Virus-Induced Email Storms
by Bruce P. Burrell (bpb@umich.edu)
for the U-M Virus Busters (virus.busters@umich.edu)
Last significant update: 13 November 2002
This information can be freely reproduced in any medium, as long as the
information is unmodified.
An "email storm" is a tempest of email caused by an
off-topic message sent to a group, and then members of that group "replying to all". Often, the replies are of the form
"Why am I getting these emails??" or "Stop 'replying to all', you
blinking !@#$%^s!" or the like.
When a person sends the email that initiates an email storm, it can
be a Bad Thing -- perhaps it's SPAM or hate mail or just something that
is only mildly inappropriate. But no matter how well intended or
malicious, the consequences of the subsequent "replies to all" have a
large negative impact on all the members of the email group: people get
irate, mailboxes clog, and there can be a severe load on the system.
"So," you ask, "what does this have to do with viruses?"
Unfortunately, several viruses not only can initiate email
storms, they can actually generate the whole storm
themselves. Moreover, any group members who "reply to all" exacerbate
the problem.
How can this happen?
1. Several viruses, including Klez, BugBear, Yaha, and Braid,
can forge or "mangle" the From: field of email -- in short, the address
from which the email appears to originate is NOT the actual victim.
2. This means that when the virus randomly selects an address from
which to appear to send email, it may happen to select an email group,
instead of the name of an individual. Note that while you expect to
receive email To: a group, you should be wary whenever
you see email From: a group. For the most part, email
comes FROM individuals.
Let us examine what happens when a virus selects a group to use as
the forged From: field:
1. Naturally, everyone in the group gets a copy of the email,
including the attached virus. Moreover, the virus probably will
continue to email itself until the victim disinfects the compromised
computer. [We have confirmed cases where a virus sent over 3000 emails
in a twelve hour period, so things can be Very Very Bad....]
2. If there are invalid addresses within the database of names
entered into the group (members who have changed their addresses, or
data entered incorrectly originally), then when the virus emails the
group, there will be a rejection message generated (by "mailer daemons")
for each invalid address. And since the apparent
sender is the group itself, all these rejection messages -- in addition
to the emails generated by the virus -- get sent to each member of the
group.
3. Now since the rejection email is sent to the whole group, it
again goes to the invalid addresses -- so that Steps (2) and (3) can
cycle over and over. [Some mailer daemons are smart enough to recognize
this tail chasing, but unfortunately some are not. And all it takes is
one such dumb mailer daemon to keep the storm brewing -- so with a large
group problems can magnify quickly.]
That would be bad enough, but that's not all:
4. When the email reaches a host with gateway antivirus software
(programs that scan email for viruses), the virus should be detected and
blocked. That's a Good Thing, but often the gateway scanner will try to
reply to the victim that s/he is infected.
5. Usually that would be a Good Thing, too -- but in the case of
forged emails, these email replies sow confusion instead of helping: each
member of the group is led to believe that s/he may actually be the
infected party. Add to this the fact that each group member is receiving
lots of these "You are infected" messages (see point 2 above), and one might
well be convinced that there is a problem, even if one is well protected
by current, top quality antivirus software like that available at no cost
to University members via the University's site license for
VirusScan and Virex.
Like mailer daemons, some antivirus gateway scanners are smart enough
not to reply to forged addresses -- but most are not. When they are
not, sometimes there is explanatory text that can make it clear that you
should ignore email that refers to Klez or BugBear, etc. -- but again,
sometimes not. And even if they do have explanatory text, the "warning"
email reply will still go to the whole group, and therefore to all the
invalid addresses, and round and round we go.
Finally, some antivirus gateway scanners allow the WHOLE, infected
email to be "returned to sender." That, of course, causes the cycle to
escalate as well.
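The "smart" mailer daemon and gateway scanner behaviour described above comes down to a few checks made before any automatic reply is sent. The following Python is an added example written for this page, not code from the U-M Virus Busters team or from any mail product; every address, header and message text in it is constructed, and the names GROUP_ADDRESSES, auto_reply_target, list_should_distribute and demo are hypothetical.

```python
"""Checks a mailer daemon or antivirus gateway should make before it
sends any automatic reply, so that a forged From: pointing at a group
cannot turn one infected machine into an email storm.
Added example for this page: all addresses, headers and message texts
are constructed, and every name below is hypothetical."""
import email
from email.message import Message
from email.utils import parseaddr
from typing import Optional

# Constructed: addresses that expand to many people. Automatic replies
# must never go to these, whatever the message claims about its sender.
GROUP_ADDRESSES = {"staff-list@example.edu", "all-students@example.edu"}

# Precedence values that mark list or bulk traffic (older convention
# alongside the RFC 3834 Auto-Submitted header).
BULK_PRECEDENCE = {"bulk", "list", "junk"}


def is_group_address(addr: str) -> bool:
    return addr.strip().lower() in GROUP_ADDRESSES


def auto_reply_target(msg: Message, envelope_sender: Optional[str]) -> Optional[str]:
    """Return the address an automatic reply (a rejection notice or a
    "you are infected" warning) may be sent to, or None for no reply.

    envelope_sender is the SMTP MAIL FROM address; None or "" is the null
    sender that standards-conforming bounces use.  Rules, in order:
      1. Never reply to a message that is itself automatic (null envelope
         sender, Auto-Submitted other than "no", or Precedence bulk/list/
         junk), so two daemons cannot bounce each other's bounces forever.
      2. Reply only to the envelope sender, never to the From: header,
         which is exactly the field that From-forging viruses rewrite.
      3. Refuse even the envelope sender when it is a group address,
         because one reply to a group reaches every member.
    """
    if not envelope_sender:
        return None                                   # rule 1: null sender
    auto_submitted = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
    if auto_submitted != "no":
        return None                                   # rule 1: auto-generated
    if msg.get("Precedence", "").strip().lower() in BULK_PRECEDENCE:
        return None                                   # rule 1: list traffic
    _, sender = parseaddr(envelope_sender)
    if not sender or is_group_address(sender):
        return None                                   # rule 3: group address
    return sender                                     # rule 2: envelope only


def list_should_distribute(msg: Message, list_address: str) -> bool:
    """A group alias should refuse mail whose From: is the group itself:
    people send mail TO a group; mail does not come FROM one."""
    _, from_addr = parseaddr(msg.get("From", ""))
    return from_addr.strip().lower() != list_address.strip().lower()


# Constructed sample: a worm mailed to the group with From: forged as the group.
VIRUS_MAIL = """From: staff-list@example.edu
To: staff-list@example.edu
Subject: Re: your document

(infected attachment would be here)
"""

# Constructed sample: a rejection notice for a dead member address.
BOUNCE_MAIL = """From: MAILER-DAEMON@mail.example.edu
To: staff-list@example.edu
Auto-Submitted: auto-replied
Subject: Undelivered Mail Returned to Sender

old-address@example.edu: user unknown
"""

# Constructed sample: ordinary mail from a person.
PERSON_MAIL = """From: alice@example.edu
To: staff-list@example.edu
Subject: meeting

see you at noon
"""


def demo() -> dict:
    """Run the three samples through both checks and return the decisions."""
    virus = email.message_from_string(VIRUS_MAIL)
    bounce = email.message_from_string(BOUNCE_MAIL)
    person = email.message_from_string(PERSON_MAIL)
    return {
        # The worm forged header and envelope as the group: no warning is sent.
        "virus": auto_reply_target(virus, "staff-list@example.edu"),
        # A bounce carries the null envelope sender: never bounce a bounce.
        "bounce": auto_reply_target(bounce, ""),
        # A real person: a rejection or warning may go back to alice.
        "person": auto_reply_target(person, "alice@example.edu"),
        # The group itself should not distribute mail claiming to be FROM it.
        "list_accepts_virus": list_should_distribute(virus, "staff-list@example.edu"),
        "list_accepts_person": list_should_distribute(person, "staff-list@example.edu"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

In a real gateway the envelope sender comes from the SMTP session (or the Return-Path header a delivering MTA adds), never from the From: line, and a suppressed reply should be logged rather than silently dropped so the group owner can still find out which machine is infected.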
So, what can be done to stop virus-induced email storms?
1. Do not contribute to the storm by "replying to all."
2. If you are not a "power user", just delete the messages --
though "just" might not describe the amount of effort this entails: you
could be looking at hundreds, if not thousands, of email messages.
3. You may want to consider
resigning from the group, at least until the storm "blows over."
4. If you are a technical user, you may want to send us a copy of
one of the emails bounced to the group, per the recipe found at the Sending Suspicious Email To U-M Virus Busters page.
If you do this, be certain to send a separate,
uninfected Bcc: to the group receiving the email storm, informing them
that you have sent samples to the U-M Virus Busters team: we don't want
to get deluged ourselves!! Be sure to use an informative Subject: line,
like "I have sent U-M Virus Busters samples of the virus being mailed to
<whatever your groupname is>"
5. If you are the owner of the email group receiving the
storm:
   - In the short term, you should purge the group of all invalid
   addresses.
   - You may want to remove the group temporarily; 4-HELP can assist you
   in this so that you do not need to rebuild the group from scratch.
   - In the longer term: if your group is of any size, consider moving it
   to the ITCS Listserv. This will make it much more difficult
   for email storms -- viral or otherwise -- to propagate.
6. On a broader scale: you can lobby your Dean to support -- or even
demand -- antivirus software at the email gateway. Configured
properly, of course, so that it doesn't generate email storms here or
elsewhere!
7. Finally, be sure you are using top quality, current antivirus
software. U-M faculty, staff, and students can get antivirus software
at no cost through the University's site license.
The URL for this page is
http://www.umich.edu/~virus-busters/virusmailstorm.html
For virus or hoax info, please see our main page
(http://www.umich.edu/~virus-busters/) or go to another reputable
site, like The Urban Legends Reference Pages.
-BPB
Last updated:
Friday, 22-Nov-2002 15:28:03 EST.
University of Michigan Virus Busters - virus.busters@umich.edu