _.doc_ files to be sure and I'm dubious about going that far in our own local code.) I knew malware was out there and sending email spam, of course. But I didn't realize that it was quite as active as it seems to be. (And I expect it to only get worse from here, partly because ransomware seems to be a pretty reliable way to make money. Reliable ways to make money feed spam activity for the obvious reasons.)