How can you find out who, on your network, is emailing viruses?

Dec 27, 2001
I can't get funding for an email server virusscan yet and we're getting internal virus spam. I go around every week and update the virusscans and run the cleaners for the viruses we're getting hit with, but I cannot stop my users from opening every freakin' attachment that comes into their inbox even after numerous petitions, and I'm too busy to keep this up. Because most viruses replace the name in the 'from' field, I can't determine who exactly is doing it over and over (most of them do it and none will admit it). Any way to find out whose computer is sending a virus on an internal network? NT 4.0 and Exchange 5.5.
 

Woodie

Platinum Member
Mar 27, 2001
1. Email virus-scanner. (GroupShield, AntiGen are MS Gold Partners w/ Exchange)
2. Drop any/all executable attachments at the mail gateway.
3. Shoot all users who log in to email w/ any version of Outlook.
4. Centralized a/v console (EPO from McAfee) will tell you whose scanning engines are finding stuff.
 
Jan 31, 2002
1) What virus is going around? Klez? Nimda? SARC has some tools to sniff them out.
2) Don't necessarily drop all attachments - just mangle them beyond executable form
3) Set up GPO (if users are running 2K) to force Outlook to "secure" mode where it can't open attachments
4) If none of the above work, force people to console into the central mailserver and read everything in text-only via Pine. :D
5) If none of the above work, begin beating clueless users with a large object.

- M4H
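
One way a mail gateway could do the "mangle them beyond executable form" step suggested above, as an added example that is not part of the original thread: it renames attachments whose final extension is executable and forces a generic content type, leaving the payload untouched. The extension blocklist, the `.blocked` suffix and the sample message are assumptions constructed for illustration.

```python
import email

# Assumed blocklist: extensions Windows runs or scripts directly (not from the thread).
BLOCKED_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".hta"}

def is_executable_name(filename):
    """True if the last extension is blocked; catches names like 'report.doc.pif'."""
    # Windows ignores trailing dots and spaces, so strip them before checking.
    name = filename.rstrip(". ").lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED_EXT

def mangle_attachments(raw_bytes):
    """Return (rewritten_message_bytes, original_names_that_were_mangled)."""
    msg = email.message_from_bytes(raw_bytes)
    mangled = []
    for part in msg.walk():
        filename = part.get_filename()  # Content-Disposition first, then Content-Type name
        if not filename or not is_executable_name(filename):
            continue
        mangled.append(filename)
        safe_name = filename.rstrip(". ") + ".blocked"
        # Replace both headers a mail client may take the file name and type from.
        del part["Content-Type"]
        del part["Content-Disposition"]
        part.add_header("Content-Type", "application/octet-stream", name=safe_name)
        part.add_header("Content-Disposition", "attachment", filename=safe_name)
    return msg.as_bytes(), mangled

# Constructed sample message (not real traffic): a text part plus a double-extension attachment.
SAMPLE = b"""From: someone@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

see attached
--BOUND
Content-Type: application/octet-stream; name="report.doc.pif"
Content-Disposition: attachment; filename="report.doc.pif"

placeholder-payload
--BOUND--
"""

if __name__ == "__main__":
    print(mangle_attachments(SAMPLE)[1])
```

The returned list of original names can be logged alongside the connecting host, which gives a record of which machines keep submitting blocked attachments.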